Automating Bug Bounty Recon with Python
The Problem with Manual Recon
Bug bounty recon involves a lot of repetitive steps: subdomain enumeration, port scanning, technology fingerprinting, screenshot capture, and content discovery. Doing this manually for every target is slow and error-prone. But fully automated recon pipelines often generate noise without insight.
The Approach
I built a modular pipeline where each recon phase is a standalone Python script that reads from stdin and writes to stdout. This Unix-philosophy approach means I can chain tools together, swap components, and add new phases without rewriting the whole system.
Phase 1: Subdomain Enumeration
The first module wraps multiple subdomain enumeration tools (subfinder, amass, crt.sh API) and deduplicates the results. Running multiple sources increases coverage — no single tool finds everything.
Phase 2: HTTP Probing and Fingerprinting
Live subdomains get probed for HTTP services. The module checks response codes, extracts headers, and identifies technology stacks using Wappalyzer-style fingerprinting. Results get stored in a structured JSON format for downstream processing.
Phase 3: Targeted Content Discovery
Rather than running a generic wordlist against every subdomain, this module selects wordlists based on the identified technology stack. A WordPress site gets WordPress-specific paths. A Node.js API gets common API endpoint patterns.
Phase 4: Notification and Reporting
New findings get diff'd against previous runs. Only genuinely new subdomains, open ports, or interesting endpoints trigger notifications. This eliminates alert fatigue and keeps the signal-to-noise ratio manageable.
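The diff step described above, as an added example that is not part of the original pipeline: a stdin-to-stdout module that keys each finding on a normalized host plus its kind and detail, reports only never-seen keys, and persists the seen set. The JSON-lines field names ("host", "kind", "port", "path") and the state-file layout are this example's own assumptions.

```python
"""Phase 4 diff step (added example, not the author's code). Assumes upstream
phases emit JSON lines with "host", "kind" ("subdomain"/"port"/"path") and an
optional "port" or "path" field; the state-file layout is this example's own."""
import json
import sys
from pathlib import Path
# Constructed sample of upstream output, with one case/trailing-dot duplicate.
SAMPLE_JSONL = """\
{"host": "api.example.com", "kind": "subdomain"}
{"host": "API.example.com.", "kind": "subdomain"}
{"host": "api.example.com", "kind": "port", "port": 8443}
{"host": "blog.example.com", "kind": "path", "path": "/wp-admin/"}
not json at all
"""

def finding_key(f):
    """Stable identity so re-ordered or re-discovered items never re-alert."""
    host = f["host"].strip().lower().rstrip(".")
    kind = f.get("kind", "subdomain")
    detail = f.get("port", "") if kind == "port" else f.get("path", "")
    return f"{kind}|{host}|{detail}"

def parse_jsonl(lines):
    """Skip blank or malformed lines so one bad record does not abort the run."""
    out = []
    for line in filter(None, (l.strip() for l in lines)):
        try:
            out.append(json.loads(line))
        except json.JSONDecodeError:
            print(f"skipping malformed line: {line[:80]}", file=sys.stderr)
    return out

def diff_findings(current, seen):
    """Return (new_findings, updated_seen); only never-seen keys count as new."""
    new, updated = [], set(seen)
    for f in current:
        k = finding_key(f)
        if k not in updated:
            updated.add(k)
            new.append(f)
    return new, updated

if __name__ == "__main__":
    state = Path(sys.argv[1] if len(sys.argv) > 1 else "seen.json")
    seen = set(json.loads(state.read_text())) if state.exists() else set()
    new, updated = diff_findings(parse_jsonl(sys.stdin), seen)
    for f in new:  # only genuinely new findings reach the notifier
        print(json.dumps(f))
    state.write_text(json.dumps(sorted(updated)))
```

Run it as `phase3_output.jsonl | python3 diff_findings.py seen.json`; the second nightly run over the same input prints nothing, and only the lines it does print need to go to the notifier.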
Results
The pipeline runs nightly against my target list. It's found several valid vulnerabilities by surfacing new assets before other researchers noticed them. The key insight is that automation should handle the boring parts so you can focus your manual effort where it actually matters — analyzing the interesting findings.