Online Subdomain finder using Sublist3r, DNScan, Anubis, Amass, Nmap-dns-brute.nse, Lepus, Findomain, Censys

Online Subdomain finder, enumerator and research tools to collect and gather DNS information about hosts

Enumerated domains management dashboard

  • Track your subdomains
  • Keep your scan records
  • Incredibly fancy dashboard
  • Multiple subdomain scanner tabs
  • Entirely free

Sublist3r

Fast subdomains enumeration tool for penetration testers

Dnscan

Dnscan is a python wordlist-based DNS subdomain scanner

SubBrute

A DNS meta-query spider that enumerates DNS records, and subdomains.

DNS reconnaissance using Fierce

Fierce is a semi-lightweight scanner that helps locate non-contiguous IP space and hostnames against specified domains. It is really meant as a precursor to nmap, unicornscan, nessus, nikto, etc., since all of those require that you already know what IP space you are looking for. It does not perform exploitation and does not scan the whole internet indiscriminately. It is meant specifically to locate likely targets both inside and outside a corporate network. Because it uses DNS primarily, you will often find misconfigured networks that leak internal address space. That's especially useful in targeted malware.

Installing Fierce

$ pip3 install fierce

$ fierce -h

Features of Fierce
  • Traverse IPs near discovered domains
  • Attempt an HTTP connection on domains discovered
  • Zone transfers

Anubis information gathering tool

Anubis is a subdomain enumeration and information gathering tool. Anubis collates data from a variety of sources, including HackerTarget, DNSDumpster, x509 certs, VirusTotal, Google, Pkey, and NetCraft. Anubis also has a sister project, AnubisDB, which serves as a centralized repository of subdomains.

Installing Anubis

Prerequisites

If you are a Linux user, the following modules or libraries are also required:

sudo apt-get install python3-pip python-dev libssl-dev libffi-dev

pip3 install anubis-netsec

snap install anubis

Features of Anubis subdomain enumeration
  • AnubisDB
  • Advanced features like using nmap
  • Uses Shodan

Subdomain scanning using Nmap dns-brute

Nmap's dns-brute script attempts to enumerate DNS hostnames by brute-force guessing of common subdomains. With the dns-brute.srv argument, dns-brute will also try to enumerate common DNS SRV records. Wildcard records are listed as "*A" and "*AAAA" for IPv4 and IPv6 respectively.

The dns-brute script of nmap requires the following libraries:

  • coroutine
  • dns
  • io
  • math
  • rand

Lepus

Lepus is a utility for identifying and collecting subdomains for a given domain. Subdomain discovery is a crucial part of the reconnaissance phase. One of the strengths of Lepus lies in performing several checks on identified domains for potential subdomain-takeover vulnerabilities. The module is enabled with --takeover and is executed after all others. If such a vulnerability is identified, the results are printed in the output and in a .csv file in the respective project folder under the directory with the results. Checks are performed for the following services.

Lepus performs the following:

  • Services (collecting subdomains from the below services)
  • Dictionary mode for identifying domains (optional)
  • Permutations on discovered subdomains (optional)
  • Reverse DNS lookups on identified public IPs (optional)

Features of Lepus
  • Wildcard Identification
  • RDAP Lookups
  • Dictionary Mode
  • Permutations Mode
  • Reverse Mode
  • Portscan
  • Subdomain Takeover

Tools developed for subdomain finding

SubFinder

SubFinder is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources. It has a simple modular architecture and is intended as a successor to the sublist3r project. SubFinder uses passive sources, search engines, pastebins, internet archives, etc. to find subdomains, and then uses a permutation module inspired by altdns to generate permutations and resolve them quickly using a powerful bruteforcing engine. It can also perform plain bruteforce if needed. The tool is highly customizable, and the code is built with a modular approach in mind, making it easy to add functionality and remove errors.

Written in: Go programming Author: None

RED HAWK

All in one tool for Information Gathering, Vulnerability Scanning and Crawling. A must have tool for all penetration testers

Written in: PHP Author: None

Th3inspector

Th3inspector: an all-in-one tool for information gathering.

Written in: Perl Author: None

SubDomainizer

SubDomainizer is a tool designed to find hidden subdomains and secrets present in a webpage, on GitHub, and in external JavaScript files referenced by the given URL. The tool also finds S3 buckets, CloudFront URLs and more in those JS files, which can be interesting when, for example, an S3 bucket is open to read/write, or when a subdomain or CloudFront distribution is open to takeover. It can also scan a given folder that contains your files.

Written in: Python Author: None

censys-subdomain-finder

This is a tool to enumerate subdomains using the Certificate Transparency logs stored by Censys. It should return any subdomain that has ever been issued an SSL certificate by a public CA.

Written in: Python Author: None

PentestEr_Fully-automatic-scanner

DNS Subdomain ● Brute force ● Web Spider ● Nmap Scan ● etc

Written in: Python Author: None

Rock-ON

Rock-On is an all-in-one recon tool that will give your recon process a boost. It is mainly aimed at automating the whole recon process and saving the time that is wasted doing all of this manually. A thorough blog will be up sometime. Stay tuned for the stable version with a UI.

