Subdomain Enumeration
# Subdomain Enumeration Tools
Below is a list of powerful subdomain enumeration tools that can aid in reconnaissance and penetration testing:
1. Sublist3r - Fast subdomains enumeration tool for penetration testers
- Repository: [Sublist3r](https://github.com/aboul3la/Sublist3r)
2. Amass - In-depth Attack Surface Mapping and Asset Discovery
- Repository: [Amass](https://github.com/OWASP/Amass)
3. massdns - A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration)
- Repository: [massdns](https://github.com/blechschmidt/massdns)
4. Findomain - The fastest and cross-platform subdomain enumerator, do not waste your time.
- Repository: [Findomain](https://github.com/Findomain/Findomain)
5. Sudomy - Sudomy is a subdomain enumeration tool to collect subdomains and analyze domains, performing automated reconnaissance (recon) for bug hunting / pentesting
- Repository: [Sudomy](https://github.com/Screetsec/Sudomy)
6. chaos-client - Go client to communicate with Chaos DNS API.
- Repository: [chaos-client](https://github.com/projectdiscovery/chaos-client)
7. domained - Multi Tool Subdomain Enumeration
- Repository: [domained](https://github.com/TypeError/domained)
8. bugcrowd-levelup-subdomain-enumeration - This repository contains all the material from the talk "Esoteric sub-domain enumeration techniques" given at Bugcrowd LevelUp 2017 virtual conference
- Repository: [bugcrowd-levelup-subdomain-enumeration](https://github.com/appsecco/bugcrowd-levelup-subdomain-enumeration)
9. shuffledns - shuffleDNS is a wrapper around massdns written in Go that allows you to enumerate valid subdomains using active bruteforce as well as resolve subdomains with wildcard handling and easy input-output…
- Repository: [shuffledns](https://github.com/projectdiscovery/shuffledns)
10. censys-subdomain-finder - Perform subdomain enumeration using the certificate transparency logs from Censys.
- Repository: [censys-subdomain-finder](https://github.com/christophetd/censys-subdomain-finder)
11. Turbolist3r - Subdomain enumeration tool with analysis features for discovered domains
- Repository: [Turbolist3r](https://github.com/fleetcaptain/Turbolist3r)
12. censys-enumeration - A script to extract subdomains/emails for a given domain using SSL/TLS certificate dataset on Censys
- Repository: [censys-enumeration](https://github.com/0xbharath/censys-enumeration)
13. tugarecon - Fast subdomains enumeration tool for penetration testers.
- Repository: [tugarecon](https://github.com/LordNeoStark/tugarecon)
14. as3nt - Another Subdomain ENumeration Tool
- Repository: [as3nt](https://github.com/cinerieus/as3nt)
15. Subra - A Web-UI for subdomain enumeration (subfinder)
- Repository: [Subra](https://github.com/si9int/Subra)
16. Substr3am - Passive reconnaissance/enumeration of interesting targets by watching for SSL certificates being issued
- Repository: [Substr3am](https://github.com/nexxai/Substr3am)
17. domain - enumall.py Setup script for Recon-ng
- Repository: [domain](https://github.com/jhaddix/domain/)
18. altdns - Generates permutations, alterations, and mutations of subdomains and then resolves them
- Repository: [altdns](https://github.com/infosec-au/altdns)
19. brutesubs - An automation framework for running multiple open sourced subdomain bruteforcing tools (in parallel) using your own wordlists via Docker Compose
- Repository: [brutesubs](https://github.com/anshumanbh/brutesubs)
20. dns-parallel-prober - This is a parallelized domain name prober to find as many subdomains of a given domain as fast as possible.
- Repository: [dns-parallel-prober](https://github.com/lorenzog/dns-parallel-prober)
21. dnscan - dnscan is a python wordlist-based DNS subdomain scanner.
- Repository: [dnscan](https://github.com/rbsec/dnscan)
22. knock - Knockpy is a python tool designed to enumerate subdomains on a target domain through a wordlist.
- Repository: [knock](https://github.com/guelfoweb/knock)
23. hakrevdns - Small, fast tool for performing reverse DNS lookups en masse
- Repository: [hakrevdns](https://github.com/hakluke/hakrevdns)
24. dnsx - Dnsx is a fast and multi-purpose DNS toolkit that allows you to run multiple DNS queries of your choice with a list of user-supplied resolvers.
- Repository: [dnsx](https://github.com/projectdiscovery/dnsx)
25. subfinder - Subfinder is a subdomain discovery tool that discovers valid subdomains for websites.
- Repository: [subfinder](https://github.com/projectdiscovery/subfinder)
26. assetfinder - Find domains and subdomains related to a given domain
- Repository: [assetfinder](https://github.com/tomnomnom/assetfinder)
27. crtndstry - Yet another subdomain finder
- Repository: [crtndstry](https://github.com/nahamsec/crtndstry)
28. VHostScan - A virtual host scanner that performs reverse lookups
- Repository: [VHostScan](https://github.com/codingo/VHostScan)
29. scilla - Information Gathering tool - DNS / Subdomains / Ports / Directories enumeration
- Repository: [scilla](https://github.com/edoardottt/scilla)
30. sub3suite - A research-grade suite of tools for subdomain enumeration, intelligence gathering, and attack surface mapping.
- Repository: [sub3suite](https://github.com/3nock/sub3suite)
Feel free to explore these tools and choose the one that best fits your needs for subdomain enumeration. Happy hunting!😄