#subdomains

alterx
sponsor
alterx

Fast and customizable subdomain wordlist generator using DSL.

Chaos
sponsor
Chaos

Collect and maintain internet-wide assets data for public Bug Bounty programs.

dnsX
sponsor
dnsX

Fast and multi-purpose DNS toolkit designed for running DNS queries.

tlsx
sponsor
tlsx

Fast and configurable TLS grabber focused on TLS based data collection.

uncover
sponsor
uncover

Quickly discover exposed hosts on the internet using multiple search engines.

DNSProbe
sponsor
DNSProbe

Allows you to perform multiple dns queries of your choice with a list of user supplied resolvers.

shuffleDNS
sponsor
shuffleDNS

Enumerate valid subdomains using active bruteforce and DNS resolution.

Subfinder
sponsor
Subfinder

Discovery tool that discovers valid subdomains for websites.

celerystalk
featured
celerystalk

An asynchronous enumeration & vulnerability scanner.

DNSRecon
featured
DNSRecon

DNS Enumeration Script.

puredns
featured
puredns

Puredns is a fast domain resolver & subdomain bruteforcing tool.

FinalRecon
FinalRecon

All In One Web Recon.

Lookyloo
Lookyloo

Allows users to capture a website page and then display a tree of domains that call each other.

certs.io
certs.io

Search the entire internet by data in TLS certificates.

dmut
dmut

Perform permutations, mutations and alteration of subdomains.

subzy
subzy

Subdomain takeover vulnerability checker.

WhoisXMLAPI
WhoisXMLAPI

Domain & IP data intelligence for greater enterprise security.

resolvers
resolvers

The most exhaustive list of reliable DNS resolvers.

Kaeferjaeger
Kaeferjaeger

Lists of resources: cdn ranges, ips ranges, sni ip ranges...

ripgen
ripgen

Rust-based high performance domain permutation generator.

karma v2
karma v2

Passive open source intelligence automated reconnaissance.

shosubgo
shosubgo

Small tool to grab subdomains using Shodan API.

bbot
bbot

OSINT automation for hackers.

FavFreak
FavFreak

Making favicon.ico based recon great again.

SubScraper
SubScraper

Perform subdomain enumeration through various techniques and retrieve detailed output.

Fresh Resolvers
Fresh Resolvers

List of fresh DNS resolvers updated every 12h.

subnerium
subnerium

A fast passive subdomain enumeration tool that uses various sources to gather data.

hakip2host
hakip2host

Takes a list of IP addresses then does a series of checks to return associated domain names.

hakoriginfinder
hakoriginfinder

Discover the origin host behind a reverse proxy, useful for bypassing cloud WAFs!.

haktrails
haktrails

Golang client for querying SecurityTrails API data.

SubGPT
SubGPT

Find subdomains with GPT, for free.

wildcrawl
wildcrawl

Crawls URL to get a better image of what is tied to a website.

fastsub
fastsub

A DNS bruteforcer with multi-threading, and handling of bad resolvers.

subtake
subtake

Extension of sublister tool to check for subdomain takeovers.

SubdomainFinder
SubdomainFinder

Find subdomains by searching public certificate records.

GPT_Vuln-Analyzer
GPT_Vuln-Analyzer

A powerful network scanner, DNS recon, subdomain enumeration and IP Geolocator tool powered by GPT.

github-regexp
github-regexp

Basically a regexp over a GitHub search.

sub404
sub404

A fast tool to check subdomain takeover vulnerability.

SDBF
SDBF

Smart DNS Brute Forcer.

SQLMutant
SQLMutant

Searches for automated subdomain enumeration and runs SQLi tests.

moniorg
moniorg

Leverage crt.sh website to monitor domains of a target.

hunter.how
hunter.how

Internet search engines for security researchers.

Striker
Striker

Offensive information and vulnerability scanner.

Rock-ON
Rock-ON

All in one recon tool that just get a single domain name and do all of the work alone.

Domain Hunter
Domain Hunter

Checks expired domains to determine good candidates for phishing and C2 domain names.

Vajra
Vajra

UI-based tool with multiple techniques for attacking and enumerating Azure and AWS environment.

RED HAWK
RED HAWK

All in one tool for information gathering, vulnerability scanning and crawling.

Dome
Dome

Script that makes active and/or passive scan to obtain subdomains and search for open ports.

