An advanced, comprehensive subdomain enumeration and reconnaissance tool designed for penetration testers and security researchers. SerphunterRecon leverages multiple passive sources and APIs to efficiently discover subdomains while providing detailed metrics and reporting.
✨ Core Features
- 🔍 Multi-source passive subdomain enumeration
- ⚡ Parallel execution for faster results
- 🌐 HTTP/HTTPS probing for live server detection
- 📊 Comprehensive metrics and reporting
- 🔑 API key support for extended capabilities
- 📁 Organized output with per-source results
- 🎯 Deduplication of results across all sources
- 📈 Execution statistics and recommendations
SerphunterRecon integrates with the following sources for comprehensive subdomain discovery:
| Source | Type | Coverage |
|---|---|---|
| CRT.SH | Certificate Transparency | High |
| Alienvault OTX | Passive DNS | High |
| Certspotter | Certificate API | High |
| JLDC Anubis | Subdomain API | Medium |
| Subdomain.center | Aggregator API | Medium |
| VirusTotal | Enterprise API | High (API Key Required) |
| Shodan | Search Engine API | High (API Key Required) |
| HackerTarget | Host Search | Medium |
| Wayback Machine | Web Archive | High (Historical) |
| URLScan.io | Web Scanner | Medium |
| RapidDNS | DNS DB | Medium |
| Subdomain.center | Aggregator API | Medium |
- Bash 4.0 or higher
- curl
- Common Unix utilities (grep, sort, uniq)
git clone https://github.com/yourusername/serphunter-recon.git
cd serphunter-recon
chmod +x serphunter.sh./serphunter.sh -d example.com# Run enumeration in parallel mode (faster)
./serphunter.sh -d example.com --parallel
# Enable HTTP probing to find live servers
./serphunter.sh -d example.com --http-probe
# Combine options
./serphunter.sh -d example.com -p -hpUsage: serphunter.sh -d <domain> [OPTIONS]
Options:
-d, --domain Target domain for enumeration (required)
-p, --parallel Run enumeration sources in parallel
-hp, --http-probe Probe for live HTTP/HTTPS servers
-h, --help Show this help message
-v, --version Show version information
Edit config.txt to add API keys for enhanced functionality:
# VirusTotal API Key
VIRUSTOTAL_API_KEY="your_api_key_here"
# Shodan API Key
SHODAN_API_KEY="your_api_key_here"
# Censys API Credentials
CENSYS_API_ID="your_id_here"
CENSYS_API_SECRET="your_secret_here"
# HTTP Probe Settings
HTTP_PROBE_TIMEOUT=10
MAX_PARALLEL_JOBS=5SerphunterRecon generates the following outputs in the results/ directory:
- {domain}combined{timestamp}.txt - All unique subdomains
- {domain}crtsh{timestamp}.txt - CRT.SH results
- {domain}otx{timestamp}.txt - Alienvault OTX results
- {domain}certspotter{timestamp}.txt - Certspotter results
- {domain}anubis{timestamp}.txt - JLDC Anubis results
- {domain}subdomaincenter{timestamp}.txt - Subdomain.center results
- {domain}virustotal{timestamp}.txt - VirusTotal results (if API key configured)
- {domain}shodan{timestamp}.txt - Shodan results (if API key configured)
- {domain}http_probe{timestamp}.txt - Live servers found (if probing enabled)
- {domain}metrics{timestamp}.txt - Detailed execution report
After enumeration, SerphunterRecon provides:
-
Execution Statistics
- Total execution time
- Results per enumeration source
- Total unique subdomains discovered
-
Source Breakdown
- Number of subdomains from each source
- Statistical analysis
- Performance metrics
-
Live Server Discovery
- HTTP status codes
- Responsive protocols (HTTP/HTTPS)
- Server statistics
-
Recommendations
- Guidance based on discovery count
- Next steps for reconnaissance
- Best practices
$ ./serphunter.sh -d google.com
╔════════════════════════════════════╗
║ SerphunterRecon - Enumeration ║
╚════════════════════════════════════╝
Target: google.com
Mode: Sequential
[*] Querying crt.sh for google.com
[+] Found subdomains: 245
[*] Querying Alienvault OTX for google.com
[+] Found subdomains: 128
... (other sources)
[+] Final results saved to: results/google.com_combined_20251210_153022.txt
[+] Total unique subdomains: 487$ ./serphunter.sh -d target.com --parallel --http-probe
[...enumeration output with metrics...]
[+] Live servers found: 23Execution Times (varies based on domain popularity):
- Sequential mode: 30-60 seconds
- Parallel mode: 10-20 seconds
- With HTTP probing: +30-120 seconds (depends on subdomain count)
1. Parse arguments and load configuration
2. Initialize output directories
3. Run enumeration from multiple sources
4. Combine and deduplicate results
5. (Optional) Probe for live servers
6. Generate comprehensive metrics report
7. Save all results to organized file structure
- ✅ Passive reconnaissance only - no active scanning
- ✅ Respects rate limits of target services
- ✅ No exploitation or malicious activity
⚠️ Always obtain proper authorization before using on any system⚠️ Review your local laws and regulations regarding security testing
- ✅ Passive reconnaissance only - no active scanning
- ✅ Respects rate limits of target services
- ✅ No exploitation or malicious activity
⚠️ Always obtain proper authorization before using on any system
This project is licensed under the MIT License - see LICENSE file for details.
Happy Hunting! 🎯