Post

Subdomain Recon Script: combining chaos, subfinder, amass and more

Posted
recon_subdomains logo
recon_subdomains logo
By adperem
2 min read
Subdomain Recon Script: combining chaos, subfinder, amass and more

πŸ” Introduction

Subdomain enumeration is a critical phase in reconnaissance. Automating it helps reduce time, avoid missing assets, and maintain consistency.
In this post, we break down each tool and API used in our subdomain recon script. You can find the full script here.

βš™οΈ Tools & APIs used

chaos

Chaos is a fast subdomain enumeration tool using ProjectDiscovery’s Chaos dataset. Useful for quickly fetching known subdomains.

1

chaos -d example.com -silent

subfinder

Subfinder gathers passive subdomains using public sources like VirusTotal, crt.sh, etc.

1

subfinder -d example.com --all --recursive -silent

httpx

A fast HTTP toolkit used to check live hosts.

1

httpx -l domains.txt -silent -status-code

alterx

Enhances wordlist-based recon by generating permutations and probing.

1

alterx -pp word=subdomains.txt -silent | httpx -silent

assetfinder

Fetches subdomains from public sources like domains indexed by search engines.

1

assetfinder --subs-only example.com

amass

Used in both passive and active modes for extensive subdomain enumeration.

1
2

amass enum -passive -d example.com
amass enum -active -d example.com

github-subdomains

Finds subdomains exposed in GitHub repositories. Requires a GitHub token.

1

github-subdomains -d example.com -t $GITHUB_TOKEN

crt.sh

Uses the Certificate Transparency logs to fetch subdomains.

1

curl -s "https://crt.sh?q=example.com&output=json" | jq -r '.[].name_value'

Wayback Machine

Gets historical URLs indexed by the Internet Archive.

1

curl -s "http://web.archive.org/cdx/search/cdx?url=*.example.com/*"

VirusTotal

Fetches subdomains and related IPs using the VirusTotal API.

1

curl -s "https://www.virustotal.com/vtapi/v2/domain/report?apikey=$VT_APIKEY&domain=example.com"

AlienVault OTX

Queries the OTX API for IP addresses associated with the domain.

1

curl -s "https://otx.alienvault.com/api/v1/indicators/hostname/$domain/url_list?limit=500&page=1" | jq -r '.url_list[]?.result?.urlworker?.ip // empty' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}'

urlscan.io

Looks for IPs tied to the domain using the urlscan.io public API.

1

curl -s "https://urlscan.io/api/v1/search/?q=domain:$domain&size=10000" | jq -r '.results[].page?.ip // empty' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}'

πŸ§ͺ The final script

Combining all the above tools, the script:

  1. Updates the tools
  2. Gathers subdomains from multiple sources
  3. Uses enrichment tools like alterx
  4. Resolves and checks for live hosts
  5. Stores all data in output_<domain>/
1

bash recon_subdomains.sh example.com

Example usage of recon_subdomains.sh

All data ends up in subdomains_alive.txt and final.txt for further analysis.

πŸ“ Output structure

1
2
3
4
5
6
7
8
9
10
11
12
13

output_example.com/
β”œβ”€β”€ subfinder.txt
β”œβ”€β”€ assetfinder.txt
β”œβ”€β”€ amass_passive.txt
β”œβ”€β”€ amass_active.txt
β”œβ”€β”€ github.txt
β”œβ”€β”€ crtsh.txt
β”œβ”€β”€ wayback.txt
β”œβ”€β”€ virustotal.txt
β”œβ”€β”€ alterx.txt
β”œβ”€β”€ ips.txt
β”œβ”€β”€ final.txt
└── subdomains_alive.txt

🧠 Conclusion

This script saves time and maximizes subdomain discovery by combining passive, active, and API-based methods.
Perfect for bug bounty hunters, red teamers, or anyone automating recon.

Want more tools like this? Follow me on LinkedIn

recon, automation, bugbounty
subdomains recon bash automation bugbounty
This post is licensed under CC BY 4.0 by the author.