https://github.com/eredotpkfr/subscan

⚡ A subdomain enumeration tool leveraging diverse techniques, designed for advanced pentesting operations

Subscan is a powerful subdomain enumeration tool built with [Rust](https://www.rust-lang.org/), specifically designed for penetration testing purposes. It combines various discovery techniques into a single, lightweight binary, making subdomain hunting easier and faster for security researchers

## Features

- 🕵️ Smart Discovery Tricks
  - Use multiple search engines (`Google`, `Yahoo`, `Bing`, `DuckDuckGo`, etc.)
  - Integrate with APIs like `Shodan`, `Censys`, `VirusTotal` and more
  - Perform zone transfer checks
  - Subdomain brute-forcing with optimized wordlists
- 🔍 Resolve IP addresses for all subdomains
- 📎 Export reports in `CSV`, `HTML`, `JSON`, or `TXT` formats
- 🛠️ Configurable
  - Customize HTTP requests (user-agent, timeout, etc.)
  - Rotate requests via proxies (`--proxy` argument)
  - Fine-tune IP resolver with `--resolver` arguments
  - Filter and run specific modules with `--skips` and `--modules`
- 🐳 Docker Friendly
  - Native support for `amd64` and `arm64` Linux platforms
  - A tiny container that won't eat up your storage — under 1GB and ready to roll 🚀
- 💻 Compatible with multiple platforms and easy to install as a single binary

## Install

🦀 Install the `subscan` tool using Cargo, Rust's package manager. Make sure you have [Rust](https://www.rust-lang.org/) installed on your system. Then, run

```bash
~$ cargo install subscan
```

## Usage

✨ Here's a quick overview of how to use it

```bash
~$ subscan
           _
          | |
 ___ _   _| |__  ___  ___ __ _ _ __
/ __| | | | '_ \/ __|/ __/ _` | '_ \
\__ \ |_| | |_) \__ \ (_| (_| | | | |
|___/\__,_|_.__/|___/\___\__,_|_| |_|

Usage: subscan [OPTIONS]

Commands:
  scan    Start scan on any domain address
  brute   Start brute force attack with a given wordlist
  module  Subcommand to manage implemented modules
  help    Print this message or the help of the given subcommand(s)

Options:
  -v, --verbose...  Increase logging verbosity
  -q, --quiet...    Decrease logging verbosity
  -h, --help        Print help (see more with '--help')
  -V, --version     Print version
```

### Start Scan

To scan a domain using all available modules, use the following command

```bash
~$ subscan scan -d example.com
```

You can also choose specific modules to run or skip using the `--skips` and `--modules` arguments. Module names should be provided as a comma-separated list

```bash
~$ # skip the commoncrawl and google modules during the scan
~$ subscan scan -d example.com --skips=commoncrawl,google
```

```bash
~$ # run only the virustotal module
~$ subscan scan -d example.com --modules=virustotal
```

> [!NOTE]
> If a module is included in both the `--skips` and `--modules` arguments, it will be skipped and not executed

### Brute Force

Use the `brute` command to start a brute force attack with a specific wordlist

```bash
~$ subscan brute -d example.com --wordlist file.txt
```

## Environments

All environment variables are managed through the `.env` file, which Subscan reads at startup. Refer to the `.env.template` file to see how to create one

> [!TIP]
> You can also set environment variables directly from the shell
>
> ```bash
> SUBSCAN_VIRUSTOTAL_APIKEY=foo subscan scan -d foo.com --modules=virustotal
> ```

| Name | Required | Description |
| :----------------------------- | :------: | :---------: |
| `SUBSCAN_CHROME_PATH` | `false` | Specify your Chrome executable. If not specified, the Chrome binary will be fetched automatically by headless_chrome based on your system architecture |
| `SUBSCAN_<MODULE_NAME>_HOST` | `false` | Some API integration modules allow a user-specific host. In those cases, set the module-specific host |
| `SUBSCAN_<MODULE_NAME>_APIKEY` | `false` | Some modules may include API integration and require an API key for authentication. Set the API key in these cases |
| `SUBSCAN_<MODULE_NAME>_USERNAME` | `false` | Set the username for a module if it uses HTTP basic authentication |
| `SUBSCAN_<MODULE_NAME>_PASSWORD` | `false` | Set the password for a module if it uses HTTP basic authentication |
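
As an added example (not part of Subscan or its README), the shell function below lints a `.env` file before a scan: it checks that the file holding API keys and passwords is not accessible to group or other users, and that every variable follows the `SUBSCAN_VIRUSTOTAL_APIKEY` naming pattern shown above. It assumes dotenv-style `KEY=VALUE` lines and module names made of uppercase letters, digits and underscores; `check_subscan_env` is a hypothetical helper name.

```bash
#!/bin/sh
# Added example (not Subscan code): lint a .env file before running a scan.
# Assumptions: dotenv-style KEY=VALUE lines; module names are [A-Z0-9_]+.

# Variable names from the README table; the module part is an assumption.
RE='^SUBSCAN_(CHROME_PATH|[A-Z0-9]+(_[A-Z0-9]+)*_(HOST|APIKEY|USERNAME|PASSWORD))$'

# check_subscan_env FILE: prints one finding per line, returns 0 if clean.
# The body runs in a subshell so its variables do not leak to the caller.
check_subscan_env() (
    file=$1; findings=0; lineno=0
    [ -f "$file" ] || { echo "missing: $file"; exit 1; }

    # API keys and passwords live here: group/other need no access.
    if [ "$(ls -ld "$file" | cut -c5-10)" != "------" ]; then
        echo "perms: $file is accessible to group/other, use chmod 600"
        findings=$((findings + 1))
    fi

    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in ''|'#'*) continue ;; esac   # blank line or comment
        name=${line%%=*}; value=${line#*=}
        if [ "$name" = "$line" ]; then
            echo "line $lineno: not a KEY=VALUE assignment"
        elif ! printf '%s\n' "$name" | LC_ALL=C grep -Eq "$RE"; then
            echo "line $lineno: unrecognised variable name '$name'"
        elif [ -z "$value" ]; then
            echo "line $lineno: $name is set but empty"
        else
            continue
        fi
        findings=$((findings + 1))
    done < "$file"

    [ "$findings" -eq 0 ]
)

# Constructed sample file; the values are placeholders, not real credentials.
sample=$(mktemp)   # mktemp creates the file with mode 600
printf '%s\n' 'SUBSCAN_VIRUSTOTAL_APIKEY=constructed-key' \
    'SUBSCAN__APIKEY=constructed-key' 'SUBSCAN_SHODAN_APIKEY=' > "$sample"
check_subscan_env "$sample" || echo "fix the findings above before scanning"
rm -f "$sample"
```

For container runs, the same file can be handed to `docker run --env-file`, which keeps the key values out of the command line and shell history.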

## Docker

🐳 For containerized usage, you can pull the `eredotpkfr/subscan` Docker image directly from [Docker Hub](https://hub.docker.com/)

```bash
~$ docker pull eredotpkfr/subscan:latest
```

After pulling the pre-built image, you can easily run the container to perform subdomain enumeration

```bash
~$ docker run -it --rm eredotpkfr/subscan scan -d example.com
```

Specify environment variables via Docker's `--env` option

```bash
~$ docker run -it --rm \
    --env SUBSCAN_VIRUSTOTAL_APIKEY=foo \
    eredotpkfr/subscan scan -d example.com --modules=virustotal
```

To save output reports to the host machine, use the `/data` folder

```bash
~$ docker run -it --rm \
    --volume="$PWD/data:/data" \
    eredotpkfr/subscan scan -d example.com
```

To pass a wordlist into the Docker container, use the `/data` folder

```bash
~$ docker run -it --rm \
    --volume="$PWD/wordlist.txt:/data/wordlist.txt" \
    eredotpkfr/subscan brute -d example.com \
    -w wordlist.txt --print
```

## Development

📚 You can find all the resources and documentation for developing Subscan in the [Development](https://www.erdoganyoksul.com/subscan/development/index.html) chapter of the project's book page

## Credits

🙏 Parts of the codebase are inspired by

- [subfinder](https://github.com/projectdiscovery/subfinder) - Fast passive subdomain enumeration tool
- [Sublist3r](https://github.com/aboul3la/Sublist3r) - Fast subdomains enumeration tool for penetration testers
- [subbrute](https://github.com/TheRook/subbrute) - A DNS meta-query spider that enumerates DNS records, and subdomains
- [knock](https://github.com/guelfoweb/knock) - Knock subdomain scan
- [dnsrecon](https://github.com/darkoperator/dnsrecon) - DNS enumeration script

## Contributing

📢 All contributors are welcome! Whether you're fixing bugs, adding new features, improving documentation, or sharing ideas, your contributions are highly valued and appreciated

To get started, please check out the [CONTRIBUTING.md](https://github.com/eredotpkfr/subscan/blob/main/.github/CONTRIBUTING.md) file

## Contact

Blog - [erdoganyoksul.com](https://www.erdoganyoksul.com)

Mail -