Subdomain Enumeration in 2023: Tools, Sources, and Wildcard Pitfalls
A practical look at stacking subfinder, amass, and assetfinder, then filtering wildcard DNS so your bug bounty recon does not drown in noise.
By Arjun Raghavan, Security & Systems Lead, BIPI · January 3, 2023 · 9 min read
Why subdomain enumeration still pays
Every fresh bug bounty target starts the same way. You need a defensible list of in-scope hosts before you touch Burp, before you read a single response. The faster you can produce that list, the more time you spend hunting instead of scrolling crt.sh by hand.
Stack passive sources first
- subfinder -d target.com -all, with API keys for SecurityTrails, Chaos, and VirusTotal in your config
- amass enum -passive -d target.com for ASN-backed sources
- assetfinder --subs-only target.com for a quick second opinion
- crt.sh for certificate transparency, parsed via curl and jq
- Chaos dataset from ProjectDiscovery for known programs
Run each tool, sort and dedupe the output, and treat the merged file as your raw seed. Passive sources never touch the target, so this step is safe even on strict scopes.
Resolve before you scan
A list of names is not a list of assets. Push everything through dnsx to resolve A and CNAME records, drop dead names, and keep a column of resolved IPs. From there you can group by /24 or by ASN to spot related infra.
Active enumeration where allowed
When scope permits, brute force with a focused list. shuffledns plus a clean resolvers file gives you decent coverage without flooding upstream resolvers. Keep your wordlist small and target-specific. Generic 100k lists waste hours and rarely beat curated ones.
Permutations and alterations
Tools like dnsgen and altdns take known names and produce variations such as dev-api, api-dev, and internal-api. Resolve those through dnsx the same way. This is where many hunters find the staging host that the public sources missed.
Probe with httpx, not your browser
- Pipe resolved names into httpx with -title, -tech-detect, -status-code, and -cdn
- Save the JSON output, not just stdout, so you can grep later
- Tag CDN-fronted hosts so you do not waste time on shared edges
- Flag anything returning a server header you have not seen on the main app
What good output looks like
Common mistakes to avoid
- Treating raw subfinder output as a target list without resolving
- Forgetting to refresh API keys, then wondering why sources thin out
- Brute forcing aggressively on programs that forbid it
- Ignoring CNAMEs that point at unclaimed cloud services
Recon is not a one-shot scan. It is a pipeline you run weekly, with diffs that surface new hosts the moment they appear.
Wire it into a loop
Schedule the same pipeline on a cron. Store yesterday's and today's lists and diff the two. New hosts get pushed to a Slack channel or a notes file. Most of the easiest wins on a mature HackerOne program come from being first to see a freshly exposed asset.
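As an added example (not code from the post), a minimal POSIX shell version of the merge, normalize, and diff step described above; the file names, the mktemp scratch directory, and the in-scope suffix target.com are assumptions, and the sample host lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Merges raw passive output,
# normalizes it, and diffs against the previous run so only new hosts surface.
# File names and the in-scope suffix are assumptions for illustration.
export LC_ALL=C   # byte-order collation so sort -u and comm agree

# normalize_hosts SUFFIX < raw: lowercase, strip whitespace, trailing dots and
# the "*." wildcard prefix crt.sh emits, keep only names ending in .SUFFIX
# (or SUFFIX itself, but not look-alikes such as nottarget.com), then sort -u
# so overlap between tools collapses to one line per host.
normalize_hosts() {
  esc=$(printf '%s' "$1" | sed 's/\./\\./g')
  tr '[:upper:]' '[:lower:]' \
    | sed -e 's/[[:space:]]//g' -e 's/\.$//' -e 's/^\*\.//' \
    | grep -E "(^|\.)${esc}\$" \
    | sort -u
}

# new_hosts OLD NEW: names present in NEW but absent from OLD (both sorted).
new_hosts() {
  comm -13 "$1" "$2"
}

# Constructed sample data standing in for yesterday's and today's merged seed.
# Files are left in $tmp so the diff can be inspected or re-run.
tmp=$(mktemp -d)
cat > "$tmp/raw_today.txt" <<'EOF'
www.target.com
WWW.target.com
*.target.com
api.target.com.
dev-api.target.com
target.com
nottarget.com
notes.other.org
EOF
printf 'api.target.com\ntarget.com\nwww.target.com\n' > "$tmp/yesterday.txt"

normalize_hosts target.com < "$tmp/raw_today.txt" > "$tmp/today.txt"
new_hosts "$tmp/yesterday.txt" "$tmp/today.txt"   # prints dev-api.target.com
```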
Subdomain enumeration is unglamorous. It is also the difference between hunters who file duplicates and hunters who file firsts. Build the pipeline once, then let it run.