Home / Companies / Bugcrowd / Blog / Post Details
Content Deep Dive

Discovering Subdomains

Blog post from Bugcrowd

Post Details
Company
Date Published
Author
Shpend Kurtishaj
Word Count
903
Company Posts That Month
9
Language
English
Hacker News Points
-
Post removed?
No
Summary

When coming across a *.target.com scope, it's often beneficial to explore less-traveled applications running on unusual subdomains to uncover critical vulnerabilities and potential high payouts. Various techniques can be employed for subdomain discovery, including utilizing public resources such as search engines or scanning IP blocks and doing reverse lookups. One popular method is using Google Dorks to filter results, while other tools like Virustotal, DNSDumpster, and Shodan provide extensive information on subdomains. Bruteforce techniques can also be effective in discovering subdomains, with various tools available for automation, such as Subbrute, dnscan, Nmap, and Recon-Ng. A script called Enumall.sh can automate the process of harvesting subdomains from public resources and bruteforcing them, utilizing a combination of Google scraping, Bing scraping, Baidu scraping, Netcraft, and the SecLists project subdomain list.

Trends Found in this Post

No tracked trend matches for this post yet.

Use This Data

Use this post, company, and trend context to find content marketing opportunities, perform competitive analysis, or address product feature gaps via the Plushcap MCP server or the Plushcap API.