From domain discovery to attack surface mapping — a realistic guide with real commands.

Why This Guide?

Most beginners dive into bug bounty hunting without a structured plan. This guide is designed as a ready-to-use reference for hunters — with practical commands, actual tool usage, and step-by-step explanations.

We focus purely on reconnaissance and asset discovery — the foundation of every bug bounty workflow.

Target for this guide: example.com

Step 1: Subdomain Enumeration

Finding subdomains expands your attack surface.

Using Sublist3r

sublist3r -d example.com -o subdomain1.txt
  • Scans using Sublist3r, collecting subdomains.
  • Saves results into subdomain1.txt.

Count How Many Found:

cat subdomain1.txt | wc -l

Using Subfinder

subfinder -d example.com -v -o subdomain2.txt
  • -v for verbose mode (shows progress).
  • Stores found subdomains in subdomain2.txt.

Count:

cat subdomain2.txt | wc -l

Using Chaos

chaos -d example.com -v > subdomain3.txt
  • chaos queries Project Discovery's Chaos DB for known subdomains.
  • Results go into subdomain3.txt.

Step 2: Merging Subdomains

cat subdomain1.txt subdomain2.txt subdomain3.txt > subfinal.txt

This combines all subdomain lists into one.

Check total count:

cat subfinal.txt | wc -l

Removing Duplicates

This ensures each subdomain appears only once.


sort subfinal.txt | uniq > subuniq.txt

Count unique subdomains:

cat subuniq.txt | wc -l

Step 3: Checking Live Subdomains

Use httpx to check which subdomains are actually online:

cat subuniq.txt | httpx-toolkit > subdomainlive.txt

Count live targets:

cat subdomainlive.txt | wc -l

This filters out offline/non-resolving domains.

Step 4: GitHub Recon (Secrets Hunting)

Using GitDorker to hunt sensitive information leaked in GitHub:

python3 GitDorker.py -d Dorks/medium_dorks.txt -tf tf/TOKENSFILE -q example.com -lb
  • -d: File with GitHub dorks.
  • -tf: File containing your GitHub tokens.
  • -q: Target domain.
  • -lb: Less banner (clean output).

GitHub often reveals API keys, credentials, configs.

Step 5: Directory Brute Forcing

Use Dirsearch to find hidden directories or sensitive files:

dirsearch -u https://example.com -e php,html,txt,log,conf,sql,json,xml,zip,rar,db,ini,backup -t 20 --random-agent --recursive -R 3 --exclude-status=404 --follow-redirects --delay=0.1

Explanation:

  • -e: Extensions to brute force.
  • -t: Threads.
  • --random-agent: Evade basic WAFs.
  • -R: Recursion depth.
  • --delay: Optional throttle for stealth.

Step 6: JavaScript & Endpoint Discovery

Using katana:

Find JS Files from a Single Domain:

katana -u https://example.com -jc | grep ".js$"

From Subdomains List:

katana -list subfinal.txt -jc | grep ".js$" | uniq | sort > jsfiles.txt

Collects JS files across all discovered subdomains.

Deep URL Collection:

katana -u https://example.com -d 5 -ps -pss waybackarchive,commoncrawl,alienvault -hf -jc -fx -ef woff,css,png,jpg,jpeg,gif,svg -o allurls.txt
  • Depth: 5
  • Sources: waybackarchive, commoncrawl, alienvault
  • Excludes static file extensions.

Step 7: Sensitive Files Hunting in Collected URLs

Filter collected URLs for sensitive files:

cat allurls.txt | grep -E "\.txt|\.log|\.cache|\.secret|\.db|\.backup|\.yml|\.json|\.gz|\.rar|\.zip|\.config"

JS files specifically:

cat allurls.txt | grep -E "\.js$" > js.txt

Step 8: Vulnerability Scanning Using Nuclei

Using the powerful nuclei to scan URLs for vulnerabilities:

cat js.txt | nuclei -t /home/kali/.local/nuclei-templates/ -severity critical,high,medium

Similarly:

cat allurls.txt | gf lfi | nuclei -tags lfi

Use GF patterns (gf lfi, gf xss) to find vulnerability patterns in URLs.

Step 9: Wayback URLs for Historical Endpoints

Collect historical URLs from Wayback Machine:

waybackurls https://example.com

Apply GF patterns to find XSS endpoints:

waybackurls https://example.com | gf xss

Why This Approach Works

  • Multiple tools for subdomain enumeration reduce blind spots.
  • De-duplication and live check focus only on active assets.
  • Deep directory and file fuzzing exposes sensitive data.
  • GitHub recon finds secrets and misconfigurations.
  • JS file analysis and historical URLs reveal hidden APIs.
  • Automated vulnerability scanning with Nuclei detects real-world issues fast.

This step-by-step process provides a complete attack surface map of your target — the most important step before testing for actual vulnerabilities.

Conclusion

Bug bounty hunting is recon-heavy. Automation combined with manual analysis uncovers more bugs — and earns more bounties.

With this workflow:

  • You'll never miss a subdomain.
  • You'll discover forgotten endpoints.
  • You'll identify vulnerable JS files and sensitive URLs.
  • And you'll have a ready-to-attack surface for deeper exploitation.