Bug Bounty — Hacking with Subfinder the Right Way!

hak2sk00l
Bug Bounty Hunter
7 min read · Aug 29, 2023

For Educational Purposes Only. Are you using subfinder to its full potential to find all possible subdomains on your targets? The more hidden subdomains you find (in particular, the ones that others don’t find), the better your chance of finding a bug that could lead to you collecting a bounty!

Today you will learn how to:

  • run ‘subfinder’ against a real target
  • get your own passive source API keys
  • add your API keys to a config file to find more subdomains
  • enable recursion to find even more subdomains on the subdomains ‘subfinder’ finds
  • remove wildcards and ‘dead’ domains

In this article, I will describe how I use subfinder in the cloud on a virtual private server (VPS) to find more subdomains. To follow along and run the commands in this tutorial without issue, it would be best to set up your own VPS, which you can do quite easily using the step-by-step guide found HERE.

Subfinder is brought to you by the extremely generous and talented folks over at ProjectDiscovery, with, of course, contributions from the hacker community. It is a fast and stealthy command-line tool that uses passive sources (meaning it does not directly connect to your target) to find subdomains (fancily known as “enumeration” in Ethical Hacking/Bug Bounty circles).
