Advanced subdomain enumeration tool designed for penetration testers and security researchers. Combines multiple reconnaissance techniques with intelligent analysis to discover and analyze subdomains with actionable pentesting insights.
- 8+ Passive Sources: Certificate Transparency, ThreatCrowd, HackerTarget, DNSDumpster, Wayback Machine, Anubis-DB, AlienVault OTX, RapidDNS
- DNS Bruteforce: High-performance wordlist-based discovery with SecLists integration
- Smart Deduplication: Intelligent filtering and validation
- Technology Detection: 20+ technologies (CMS, frameworks, servers, CDNs)
- Vulnerability Assessment: Risk scoring with actionable insights
- High-Value Target Identification: Automated prioritization for pentesting
- Security Headers Analysis: Missing security controls detection
- HTTP/HTTPS Probing: Enhanced title extraction like httpx
- Admin Panel Discovery: Automatic admin interface detection
- CMS Fingerprinting: WordPress, Joomla, Drupal, Magento identification
- Development Environment Detection: Staging/dev environment discovery
- Interactive HTML Report: Auto-opening with clickable subdomain links
- Multiple Output Formats: TXT, CSV, JSON for different use cases
- Technology Analysis Report: Detailed pentesting methodology
- Real-time Progress: Live subdomain discovery with tech stack info
- Multi-threaded: Optimized concurrent processing
- Cross-Platform: Windows, macOS, Linux support
- Auto-Browser Opening: Instant report viewing
- Intelligent Threading: Adaptive performance tuning
```bash
# Clone the repository
git clone https://github.com/ryuukhagetsu/subdomain-enumerator.git
cd subdomain-enumerator

# Install dependencies
pip3 install -r requirements.txt

# Run setup (downloads wordlists, creates directories)
python3 setup.py
```
```bash
# Basic enumeration
python3 main.py -d example.com

# Fast scan with custom threading
python3 main.py -d example.com -t 100

# Skip passive sources (bruteforce only)
python3 main.py -d example.com --skip-passive

# Custom wordlist
python3 main.py -d example.com -w /path/to/wordlist.txt

# Disable auto-browser opening
python3 main.py -d example.com --no-browser
```
```
python3 main.py [OPTIONS] -d DOMAIN

Required Arguments:
  -d, --domain DOMAIN    Target domain to enumerate

Optional Arguments:
  -w, --wordlist PATH    Custom wordlist path (default: SecLists)
  -o, --output DIR       Output directory (default: results)
  -t, --threads NUM      Number of threads (default: 50)
  --timeout SECONDS      Request timeout (default: 10)
  --skip-passive         Skip passive enumeration sources
  --skip-bruteforce      Skip DNS bruteforce enumeration
  --no-browser           Skip auto-opening HTML report
  --debug-browser        Show browser opening debug info
  -v, --verbose          Enable verbose output
  -h, --help             Show help message
```
```bash
# Comprehensive scan with high threading
python3 main.py -d target.com -t 150 --timeout 15 -v

# OSINT-only enumeration (no bruteforce)
python3 main.py -d target.com --skip-bruteforce -o osint_results

# Custom wordlist with specific output directory
python3 main.py -d target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -o custom_scan

# Debug browser opening issues
python3 main.py -d target.com --debug-browser

# Headless operation (CI/CD friendly)
python3 main.py -d target.com --no-browser > scan_results.log
```
The tool generates multiple output formats in timestamped directories:
```
results/
└── example.com/
    ├── all_subdomains_20250607_123456.txt       # All discovered subdomains
    ├── live_http_web_20250607_123456.txt        # Live subdomains with details
    ├── results_20250607_123456.csv              # Structured data for analysis
    ├── detailed_results_20250607_123456.json    # Complete technical data
    ├── technology_analysis_20250607_123456.txt  # Pentesting insights
    ├── report_20250607_123456.html              # Interactive HTML report
    └── summary_20250607_123456.txt              # Scan summary
```
```
admin.example.com [HTTPS] 200 "WordPress Admin Dashboard" (Apache/2.4.41)
  ├─ Technologies: WordPress v6.2, Apache v2.4.41, PHP v8.1, jQuery
  ├─ CMS: WordPress v6.2
  ├─ Admin: WordPress Admin
  └─ Security: HSTS, CSP
api.example.com [HTTPS] 200 "API Documentation v2.1" (nginx/1.20.1)
  ├─ Technologies: Laravel v9.0, Nginx v1.20, PHP v8.1, Vue.js
  └─ Security: HSTS, CSP, XSS Protection
```
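For asset owners reviewing a scan of their own domains, the listing above can be turned into a list of hosts that lack baseline controls. This is an added example, not code from the project: `parse_listing` and `missing_controls` are hypothetical names, the line layout is assumed to match the sample above, and reading the `Security:` line as "controls that were detected" is an assumption.

```python
import re

# Constructed sample in the layout of the listing above (not real scan data).
SAMPLE = """\
admin.example.com [HTTPS] 200 "WordPress Admin Dashboard" (Apache/2.4.41)
  ├─ Technologies: WordPress v6.2, Apache v2.4.41, PHP v8.1, jQuery
  └─ Security: HSTS, CSP
api.example.com [HTTPS] 200 "API Documentation v2.1" (nginx/1.20.1)
  └─ Security: HSTS, XSS Protection
dev.example.com [HTTP] 200 "Staging: build 41" (nginx/1.20.1)
  └─ Technologies: Nginx v1.20
"""

# Host line: name, [scheme], status, optional "title", optional (server).
HOST_RE = re.compile(
    r'^(?P<host>[A-Za-z0-9.-]+)\s+\[(?P<scheme>HTTPS?)\]\s+(?P<status>\d{3})'
    r'(?:\s+"(?P<title>.*)")?(?:\s+\((?P<server>[^)]*)\))?\s*$')
# Detail line: any tree-drawing prefix, then "Key: comma, separated, values".
DETAIL_RE = re.compile(r'(?P<key>[A-Za-z][A-Za-z ]*):\s*(?P<value>.*)$')

def parse_listing(text):
    """Return one dict per host line, with its detail lines attached."""
    hosts = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            hosts.append({**m.groupdict(), "details": {}})
            continue
        d = DETAIL_RE.search(line)
        if d and hosts:  # ignore detail lines that precede any host
            values = [v.strip() for v in d["value"].split(",") if v.strip()]
            hosts[-1]["details"][d["key"]] = values
    return hosts

def missing_controls(hosts, required=("HSTS", "CSP")):
    """Map host -> controls not reported for it (assumed policy: HSTS, CSP, TLS)."""
    gaps = {}
    for h in hosts:
        present = set(h["details"].get("Security", []))
        absent = [r for r in required if r not in present]
        if h["scheme"] != "HTTPS":
            absent.append("TLS")
        if absent:
            gaps[h["host"]] = absent
    return gaps

if __name__ == "__main__":
    for host, absent in missing_controls(parse_listing(SAMPLE)).items():
        print(f"{host}: not reported: {', '.join(absent)}")
```

Host lines are matched before detail lines, so a page title that contains a colon is not mistaken for a `Key: value` detail.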
```
🎯 HIGH VALUE TARGETS
----------------------------------------
1. admin.example.com (Score: 85)
   Reasons: Admin panel detected, WordPress CMS, Admin-related subdomain

🚨 VULNERABILITY ASSESSMENT
----------------------------------------
Medium Risk Issues:
  • admin.example.com - WordPress
    - Plugin vulnerabilities possible
    - Theme exploits common
    → Check: /wp-admin/, /wp-content/, /wp-json/wp/v2/users
    → Try: admin:admin, admin:password, admin:123456

💡 RECOMMENDATIONS
----------------------------------------
Immediate Actions:
  • Test admin panels for default credentials and weak authentication
Suggested Tools:
  WPScan, Nikto, Burp Suite, OWASP ZAP
```
- Python: 3.7+ (tested on 3.7-3.11)
- Operating System: Linux, macOS, Windows
- Memory: 512MB+ RAM
- Storage: 100MB+ free space
- Network: Internet connection for passive sources
```
requests>=2.31.0     # HTTP requests and web scraping
dnspython>=2.4.0     # DNS resolution and queries
tldextract>=3.6.0    # Domain parsing and validation
urllib3>=1.26.0      # HTTP client library
```
```bash
# Install prerequisites
sudo apt update
sudo apt install python3 python3-pip firefox-esr

# Install tool
pip3 install -r requirements.txt
```

```bash
# Using Homebrew
brew install python3
pip3 install -r requirements.txt
```

```bash
# Using Python from python.org
pip install -r requirements.txt
```
- Auto-opening: Reports open automatically in your default browser
- Clickable Links: Click subdomain names to visit them directly
- Responsive Design: Works on desktop and mobile
- Real-time Stats: Live enumeration statistics
- Export Ready: Perfect for client reports
Technologies Detected:
- ✅ CMS: WordPress, Joomla, Drupal, Magento
- ✅ Frameworks: Laravel, React, Vue.js, Angular
- ✅ Servers: Apache, Nginx, IIS, LiteSpeed
- ✅ CDN: Cloudflare, Fastly, AWS CloudFront
- ✅ Security: WAF detection, Security headers
The tool automatically scores and prioritizes targets based on:
- Admin panel presence
- CMS vulnerabilities
- Missing security headers
- Development environments
- Technology stack risks
We welcome contributions! Here's how to get started:
```bash
# Fork and clone the repository
git clone https://github.com/ryuukhagetsu/subdomain-enumerator.git
cd subdomain-enumerator

# Create development environment
python3 -m venv venv
source venv/bin/activate  # On Windows: venv\Scripts\activate

# Install development dependencies
pip3 install -r requirements.txt
pip3 install -r requirements-dev.txt  # If available

# Run tests
python3 -m pytest tests/  # If tests are available
```
- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-feature`)
- Commit your changes (`git commit -m 'Add amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request
- New passive sources (Shodan, Censys, etc.)
- Additional technology detection
- UI/UX improvements for HTML reports
- New output formats (XML, YAML)
- Test coverage and CI/CD
- Documentation improvements
- Subdomain Enumeration Techniques
- Technology Detection Methods
- Output Format Reference
- API Integration Guide
- ✅ Only use on domains you own or have explicit permission to test
- ✅ Respect rate limits and don't overload target servers
- ✅ Follow responsible disclosure for any vulnerabilities found
- ✅ Comply with local laws and regulations
- ❌ Do not use for malicious purposes or unauthorized testing
The developers are not responsible for any misuse of this tool. Users are solely responsible for ensuring they have proper authorization before conducting any security testing.
- GitHub Issues: Report bugs
- Security Issues: Send privately to security@ryuukhagetsu.dev
- Discussions: GitHub Discussions
- GitHub: @ryuukhagetsu
- General Questions: Contact via GitHub Issues
- Collaboration: Open to collaboration via GitHub
| Domain Size | Avg Subdomains Found | Avg Execution Time | Success Rate |
|---|---|---|---|
| Small | 15-50 | 2-5 minutes | ~85% |
| Medium | 50-200 | 5-15 minutes | ~78% |
| Large | 200-1000 | 15-45 minutes | ~72% |
Results vary based on network conditions and target responsiveness
- 95%+ accuracy for major CMS platforms
- 20+ technology categories detected
- 50+ security indicators analyzed
- Real-time detection with minimal false positives
- Requests - HTTP library for Python
- dnspython - DNS toolkit for Python
- tldextract - Domain parsing
- SecLists - Security testing wordlists
- Certificate Transparency - SSL certificate logs
- Various OSINT Sources - Public reconnaissance databases
- httpx - HTTP toolkit inspiration
- subfinder - Subdomain discovery approach
- nuclei - Security scanning concepts
This project is licensed under the MIT License - see the LICENSE file for details.
MIT License
Copyright (c) 2025 RyuuKhagetsu
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
Star this repository if you find it useful!
Fork it to contribute or customize
Share it with the security community