How can I automate recon and detect subdomain takeovers using tools like Amass, Subfinder, and Nuclei?
Subdomain takeovers are a high-severity issue in bug bounty and security assessments. By automating reconnaissance using tools like Amass, Subfinder, and Nuclei, security researchers can systematically uncover abandoned DNS entries pointing to unclaimed services. These tools streamline subdomain enumeration, vulnerability scanning, and takeover detection—making the process scalable across large attack surfaces. This guide shows how a hacker combined automation and intelligence to identify 30+ vulnerable subdomains.

Table of Contents
- What is a Subdomain Takeover?
- Why Automate Recon?
- Step-by-Step Breakdown of My Automated Recon Workflow
- Tools I Used
- Key Takeaways
- Conclusion
- Frequently Asked Questions (FAQs)
In today’s bug bounty landscape, automation is key to staying ahead. As programs grow and scope widens, manual recon becomes time-consuming and inefficient. In this blog, I’ll walk you through how I automated my recon process using open-source tools and custom scripts—and how it led me to discover over 30 subdomain takeover vulnerabilities. These findings not only helped organizations patch critical issues but also earned me significant bug bounty rewards.
What is a Subdomain Takeover?
A subdomain takeover occurs when a subdomain (like blog.example.com) points to an external service (e.g., GitHub Pages, Heroku, AWS) that is no longer in use. If the service is unclaimed, an attacker can register it and gain control of the subdomain, potentially launching phishing attacks or hosting malicious content.
Why Automate Recon?
Manual subdomain enumeration and validation can take hours, if not days. By automating the process, I was able to:
- Continuously scan targets in scope.
- Identify unclaimed third-party services.
- Cross-check for known takeover signatures.
- Reduce noise with smart filters.
Step-by-Step Breakdown of My Automated Recon Workflow
1. Domain Enumeration using Subfinder and Amass
The first step was to gather as many subdomains as possible. I used tools like:
- Subfinder – Fast passive subdomain discovery
- Amass – Deep enumeration including brute-force and passive methods
subfinder -d example.com -o subdomains.txt
amass enum -passive -d example.com -o amass_subs.txt
cat subdomains.txt amass_subs.txt | sort -u > all_subs.txt
2. Live Subdomain Detection with HTTPX
To check which subdomains were live, I used httpx:
cat all_subs.txt | httpx -silent -status-code -title -tech-detect > live_subs.txt
This filtered out dead endpoints and gave me titles, HTTP status codes, and technology stack information.
3. Takeover Fingerprint Matching with Nuclei
Now that I had live subdomains, I scanned them for takeover vulnerabilities using Nuclei with its subdomain takeover templates (selected by the takeover tag, since the templates repository has no cves/subdomain-takeover path):
nuclei -l live_subs.txt -tags takeover -o nuclei_results.txt
Nuclei has great community-powered templates that identify services vulnerable to takeover—like GitHub Pages, AWS S3, Bitbucket, and Heroku.
4. Automation with Bash & Cron Jobs
To automate the entire workflow, I wrote a bash script and set it on a daily cron job. Every morning, I would get a fresh report in my inbox with potential takeovers.
#!/bin/bash
# Daily recon: enumerate, merge, probe for live hosts, fingerprint, write a dated report.
set -euo pipefail
TARGET=example.com
DATE=$(date +%Y-%m-%d)
subfinder -silent -d "$TARGET" -o subs1.txt
amass enum -passive -d "$TARGET" -o subs2.txt
sort -u subs1.txt subs2.txt > all_subs.txt
httpx -silent -l all_subs.txt -o live.txt
nuclei -silent -l live.txt -tags takeover -o "report_$DATE.txt"
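The Resolve, Probe and Match-fingerprints steps of this workflow as an added Python example (not the author's script): it confirms that each host's CNAME target still resolves and then matches an illustrative provider fingerprint against the HTTP body, which is also the layered validation the "How do I avoid false positives?" FAQ describes. The DNS and HTTP lookups are injected callables fed from constructed sample data so it runs offline; the hostnames and marker strings are assumptions for illustration, not values from the page.

```python
from typing import Callable, Optional
# Illustrative marker strings a provider serves for an unclaimed resource,
# keyed by CNAME suffix (the idea nuclei's takeover templates encode).
FINGERPRINTS = {
    "github.io": "There isn't a GitHub Pages site here",
    "herokuapp.com": "No such app",
    "s3.amazonaws.com": "NoSuchBucket",
}

def triage(host: str, resolve: Callable[[str], Optional[str]],
           fetch: Callable[[str], Optional[str]]) -> tuple:
    """Returns (verdict, cname). resolve(name) gives the CNAME target, None for
    a plain A record, and raises LookupError on NXDOMAIN; fetch(host) gives a
    body or None. Layers: resolve host, confirm target exists, match body."""
    try:
        cname = resolve(host)
    except LookupError:
        return "nxdomain", None          # stale name in our list, not a takeover
    if cname is None:
        return "no-cname", None          # A record only: out of scope for this check
    try:
        resolve(cname)
    except LookupError:
        return "dangling-nxdomain", cname  # target hostname is gone: remove/fix the record
    for suffix, marker in FINGERPRINTS.items():
        if cname.endswith(suffix):
            body = fetch(host) or ""
            return ("fingerprint-match" if marker in body else "ok"), cname
    return "ok", cname                   # provider not in the table: manual review

# Constructed sample DNS and HTTP views standing in for real dig/httpx output.
SAMPLE_DNS = {
    "blog.example.com": "acme.github.io", "acme.github.io": None,
    "shop.example.com": "live.herokuapp.com", "live.herokuapp.com": None,
    "app.example.com": "dead.cloudapp.net",   # target absent => NXDOMAIN
    "www.example.com": None,
}
SAMPLE_HTTP = {
    "blog.example.com": "<h1>There isn't a GitHub Pages site here.</h1>",
    "shop.example.com": "<html>Welcome to the store</html>",
}

def sample_resolve(name: str) -> Optional[str]:
    if name not in SAMPLE_DNS:
        raise LookupError(name)
    return SAMPLE_DNS[name]

def run_sample() -> dict:
    hosts = ("blog.example.com", "shop.example.com", "app.example.com", "www.example.com")
    return {h: triage(h, sample_resolve, SAMPLE_HTTP.get)[0] for h in hosts}
```

A dangling-nxdomain or fingerprint-match verdict is what should trigger removal of the DNS record on the defending side, or a report on the hunting side.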
Real-World Impact: 30+ Valid Takeovers
Using this setup across multiple bug bounty programs, I was able to:
- Find misconfigured GitHub Pages, where the repo was deleted but the DNS record was still active.
- Identify Heroku apps no longer deployed but DNS still pointed.
- Catch abandoned AWS S3 buckets exposing corporate branding.
One of my highest rewards came from a finance-based platform where I gained control over their help subdomain (support.example.com) that still pointed to an unclaimed Freshdesk instance. This led to a $1500 bounty.
Tools I Used
| Tool | Purpose |
|---|---|
| Subfinder | Fast passive subdomain discovery |
| Amass | In-depth subdomain enumeration |
| HTTPX | Alive check & technology detection |
| Nuclei | Vulnerability scanning with templates |
| Bash | Script automation |
| Cron | Scheduled daily recon |
Key Takeaways
- Automation lets you scale recon across multiple targets.
- Subdomain takeovers are low-hanging fruit if you know where to look.
- Combine passive enumeration with smart filtering for best results.
- Nuclei is a powerful tool for matching takeover fingerprints.
Conclusion
Recon doesn’t need to be a slow, manual process. With the right tools and automation, you can run scalable, efficient, and continuous subdomain discovery—boosting your chances of finding valid bugs. This method has helped me not only discover over 30 takeovers but also gain recognition and payouts from top platforms.
If you're into bug bounty hunting or just looking to harden your organization’s cloud footprint, automating your recon is the smartest move you can make.
FAQs
What is a subdomain takeover?
A subdomain takeover happens when a subdomain points to a service (like AWS S3 or GitHub Pages) that has been deleted or unclaimed, allowing an attacker to claim it and serve malicious content.
How can I detect subdomain takeovers?
You can use tools like Subfinder and Amass to find subdomains, then verify their status using HTTP responses or fingerprints with tools like Nuclei or Takeover.sh.
What tools are best for automated subdomain reconnaissance?
Popular tools include Amass, Subfinder, Assetfinder, and Nuclei for scanning and template-based detection.
What services are commonly involved in takeovers?
AWS S3, GitHub Pages, Heroku, Azure Blob Storage, and Shopify are frequently misconfigured and susceptible to takeovers.
How does Nuclei help in finding takeover vulnerabilities?
Nuclei uses templates to scan for known fingerprints of vulnerable services, making it easy to identify misconfigured or orphaned domains.
Is subdomain takeover still a valid bug bounty vector in 2025?
Yes, it remains one of the top misconfiguration issues targeted by bounty hunters globally.
What is the role of DNS in subdomain takeovers?
Incorrect DNS configurations, such as CNAMEs pointing to decommissioned services, are the root cause of subdomain takeover vulnerabilities.
Can automation reduce manual recon effort?
Absolutely. Automation using bash scripts, cron jobs, and recon tools significantly reduces time spent on repetitive tasks.
What is a good workflow for subdomain takeover hunting?
Enumerate → Resolve → Probe → Match fingerprints → Verify takeover status → Report.
Can I get paid for finding subdomain takeovers?
Yes. Bug bounty platforms like HackerOne and Bugcrowd offer payouts for responsibly disclosed takeovers.
Is Amass better than Subfinder?
Amass offers deeper DNS mapping, while Subfinder is faster. Many hunters use both together.
What is the importance of HTTP response codes in recon?
They help identify potential takeovers by highlighting unreachable or error-responding hosts (for example an HTTP 404 from the provider, or a CNAME target that returns NXDOMAIN at the DNS layer).
Should I run recon continuously?
Yes. Set up periodic scans using cron or GitHub Actions to keep recon updated.
What are signs of a successful takeover?
Custom error messages, service-specific headers, and takeover template matches indicate a vulnerable subdomain.
How can I automate alerts for newly vulnerable subdomains?
Integrate Nuclei output with Slack/Discord or use services like Shodan/Graylog for real-time alerts.
What is DNS monitoring?
It involves tracking DNS record changes to catch abandoned entries early.
How do I avoid false positives?
Use multiple validation layers—resolve DNS, probe with HTTP tools, and verify with service-specific fingerprints.
Can subdomain takeover lead to full account compromise?
Yes. If the subdomain hosts login pages or receives OAuth callbacks, it could allow phishing or session hijacking.
What are custom Nuclei templates?
These are user-written rules for specific vulnerabilities not yet in the official Nuclei template repo.
What scripting language is best for recon automation?
Python and Bash are widely used due to their simplicity and tool integration.
What platforms help manage recon?
ProjectDiscovery's Chaos, GitHub Actions, and SecurityTrails are popular for large-scale monitoring.
How does asset inventory help in bug hunting?
It gives a complete map of an organization’s exposed infrastructure, increasing takeover discovery rates.
Can I use GitHub for storing recon data?
Yes, with private repos and encrypted secrets, GitHub is a safe and collaborative place for recon storage.
What is HTTPx?
HTTPx is a tool that checks live status, redirects, and content-type—useful in takeover detection.
Should I use VPS or local machine for recon?
Use VPS for scalability and persistence, especially when running scripts 24/7.
Can I get rate-limited during recon?
Yes. Use rate control, proxy rotation, and retry logic to avoid bans.
How do I responsibly disclose subdomain takeovers?
Use the company’s vulnerability disclosure policy or platforms like HackerOne, and avoid exploiting the vulnerability.
What is the common bounty range for subdomain takeovers?
Payouts vary from $100 to $10,000+ depending on the impact and affected service.
What if I find a government subdomain takeover?
Report immediately to the national CERT or relevant authority—do not attempt to exploit it.
Are there any legal risks in scanning?
Recon is legal if done passively or with permission. Avoid intrusive scanning without scope.