Automating Subdomain Enumeration to Discover Critical Vulnerabilities

Shubham Tiwari
3 min read · Sep 15, 2024


Hello, I’m Shubham Tiwari, commonly known as Rooter in the cybersecurity space. Today, I’m going to share how I identified a critical vulnerability using automated tools and earned a bounty of $3000 on a target, example.com. While the term critical can vary based on individual perspectives, here’s the exact process I followed, along with the commands used.

Step 1: Subdomain Enumeration

The first step in bug bounty hunting is to discover all possible subdomains of the target. For this, I used two highly effective tools: Subfinder and Amass.

  • Subfinder: This tool helps in passive subdomain discovery.
  • Amass: Another powerful tool for enumerating subdomains.

Commands:

subfinder -d example.com -o subdomains.txt
amass enum -passive -d example.com -o amass_subdomains.txt

These commands saved the discovered subdomains into subdomains.txt and amass_subdomains.txt, respectively.

Step 2: HTTP Probing with HTTPX

After gathering the subdomains, the next step was to identify which ones were live. I used HTTPX to check the status of these subdomains.

Command:

httpx -l subdomains.txt -o live_subdomains.txt

This command quickly checked for live HTTP(S) services on the discovered subdomains and saved the results to live_subdomains.txt.
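Step 1 produces two files and Step 2 probes only one of them, so a small merge step is useful before running HTTPX. The script below is an added example, not the author's tooling: it normalizes the hostnames from both tools (lowercase, trailing dots and wildcard prefixes removed), drops duplicates, and keeps only names inside the program's scope domain so that look-alike or out-of-scope hosts never reach the later steps. The file names subdomains.txt and amass_subdomains.txt come from the article; the sample data and the output file all_subdomains.txt are assumptions made here.

```python
"""Merge Subfinder and Amass output into one in-scope, deduplicated list.

Added example, not the author's code. Reads subdomains.txt and
amass_subdomains.txt when present, otherwise falls back to the
constructed sample data below.
"""
import os
import sys

# Constructed sample output standing in for the two tool result files.
SAMPLE_SUBFINDER = """\
www.example.com
API.example.com
dev.example.com.
www.example.com
"""
SAMPLE_AMASS = """\
api.example.com
*.staging.example.com
mail.example.com
example.com.evil-lookalike.net
notexample.com
"""


def normalize_host(line: str) -> str:
    """Lowercase, strip whitespace, trailing dot and a leading wildcard label."""
    host = line.strip().lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    return host


def in_scope(host: str, scope_domain: str) -> bool:
    """True only for the apex itself or a real subdomain of it (dot-boundary check)."""
    scope_domain = scope_domain.lower().strip(".")
    return host == scope_domain or host.endswith("." + scope_domain)


def merge_subdomains(sources, scope_domain):
    """Return a sorted, deduplicated list of in-scope hosts from several text blobs."""
    seen = set()
    for text in sources:
        for line in text.splitlines():
            host = normalize_host(line)
            if not host or host.startswith("#"):
                continue
            if in_scope(host, scope_domain):
                seen.add(host)
    return sorted(seen)


def main(argv):
    scope = argv[1] if len(argv) > 1 else "example.com"
    sources = []
    for path in ("subdomains.txt", "amass_subdomains.txt"):
        if os.path.exists(path):
            with open(path, encoding="utf-8") as fh:
                sources.append(fh.read())
    if not sources:
        sources = [SAMPLE_SUBFINDER, SAMPLE_AMASS]
    merged = merge_subdomains(sources, scope)
    with open("all_subdomains.txt", "w", encoding="utf-8") as fh:
        fh.write("\n".join(merged) + "\n")
    print(f"{len(merged)} in-scope hosts written to all_subdomains.txt")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python merge_subdomains.py example.com` and then point HTTPX at all_subdomains.txt instead of subdomains.txt. The dot-boundary check in in_scope matters: a plain suffix match would accept a host such as notexample.com.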

Step 3: URL Crawling with waybackurls, Go, and Katana

Once I had the live subdomains, I crawled them to extract URLs that could have vulnerabilities. I used a combination of tools: waybackurls, Go, and Katana to gather potential attack points.

Commands:

katana -u https://example.com -o urls.txt
cat live_subdomains.txt | waybackurls > waybackurls.txt

Waybackurls gathers archived URLs from the Wayback Machine, while Katana performs deeper crawling to discover potential attack surfaces.
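Archived and crawled URL lists overlap heavily and contain many variants of the same endpoint that differ only in parameter values, which inflates the scan in Step 4. The script below is an added example, not the author's code: it collapses URLs that share a host, path and set of parameter names, drops static assets and out-of-scope hosts, and separates the parameterized endpoints from the rest. The file names urls.txt and waybackurls.txt are the article's; the sample URLs and the helper names are assumptions made here.

```python
"""Deduplicate crawled URLs by endpoint shape (host + path + parameter names).

Added example, not the author's code. Reads urls.txt and waybackurls.txt
when present, otherwise uses the constructed sample lines below.
"""
import os
import sys
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Constructed sample lines standing in for waybackurls / katana output.
SAMPLE_URLS = """\
https://www.example.com/search?q=shoes&page=1
https://www.example.com/search?page=2&q=bags
https://WWW.example.com/assets/app.js
http://dev.example.com/view?file=report.pdf#top
https://dev.example.com/view?file=invoice.pdf
https://cdn.othersite.net/track?id=1
https://www.example.com/about
"""

# Extensions that are almost never worth sending to a vulnerability scanner.
STATIC_EXT = {".js", ".css", ".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico", ".woff", ".woff2"}


def in_scope(host: str, scope_domain: str) -> bool:
    scope_domain = scope_domain.lower().strip(".")
    return host == scope_domain or host.endswith("." + scope_domain)


def url_key(url: str):
    """Endpoint identity: host, path and the sorted parameter names (values ignored)."""
    parts = urlsplit(url.strip())
    names = tuple(sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}))
    return (parts.hostname or "", parts.path or "/", names)


def dedupe_urls(lines, scope_domain):
    """Keep the first in-scope, non-static URL seen for each endpoint shape."""
    seen = set()
    kept = []
    for line in lines:
        url = line.strip()
        if not url:
            continue
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme not in ("http", "https") or not in_scope(host, scope_domain):
            continue
        if os.path.splitext(parts.path)[1].lower() in STATIC_EXT:
            continue
        key = url_key(url)
        if key in seen:
            continue
        seen.add(key)
        # Fragments are never sent to the server, so drop them from the kept URL.
        kept.append(urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, "")))
    return kept


def parameterized(urls):
    """Only the URLs that carry a query string, i.e. endpoints that take input."""
    return [u for u in urls if urlsplit(u).query]


def main(argv):
    scope = argv[1] if len(argv) > 1 else "example.com"
    lines = []
    for path in ("urls.txt", "waybackurls.txt"):
        if os.path.exists(path):
            with open(path, encoding="utf-8") as fh:
                lines.extend(fh.read().splitlines())
    if not lines:
        lines = SAMPLE_URLS.splitlines()
    unique = dedupe_urls(lines, scope)
    with open("unique_urls.txt", "w", encoding="utf-8") as fh:
        fh.write("\n".join(unique) + "\n")
    print(f"{len(unique)} unique endpoints, {len(parameterized(unique))} with parameters")


if __name__ == "__main__":
    main(sys.argv)
```

Because the key ignores parameter values and the scheme, the two search URLs and the two view URLs each collapse to one entry, which is what you want before handing the list to a template-driven scanner.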

Step 4: Vulnerability Scanning with Nuclei

Next, I used Nuclei to scan the URLs for vulnerabilities. Instead of relying only on default templates, I used custom Nuclei templates that I had previously created, stored in /opt/rooter/. This was key to finding a Local File Inclusion (LFI) vulnerability.

Command:

nuclei -l live_subdomains.txt -t /opt/rooter/custom_templates/ -o nuclei_report.txt

This command ran Nuclei using my custom templates and output the results to nuclei_report.txt.

Step 5: Vulnerability Verification

After the automated scan, I manually verified the vulnerability by exploiting the LFI using standard file inclusion payloads, confirming that sensitive server files could be accessed through the vulnerable endpoint.

Step 6: Reporting and Reward

After confirming the LFI vulnerability, I submitted it through the target’s bug bounty program. The vulnerability was validated quickly, and I received a bounty of $3000.

Conclusion

Automation is a powerful tool in the world of bug bounty hunting. By using tools like Subfinder, HTTPX, Waybackurls, Katana, and Nuclei, I was able to identify a critical vulnerability that might have been missed during manual testing. This approach not only saves time but also increases accuracy in finding hidden security flaws.

Best regards,
Shubham Tiwari (Rooter)

Connect with Shubham via:
- Email: shubhamrooter@gmail.com
- LinkedIn: https://www.linkedin.com/in/shubham-tiwari09
- Twitter: https://twitter.com/shubhamtiwari_r

Happy bug hunting! 🐞✨