Written in: Ruby and Bash script Author: None

Subscraper

SubScraper uses DNS brute force, Google & Bing scraping, and DNSdumpster to enumerate subdomains of a given host. Written in Python3, SubScraper performs HTTP(S) requests and DNS "A" record lookups during the enumeration process to validate discovered subdomains. This provides further information to help prioritize targets and aid in potential next steps. Post-Enumeration, "CNAME" lookups are displayed to identify subdomain takeover opportunities.

Written in: Python Author: None

Horn3t

Horn3t is your Nr #1 tool for exploring subdomains visually. Building on the great Sublist3r framework (or extensible with your favorite one) it searches for subdomains and generates awesome picture previews. Get a fast overview of your target with http status codes, add custom found subdomains and directly access found urls with one click.

Written in: Python Author: None

Dnscan

dnscan is a Python wordlist-based DNS subdomain scanner. The script will first try to perform a zone transfer using each of the target domain's nameservers. If this fails, it will look up TXT and MX records for the domain, and then perform a recursive subdomain scan using the supplied wordlist.

Written in: Python Author: None

Gorecon

Gorecon is an all-in-one reconnaissance tool, a.k.a. a Swiss knife for reconnaissance: a tool that every pentester or bug hunter might want to consider adding to their arsenal.

Written in: Go programming Author: None

Delator

DELATOR (lat. informer) is a tool to perform subdomain enumeration and initial reconnaissance through the abuse of certificate transparency (CT) logs. It expands on the original work done by Sheila A. Berta with her CTFR tool and leverages the speed and power of Go.

Written in: Go programming Author: None

findSubDomains

A tool for finding subdomains, for pentesters

Written in: Python Author: None

Subrake

A powerful subdomain scanner and validator written with sockets, which makes it a lot faster and easier to manage. It works by enumerating subdomains by searching for them on the web and by using local wordlists. It further identifies the assets of a domain based on their IP and CNAME records and identifies subdomains that use the same IP addresses. It also scans ports if any are given and enumerates the possible server engines used on assets using the SERVER header returned in the response. It also enumerates the HTTP status codes returned on ports 80 and 443.

Written in: Python Author: None

BlackBird Subdomain Enumerator

Blackbird was designed to automate and handle the heavy lifting of recon for large domains. It currently uses the following tools to do the following functionalities. Blackbird also uses a Slack legacy token to alert you whenever a certain segment of the functionalities listed above has started or finished. Finally, you can also choose to run the BlackBird API, which allows you to launch the scanner from Slack or any other tool of choice!

Written in: Bash Shell Author: None

WHK Subdomains Scanner

WSS (WHK Subdomains Scanner) is a tool designed for pentesters that searches for subdomains and performs actions on each domain name found.

Written in: Python Author: None

Dnssubminer

Python DNS Subdomain Miner. Includes GeoLite data created by MaxMind.

Written in: Python Author: None

OneForAll

Subdomain finder supporting python 3+

Written in: Python3 Author: shmilylty

ESD

ESD (Enumeration Sub Domain)

Written in: Python Author: None

Rock-ON

Rock-On is an all-in-one recon tool that will give your recon process a boost. It is mainly aimed at automating the whole recon process and saving the time that is wasted doing all of this manually. A thorough blog will be up sometime. Stay tuned for the stable version with a UI.

Written in: Bash Shell Author: SilverPoision

Findomain

The fastest cross-platform subdomain enumerator; don't waste your time. It has multi-thread support, so the maximum time that Findomain will take to search subdomains for any target is 20 seconds. It discovers subdomains without brute force, using Certificate Transparency logs and APIs, and discovers subdomains with or without IP addresses according to user arguments.

Written in: Rust Author: Edu4rdSHL

Subscraper

SubScraper uses DNS brute force, Google & Bing scraping, and DNSdumpster to enumerate subdomains of a given host. Written in Python3, SubScraper performs HTTP(S) requests and DNS "A" record lookups during the enumeration process to validate discovered subdomains. This provides further information to help prioritize targets and aid in potential next steps. Post-Enumeration, "CNAME" lookups are displayed to identify subdomain takeover opportunities

Written in: Python3 Author: m8r0wn

Recce

Domain status checker

Written in: Python3 Author: unstabl3

Sublist3r

Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu, and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster, and ReverseDNS. subbrute was integrated with Sublist3r to increase the possibility of finding more subdomains using bruteforce with an improved wordlist. The credit goes to TheRook who is the author of subbrute

Written in: Python3 Author: aboul3la

Knockpy

Knockpy is a Python tool designed to enumerate subdomains on a target domain through a wordlist. It is designed to scan for DNS zone transfers and to try to bypass the wildcard DNS record automatically if it is enabled. Knockpy now supports queries to VirusTotal subdomains; you can set the API_KEY within the config.json file.

Written in: Python Author: guelfoweb