You, with your new subdomain scanner, literally punching clean through a laptop because you’re so awesome.

Sub-domain takeovers are all the rage in the bug bounty scene at the moment. You’ve probably heard about some bug bounty legends who are raking in the dough because they’ve managed to set up an automated sub-domain takeover scanner, if you haven’t, Google “Frans Rosén”. I’m going to let you in on a secret, it’s not as hard as it sounds.

Using a couple of free tools and some dodgy ghetto bash scripts, we can slap together our own poor-man’s version in under 5 minutes. Strap-in!

Gathering Wildcard Domains

First things first! We need to get a list of all the wildcard domains from all the public bug bounty programs on Bugcrowd and HackerOne. This sounds much harder than it is. You see, it would be hard, but someone has already done it for us (shoutout to arkadiyt). Fire up Kali, and run these commands:



mkdir subdomain_takeover;

cd subdomain_takeover;

git clone cd ~;mkdir subdomain_takeover;cd subdomain_takeover;git clone https://github.com/arkadiyt/bounty-targets-data

To view the wildcard domains simply run:

cat ./bounty-targets-data/data/wildcards.txt

This list is fairly exhaustive, and it’s updated hourly.

Enumerating Sub-domains

Sure, there’s a gazillion ways to enumerate sub-domains, but I’ve had the most success with a tool called subfinder. This tool is written by two of my internet mates, ice3man543 and codingo. To install it simply run the following commands:

apt install golang;

go get github.com/subfinder/subfinder;

This app will also require API keys from a bunch of different services, go ahead and sign up for free accounts at the following services:

Once you’ve signed up, go ahead and edit /root/.config/subfinder/config.json to contain the appropriate API keys, usernames and passwords.

Now, to enumerate sub-domains from all the wildcard targets, copy/pasta the following atrocity into your terminal:

localdir=`pwd`;

cd ~/subdomain_takeover/bounty-targets-data/;

git pull;

cd $localdir;

cp ~/subdomain_takeover/bounty-targets-data/data/wildcards.txt ./; cat wildcards.txt | sed 's/^*.//g' | grep -v '*' > wildcards_without_stars.txt;

while read host;

do file=$host && file+="_subfinder.out";

~/go/bin/subfinder -o $file -d $host;

done < ./wildcards_without_stars.txt

Like I said earlier, we are dealing with my own hacky bash ghetto voodoo programming here, don’t judge. You see, my programming skill lends itself more to the “if it works, we’re cool” approach. The code above will basically run subfinder on every wildcard domain included in the wildcards.txt file which we pulled down from GitHub earlier. It will take a very long time, depending on your internet connection, maybe 5 hours or more.

Last time I ran this script, I let it run overnight and woke up to 261873 sub-domains. Cha-ching. A word of warning though; the domains in the repository along with the sub-domains you’ve just enumerated are not necessarily in scope. Make sure you read the actual program on Bugcrowd or HackerOne to check the scope and rules before you start attacking anything.

Checking the Enumerated Sub-domains for Takeovers

Now we will use a tool called “Subover” written by the same folk as Subfinder. Subover is a tool which checks whether sub-domains are vulnerable to sub-domain takeovers. Installing the tool is as easy as running:

go get github.com/Ice3man543/SubOver

Using the Bash script below, we will run this tool on every sub-domain which we have enumerated.

cat ./*.out > all_subdomains.lst;

~/go/bin/SubOver -l ./all_subdomains.lst -timeout 5 -o subover.out;

This will also take an extremely long time, over 5 hours depending on your internet connection.

Streamlining the process

That’s it really, you have all the steps you need to enumerate every public bug bounty subdomain on Bugcrowd and HackerOne, then check if they’re vulnerable to subdomain takeovers. We can streamline this whole process in to two simple bash scripts.

The first bash script will set up the necessary tools and folder structure in Kali, you should only need to run this once:



cd ~/subdomain_takeover;

git clone

apt install golang;

go get github.com/subfinder/subfinder;

go get github.com/Ice3man543/SubOver; mkdir ~/subdomain_takeover;cd ~/subdomain_takeover;git clone https://github.com/arkadiyt/bounty-targets-data apt install golang;go get github.com/subfinder/subfinder;go get github.com/Ice3man543/SubOver;

The second bash script can be run as often as you like, it will re-enumerate all the sub-domains, then check them all to see if they’re vulnerable to takeovers:

cd ~/subdomain_takeover/bounty-targets-data/;

git pull;

cd ~/subdomain_takeover;

cp ~/subdomain_takeover/bounty-targets-data/data/wildcards.txt ./; cat wildcards.txt | sed 's/^*.//g' | grep -v '*' > wildcards_without_stars.txt;

while read host;

do file=$host && file+="_subfinder.out";

~/go/bin/subfinder -o $file -d $host;

done < ./wildcards_without_stars.txt;

cat ./*.out > all_subdomains.lst;

~/go/bin/SubOver -l ./all_subdomains.lst -timeout 5 -o subover.out;

Putting it on Auto-Pilot

If you want to go even more hardcore-Franz-Rosén style, you could schedule this script every 12 hours with a cronjob and email yourself the output using the “mail” command or something similar. Maybe I’ll save that for my next article.

Get More Top Notch Hacking Tips

Y’know, I really enjoy writing hacking articles. I make a lot of new internet mates, and I learn a lot too. If you want to get more hacking tips and be my internet mate, put your email in below and follow me on Twitter.