Sudomy: When Bash Orchestration Beats Microservices for Bug Bounty Recon
Hook
While the industry obsesses over Go microservices and Python frameworks, one of the most effective bug bounty reconnaissance tools is written entirely in bash—and it's orchestrating more data sources than most enterprise solutions.
Context
Subdomain enumeration is the unglamorous foundation of offensive security work. Before you can test for vulnerabilities, you need to know what exists. A modern organization might have hundreds or thousands of subdomains—staging environments, forgotten dev servers, third-party integrations, legacy infrastructure—each representing potential attack surface. Manual discovery through certificate transparency logs, DNS records, and archived web pages is tedious and error-prone.
The problem isn't finding individual tools. Security researchers have built excellent specialized utilities: Sublist3r for passive DNS aggregation, Gobuster for bruteforcing, httprobe for validation. The real challenge is orchestration. You need to query multiple APIs (each with different rate limits and authentication schemes), deduplicate results, validate live hosts, resolve IPs, detect virtual hosts to avoid redundant scanning, fingerprint technologies, and capture screenshots—all while managing API quotas and avoiding detection. Most bug bounty hunters cobble together custom bash scripts or settle for tools that only handle one stage. Sudomy emerged from this gap: a single framework that chains the entire reconnaissance workflow into an automated pipeline, written in the lingua franca of security tooling.
Technical Insight
Sudomy's architecture is deceptively simple: it's a bash orchestrator that coordinates external tools through subprocess invocation and file-based state management. The core workflow operates in sequential stages, with each stage reading from and writing to standardized text files in a results directory. This design choice—using the filesystem as a message bus—enables transparency and debuggability that complex state management systems often obscure.
The passive enumeration stage queries 22+ third-party services through a combination of API calls and scraping. Here's how it handles Shodan integration:
# Simplified from sudomy's Shodan module
shodan_enum() {
    domain=$1
    api_key=$(grep "SHODAN_API" ~/.sudomy/sudomy.api | cut -d'=' -f2)
    # Query Shodan's domain endpoint. Each .data[] entry carries only the
    # subdomain label (its .value is the record's IP or CNAME target), so the
    # apex is re-attached via --arg; the grep drops the bare-apex "" label.
    curl -s "https://api.shodan.io/dns/domain/${domain}?key=${api_key}" \
        | jq -r --arg d "$domain" '.data[]? | .subdomain + "." + $d' \
        | grep -v "^\.$domain$" >> "${OUT_DIR}/shodan_subdomains.txt"
    # Resolve the apex as well: the response is a hostname-to-IP object,
    # so its keys are hostnames
    curl -s "https://api.shodan.io/dns/resolve?hostnames=${domain}&key=${api_key}" \
        | jq -r 'keys[]' >> "${OUT_DIR}/shodan_subdomains.txt"
}
This pattern repeats across SecurityTrails, VirusTotal, Censys, and 20 other sources. Each runs independently, writing results to separate files. The aggregation stage then deduplicates using basic sort -u operations—brutally simple, but effective for datasets with millions of entries. The filesystem-based approach means you can inspect intermediate results at any point, re-run individual stages without starting over, or manually add discovered subdomains to the pipeline.
Parallelization happens through bash backgrounding and wait primitives. When querying multiple APIs, Sudomy spawns concurrent subshells:
# Conceptual parallelization pattern
for source in "${PASSIVE_SOURCES[@]}"; do
    "${source}_enum" "$domain" &   # one background subshell per source
done
wait   # Block until all background jobs complete
# Aggregate results
sort -u "${OUT_DIR}"/*_subdomains.txt > "${OUT_DIR}/all_subdomains.txt"
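The same fan-out as an added example, not Sudomy's own code, carrying the two things the bare pattern leaves out: each background job records its exit status in a sidecar file so a failed API call is quarantined instead of merged as an empty or partial file, and hostnames are normalised (case, trailing dot, wildcard label) before sort -u, which otherwise keeps www.example.com and WWW.example.com as two entries. The fake_*_enum sources, their output, OUT_DIR and the status-file naming are constructed stand-ins for the real API modules.

```shell
# Added example, not Sudomy's code: fan out stand-in passive sources in the
# background, record each job's exit status in a sidecar file, and aggregate
# only the sources that succeeded, normalising hostnames before sort -u.
# Assumed names: fake_*_enum stand-ins (constructed data), OUT_DIR scratch dir.

OUT_DIR="${OUT_DIR:-$(mktemp -d)}"
PASSIVE_SOURCES="crtsh shodan broken"

# Constructed stand-ins; a real module would curl an API and emit hostnames
fake_crtsh_enum() {
    printf '%s\n' 'www.example.com' 'WWW.example.com' '*.dev.example.com' 'mail.example.com.'
}
fake_shodan_enum() {
    printf '%s\n' 'api.example.com' 'www.example.com'
}
fake_broken_enum() {
    # Simulates a quota error: partial output, then a non-zero exit like curl's
    printf '%s\n' 'staging.example.com'
    return 22
}

# Lower-case, strip a leading wildcard label and a trailing dot, drop blanks,
# so case and FQDN variants collapse under sort -u instead of surviving it
normalize_hosts() {
    awk '{ h = tolower($0); sub(/^\*\./, "", h); sub(/\.$/, "", h); if (h != "") print h }'
}

# Start one source in a background subshell; its exit code lands in <name>.status
run_source() {
    (
        if "fake_${1}_enum" > "${OUT_DIR}/${1}_subdomains.txt"; then
            echo 0 > "${OUT_DIR}/${1}.status"
        else
            echo $? > "${OUT_DIR}/${1}.status"
        fi
    ) &
}

collect_passive() {
    for name in $PASSIVE_SOURCES; do run_source "$name"; done
    wait   # block until every background job has written its status file
    : > "${OUT_DIR}/merged.tmp"
    for name in $PASSIVE_SOURCES; do
        status=$(cat "${OUT_DIR}/${name}.status")
        if [ "$status" -eq 0 ]; then
            normalize_hosts < "${OUT_DIR}/${name}_subdomains.txt" >> "${OUT_DIR}/merged.tmp"
        else
            # Quarantine rather than merge: partial output from a failed call is untrusted
            echo "source ${name} failed (exit ${status}); output quarantined" >&2
            mv "${OUT_DIR}/${name}_subdomains.txt" "${OUT_DIR}/${name}_subdomains.failed"
        fi
    done
    sort -u "${OUT_DIR}/merged.tmp" > "${OUT_DIR}/all_subdomains.txt"
    rm -f "${OUT_DIR}/merged.tmp"
}

# Number of unique hostnames from sources that completed successfully
aggregated_count() {
    wc -l < "${OUT_DIR}/all_subdomains.txt" | tr -d ' '
}

collect_passive
echo "aggregated $(aggregated_count) unique hostnames into ${OUT_DIR}/all_subdomains.txt"
```

With the constructed sources this yields four hostnames (api, dev, mail, www under example.com): the three spellings of www collapse to one, and staging.example.com is held back in broken_subdomains.failed because its source exited non-zero. Swapping the stand-ins for real modules only requires that each one emit hostnames on stdout and exit non-zero on failure.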
The validation pipeline demonstrates Sudomy's real intelligence. Raw subdomain lists are notoriously noisy—expired domains, typos in certificate records, internal-only hostnames. Sudomy chains multiple validation tools to filter false positives early. It first runs dnsprobe to verify DNS resolution, pipes survivors to httprobe to identify HTTP/HTTPS services, then uses httpx for technology fingerprinting and gowitness for screenshot capture. Each stage filters the dataset, preventing wasted effort on dead hosts.
The virtual host detection stage showcases domain-specific optimization. After resolving subdomains to IPs, Sudomy groups them by address to detect shared hosting:
# Virtual host correlation
awk '{print $2,$1}' ${OUT_DIR}/resolved_ips.txt | sort \
    | awk '{ip=$1; sub(/^[^ ]+ /,"");
            if(ip in hosts) hosts[ip]=hosts[ip]","$0;
            else hosts[ip]=$0}
       END {for(ip in hosts) print ip,hosts[ip]}' \
    > ${OUT_DIR}/vhosts.txt
This prevents redundant port scanning. If 50 subdomains resolve to the same Cloudflare IP, Sudomy scans once and correlates findings across all associated domains. For bug bounty hunters working with large-scale targets, this optimization saves hours of scanning time.
The technology fingerprinting stage extracts actionable intelligence through integration with Wappalyzer and custom regex patterns. It identifies CMS platforms, web frameworks, CDN providers, and JavaScript libraries—information that guides subsequent exploitation efforts. Similarly, the takeover detection module checks for dangling DNS records pointing to unclaimed services (AWS S3, GitHub Pages, Heroku), a common source of subdomain hijacking vulnerabilities.
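The dangling-record check, from the owner's side, as an added example rather than Sudomy's module: it inventories CNAME records whose target sits on one of the third-party platforms the paragraph names (S3, GitHub Pages, Heroku), so each one can be confirmed as still claimed before the record is left pointing at nothing. The "host CNAME target" input lines are constructed, and the PLATFORM_SUFFIXES list is an assumption to be extended for the platforms an organisation actually uses.

```shell
# Added example, not Sudomy's code: inventory CNAME records that point into
# third-party platforms so the owner can verify each target resource is still
# claimed. Input is a constructed "host RRTYPE target" list as a resolver
# would report it; PLATFORM_SUFFIXES is an assumed, extendable watch list.

CNAME_FILE="${CNAME_FILE:-$(mktemp)}"
cat > "$CNAME_FILE" <<'EOF'
assets.example.com CNAME example-assets.s3.amazonaws.com.
docs.example.com CNAME example-org.github.io.
app.example.com CNAME old-app.herokuapp.com.
www.example.com CNAME www.example.com.cdn.cloudflare.net.
ftp.example.com A 203.0.113.7
EOF

# Provider suffixes to flag (the platforms the page names)
PLATFORM_SUFFIXES="s3.amazonaws.com github.io herokuapp.com"

# Print "host target provider" for every CNAME whose target ends in a watched
# suffix; the trailing dot and letter case of the target are normalised first
flag_third_party_cnames() {
    awk -v suffixes="$PLATFORM_SUFFIXES" '
    BEGIN { n = split(suffixes, s, " ") }
    $2 == "CNAME" {
        target = tolower($3); sub(/\.$/, "", target)
        for (i = 1; i <= n; i++) {
            suf = "." s[i]
            if (length(target) > length(suf) &&
                substr(target, length(target) - length(suf) + 1) == suf)
                print $1, target, s[i]
        }
    }' "$1"
}

flag_third_party_cnames "$CNAME_FILE"
```

Three of the five constructed records are flagged; the Cloudflare CNAME and the A record are not. Whether a flagged target actually resolves is a separate, network-dependent step that this offline inventory deliberately leaves to the owner's review.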
Gotcha
Sudomy's effectiveness is directly proportional to your API budget. The documentation prominently lists supported services—Shodan, SecurityTrails, Censys, Bufferover, PassiveTotal—but most require paid subscriptions for meaningful rate limits. With only free-tier access, you'll hit quota limits within minutes when scanning large domains. The tool doesn't gracefully degrade; it simply skips sources when API keys are missing. This creates a tiered experience: researchers with enterprise Shodan access get comprehensive results, while those relying on free services see a fraction of potential coverage.
The bash implementation introduces practical maintenance challenges. Error handling is minimal—failed API calls often write empty files or partial JSON that breaks downstream parsing. There's no retry logic for transient network failures, no incremental checkpointing for long-running scans, and limited input validation. The 3-million-entry bruteforce wordlist can run for days on large domains, with no ability to resume if interrupted. For production security operations or continuous monitoring scenarios, you'd need to wrap Sudomy in additional orchestration logic to handle failures and restarts. The screenshot capture stage using gowitness can generate gigabytes of PNG files with no automatic cleanup or archival strategy, quickly exhausting disk space on constrained systems.
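The wrapper logic the paragraph above asks for, as an added example that is not part of Sudomy: retry() re-runs a command with linear backoff and returns its last exit code, and run_stage() skips any stage whose checkpoint marker already exists, so an interrupted run resumes at the stage that did not finish. flaky_fetch is a constructed stand-in that fails twice and succeeds on the third call; STATE_DIR, RETRY_MAX and RETRY_DELAY are assumed names.

```shell
# Added example, not Sudomy's code: retry with backoff plus stage checkpoints,
# the two pieces a long-running scan needs to survive transient failures and
# interruptions. flaky_fetch is a constructed stand-in; STATE_DIR, RETRY_MAX
# and RETRY_DELAY are assumed names.

STATE_DIR="${STATE_DIR:-$(mktemp -d)}"
RETRY_MAX="${RETRY_MAX:-3}"
RETRY_DELAY="${RETRY_DELAY:-1}"   # seconds; multiplied by the attempt number

# Run "$@" up to RETRY_MAX times; returns the last exit code on final failure
retry() {
    attempt=1
    while :; do
        if "$@"; then
            return 0
        else
            rc=$?
        fi
        if [ "$attempt" -ge "$RETRY_MAX" ]; then
            echo "giving up after ${attempt} attempts (last exit ${rc})" >&2
            return "$rc"
        fi
        delay=$(( RETRY_DELAY * attempt ))
        echo "attempt ${attempt} failed (exit ${rc}); retrying in ${delay}s" >&2
        sleep "$delay"
        attempt=$(( attempt + 1 ))
    done
}

# Run a named stage once: skip when its checkpoint exists, and write the
# checkpoint only after the command (with retries) has succeeded
run_stage() {
    stage=$1; shift
    marker="${STATE_DIR}/${stage}.done"
    if [ -f "$marker" ]; then
        echo "stage ${stage}: checkpoint present, skipping" >&2
        return 0
    fi
    if retry "$@"; then
        touch "$marker"
        return 0
    else
        rc=$?
        echo "stage ${stage}: failed with exit ${rc}; no checkpoint written" >&2
        return "$rc"
    fi
}

# Constructed stand-in for a quota-limited API call: fails until the 3rd call
flaky_fetch() {
    n=$(( $(cat "${STATE_DIR}/flaky.calls" 2>/dev/null || echo 0) + 1 ))
    echo "$n" > "${STATE_DIR}/flaky.calls"
    [ "$n" -ge 3 ]
}

calls_made() { cat "${STATE_DIR}/flaky.calls" 2>/dev/null || echo 0; }

run_stage passive flaky_fetch     # succeeds on the third attempt, writes passive.done
run_stage passive flaky_fetch     # checkpoint present: flaky_fetch is not called again
echo "flaky_fetch was called $(calls_made) time(s)"
```

A real pipeline would call run_stage once per Sudomy stage (passive, resolve, probe, screenshot) with the stage's command, and delete the marker files to force a clean rerun. The marker is written only after success, so a stage killed mid-way is re-executed on the next run rather than silently skipped.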
Verdict
Use if: You're conducting comprehensive reconnaissance for bug bounty programs where breadth matters more than depth, have API access to premium intelligence services (Shodan, SecurityTrails, Censys), need an all-in-one framework that reduces manual tool-chaining overhead, or operate in environments where bash's ubiquity and minimal dependencies are advantages (Kali Linux, penetration testing distributions). Sudomy excels at initial asset discovery phases where automation and aggregation provide immediate value.
Skip if: You lack paid API subscriptions to key data sources (the tool's effectiveness drops dramatically), require production-grade reliability with error handling and resume capabilities, need stealth reconnaissance where massive DNS bruteforce attempts would trigger alerts, want fine-grained control over individual recon stages rather than a monolithic pipeline, or prefer modern type-safe tooling with better testability. For those scenarios, ProjectDiscovery's modular Go suite (subfinder + httpx + nuclei) or OWASP Amass offers better architectural foundations.