A comprehensive Python-based subdomain enumeration tool designed for bug bounty hunting and authorized security testing. This scanner uses multiple techniques to discover subdomains deeply and thoroughly.
IMPORTANT: This tool is for authorized security testing only. Only use on domains you have explicit permission to test, such as:
- Domains within scope of bug bounty programs
- Your own domains and infrastructure
- Authorized penetration testing engagements
- Educational purposes in controlled lab environments
Unauthorized scanning may be illegal in your jurisdiction.
- Queries crt.sh for historical SSL/TLS certificates
- Discovers subdomains from certificate records
- Fast and efficient passive reconnaissance
- Multi-threaded subdomain brute forcing
- Uses custom or built-in wordlist
- Multiple DNS resolver support for reliability
- Configurable threads and timeout
- Attempts zone transfer on all nameservers
- Discovers all DNS records if misconfigured
- Automatic nameserver enumeration
- Generates intelligent permutation variations
- Finds dev, staging, test, QA, backup, and other environments
- Performs reverse lookups on discovered IP addresses
- Finds subdomains sharing same infrastructure
- Tests all discovered subdomains for live services
- Extracts HTTP status codes and page titles
- Identifies actively responding hosts
- Automatically detects wildcard DNS
- Warns about false-positive risks
- Helps filter noisy results
- Multi-threaded scanning for speed
- Multiple DNS resolvers (Google, Cloudflare, Quad9, OpenDNS)
- Output formats: TXT, JSON, CSV
- Color-coded output
- Real-time progress tracking
- Deep Scan Mode
- Built-in 200+ common subdomains
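Wildcard DNS (a catch-all `*.example.com` record) makes every brute-forced label resolve, which is the false-positive risk mentioned in the feature list above. The following added example is not the scanner's own code; it shows one way to detect a wildcard and filter results: resolve a few random labels that should not exist, collect the addresses they return, and drop candidates whose addresses are entirely within that wildcard set. The `resolve` callable is an assumption, backed here by a constructed lookup table so the example runs offline; in real use a dnspython query could be passed in instead.

```python
import secrets
from typing import Callable, Dict, List, Set

# Constructed sample zone (not a real lookup): "*.example.com" is a wildcard
# answering 198.51.100.7, while api and mail have their own records.
FAKE_ZONE: Dict[str, Set[str]] = {
    "api.example.com": {"192.0.2.1"},
    "mail.example.com": {"192.0.2.2", "198.51.100.7"},
}


def fake_resolve(name: str) -> Set[str]:
    """Stand-in resolver: explicit records first, otherwise the wildcard answer."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    if name.endswith(".example.com"):
        return {"198.51.100.7"}
    return set()


def detect_wildcard(domain: str, resolve: Callable[[str], Set[str]],
                    probes: int = 3) -> Set[str]:
    """Resolve random labels that should not exist; any answer reveals a wildcard.

    Several probes are used because some wildcard setups rotate addresses.
    """
    wildcard_ips: Set[str] = set()
    for _ in range(probes):
        label = secrets.token_hex(8)  # 16 random hex chars, practically never a real host
        wildcard_ips |= resolve(f"{label}.{domain}")
    return wildcard_ips


def filter_wildcard(candidates: List[str], resolve: Callable[[str], Set[str]],
                    wildcard_ips: Set[str]) -> Dict[str, Set[str]]:
    """Keep only candidates that resolve to at least one address outside the wildcard set."""
    kept: Dict[str, Set[str]] = {}
    for name in candidates:
        ips = resolve(name)
        if ips and not ips <= wildcard_ips:
            kept[name] = ips
    return kept


if __name__ == "__main__":
    wc = detect_wildcard("example.com", fake_resolve)
    print("wildcard answers:", sorted(wc) or "none")
    real = filter_wildcard(["api.example.com", "mail.example.com",
                            "staging.example.com"], fake_resolve, wc)
    print("kept after wildcard filtering:", sorted(real))
```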
- Python 3.7+
- pip

```
pip install -r requirements.txt
```

Or manually:

```
pip install dnspython requests urllib3
```
```
# Basic scan
python subdomain_scanner.py -d example.com

# Custom wordlist
python subdomain_scanner.py -d example.com -w /path/to/wordlist.txt

# Deep mode with a custom wordlist and 100 threads
python subdomain_scanner.py -d example.com --deep -w wordlist.txt -t 100

# Save results with the prefix "results"
python subdomain_scanner.py -d example.com -o results
```

Creates:

- `results_YYYYMMDD_HHMMSS.txt`
- `results_YYYYMMDD_HHMMSS.json`
- `results_YYYYMMDD_HHMMSS.csv`

Full example:

```
python subdomain_scanner.py -d example.com -w subdomains.txt --deep -t 200 -o scan_results
```
| Argument | Short | Required | Description |
|---|---|---|---|
| `--domain` | `-d` | Yes | Target domain |
| `--wordlist` | `-w` | No | Path to wordlist |
| `--threads` | `-t` | No | Thread count (default 50) |
| `--timeout` | (none) | No | DNS timeout in seconds (default 3) |
| `--output` | `-o` | No | Prefix for the output files |
| `--deep` | (none) | No | Enable deep mode |
- No interaction with target
- Fast
- Great for discovering forgotten subdomains
- Depends on wordlist quality
- Supports multi-threading and resolvers
- Rare but extremely powerful
- Complete zone file extraction
- Generates variations such as `dev-`, `staging-`, `-test`, etc.
- Finds environment-specific hosts
- Identifies additional assets
- Reveals hidden subdomains
- Determines live vs dead hosts
- Grabs titles, redirects, status codes
- SecLists: https://github.com/danielmiessler/SecLists
- Assetnote Wordlists: https://wordlists.assetnote.io/
- Jhaddix All.txt: https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056
- Start with CT logs (fastest)
- Increase threads gradually (50 → 100 → 200)
- Avoid very high thread counts on unstable networks
- Use quality wordlists
- Always pass `-o` so results are saved
- Use deep mode for maximum coverage
TXT:

```
Subdomain Scan Results for example.com
Total Subdomains Found: 45
Live Subdomains: 32
```

JSON:

```
{
  "domain": "example.com",
  "total_subdomains": 45,
  "live_subdomains": 32
}
```

CSV:

```
Subdomain,Status,IP
api.example.com,Live,192.0.2.1
```
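From a defender's side, the most useful thing to do with the CSV output above is to reconcile it with an asset inventory: any live host the team does not know about, or one pointing at an address outside the organisation's ranges, is a candidate forgotten environment or dangling record. The example below is added here and is not part of the scanner; the CSV text, the known-host list and the owned IP range are constructed sample data, and the layout `Subdomain,Status,IP` is taken from the sample output above.

```python
import csv
import io
import ipaddress
from typing import Dict, Iterable, List, Set

# Constructed sample in the scanner's CSV layout (Subdomain,Status,IP).
SAMPLE_CSV = """Subdomain,Status,IP
api.example.com,Live,192.0.2.1
WWW.example.com,Live,192.0.2.2
vpn.example.com,Live,198.51.100.20
staging-old.example.com,Live,203.0.113.9
test.example.com,Dead,
"""

# Assumed inventory: hostnames the team tracks and the address space it owns.
KNOWN_HOSTS: Set[str] = {"api.example.com", "www.example.com", "vpn.example.com"}
OWNED_RANGES = [ipaddress.ip_network("192.0.2.0/24")]


def parse_results(text: str) -> List[Dict[str, str]]:
    """Parse the CSV output into rows, normalising hostname case and whitespace."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({"subdomain": row["Subdomain"].strip().lower(),
                     "status": row["Status"].strip(),
                     "ip": row["IP"].strip()})
    return rows


def in_owned_ranges(ip: str, ranges: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if ip parses and falls inside one of the owned networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # blank or malformed address (e.g. a dead host)
        return False
    return any(addr in net for net in ranges)


def reconcile(rows: List[Dict[str, str]], known_hosts: Set[str],
              ranges: Iterable[ipaddress.IPv4Network]) -> Dict[str, List[str]]:
    """Flag live hosts missing from inventory and live hosts on addresses we do not own."""
    live = [r for r in rows if r["status"] == "Live"]
    unknown = sorted(r["subdomain"] for r in live if r["subdomain"] not in known_hosts)
    foreign = sorted(r["subdomain"] for r in live if not in_owned_ranges(r["ip"], ranges))
    return {"unknown_hosts": unknown, "foreign_ip_hosts": foreign}


if __name__ == "__main__":
    report = reconcile(parse_results(SAMPLE_CSV), KNOWN_HOSTS, OWNED_RANGES)
    for key, hosts in report.items():
        print(f"{key}: {', '.join(hosts) or 'none'}")
```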
pip install dnspython
- Reduce threads
- Increase timeout
- Use smaller wordlist
- Wildcard DNS active
- Use HTTP probing to verify
```
chmod +x subdomain_scanner.py
python3 subdomain_scanner.py -d example.com

# -F treats "[LIVE]" literally; without it grep reads the brackets as a
# character class and matches any line containing L, I, V or E
cat results_*.txt | grep -F "[LIVE]" | cut -d' ' -f1 > live_subs.txt
nmap -iL live_subs.txt -p 80,443,8080,8443
cat live_subs.txt | httpx -title -status-code
```
| Feature | This Scanner | Sublist3r | Amass | Subfinder |
|---|---|---|---|---|
| Certificate Transparency | ✔ | ✔ | ✔ | ✔ |
| DNS Brute Force | ✔ | ✔ | ✔ | ✔ |
| Zone Transfer | ✔ | ✖ | ✔ | ✖ |
| Permutations | ✔ | ✖ | ✔ | ✖ |
| HTTP Probing | ✔ | ✖ | ✔ | ✖ |
| Reverse DNS | ✔ | ✖ | ✔ | ✖ |
| Multiple Output Formats | ✔ | ✖ | ✔ | ✔ |
| Built-in Wordlist | ✔ | ✖ | ✖ | ✖ |
- Always check target scope
- Save results for reporting
- Look for forgotten environments
- Test for subdomain takeover
- Combine with screenshot & port scanning
- Re-scan periodically for new assets
- Use only with authorization
- Respect program rules
- Avoid causing service disruption
- Report responsibly
- Keep findings confidential
Suggestions and improvements welcome. Ideas:
- Additional passive OSINT sources
- Shodan / SecurityTrails integration
- Screenshot capability
- Subdomain takeover detection
- Port scanning integration
This tool is provided for educational and authorized security testing purposes only.
- Certificate Transparency (crt.sh)
- Public DNS resolvers (Google, Cloudflare, Quad9, OpenDNS)
- Bug bounty community
For issues or questions:
- Check troubleshooting section
- Ensure dependencies installed
- Test with known domain
- Verify Python version (3.7+)
v2.0 — Current Release
- Multi-technique enumeration
- Deep mode
- HTTP probing
- Multiple outputs
- Wildcard detection
Only scan domains you have permission to test!
