Examples

Examples

Practical examples and use cases for SubdomainX.

Basic Examples

Single Domain Scan

Run a basic scan with all available tools on a single domain:

subdomainx example.com

Note: Uses all available enumeration tools by default and generates JSON output

Multiple Domains Scan

Run a scan on multiple domains from a file:

subdomainx --wildcard domains.txt

Note: Uses all available enumeration tools by default and generates JSON output

Specific Tools

Use only specific enumeration tools for targeted scanning:

Single domain:

subdomainx --subfinder --amass --findomain example.com

Multiple domains:

subdomainx --wildcard domains.txt --subfinder --amass --findomain

Note: Limits the scan to only the specified tools for faster execution

API Tools

Use API-based enumeration tools for enhanced discovery:

Single domain:

subdomainx --securitytrails --virustotal --censys --crtsh --urlscan --threatcrowd --hackertarget example.com

Multiple domains:

subdomainx --wildcard domains.txt --securitytrails --virustotal --censys --crtsh --urlscan --threatcrowd --hackertarget

Note: Requires API keys to be set as environment variables. Some APIs (crt.sh, ThreatCrowd) work without API keys.

Mixed Approach

Combine command-line tools with API tools for maximum coverage:

Single domain:

subdomainx --subfinder --securitytrails --waybackurls --linkheader example.com

Multiple domains:

subdomainx --wildcard domains.txt --amass --virustotal --censys --waybackurls --linkheader

Note: Combines the speed of local tools with the breadth of API databases, historical data, and HTTP Link header discovery

Custom Wordlist Discovery

Use custom wordlists for targeted brute-forcing:

Single domain:

subdomainx --wordlist /path/to/wordlist.txt example.com

Multiple domains:

subdomainx --wildcard domains.txt --wordlist /path/to/wordlist.txt

Performance Optimization

Limit HTTP scanning for large subdomain lists to improve performance:

Single domain:

subdomainx --subfinder --httpx --max-http-targets 500 example.com

Multiple domains:

subdomainx --wildcard domains.txt --subfinder --httpx --max-http-targets 200

Note: Use --max-http-targets to limit the number of subdomains scanned with httpx for better performance with large subdomain lists

Combined with specific tools:

subdomainx --subfinder --amass --wordlist /path/to/wordlist.txt example.com

Note: Uses custom wordlist for brute-forcing with tools that support it (subfinder, amass, massdns, altdns)

With HTTP Scanning

Include HTTP scanning to discover web services:

Single domain:

subdomainx --httpx example.com

Multiple domains:

subdomainx --wildcard domains.txt --httpx

Note: Discovers web services, extracts titles, status codes, and technologies

Complete Scan

Full enumeration with both HTTP and port scanning:

Single domain:

subdomainx --httpx --smap example.com

Multiple domains:

subdomainx --wildcard domains.txt --httpx --smap

Note: Comprehensive scan including port discovery and service identification

Filtered Results

Filter results by specific status codes and ports:

Single domain:

subdomainx --httpx --smap --status-codes 200,301,302 --ports 80,443,8080 example.com

Multiple domains:

subdomainx --wildcard domains.txt --httpx --smap --status-codes 200,301,302 --ports 80,443,8080

Note: Only shows results with specified HTTP status codes and open ports

Advanced Examples

Custom Output Format

Generate a beautiful HTML report with custom naming:

Single domain:

subdomainx --format html --name my_scan --output reports/ example.com

Multiple domains:

subdomainx --wildcard domains.txt --format html --name my_scan --output reports/

Note: Creates an HTML report in the reports/ directory with custom filename

High Performance

Optimize for speed with increased threads and timeout:

Single domain:

subdomainx --threads 20 --timeout 60 --rate-limit 200 --max-http-targets 1000 example.com

Multiple domains:

subdomainx --wildcard domains.txt --threads 20 --timeout 60 --rate-limit 200 --max-http-targets 500

Note: Uses more threads, higher rate limits, and optimized HTTP scanning for faster execution

Verbose Output

Get detailed information about the scanning process with resource monitoring:

# Enable verbose mode for progress and resource monitoring
subdomainx --verbose --subfinder --amass example.com
 
# Monitor with custom wordlist
subdomainx --verbose --wordlist /path/to/wordlist.txt example.com
 
# Monitor with multiple domains
subdomainx --verbose --wildcard domains.txt --subfinder --amass

Note: Shows real-time progress bars, ETA, memory usage, CPU cores, and goroutine count

Resume Interrupted Scans

Resume scans that were interrupted or failed:

List available checkpoints:

subdomainx --list-checkpoints

Resume from checkpoint:

subdomainx --resume my_scan

Resume with additional tools:

subdomainx --resume my_scan --httpx --smap

Note: Checkpoints are automatically saved during scans and when interrupted with Ctrl+C. Resume functionality skips completed steps and continues from where it left off.

Single domain:

subdomainx --verbose example.com

Multiple domains:

subdomainx --wildcard domains.txt --verbose

Note: Shows detailed progress and debugging information

Custom Configuration

Use a custom configuration file:

Single domain:

subdomainx --config my-config.yaml example.com

Multiple domains:

subdomainx --wildcard domains.txt --config my-config.yaml

Note: Loads settings from a custom YAML configuration file

Advanced Filtering

Combine multiple filters for precise results:

Single domain:

subdomainx --httpx --smap --status-codes 200,403 --ports 80,443,8080,8443 --max-http-targets 500 --verbose example.com

Multiple domains:

subdomainx --wildcard domains.txt --httpx --smap --status-codes 200,403 --ports 80,443,8080,8443 --max-http-targets 200

Multiple domains:

subdomainx --wildcard domains.txt --httpx --smap --status-codes 200,403 --ports 80,443,8080,8443 --verbose

Note: Filters for specific status codes and ports while showing detailed output

Sample Files

domains.txt

A simple text file containing target domains:

example.com
test.com
demo.org
sample.net

config.yaml

Custom configuration file:

threads: 15
timeout: 45
retries: 5
rate_limit: 150
output_format: html
output_dir: scans/

Best Practices

  • Start Small: Begin with a few domains and specific tools to test your setup
  • Use Appropriate Rate Limits: Set reasonable rate limits to avoid being blocked by services
  • Monitor Resources: Keep an eye on system resources when using high thread counts
  • Organize Output: Use meaningful names and organize output directories
  • Verify Results: Always verify discovered subdomains and validate findings
  • Use Filters: Leverage status code and port filters to focus on relevant results
  • Combine Tools: Use both enumeration and scanning tools for comprehensive results

Common Use Cases

Bug Bounty

Comprehensive subdomain discovery for bug bounty programs:

Single target:

subdomainx --httpx --smap --format html --name bugbounty_scan target.com

Multiple targets:

subdomainx --wildcard targets.txt --httpx --smap --format html --name bugbounty_scan

Security Assessment

Quick reconnaissance for security assessments:

Single domain:

subdomainx --subfinder --amass --httpx --threads 10 example.com

Multiple domains:

subdomainx --wildcard domains.txt --subfinder --amass --httpx --threads 10

API-Enhanced Discovery

Leverage external APIs for comprehensive subdomain discovery:

Single domain:

subdomainx --securitytrails --virustotal --censys --crtsh --urlscan --threatcrowd --hackertarget --linkheader example.com

Multiple domains:

subdomainx --wildcard domains.txt --securitytrails --virustotal --censys --crtsh --urlscan --threatcrowd --hackertarget --linkheader

Maximum Coverage

Combine all available tools for maximum subdomain discovery:

Single domain:

subdomainx --subfinder --amass --securitytrails --virustotal --censys --crtsh --urlscan --threatcrowd --hackertarget --waybackurls --linkheader --httpx --smap example.com

Multiple domains:

subdomainx --wildcard domains.txt --subfinder --amass --securitytrails --virustotal --censys --crtsh --urlscan --threatcrowd --hackertarget --waybackurls --linkheader --httpx --smap

Asset Discovery

Discover all assets belonging to an organization:

Single domain:

subdomainx --format json --output assets/ example.com

Multiple domains:

subdomainx --wildcard org_domains.txt --format json --output assets/

Web Application Testing

Focus on web applications with specific status codes:

Single domain:

subdomainx --httpx --status-codes 200,301,302,403 --format html --name webapp_scan example.com

Multiple domains:

subdomainx --wildcard webapps.txt --httpx --status-codes 200,301,302,403 --format html --name webapp_scan

Port Scanning

Comprehensive port discovery for network assessment:

Single domain:

subdomainx --smap --ports 21,22,23,25,53,80,443,8080 --verbose example.com

Multiple domains:

subdomainx --wildcard network.txt --smap --ports 21,22,23,25,53,80,443,8080 --verbose
Configuration
Made with ❤️ by ZeeshanStar us