When it comes to bug bounty hunting, one of the most important things to do is to gather as much information as possible about your target website. This can include understanding the architecture of the website, identifying all of the subdomains, and scanning for potential vulnerabilities. In this document, we will explore some of the most useful tools for subdomain enumeration, live subdomain checking, subdomain flyovers, port scanning, vulnerability scanning, and targeted scanning.
1. Subdomain Enumeration with Sublist3r
Sublist3r is a powerful tool that can help you collect subdomains of your target website. It does so by scraping various web sources and also using other tools like SubBrute and DNSdumpster. You can use it to create a comprehensive list of subdomains for your target website.
To install Sublist3r, you need to follow some simple steps. First, install python-pip using the following command:
bash
sudo apt-get install python-pip
Next, clone the Sublist3r repository using the following command:
bash
git clone <https://github.com/aboul3la/Sublist3r.git>
Then, navigate to the Sublist3r directory using the following command:
bash
cd Sublist3r
Finally, install the required packages using the following command:
bash
sudo pip install -r requirements.txt
To use Sublist3r at its full potential, you can use different switches. For example, you can specify the use of engines (like Google, Bing, etc.) with the -e switch or enable the use of brute force with the -b switch. Here is an example command to use Sublist3r:
bash
python sublist3r.py -d example.com -e google,bing -b
2. Checking Live Subdomains with httprobe
Httprobe is a tool written in Go that probes for working HTTP and HTTPS servers from a list of domains. You can use it to check which subdomains are live and running.
To install httprobe, you need to follow some simple steps. First, install golang-go using the following command:
bash
sudo apt-get install golang-go
Next, install httprobe using the following command: