CLI Reference

Complete command-line interface reference for SubdomainX.

Basic Usage

Single domain:

subdomainx <domain> [OPTIONS]

Multiple domains:

subdomainx --wildcard <domains_file> [OPTIONS]

Required: You must provide either a single domain as a positional argument or a file containing target domains using the --wildcard flag.

Important: Flags must be placed before the domain argument. For example:
subdomainx --subfinder --httpx example.com  # Correct
subdomainx example.com --subfinder --httpx  # Incorrect

Command Options

Required Options

Option	Description
`<domain>`	Target domain for single domain scan
`--wildcard FILE`	Path to file containing target domains (one per line)

Tool Selection details

Use specific tools, otherwise all available enumeration tools will be used by default (API tools and scanners are disabled by default).

Enumeration Tools

Option	Description
`--subfinder`	Use subfinder tool
`--amass`	Use amass tool
`--findomain`	Use findomain tool
`--assetfinder`	Use assetfinder tool
`--sublist3r`	Use sublist3r tool
`--knockpy`	Use knockpy tool
`--dnsrecon`	Use dnsrecon tool
`--fierce`	Use fierce tool
`--massdns`	Use massdns tool
`--altdns`	Use altdns tool
`--waybackurls`	Use waybackurls tool
`--linkheader`	Use Link Header enumeration

API Tools details

Option	Description
`--securitytrails`	Use SecurityTrails API
`--virustotal`	Use VirusTotal API
`--censys`	Use Censys API
`--crtsh`	Use crt.sh Certificate Transparency API
`--urlscan`	Use URLScan.io API
`--threatcrowd`	Use ThreatCrowd API
`--hackertarget`	Use HackerTarget API

Note: If no specific tools are specified, SubdomainX will use all available enumeration tools by default. API tools and scanners must be explicitly enabled.

Scanning Tools details

Option	Description
`--httpx`	Use httpx for HTTP scanning (discovers web services, extracts titles, status codes, and technologies)
`--smap`	Use smap for port scanning (identifies open ports and services on discovered hosts)

Filter Options

Filter results based on specific criteria:

Option	Default	Description	Example
`--status-codes`	All	Filter by HTTP status codes (comma-separated)	`--status-codes 200,301,302`
`--ports`	All	Filter by ports (comma-separated)	`--ports 80,443,8080`

Note: Filter options work with HTTP scanning (--httpx) and port scanning (--smap) results. Default values include all common HTTP status codes (100-511) and common ports (21,22,23,25,53,80,110,111,135,139,143,443,993,995,1723,3306,3389,5900,8080,8443).

Output Options

Option	Default	Description
`--name NAME`	`scan`	Unique name for output files
`--format FORMAT`	`json`	Output format: json, txt, html
`--output DIR`	`output`	Output directory for generated files

Performance Options

Option	Default	Description
`--threads N`	`10`	Number of concurrent threads
`--retries N`	`3`	Number of retry attempts
`--timeout N`	`30`	Timeout in seconds
`--rate-limit N`	`100`	Rate limit per second
`--wordlist FILE`	`""`	Custom wordlist file for brute-forcing
`--max-http-targets N`	`1000`	Maximum subdomains to scan with httpx
`--resume SCAN_ID`	`""`	Resume scan from checkpoint (scan ID)
`--list-checkpoints`	`false`	List available checkpoints

Utility Options

Option	Description
`--help`	Show help message
`--version`	Show version information
`--check-tools`	Check availability of enumeration tools
`--install-tools`	Show installation instructions for missing tools
`--config FILE`	Use custom configuration file
`--verbose`	Enable verbose output

Examples

Basic Scan

Single domain:

subdomainx example.com

Multiple domains:

subdomainx --wildcard domains.txt

Specific Tools

Single domain:

subdomainx --amass --subfinder --waybackurls example.com

Multiple domains:

subdomainx --wildcard domains.txt --amass --subfinder --waybackurls

Link Header Discovery

Single domain:

subdomainx --linkheader example.com

Multiple domains:

subdomainx --wildcard domains.txt --linkheader

API Tools

Single domain:

subdomainx --securitytrails --virustotal --censys --crtsh --urlscan --threatcrowd --hackertarget example.com

Multiple domains:

subdomainx --wildcard domains.txt --securitytrails --virustotal --censys --crtsh --urlscan --threatcrowd --hackertarget

Custom Wordlist

Single domain:

subdomainx --wordlist /path/to/wordlist.txt example.com

Multiple domains:

subdomainx --wildcard domains.txt --wordlist /path/to/wordlist.txt

Performance Optimization

Limit HTTP scanning for large subdomain lists:

subdomainx --subfinder --httpx --max-http-targets 500 example.com

High-performance scan with custom limits:

subdomainx --subfinder --httpx --max-http-targets 200 --threads 20 --timeout 60 example.com

Progress Monitoring

Enable verbose mode for resource monitoring:

subdomainx --verbose --subfinder --amass example.com

Resume Functionality

List available checkpoints:

subdomainx --list-checkpoints

Resume interrupted scan:

subdomainx --resume my_scan

Resume with additional scanning:

subdomainx --resume my_scan --httpx --smap

Multiple domains:

subdomainx --wildcard domains.txt --securitytrails --virustotal --censys

Mixed Approach

Single domain:

subdomainx --subfinder --securitytrails --linkheader example.com

Multiple domains:

subdomainx --wildcard domains.txt --amass --virustotal --censys --linkheader

With Filters

Single domain:

subdomainx --httpx --smap --status-codes 200,301,302 --ports 80,443,8080 example.com

Multiple domains:

subdomainx --wildcard domains.txt --httpx --smap --status-codes 200,301,302 --ports 80,443,8080

HTML Report

Single domain:

subdomainx --format html --name my_scan example.com

Multiple domains:

subdomainx --wildcard domains.txt --format html --name my_scan

High Performance

Single domain:

subdomainx --threads 20 --timeout 60 example.com

Multiple domains:

subdomainx --wildcard domains.txt --threads 20 --timeout 60

Tool Management

Check Tools

Check which tools are available and get installation help:

subdomainx --check-tools

Install Help

Get detailed installation instructions for missing tools:

subdomainx --install-tools

Examples