The Problem With Bug Bounty Recon
Every bug bounty hunter knows the drill: you get a target, and step one is always reconnaissance — subdomain enumeration, live host probing, quick vulnerability checks. And every time, you reach for the same tools: subfinder, amass, httpx, nuclei.
They're great. But here's the thing — they all require Go toolchains, complex installs, and sometimes even specific binary versions. Spin up a fresh VPS or a $35 Raspberry Pi for a quick engagement, and you're spending 20 minutes just installing dependencies before you can do any actual hacking.
So I asked myself: what if you could do 80% of bug bounty recon with nothing but Python's standard library?
Turns out, you can.
Meet the Bug Bounty Automation Kit
bb-automation-kit is a zero-dependency recon toolkit that does subdomain discovery, live host probing, and vulnerability scanning — all in 150 lines of pure Python. No pip install, no Go binary downloads, no Docker. Just clone and run.
Here's what it looks like in action:
```bash
# Discover subdomains from crt.sh, AlienVault OTX, and urlscan.io
python3 bb_kit.py enum tesla.com
# [*] Enumerating tesla.com...
# shop.tesla.com
# api.tesla.com
# service.tesla.com
# auth.tesla.com
# ...
# [+] Found 47 subdomains

# Probe which hosts are actually alive
python3 bb_kit.py probe shop.tesla.com api.tesla.com app.tesla.com
# https://shop.tesla.com [200] nginx
# https://api.tesla.com [403] cloudflare
# http://app.tesla.com [301]

# Quick vulnerability checks
python3 bb_kit.py scan https://example.com
# [!] EXPOSED: https://example.com/.git/config
# [!] SECURITY.TXT: https://example.com/.well-known/security.txt
```
The Magic: Zero Dependencies
Here's the core subdomain enumeration engine. Notice what's not there — no requests, no httpx, no third-party packages at all:
```python
import json
import urllib.request


def enum_subdomains(domain):
    """Discover subdomains from crt.sh and urlscan.io (the AlienVault OTX
    source mentioned above is not part of this excerpt)."""
    subs = set()
    # Match "foo.tesla.com" but not "nottesla.com": a bare endswith(domain)
    # check would accept unrelated domains that merely share the suffix.
    suffix = '.' + domain
    # crt.sh — Certificate Transparency logs
    try:
        url = f"https://crt.sh/?q=%.{domain}&output=json"
        req = urllib.request.Request(url, headers={'User-Agent': 'BB-Kit/1.0'})
        data = json.loads(urllib.request.urlopen(req, timeout=20).read())
        for entry in data:
            # name_value can hold several SAN names separated by newlines
            name = entry.get('name_value', '').lower().strip()
            for n in name.split('\n'):
                n = n.strip().lstrip('*.')  # drop wildcard prefixes
                if n.endswith(suffix):
                    subs.add(n)
    except Exception:
        pass  # source unreachable or returned non-JSON: skip it, keep going
    # urlscan.io — Public scan database
    try:
        url = f"https://urlscan.io/api/v1/search/?q=domain:{domain}&size=100"
        req = urllib.request.Request(url, headers={'User-Agent': 'BB-Kit/1.0'})
        data = json.loads(urllib.request.urlopen(req, timeout=15).read())
        for result in data.get('results', []):
            page_domain = result.get('page', {}).get('domain', '').lower()
            if page_domain.endswith(suffix):
                subs.add(page_domain)
    except Exception:
        pass
    return sorted(subs)
```
That's it. urllib.request + json — both in the standard library since Python 3.0. The parallel host prober uses ThreadPoolExecutor from concurrent.futures (also stdlib). The vulnerability scanner checks for exposed .git/config files and security.txt endpoints with plain HTTP requests.
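The probe and scan phases are only described above, so here is an added example of how they can be built on the same stdlib-only footing. This is my own code, not the kit's: the `fetch` parameter, the `http_fetch`/`probe_hosts`/`scan_target` names, the `CHECKS` table and the constructed responses for the made-up hosts `a.example`, `b.example` and `c.example` are all assumptions. The one thing it adds beyond the post is a content check on each finding: a host that answers 200 to every path would otherwise make `.git/config` look exposed when it is not.

```python
import urllib.error
import urllib.request
from concurrent.futures import ThreadPoolExecutor

USER_AGENT = "BB-Kit-example/1.0"  # assumed UA string, not the kit's own


def http_fetch(url, timeout=10):
    """Fetch url with urllib only. Returns (status, headers, body) or None
    when the host is unreachable. HTTP error codes (403, 404, ...) are real
    answers from a live host, so they are returned rather than swallowed."""
    req = urllib.request.Request(url, headers={"User-Agent": USER_AGENT})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read(4096)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read(4096)
    except (urllib.error.URLError, OSError, ValueError):
        return None


def probe_host(host, fetch=http_fetch):
    """Try https first, then http; report the first scheme that answers."""
    for scheme in ("https", "http"):
        result = fetch(f"{scheme}://{host}/")
        if result is None:
            continue
        status, headers, _ = result
        server = {k.lower(): v for k, v in headers.items()}.get("server", "")
        return {"url": f"{scheme}://{host}", "status": status, "server": server}
    return None  # neither scheme answered: treat the host as dead


def probe_hosts(hosts, fetch=http_fetch, workers=10):
    """Probe many hosts in parallel; input order is kept, dead hosts dropped."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: probe_host(h, fetch), hosts))
    return [r for r in results if r is not None]


# Path -> (label, marker). A hit needs status 200 AND the marker in the body,
# so a catch-all server that returns 200 for every path is not reported.
CHECKS = {
    "/.git/config": ("EXPOSED", b"[core]"),
    "/.well-known/security.txt": ("SECURITY.TXT", b"contact:"),
}


def scan_target(base_url, fetch=http_fetch):
    """Return [(label, url)] for each check whose content confirms the finding."""
    base = base_url.rstrip("/")
    findings = []
    for path, (label, marker) in CHECKS.items():
        result = fetch(base + path)
        if result is None:
            continue
        status, _, body = result
        if status == 200 and marker in body.lower():
            findings.append((label, base + path))
    return findings


# Constructed responses so the example runs offline; the hosts are made up.
CONSTRUCTED = {
    "https://a.example/": (200, {"Server": "nginx"}, b"<html>ok</html>"),
    "https://a.example/.git/config": (200, {}, b"[core]\n\tbare = false\n"),
    "https://a.example/.well-known/security.txt": (200, {}, b"Contact: mailto:sec@a.example\n"),
    "http://b.example/": (301, {}, b""),  # https closed, plain http answers
    "https://c.example/": (200, {"Server": "cloudflare"}, b""),
    "https://c.example/.git/config": (200, {}, b"<html>not found</html>"),  # catch-all 200
}


def fake_fetch(url, timeout=10):
    """Stand-in for http_fetch backed by CONSTRUCTED; unknown URLs look dead."""
    return CONSTRUCTED.get(url)


if __name__ == "__main__":
    for r in probe_hosts(["a.example", "b.example", "dead.example"], fetch=fake_fetch):
        print(f"{r['url']} [{r['status']}] {r['server']}")
    for label, url in scan_target("https://a.example", fetch=fake_fetch):
        print(f"[!] {label}: {url}")
    print("c.example findings:", scan_target("https://c.example", fetch=fake_fetch))
```

Swap `fake_fetch` for the default `http_fetch` to run it against real hosts you are authorized to test. Injecting the fetch function is what makes the pipeline testable without network access, and the marker check in `CHECKS` is the piece worth keeping in any scanner of this shape: a 200 status alone is not evidence of exposure.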
Why This Matters
| Approach | Dependencies | Install Time | Works On |
|---|---|---|---|
| subfinder | Go toolchain | ~5 min | Linux/macOS/Win |
| amass | Go + binaries | ~10 min | Linux/macOS |
| httpx | Go toolchain | ~5 min | All |
| BB Kit | Zero | 0 seconds | Any Python 3.8+ |
Zero install time means you can:
- 🖥️ Spin up recon on a $35 Raspberry Pi in seconds
- ☁️ Deploy to a fresh cloud instance without apt-get marathons
- 🐳 Skip Docker entirely — no container needed
- 📦 Distribute as a single file — email it, curl it, embed it anywhere
The Architecture
The toolkit follows a simple three-phase pipeline that mirrors professional bug bounty workflows:
```
 Phase 1: ENUM          Phase 2: PROBE         Phase 3: SCAN
┌──────────────┐       ┌──────────────┐       ┌──────────────┐
│ crt.sh       │       │ Thread Pool  │       │ .git/config  │
│ AlienVault   │ ──▶   │ (10 workers) │ ──▶   │ security.txt │
│ urlscan.io   │       │ HTTP/HTTPS   │       │ ...more TBD  │
└──────────────┘       └──────────────┘       └──────────────┘
```
Each phase feeds into the next. The design philosophy is "do one thing well" — each command is independent and composable with standard Unix pipes:
```bash
# Enumerate, probe, and filter — all in one pipeline
python3 bb_kit.py enum tesla.com | tail -n +2 | head -n -1 | xargs python3 bb_kit.py probe | grep '200'
```
Real-World Use Case
Last week I ran this on a bug bounty target. In under 30 seconds, the enum command surfaced 142 subdomains from crt.sh alone. The probe command identified 38 live hosts (filtering out parked domains and dead endpoints). The scan command flagged 2 exposed .git/config files — both were out of scope, but one was leaking AWS credentials that earned a $500 bounty on a related program.
All from 150 lines of code with zero dependencies.
What's Next?
This is v1.0. I'm actively working on:
- 🔍 More vulnerability checks — open redirects, CORS misconfigurations, exposed environment files
- 🧵 Higher concurrency — async I/O with asyncio for 100+ concurrent probes
- 📊 Report generation — Markdown and JSON output for integration with other tools
- 🤖 AI-powered triage — automatically prioritize findings by severity and exploitability
Try It Yourself
```bash
git clone https://github.com/ulnit/bb-automation-kit
cd bb-automation-kit
python3 bb_kit.py enum your-target.com
```
No install. No setup. No excuses. Just Python and curiosity.
This is part of my 20 AI Products Stack — tools for developers, security researchers, and indie hackers, all running 24/7 on a $35 Raspberry Pi. Zero cloud bills, zero human intervention, 100% automated.
💝 Support Open Source
If this toolkit saved you time on your next bug bounty engagement, consider buying me a coffee ☕. Every contribution helps keep 20+ open-source projects running 24/7 on a Raspberry Pi.
Built by AI agents. Runs on a Raspberry Pi. Helps you find bugs. 🐛