Subdomain Enumeration

# Subdomain Enumeration Tools

Below is a list of powerful subdomain enumeration tools that can aid in reconnaissance and penetration testing:

1. Sublist3r - Fast subdomains enumeration tool for penetration testers
   - Repository: [Sublist3r](https://github.com/aboul3la/Sublist3r)

2. Amass - In-depth Attack Surface Mapping and Asset Discovery
   - Repository: [Amass](https://github.com/OWASP/Amass)

3. massdns - A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration)
   - Repository: [massdns](https://github.com/blechschmidt/massdns)

4. Findomain - The fastest and cross-platform subdomain enumerator, do not waste your time.
   - Repository: [Findomain](https://github.com/Findomain/Findomain)

5. Sudomy - Sudomy is a subdomain enumeration tool that collects subdomains and analyzes domains, performing automated reconnaissance (recon) for bug hunting / pentesting
   - Repository: [Sudomy](https://github.com/Screetsec/Sudomy)

6. chaos-client - Go client to communicate with Chaos DNS API.
   - Repository: [chaos-client](https://github.com/projectdiscovery/chaos-client)

7. domained - Multi Tool Subdomain Enumeration
   - Repository: [domained](https://github.com/TypeError/domained)

8. bugcrowd-levelup-subdomain-enumeration - This repository contains all the material from the talk "Esoteric sub-domain enumeration techniques" given at Bugcrowd LevelUp 2017 virtual conference
   - Repository: [bugcrowd-levelup-subdomain-enumeration](https://github.com/appsecco/bugcrowd-levelup-subdomain-enumeration)

9. shuffledns - shuffleDNS is a wrapper around massdns written in Go that allows you to enumerate valid subdomains using active bruteforce as well as resolve subdomains with wildcard handling and easy input-output…
   - Repository: [shuffledns](https://github.com/projectdiscovery/shuffledns)

10. censys-subdomain-finder - Perform subdomain enumeration using the certificate transparency logs from Censys.
    - Repository: [censys-subdomain-finder](https://github.com/christophetd/censys-subdomain-finder)

11. Turbolist3r - Subdomain enumeration tool with analysis features for discovered domains
    - Repository: [Turbolist3r](https://github.com/fleetcaptain/Turbolist3r)

12. censys-enumeration - A script to extract subdomains/emails for a given domain using SSL/TLS certificate dataset on Censys
    - Repository: [censys-enumeration](https://github.com/0xbharath/censys-enumeration)

13. tugarecon - Fast subdomains enumeration tool for penetration testers.
    - Repository: [tugarecon](https://github.com/LordNeoStark/tugarecon)

14. as3nt - Another Subdomain ENumeration Tool
    - Repository: [as3nt](https://github.com/cinerieus/as3nt)

15. Subra - A Web-UI for subdomain enumeration (subfinder)
    - Repository: [Subra](https://github.com/si9int/Subra)

16. Substr3am - Passive reconnaissance/enumeration of interesting targets by watching for SSL certificates being issued
    - Repository: [Substr3am](https://github.com/nexxai/Substr3am)

17. domain - enumall.py setup script for Recon-ng
    - Repository: [domain](https://github.com/jhaddix/domain/)

18. altdns - Generates permutations, alterations, and mutations of subdomains and then resolves them
    - Repository: [altdns](https://github.com/infosec-au/altdns)

19. brutesubs - An automation framework for running multiple open-source subdomain bruteforcing tools (in parallel) using your own wordlists via Docker Compose
    - Repository: [brutesubs](https://github.com/anshumanbh/brutesubs)

20. dns-parallel-prober - This is a parallelized domain name prober to find as many subdomains of a given domain as fast as possible.
    - Repository: [dns-parallel-prober](https://github.com/lorenzog/dns-parallel-prober)

21. dnscan - dnscan is a python wordlist-based DNS subdomain scanner.
    - Repository: [dnscan](https://github.com/rbsec/dnscan)

22. knock - Knockpy is a python tool designed to enumerate subdomains on a target domain through a wordlist.
    - Repository: [knock](https://github.com/guelfoweb/knock)

23. hakrevdns - Small, fast tool for performing reverse DNS lookups en masse
    - Repository: [hakrevdns](https://github.com/hakluke/hakrevdns)

24. dnsx - Dnsx is a fast and multi-purpose DNS toolkit that allows you to run multiple DNS queries of your choice with a list of user-supplied resolvers.
    - Repository: [dnsx](https://github.com/projectdiscovery/dnsx)

25. subfinder - Subfinder is a subdomain discovery tool that discovers valid subdomains for websites.
    - Repository: [subfinder](https://github.com/projectdiscovery/subfinder)

26. assetfinder - Find domains and subdomains related to a given domain
    - Repository: [assetfinder](https://github.com/tomnomnom/assetfinder)

27. crtndstry - Yet another subdomain finder
    - Repository: [crtndstry](https://github.com/nahamsec/crtndstry)

28. VHostScan - A virtual host scanner that performs reverse lookups
    - Repository: [VHostScan](https://github.com/codingo/VHostScan)

29. scilla - Information Gathering tool - DNS / Subdomains / Ports / Directories enumeration
    - Repository: [scilla](https://github.com/edoardottt/scilla)

30. sub3suite - A research-grade suite of tools for subdomain enumeration, intelligence gathering, and attack surface mapping.
    - Repository: [sub3suite](https://github.com/3nock/sub3suite)

Feel free to explore these tools and choose the one that best fits your needs for subdomain enumeration. Happy hunting!😄
