In this write‑up, I will briefly discuss some useful tools for subdomain enumeration as part of the information‑gathering phase in bug bounty hunting and web security testing. Subdomain discovery is an important reconnaissance step: every forgotten staging host, old API endpoint or unlisted service that turns up is additional attack surface that the target may not know is exposed. For demonstration purposes, the commands below are run against the VulnWeb lab environment (vulnweb.com), a deliberately vulnerable platform provided by Acunetix for educational and legal security practice; the same commands should only be pointed at domains you are authorized to test. The goal is to show practical tools and methodologies for discovering subdomains and building an effective recon workflow in a structured and responsible manner.

1: Subfinder


Subfinder is a fast and reliable subdomain enumeration tool developed by ProjectDiscovery. It focuses on passive reconnaissance, meaning it collects subdomains from various public sources such as APIs, certificate logs, and online datasets without directly interacting with the target. This makes it especially useful during the early information‑gathering phase in bug bounty hunting, helping researchers quickly map the attack surface and discover hidden assets efficiently.

The tool is installed from its official GitHub repository, maintained under the ProjectDiscovery organization.

Practical Usage:

You can see more about the tool and its available options by running :

subfinder -h 

To enumerate subdomains of a target domain:

subfinder -d example.com

Subfinder only returns names; it does not tell you whether anything is listening on them. Many passive results are stale DNS records or hosts with no web service, so the next step is to probe the list and keep the hosts that actually answer over HTTP:

subfinder -d vulnweb.com | httpx -silent -mc 200,301

httpx (the probing tool from ProjectDiscovery, not the Python client of the same name, which can also install an httpx command) sends an HTTP request to each host and prints the URLs that respond.

-silent hides the banner and progress output so the result is a clean list of URLs.

-mc 200,301 keeps only responses with status code 200 (OK) or 301 (redirect).

Be careful with that match list: a host answering 401, 403, 302 or even 404 is still a live web server, and is often the more interesting target, so a strict -mc filter removes assets rather than noise. Running httpx with -sc to print the status code next to each URL, and deciding afterwards what to drop, keeps those hosts visible.

After filtering, what remains is the set of subdomains that answered over HTTP and are worth testing further.


2: Assetfinder


Assetfinder is a passive enumeration tool developed by Tomnomnom that collects domains and subdomains related to a target from various public sources. It is fast and simple, and because it draws on a different mix of sources than Subfinder it is a useful second opinion during reconnaissance for picking up subdomains the first tool missed.

You can download the tool via its official repository on GitHub.

Practical Usage:

assetfinder vulnweb.com

Returns domains and subdomains related to the target. Because Assetfinder also reports related domains that are not under vulnweb.com, this raw output can contain hosts outside the target's scope.

assetfinder --subs-only vulnweb.com

Restricts the output to subdomains of the given domain, which is usually what a recon workflow needs and keeps the list free of unrelated noise.

cat domain.txt | assetfinder --subs-only

Reads a list of domains from domain.txt and passes each one to the tool. This is more efficient when dealing with multiple domains than running the command once per domain: the output is the same clean subdomain list, collected in a single pass.

3: FFUF


FFUF (Fuzz Faster U Fool) is a fast web fuzzer used during reconnaissance and security testing to discover hidden directories, files, parameters and other resources by sending requests built from a wordlist. It is available through its official repository on GitHub.

Practical Usage (Subdomain Fuzzing):

ffuf -u https://FUZZ.vulnweb.com -w wordlist.txt -H "Host: FUZZ.vulnweb.com"

Performs subdomain fuzzing by replacing the FUZZ keyword with each entry from the wordlist and reporting which candidates answer.

-u → The target URL pattern; with FUZZ in the hostname, every candidate name is resolved through DNS and requested directly.

-w → The wordlist of possible subdomain names.

-H "Host: FUZZ.vulnweb.com" → Sets the Host header to the same candidate name. In the command as written this is redundant, since FFUF already derives the Host header from the URL, but it is the whole point of the technique when a name has no DNS record: point -u at a host that does resolve (the apex domain or a known IP) and keep FUZZ only in the Host header, and the server's virtual‑host routing reveals names that DNS never would.

Unlike the passive tools above, this is an active technique that sends one request per word to the target, so it is noisy and must stay within the authorized scope. Expect the server to return its default page for most unknown Host values; filter that baseline away with -fs (response size) or -fc (status code), or let -ac auto‑calibrate the filter, otherwise every wordlist entry looks like a hit.

This technique helps identify hidden or unlisted subdomains that do not appear in passive enumeration.

4: Amass


Amass is a comprehensive subdomain enumeration tool maintained as an OWASP project. It discovers subdomains through both passive data sources and active DNS techniques, and is known for its depth and accuracy, which makes it particularly useful for expanding the attack surface during reconnaissance. It can also be downloaded from its official repository on GitHub.

Practical Usage:

amass enum -d vulnweb.com

Enumerates subdomains for the target domain. Without further flags, Amass queries its data sources and then resolves the discovered names over DNS, so this default mode does touch the target's name servers; wordlist brute‑forcing is only performed when -brute is added.

amass enum -passive -d vulnweb.com

Uses only passive data sources, without resolving or probing anything. This is the mode to use when direct interaction with the target must be avoided.

-d → Specifies the target domain for enumeration.

-passive → Limits enumeration to public sources without active probing.

Amass usually runs longer than the other tools here because it queries many more sources and resolves what it finds, and it is the one to reach for when deeper, more comprehensive subdomain discovery is required.

In conclusion, subdomain enumeration plays a crucial role in the reconnaissance phase, helping to uncover hidden assets and expand the overall attack surface. By combining multiple tools such as Subfinder, Assetfinder, FFUF, and Amass, we can achieve more comprehensive and accurate results. Each tool offers unique strengths, and using them together significantly improves the effectiveness of the discovery process.

Thank you for reading, and feel free to follow me on LinkedIn for more cybersecurity write‑ups and content. 👍
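Combining the tools is only half of the job; the other half is turning four differently formatted outputs into one list that is safe to feed into the active steps (httpx, FFUF). As an added example that is not part of the original write‑up or of any of the tools' projects, the POSIX shell function below takes the raw output of subfinder, assetfinder, amass or httpx on stdin, normalises it (lower‑case, wildcard and trailing‑dot removal, URL‑to‑hostname for httpx lines, first field only for Amass relationship lines) and prints a deduplicated list containing only hosts under the apex domain, so out‑of‑scope related domains from assetfinder never reach the probing stage. The sample output it runs on is constructed, including the 192.0.2.10 address, which is a documentation range and not a real lookup result.

```shell
#!/bin/sh
# Added example (not from the original write-up): merge subdomain lists from
# several tools into one in-scope, deduplicated list.
#
# merge_subdomains APEX
#   stdin : candidate names, one per line, as printed by subfinder, assetfinder
#           or amass, or as URLs printed by httpx
#   stdout: unique, lower-cased hostnames equal to APEX or ending in ".APEX"
merge_subdomains() {
    apex=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    # escape the dots so the apex is matched literally in the grep pattern
    apex_re=$(printf '%s' "$apex" | sed 's/\./\\./g')

    # 1. lower-case everything (DNS names are case-insensitive)
    # 2. keep only the first field (drops amass "host (FQDN) --> ..." tails)
    # 3. strip a URL scheme, then anything from the first "/" or ":" (path, port)
    # 4. strip a leading wildcard label "*." and a trailing "."
    # 5. keep the apex itself or names ending in ".apex"; dedupe in byte order
    tr '[:upper:]' '[:lower:]' \
      | awk 'NF { print $1 }' \
      | sed -e 's#^[a-z][a-z0-9+.-]*://##' \
            -e 's#[/:].*$##' \
            -e 's/^\*\.//' \
            -e 's/\.$//' \
      | grep -E "(^|\.)${apex_re}\$" \
      | LC_ALL=C sort -u
}

# Constructed stand-in for concatenated tool output (not real results):
#   subfinder -d vulnweb.com; assetfinder vulnweb.com; amass enum -d vulnweb.com;
#   subfinder -d vulnweb.com | httpx -silent
sample_output='testphp.vulnweb.com
TESTASP.vulnweb.com
*.rest.vulnweb.com.
acunetix.com
www.acunetix.com
testphp.vulnweb.com
testhtml5.vulnweb.com (FQDN) --> a_record --> 192.0.2.10 (IPAddress)
https://testaspnet.vulnweb.com/
notvulnweb.com
vulnweb.com'

printf '%s\n' "$sample_output" | merge_subdomains vulnweb.com
```

In practice you would replace the constructed `sample_output` with `cat subfinder.txt assetfinder.txt amass.txt | merge_subdomains vulnweb.com` and pipe the result into httpx. Note the suffix match: `notvulnweb.com` and `x.vulnweb.com.evil.example` are rejected, which is exactly the check that keeps an active fuzzing run inside the authorized scope.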