Bug Bounty Recon(Part-1)

Aswin Thambi Panikulangara
3 min readMay 31, 2023


In the future world of cybersecurity, bug bounty programs have emerged as a vital tool for organizations to identify and rectify vulnerabilities in their digital infrastructure. If you’re an aspiring bug bounty hunter, ready to embark on a thrilling adventure to find and report security flaws, understanding the crucial first steps of footprinting is essential.

This Article will be explaining my initial recon methods after getting a target for bug bounty hunting. This will be a series where i will be showing some techniques in this part.

Subdomain Enumeration

By mastering the art of subdomain enumeration, bug bounty hunters can gain a deeper understanding of their targets, enabling them to identify and report critical security flaws.

I personally use Subfinder for subdomain enumeration.

subfinder -d google.com -all > subdomain.txt

“-d” Specifies the target domain for which you want to discover subdomains. In this case, it’s set to “google.com.” You can replace it with any domain you want to enumerate.

“-all”: The “-all” flag instructs Subfinder to use all available sources and providers to maximize subdomain discovery. It ensures a comprehensive scan rather than limiting the search to specific sources.

“> subdomain.txt”: The “>” operator redirects the command’s output to a file named “subdomain.txt.” This allows you to capture and store the discovered subdomains in a text file for further analysis.

Here, on executing this i got 11690 results. You can use any tools for subdomain enumeration.

Identifying Active Subdomains And Port Scanning

After finding subdomains of target, the next step i follow is finding active subdomains. ”httpx” can be used to identify active subdomains associated with a target domain. By providing a list of subdomains, it can quickly determine which ones are reachable, helping to build a comprehensive picture of the target’s attack surface. Also, The tool enables scanning of specific ports on discovered subdomains, allowing for a deeper understanding of the services running on those ports. This information can be critical for identifying potential vulnerabilities or misconfiguration.

httpx -l subdomains.txt -ports 80,8080,8000,8888 -threads 200 > subdomains_alive.txt

“-l” Specifies the input file containing a list of subdomains that you want to scan. Make sure to replace “subdomains.txt” with the actual filename or path of your subdomain list.

“-ports 80,8080,8000,8888” Specifies the list of ports to scan for HTTP services. In this case, the command is configured to scan ports 80, 8080, 8000, and 8888. Modify the port list according to your requirements.

“-threads 200” Sets the number of concurrent threads to use during the scanning process. The value of 200 indicates that 200 threads will be used simultaneously to speed up the scanning process. You can adjust this value based on your system resources and network bandwidth.


This helped me to find multiple open dashboards and login pages with default credentials. Also, this will make the attack surface more wider for us to do bug bounty.

One of the findings in a program. They send me a T-shirt and Stickers as swag.

The next series will be explaining more techniques I usually use for bug bounty hunting. Thank you and Follow for more.

You can now Buy me a coffee:)