Shodan
Shodan

Search engine for Internet-connected devices.

Netlas.io
Netlas.io

Netlas.io is the network atlas of Internet. IP, DNS, Web, IoT devices, and etc.

AORT
AORT

All in one recon tool for bug bounty.

Sub-Drill
Sub-Drill

A very (very) FAST and simple subdomain finder based on online & free services.

Oculus
Oculus

OSINT tool used to discover environments, directories, and subdomains of a particular domain.

LiveTargetsFinder
LiveTargetsFinder

Generates lists of live hosts and URLs.

fprobe
fprobe

Take a list of domains/subdomains and probe for working http/https server.

Subra
Subra

A Web-UI for subdomain enumeration.

IntelSpy
IntelSpy

Perform automated network reconnaissance scans to gather network intelligence.

Async DNS Brute
Async DNS Brute

DNS asynchronous brute force utility.

gwdomains
gwdomains

Sub domain wild card filtering tool.

haktldextract
haktldextract

Extract domains/subdomains from URLs en masse.

MagicRecon
MagicRecon

A powerful shell script to maximize the recon and data collection process.

SonarSearch
SonarSearch

A rapid API for the project Sonar dataset.

vhosts-sieve
vhosts-sieve

Searching for virtual hosts among non-resolvable domains.

Certificate Search
Certificate Search

Get informations about SSL certificates.

SecurityTrails
SecurityTrails

Data for Security companies, researchers and teams.

GoAltdns
GoAltdns

A permutation generation tool written in golang.

CertCrunchy
CertCrunchy

Uses data from SSL Certificates to find potential host names.

GSAN
GSAN

Extract subdomains from SSL certificates in HTTPS sites.

Raccoon
Raccoon

A high performance offensive security tool for reconnaissance and vulnerability scanning.

Photon
Photon

Incredibly fast crawler designed for OSINT.

ScreenShooter
ScreenShooter

Convert your masscan/subdomain-scan results into screenshots for better analysis.

domain_hunter
domain_hunter

Try to find all subdomains, similar-domains and related-domains of an organization.

Domain Analyzer
Domain Analyzer

Analyze the security of any domain by finding all the information possible. Made in python.

GyoiThon
GyoiThon

Growing penetration test tool using Machine Learning.

CTFR
CTFR

Abusing Certificate Transparency logs for getting HTTPS websites subdomains.

Scout
Scout

Discover a web server's undisclosed files, directories and VHOSTs.

SiteBroker
SiteBroker

Utility for information gathering and penetration testing automation.

AttackSurfaceMapper
AttackSurfaceMapper

AttackSurfaceMapper is a tool that aims to automate the reconnaissance process.

AutoRecon
AutoRecon

Multi-threaded network reconnaissance tool which performs automated enumeration of services.

Certificate Ripper
Certificate Ripper

A CLI tool to extract server certificates.

Hackingtool
Hackingtool

ALL IN ONE Hacking Tool For Hackers.

OneForAll
OneForAll

A powerful subdomain integration tool.

csprecon
csprecon

Discover new target domains using Content Security Policy.

BlackWidow
BlackWidow

Web application scanner to gather OSINT and fuzz for OWASP vulnerabilities on a target website.

takeover
takeover

A tool for testing subdomain takeover possibilities at a mass scale.

Second Order
Second Order

Second-order subdomain takeover scanner.

HostileSubBruteforcer
HostileSubBruteforcer

Bruteforce existing subdomains and provide informations about them.

tko-subs
tko-subs

A tool that can help detect and takeover subdomains with dead DNS records.

subHijack
subHijack

Hijacking forgotten & misconfigured subdomains.

cnames
cnames

Take a list of resolved subdomains and output any corresponding CNAMES en masse.

Can I take over XYZ?
Can I take over XYZ?

A list of services and how to claim (sub)domains with dangling DNS records.

NSBrute
NSBrute

Python utility to takeover domains vulnerable to AWS NS Takeover.

autoSubTakeover
autoSubTakeover

A tool used to check if a CNAME resolves to the scope address.

SubOver
SubOver

A Powerful Subdomain Takeover Tool.

Burp-AnonymousCloud
Burp-AnonymousCloud

Performs passive scan to identify buckets and test them for publicly accessible vulnerabilities.

s3cario
s3cario

Performs buckets checks from a given list of subdomains.

