Supported Tools
Comprehensive list of enumeration and scanning tools integrated with SubdomainX.
Enumeration Tools
Enumeration tools discover subdomains through various techniques including passive reconnaissance, DNS queries, and online sources.
subfinder
Description: Fast subdomain discovery tool that uses passive online sources to find subdomains. It queries various search engines, certificate transparency logs, and other public sources to discover subdomains without directly interacting with the target.
Website: GitHub (opens in a new tab)
Install: go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
Wordlist Support: Yes (-w flag)
amass
Description: Comprehensive network reconnaissance and attack surface mapping tool. It performs DNS enumeration, network mapping, and subdomain discovery using multiple techniques including brute forcing, certificate transparency, and passive reconnaissance.
Website: GitHub (opens in a new tab)
Install: go install -v github.com/owasp-amass/amass/v4/...@master
Wordlist Support: Yes (-w flag)
findomain
Description: Cross-platform subdomain enumeration tool that uses multiple sources including search engines, certificate transparency logs, and DNS bruteforcing. It's designed to be fast and efficient while providing comprehensive coverage.
Website: GitHub (opens in a new tab)
Install: curl -LO https://github.com/findomain/findomain/releases/latest/download/findomain-linux
assetfinder
Description: Find domains and subdomains potentially related to a given domain by querying various online sources. It's designed to discover assets that might be related to the target organization through passive reconnaissance.
Website: GitHub (opens in a new tab)
Install: go install github.com/tomnomnom/assetfinder@latest
sublist3r
Description: Fast subdomain enumeration tool for penetration testers that uses search engines and other online sources to discover subdomains. It's designed to be efficient and provide quick results for security assessments.
Website: GitHub (opens in a new tab)
Install: pip install sublist3r
knockpy
Description: Python3 tool designed to enumerate subdomains on a target domain through DNS bruteforcing and wordlist-based discovery. It's effective for finding subdomains that might not be publicly indexed.
Website: GitHub (opens in a new tab)
Install: pip install knockpy
dnsrecon
Description: DNS enumeration and reconnaissance tool that performs various DNS queries including zone transfers, reverse lookups, and bruteforcing. It's designed for comprehensive DNS reconnaissance and mapping.
Website: GitHub (opens in a new tab)
Install: pip install dnsrecon
fierce
Description: DNS reconnaissance tool for locating non-contiguous IP space and hostnames. It uses DNS queries to discover hosts and subdomains, making it effective for network mapping and reconnaissance.
Website: GitHub (opens in a new tab)
Install: pip install fierce
massdns
Description: High-performance DNS stub resolver designed for bulk DNS queries. It can process large wordlists efficiently and is often used in combination with other tools for subdomain enumeration and DNS bruteforcing.
Website: GitHub (opens in a new tab)
Install: git clone https://github.com/blechschmidt/massdns.git && cd massdns && make
Wordlist Support: Yes (custom wordlist for DNS brute-forcing)
altdns
Description: Generates permutations, alterations and mutations of subdomains to discover additional hosts. It takes existing subdomains and creates variations that might reveal additional assets through pattern-based discovery.
Website: GitHub (opens in a new tab)
Install: pip install py-altdns
Wordlist Support: Yes (-w flag for permutation words)
waybackurls
Description: Fetch all the URLs that the Wayback Machine knows about for a domain. It queries the Internet Archive's Wayback Machine to discover historical URLs and subdomains that may not be currently active but were previously accessible.
Website: GitHub (opens in a new tab)
Install: go install github.com/tomnomnom/waybackurls@latest
linkheader
Description: Discover subdomains by parsing HTTP Link headers from web services. This tool checks discovered subdomains for Link headers that often contain references to related services, APIs, and additional subdomains. It's particularly effective for finding hidden relationships between services.
Website: GitHub (opens in a new tab)
Install: Built-in (no installation required)
API Tools
API tools leverage external services and databases to discover subdomains through comprehensive data sources and threat intelligence.
SecurityTrails
Description: Comprehensive subdomain database and historical data provider. Offers extensive subdomain discovery through their massive database of DNS records, historical data, and passive reconnaissance sources.
Website: SecurityTrails (opens in a new tab)
Setup: Set SECURITYTRAILS_API_KEY environment variable
API: SecurityTrails API (opens in a new tab)
VirusTotal
Description: Security-focused subdomain discovery and threat intelligence platform. Provides subdomain enumeration through their comprehensive database of domains, IPs, and threat intelligence data.
Website: VirusTotal (opens in a new tab)
Setup: Set VIRUSTOTAL_API_KEY environment variable
API: VirusTotal API (opens in a new tab)
Censys
Description: Internet-wide scanning data for subdomain enumeration. Offers comprehensive data from their internet-wide scanning infrastructure, providing unique insights into subdomain discovery and infrastructure mapping.
Website: Censys (opens in a new tab)
Setup: Set CENSYS_API_ID and CENSYS_SECRET environment variables
API: Censys API (opens in a new tab)
crt.sh
Description: Certificate Transparency database for subdomain discovery. Queries the Certificate Transparency logs to find SSL certificates issued for subdomains, revealing hidden or forgotten subdomains through certificate data.
Website: crt.sh (opens in a new tab)
Setup: No setup required (public API)
API: crt.sh API (opens in a new tab)
URLScan.io
Description: Web scanning service for subdomain enumeration. Provides comprehensive data about websites and their infrastructure, including subdomain discovery through their extensive scanning database.
Website: URLScan.io (opens in a new tab)
Setup: Set URLSCAN_API_KEY environment variable (optional, for higher rate limits)
API: URLScan.io API (opens in a new tab)
ThreatCrowd
Description: Threat intelligence platform for subdomain enumeration. Provides subdomain discovery through their threat intelligence database, offering insights into malicious infrastructure and related domains.
Website: ThreatCrowd (opens in a new tab)
Setup: No setup required (public API)
API: ThreatCrowd API (opens in a new tab)
HackerTarget
Description: Security research platform for subdomain enumeration. Offers subdomain discovery through their comprehensive database of domains, IPs, and security research data.
Website: HackerTarget (opens in a new tab)
Setup: Set HACKERTARGET_API_KEY environment variable (optional, for higher rate limits)
API: HackerTarget API (opens in a new tab)
Scanning Tools
Scanning tools analyze discovered subdomains to identify open ports, web services, and gather additional information about the target infrastructure.
httpx
Description: Fast and multi-purpose HTTP probe for web services
Website: GitHub (opens in a new tab)
Install: go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
smap
Description: Port scanner and service discovery tool
Website: GitHub (opens in a new tab)
Install: pip install smap
Tool Management
Check Tool Availability
Verify which tools are available on your system:
subdomainx --check-toolsGet Installation Help
Get detailed installation instructions for missing tools:
subdomainx --install-toolsPro Tips
Tip:
- Install tools as needed - SubdomainX will work with any combination
- More tools = better coverage and results
- API tools provide additional discovery capabilities without local tool installation
- Some tools may require API keys for optimal performance
- Check tool documentation for specific configuration requirements