How To Setup an Automated Sub-domain Takeover Scanner for All Bug Bounty Programs in 5 Minutes

Luke Stephens (@hakluke)
4 min readAug 21, 2018
You, with your new subdomain scanner, literally punching clean through a laptop because you’re so awesome.

Sub-domain takeovers are all the rage in the bug bounty scene at the moment. You’ve probably heard about some bug bounty legends who are raking in the dough because they’ve managed to set up an automated sub-domain takeover scanner, if you haven’t, Google “Frans Rosén”. I’m going to let you in on a secret, it’s not as hard as it sounds.

Using a couple of free tools and some dodgy ghetto bash scripts, we can slap together our own poor-man’s version in under 5 minutes. Strap-in!

Gathering Wildcard Domains

First things first! We need to get a list of all the wildcard domains from all the public bug bounty programs on Bugcrowd and HackerOne. This sounds much harder than it is. You see, it would be hard, but someone has already done it for us (shoutout to arkadiyt). Fire up Kali, and run these commands:

cd ~;
mkdir subdomain_takeover;
cd subdomain_takeover;
git clone;

To view the wildcard domains simply run:

cat ./bounty-targets-data/data/wildcards.txt

This list is fairly exhaustive, and it’s updated hourly.

Enumerating Sub-domains