Passive attack surface mapper using certificate transparency logs, DNS enumeration, and AI-powered risk analysis. Zero active scanning: completely safe to run against any target.
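Before attacking or defending a system, you need to understand its attack surface: the sum of all externally accessible entry points. shadowmap automates this discovery from public data sources (certificate transparency logs, a third-party subdomain API, and a public DNS-over-HTTPS resolver), so the enumeration itself never sends a single packet directly to the target infrastructure. The HTTP probing step is the exception: it requests each discovered host to read its status code and page title, and `--no-http` turns it off.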
| Source | What it provides |
|---|---|
| crt.sh (Certificate Transparency) | Subdomains from TLS certificate issuance history |
| HackerTarget API | Additional subdomain enumeration |
| Google DNS-over-HTTPS | A, MX, TXT, NS, CNAME records |
| HTTP probing | Live status codes, page titles, technology hints |
| AI analysis | Risk classification, attack path recommendations |
- Zero active scanning: all data comes from public sources and passive HTTP probing
- Certificate transparency enumeration: discovers subdomains that DNS brute-forcing would miss
- Parallel enrichment: resolves IPs and probes HTTP for all subdomains concurrently
- Risk flagging: automatically highlights dev, staging, admin, and internal subdomains
- AI attack surface analysis: GPT-4.1 identifies high-risk assets and recommends investigation paths
- Multiple output formats: rich terminal tables, JSON (for pipeline integration), Markdown reports
- Configurable concurrency: tune worker count for speed vs. stealth
```bash
git clone https://github.com/rawqubit/shadowmap.git
cd shadowmap
pip install -r requirements.txt
export OPENAI_API_KEY="sk-..."  # Required only for --ai-analysis
```

```bash
# Basic passive recon
python main.py map example.com

# With AI risk analysis and report
python main.py map example.com --ai-analysis --report surface_report.md

# JSON output for pipeline integration
python main.py map example.com --output json | jq '.subdomains[] | select(.risk_flags | length > 0)'

# Faster scan without HTTP probing
python main.py map example.com --no-http --workers 50

# Filter high-risk subdomains
python main.py map example.com --output json | jq '.subdomains[] | select(.risk_flags | length > 0) | .subdomain'
```

```
shadowmap/
├── main.py              # CLI entrypoint + AI analysis
├── src/
│   └── recon.py         # Passive recon engine
└── requirements.txt
```
```
Domain Input
    │
    ├──▶ crt.sh (Certificate Transparency)
    ├──▶ HackerTarget API
    │         │
    │         ▼
    │    Subdomain List (deduplicated)
    │         │
    │    ┌────┴────────────────────────────┐
    │    │ Parallel Enrichment (N workers) │
    │    │ ┌─────────────┐ ┌────────────┐  │
    │    │ │ DNS Resolve │ │ HTTP Probe │  │
    │    │ └─────────────┘ └────────────┘  │
    │    └─────────────────────────────────┘
    │         │
    ├──▶ DNS Records (Google DoH)
    │         │
    ▼         ▼
AttackSurface Object
    │
    ▼ (--ai-analysis)
GPT-4.1 Risk Analysis
    │
    ▼
Report / JSON / Table
```
```
┌────────────────────────────────────────────┐
│ shadowmap - passive recon for example.com  │
│ HTTP probing: enabled | Workers: 20        │
└────────────────────────────────────────────┘

DNS Records
┌──────┬─────────────────────────────────────────┐
│ Type │ Records                                 │
├──────┼─────────────────────────────────────────┤
│ A    │ 93.184.216.34                           │
│ MX   │ 0 .                                     │
│ NS   │ a.iana-servers.net. b.iana-servers.net. │
└──────┴─────────────────────────────────────────┘

Subdomains (47 found)
┌─────────────────────┬───────────────┬──────┬─────────────────────┬──────────────────────────────┐
│ Subdomain           │ IP            │ HTTP │ Title               │ Risk Flags                   │
├─────────────────────┼───────────────┼──────┼─────────────────────┼──────────────────────────────┤
│ admin.example.com   │ 93.184.216.35 │ 200  │ Admin Dashboard     │ Sensitive keyword: 'admin'   │
│ staging.example.com │ 93.184.216.36 │ 200  │ Staging Environment │ Sensitive keyword: 'staging' │
│ jenkins.example.com │ 93.184.216.37 │ 200  │ Jenkins CI          │ Sensitive keyword: 'jenkins' │
└─────────────────────┴───────────────┴──────┴─────────────────────┴──────────────────────────────┘
```
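The certificate transparency and risk-flagging steps can be sketched as follows, for building an inventory of your own domain's exposed names. This is an added example, not shadowmap's own code: the function names, the keyword list and the whole-label matching rule are assumptions, and the sample response is constructed in the shape of crt.sh's JSON output.

```python
import json

# Constructed sample in the shape of crt.sh's JSON output (output=json):
# one object per certificate, SAN entries newline-separated in name_value.
SAMPLE_CRTSH = json.dumps([
    {"common_name": "example.com", "name_value": "example.com\nwww.example.com"},
    {"common_name": "*.example.com", "name_value": "*.example.com\nAdmin.Example.com"},
    {"common_name": "staging.example.com", "name_value": "staging.example.com\napi-dev.example.com"},
    {"common_name": "jenkins.example.com", "name_value": "jenkins.example.com."},
    {"common_name": "developer.example.com", "name_value": "developer.example.com"},
    {"common_name": "example.com.evil.test", "name_value": "example.com.evil.test\nnotexample.com"},
])

# Assumed keyword list; shadowmap's real list is not shown on the page.
SENSITIVE = ("admin", "dev", "staging", "internal", "jenkins")

def subdomains_from_ct(raw_json, domain):
    """Return the sorted, deduplicated in-scope names from a crt.sh JSON body."""
    domain = domain.lower().rstrip(".")
    names = set()
    for entry in json.loads(raw_json):
        for field in ("common_name", "name_value"):
            for name in (entry.get(field) or "").splitlines():
                name = name.strip().lower().rstrip(".")
                if name.startswith("*."):  # wildcard SAN: keep the parent name
                    name = name[2:]
                # Match on a label boundary so notexample.com and
                # example.com.evil.test are rejected as out of scope.
                if name == domain or name.endswith("." + domain):
                    names.add(name)
    return sorted(names)

def risk_flags(name, domain):
    """Flag keywords that appear as whole label tokens left of the domain."""
    prefix = name[: -len(domain)].rstrip(".")
    tokens = set(prefix.replace("-", ".").split("."))
    return [f"Sensitive keyword: '{k}'" for k in SENSITIVE if k in tokens]

def flagged(raw_json, domain):
    """Map each flagged subdomain to its flags, like the Risk Flags column."""
    domain = domain.lower().rstrip(".")
    hits = {n: risk_flags(n, domain) for n in subdomains_from_ct(raw_json, domain)}
    return {n: f for n, f in hits.items() if f}

if __name__ == "__main__":
    print(json.dumps(flagged(SAMPLE_CRTSH, "example.com"), indent=2))
```

Matching whole label tokens rather than substrings keeps `developer.example.com` out of the flagged set while still catching `api-dev.example.com`.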
shadowmap is designed for:
- Security teams assessing their own organization's attack surface
- Penetration testers with written authorization
- Bug bounty hunters operating within program scope
- Security researchers studying internet-wide exposure
Do not use this tool against targets you do not have permission to assess.
```
$ shadowmap --target example.com --output report.md
shadowmap v1.0.0 Passive Attack Surface Mapper
Target: example.com
Mode: Passive only (zero packets sent to target)

Phase 1: Certificate Transparency Logs
  Querying crt.sh... 23 certificates found
  Querying Censys... 17 additional SANs discovered

Phase 2: DNS Enumeration
  A records: 4 IP addresses
  MX records: 2 mail servers
  NS records: 4 nameservers (2 external DNS providers)
  TXT records: SPF, DMARC, Google verification, 3 others
  CNAMEs: 8 (CDN, SaaS, internal services)

Phase 3: AI Risk Analysis
  Discovered 31 unique subdomains
  High Priority Assets
    api.example.com -> 203.0.113.42 [API endpoint, no WAF detected]
    admin.example.com -> 203.0.113.51 [Admin panel, publicly accessible]
    staging.example.com -> 203.0.113.19 [Staging env, may have weaker controls]

Report saved to report.md
Total assets mapped: 31 subdomains, 4 IPs, 2 mail servers
```
Contributions welcome. Priority areas:
- Additional passive data sources (Shodan free tier, SecurityTrails, etc.)
- Technology fingerprinting from HTTP headers
- Historical data comparison to detect new exposures
MIT License: see LICENSE for details.