📰 Originally published on SecurityElites — the canonical, fully-updated version of this article.
DAY 6 OF 60
SUBDOMAIN ENUMERATION
In-scope targets only. Read the programme scope on HackerOne or Bugcrowd before running any tool. Passive tools (crt.sh, Subfinder passive mode) are safe on any in-scope target. Active DNS brute-forcing may be restricted — check programme policy explicitly before using Amass active mode.
In Day 5 you went deep on Burp Suite — Repeater, Intruder, the Proxy workflow, and how to intercept and modify every request flowing through the application. You now have the tool that will confirm every bug you find for the rest of this course.
Before you start firing Burp at request parameters, Day 6 answers the most important question in bug bounty: which targets are actually worth your time? The biggest mistake beginners make is going straight to the main domain and testing the same endpoints as every other hunter. The bugs that pay are almost never on the homepage. They live on dev.target.com that nobody discovered, staging.target.com still running PHP 7.1, api-v2.target.com the security team forgot to harden, and internal.target.com that appears nowhere on the public site. Day 6 teaches you to build the full map before you test a single thing.
This lesson covers the complete active recon workflow — crt.sh certificate transparency, Subfinder, Amass, httpx live host filtering, ffuf directory fuzzing, and how to organise everything into a prioritised attack surface document that feeds directly into your Burp Suite testing workflow from Day 5.
📋 What You’ll Master in Day 6
Why Subdomains Are Where Bugs Live
Passive: crt.sh Certificate Transparency
Subfinder — 40+ Source Aggregation
ffuf — Directory Fuzz Live Targets
Why Subdomains Are Where Bugs Actually Live
The main domain is the most tested, most monitored, and most hardened part of any programme. Security teams audit it constantly. Automated scanners run on it around the clock. Finding an original, unreported vulnerability there requires deep expertise and patience. Subdomains are a completely different story.
A programme with *.target.com in scope can have 300+ valid subdomains. Most hunters test fewer than 10. The hunter who maps all 300, filters to live hosts, and investigates the unusual ones consistently finds bugs others walk straight past.
🎯 HIGH-VALUE PATTERNS: dev., staging., test., uat., internal., admin., api-v2., beta., legacy., corp., old., backup.
✅ WHY THEY PAY
Older software with known CVEs
Debug mode enabled in production
Weak or no authentication
Default credentials not changed
Internal APIs publicly exposed
Forgotten after project ends
No automated scanner coverage
Step 0 — Read Programme Scope Before Running Anything
⚠️ Scope first, always. On HackerOne and Bugcrowd, every programme has an Assets section listing in-scope and out-of-scope targets. A wildcard (*.target.com) covers all subdomains. Many programmes explicitly exclude specific assets. Testing out-of-scope gets your report closed and may get you banned from the programme.
✅ IN SCOPE: *.target.com # wildcard = all subdomains
✅ IN SCOPE: api.target.com # specific subdomain
❌ OUT OF SCOPE: careers.target.com # third-party ATS
❌ OUT OF SCOPE: blog.target.com # hosted on external platform
Three questions to answer before starting:
1. Is active DNS brute-forcing / automated scanning permitted?
2. Are acquired / subsidiary domains in scope?
3. What is the safe harbour / responsible disclosure policy?
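Scope checking is worth automating so that no enumerated host reaches an active tool by accident. The following is an added example, not code from the course or from SecurityElites; it models the four scope lines above as a hypothetical programme and makes two assumptions, stated in the comments: a wildcard covers subdomains at any depth but not the apex, and an out-of-scope entry also excludes anything beneath it.

```python
# Constructed programme scope, mirroring the four lines above (hypothetical
# programme; read the real Assets section on HackerOne or Bugcrowd).
IN_SCOPE = ["*.target.com", "api.target.com"]
OUT_OF_SCOPE = ["careers.target.com", "blog.target.com"]


def _normalise(host):
    """Lower-case and drop a trailing dot so DNS-style output compares cleanly."""
    return host.strip().lower().rstrip(".")


def _matches(host, pattern, include_children=False):
    """Match one hostname against one scope entry.

    Assumptions made here: a wildcard entry (*.target.com) covers every label
    depth below the apex but not the apex itself, since programmes list the apex
    separately when it is in scope; a plain entry matches exactly and, when
    include_children is set, anything beneath it as well.
    """
    host = _normalise(host)
    pattern = _normalise(pattern)
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])      # ".target.com" suffix, any depth
    if host == pattern:
        return True
    return include_children and host.endswith("." + pattern)


def in_scope(host, allowed=IN_SCOPE, excluded=OUT_OF_SCOPE):
    """True only if host matches an in-scope entry and no out-of-scope entry.

    Exclusions are checked first and conservatively (children included), so
    careers.target.com and anything under it is rejected even though the
    *.target.com wildcard would otherwise cover it.
    """
    if any(_matches(host, p, include_children=True) for p in excluded):
        return False
    return any(_matches(host, p) for p in allowed)


def partition(hosts, allowed=IN_SCOPE, excluded=OUT_OF_SCOPE):
    """Split an enumerated host list into (testable, excluded) lists.

    Run this over crt.txt or Subfinder output before any active tool sees it.
    """
    testable, dropped = [], []
    for h in hosts:
        (testable if in_scope(h, allowed, excluded) else dropped).append(_normalise(h))
    return testable, dropped


if __name__ == "__main__":
    ok, skipped = partition(["dev.target.com", "careers.target.com", "target.com"])
    print("testable:", ok)
    print("excluded:", skipped)
```

Exclusions win over the wildcard on purpose: when a programme lists both, the narrower exclusion is the one that gets your report closed if you ignore it.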
Passive Discovery — crt.sh Certificate Transparency
Certificate transparency logs are public records of every SSL/TLS certificate ever issued for a domain. Every new subdomain deployed with HTTPS gets a certificate logged permanently in these public logs. crt.sh indexes them — completely passive, no rate limits, zero traffic to the target. Run this first on every programme target.
─── Query crt.sh via API (command line) ────────────────────────
curl -s "https://crt.sh/?q=%.target.com&output=json" \
| jq -r '.[].name_value' \ # name_value holds every SAN on the cert, newline-separated; -r prints one per line
| sort -u \
| grep -v '^\*' > crt.txt # strip wildcard entries (*.target.com)
wc -l crt.txt # count unique subdomains found
─── Browser alternative ────────────────────────────────────────
# Visit: https://crt.sh/?q=%.target.com
# Look for dev., staging., internal., admin. patterns immediately
💡 crt.sh reveals historical subdomains. Certificate logs include subdomains from years ago — including decommissioned assets that still respond to HTTP but receive zero monitoring. Forgotten subdomains with outdated software are a consistent source of high-value bug bounty findings. Run crt.sh before any active tool.
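The shell pipeline above does the job, but seeing the same steps in a few lines of Python makes the two subtleties explicit: name_value carries several SAN names separated by newlines, and the same host appears once per certificate renewal. The example below is added here and is not code from the course or from SecurityElites. It parses a constructed sample of crt.sh's JSON output (hypothetical certificates, offline), deduplicates and filters like the pipeline, tags hosts that match the HIGH-VALUE PATTERNS list from earlier in the lesson, and goes one step further than the pipeline by using the not_after field to flag names whose newest certificate has already lapsed, which is the "decommissioned but still answering" case the tip describes.

```python
import json
from datetime import date

# Constructed sample of the JSON crt.sh returns for ?q=%.target.com&output=json
# (hypothetical certificates; the real response has more fields, but the
# pipeline above only needs name_value, and the staleness check adds not_after).
# name_value carries every SAN on the certificate, separated by literal newlines,
# which is why the jq -r | sort -u step above yields one name per line.
SAMPLE_CRT_JSON = json.dumps([
    {"name_value": "www.target.com\ntarget.com", "not_after": "2026-05-01T00:00:00"},
    {"name_value": "*.target.com", "not_after": "2026-05-01T00:00:00"},
    {"name_value": "staging.target.com\nshared.cdnvendor.example", "not_after": "2019-03-01T00:00:00"},
    {"name_value": "API-V2.target.com\napi.target.com", "not_after": "2026-03-01T00:00:00"},
    {"name_value": "www.target.com", "not_after": "2024-05-01T00:00:00"},
    {"name_value": "internal.target.com", "not_after": "2026-02-01T00:00:00"},
])

# The prefixes listed under HIGH-VALUE PATTERNS above, without the trailing dot.
HIGH_VALUE_LABELS = frozenset([
    "dev", "staging", "test", "uat", "internal", "admin",
    "api-v2", "beta", "legacy", "corp", "old", "backup",
])


def parse_crt(raw_json, domain):
    """Mirror the curl | jq | sort -u | grep -v pipeline, with one addition.

    Returns {hostname: latest not_after} for every non-wildcard name under
    `domain`. Names are lower-cased and trailing dots dropped so that
    API-V2.target.com and api-v2.target.com collapse into one entry, and
    SAN names on a shared certificate that belong to other domains are dropped.
    """
    domain = domain.lower()
    latest = {}
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if not name or name.startswith("*"):
                continue                      # same filter as grep -v '^\*'
            if name != domain and not name.endswith("." + domain):
                continue                      # SAN from an unrelated domain
            not_after = entry.get("not_after", "")
            if not_after > latest.get(name, ""):
                latest[name] = not_after      # keep the newest certificate
    return latest


def hostnames(raw_json, domain):
    """The deduplicated, sorted list the shell pipeline writes to crt.txt."""
    return sorted(parse_crt(raw_json, domain))


def flag_high_value(names, domain):
    """Map each hostname to the first label in it that matches a high-value pattern."""
    domain = domain.lower()
    flagged = {}
    for name in names:
        if name == domain:
            continue
        labels = name[: -len(domain) - 1].split(".")   # labels left of the base domain
        hit = next((lab for lab in labels if lab in HIGH_VALUE_LABELS), None)
        if hit:
            flagged[name] = hit
    return flagged


def expired(latest, today_iso):
    """Hostnames whose newest certificate has already expired.

    A name whose last certificate lapsed long ago but which still resolves is
    the forgotten-asset case the tip above describes. ISO 8601 timestamps
    compare correctly as plain strings.
    """
    return sorted(n for n, exp in latest.items() if exp < today_iso)


if __name__ == "__main__":
    found = parse_crt(SAMPLE_CRT_JSON, "target.com")
    for host in sorted(found):
        print(host)
    print("high-value:", flag_high_value(sorted(found), "target.com"))
    print("expired:", expired(found, date.today().isoformat()))
```

To use it against real output, replace SAMPLE_CRT_JSON with the body of the curl request above; everything after that point stays offline. The expired list is a prioritisation hint, not a finding: a lapsed certificate only tells you nobody has renewed it, which is exactly the kind of host worth checking against scope and then against httpx.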
Subfinder — 40+ Passive Sources in One Command
Subfinder by ProjectDiscovery queries over 40 passive sources simultaneously — certificate transparency, DNS databases, Shodan, VirusTotal, search engine indices, and more — and returns a clean, deduplicated list. It is the industry-standard passive subdomain enumeration tool for bug bounty hunters and comes pre-installed on Kali Linux.