MSDNSScan
MSDNSScan

Identify DNS records, check for zone transfers and conduct subdomain enumeration.

sub-domain enumeration techniques
sub-domain enumeration techniques

Esoteric sub-domain enumeration techniques - Bugcrowd LevelUp

WitnessMe
WitnessMe

Web Inventory tool, takes screenshots and provides some extra bells&whistles to make life easier.

Sub3 Suite
Sub3 Suite

A free, open source, cross platform Intelligence gathering tool.

Scilla
Scilla

Information Gathering tool - DNS / Subdomains / Ports / Directories enumeration.

crtndtry
crtndtry

Yet another subdomain finder.

brutesubs
brutesubs

Automation framework for running multiple open sourced subdomain bruteforcing tools in parallel.

Substr3am
Substr3am

Passive reconnaissance/enumeration of interesting targets by watching for SSL certificates.

As3nt
As3nt

Another Subdomain ENumeration Tool.

TugaRecon
TugaRecon

Subdomains enumeration tool for penetration testers.

Censys Enumeration
Censys Enumeration

Extract subdomains/emails for a given domain using SSL/TLS certificate dataset on Censys.

Turbolist3r
Turbolist3r

Subdomain enumeration tool with analysis features for discovered domains.

Censys subdomain finder
Censys subdomain finder

Perform subdomain enumeration using the certificate transparency logs from Censys.

domained
domained

Multi Tool Subdomain Enumeration.

dnsenum
dnsenum

Enumerates DNS information of a domain and to discover non-contiguous ip blocks.

cero
cero

Scrape domain names from SSL certificates of arbitrary hosts.

mx-takeover
mx-takeover

Focuses DNS MX records and detects misconfigured MX records.

DataExtractor
DataExtractor

A Burp Suite extension to extract data from source code while browsing.

Sudomy
Sudomy

Collects subdomains and analyzes domains performing automated reconnaissance.

dnsReaper
dnsReaper

Subdomain takeover tool for attackers, bug bounty hunters and the blue team!

DNSTake
DNSTake

A fast tool to check missing hosted DNS zones that can lead to subdomain takeover.

Rengine
Rengine

Automated reconnaissance framework for webapps, highly configurable streamlined recon process.

GET-ACQ
GET-ACQ

Gather all companies acquired by a given company domain name.

mksub
mksub

Generate tens of thousands of subdomain combinations in a matter of seconds.

Th3inspector
Th3inspector

All in one tool for Information Gathering.

theHarvester
theHarvester

E-mails, subdomains and names Harvester.

github-subdomains
github-subdomains

Find subdomains on GitHub.

gotator
gotator

Generates DNS wordlists through permutations.

SpiderFoot
SpiderFoot

Automates OSINT for threat intelligence and mapping your attack surface.

favicon-hashtrick
favicon-hashtrick

Python script implementing the favicon hash trick to find subdomains.

cloudflare-origin-ip
cloudflare-origin-ip

Try to find the origin IP of a webapp protected by Cloudflare.

Altdns
Altdns

Generates permutations, alterations and mutations of subdomains and then resolves them.

Sublert
Sublert

Monitor new subdomains deployed by specific organizations and issued TLS/SSL certificate.

dnscan
dnscan

Python wordlist-based DNS subdomain scanner.

dnsgen
dnsgen

Generates combination of domain names from the provided input.

Virtual host scanner
Virtual host scanner

A script to enumerate virtual hosts on a server.

Findomain
Findomain

The complete solution for domain recognition.

subzuf
subzuf

A smart DNS response-guided subdomain fuzzer.

GRecon
GRecon

Run a Google based passive recon against your scope.

hakrevdns
hakrevdns

Small, fast tool for performing reverse DNS lookups en masse.

dsieve
dsieve

Filter and enrich a list of subdomains by level.

regulator
regulator

Automated learning of regexes for DNS discovery.

gitlab-subdomains
gitlab-subdomains

Find subdomains on GitLab.

SubBrute
SubBrute

A DNS meta-query spider that enumerates DNS records, and subdomains.

Knockpy
Knockpy

Knock Subdomain Scan.

assetfinder
assetfinder

Find domains and subdomains related to a given domain.

Sublist3r
Sublist3r

Fast subdomains enumeration tool for penetration testers.

Amass
Amass

In-depth Attack Surface Mapping and Asset Discovery.