Install • Usage • Doc • Book • Docker • Development
Subscan is a powerful subdomain enumeration tool built with Rust, specifically designed for penetration testing purposes. It combines various discovery techniques into a single, lightweight binary, making subdomain hunting easier and faster for security researchers
- 🕵️ Smart Discovery Tricks
- Use multiple search engines (
Google,Yahoo,Bing,DuckDuckGo, etc.) - Integrate with APIs like
Shodan,Censys,VirusTotaland more - Perform zone transfer checks
- Subdomain brute-forcing with optimized wordlists
- Use multiple search engines (
- 🔍 Resolve IP addresses for all subdomains
- 📎 Export reports in
CSV,HTML,JSON, orTXTformats - 🛠️ Configurable
- Customize HTTP requests (user-agent, timeout, etc.)
- Rotate requests via proxies (
--proxyargument) - Fine-tune IP resolver with
--resolverarguments - Filter and run specific modules with
--skipsand--modules
- 🐳 Docker Friendly
- Native support for
amd64andarm64Linux platforms - A tiny container that won't eat up your storage — under 1GB and ready to roll 🚀
- Native support for
- 💻 Compatible with multiple platforms and easy to install as a single binary
🦀 Install the subscan tool using Cargo, Rust's package manager. Make sure you have Rust installed on your system. Then, run
~$ cargo install subscan✨ Here's a quick overview of how to use it
~$ subscan
_
| |
___ _ _| |__ ___ ___ __ _ _ __
/ __| | | | '_ \/ __|/ __/ _` | '_ \
\__ \ |_| | |_) \__ \ (_| (_| | | | |
|___/\__,_|_.__/|___/\___\__,_|_| |_|
Usage: subscan [OPTIONS] <COMMAND>
Commands:
scan Start scan on any domain address
brute Start brute force attack with a given wordlist
module Subcommand to manage implemented modules
help Print this message or the help of the given subcommand(s)
Options:
-v, --verbose... Increase logging verbosity
-q, --quiet... Decrease logging verbosity
-h, --help Print help (see more with '--help')
-V, --version Print versionTo scan a domain using all available modules, use the following command
~$ subscan scan -d example.comYou can also choose specific modules to run or skip using the --skips and --modules arguments. Module names should be provided as a comma-separated list
~$ # skip the commoncrawl and google modules during the scan
~$ subscan scan -d example.com --skips=commoncrawl,google~$ # run only the virustotal module
~$ subscan scan -d example.com --modules=virustotalNote
If a module is included in both the --skips and --modules arguments, it will be skipped and not executed
Use the brute command to start a brute force attack with a specific wordlist
~$ subscan brute -d example.com --wordlist file.txtAll environments are managed by the .env file. Subscan can read your environments from this .env file. You can refer to the .env.template file to see how to create them
Tip
Also you can specify your environments from shell
SUBSCAN_VIRUSTOTAL_APIKEY=foo subscan scan -d foo.com --modules=virustotal| Name | Required | Description |
|---|---|---|
SUBSCAN_CHROME_PATH |
false |
Specify your Chrome executable. If not specified, the Chrome binary will be fetched automatically by headless_chrome based on your system architecture |
SUBSCAN_<MODULE_NAME>_HOST |
false |
Some API integration modules can provide user specific host, for these cases, set module specific host |
SUBSCAN_<MODULE_NAME>_APIKEY |
false |
Some modules may include API integration and require an API key for authentication. Set the API key in these cases |
SUBSCAN_<MODULE_NAME>_USERNAME |
false |
Set the username for a module if it uses HTTP basic authentication |
SUBSCAN_<MODULE_NAME>_PASSWORD |
false |
Set the password for a module if it uses HTTP basic authentication |
🐳 For containerized usage, you can pull the eredotpkfr/subscan Docker image directly from Docker Hub
~$ docker pull eredotpkfr/subscan:latestAfter pulling the pre-built image, you can easily run the container to perform subdomain enumeration
~$ docker run -it --rm eredotpkfr/subscan scan -d example.comSpecify environment variable via docker --env
~$ docker run -it --rm \
--env SUBSCAN_VIRUSTOTAL_APIKEY=foo \
eredotpkfr/subscan scan -d example.com --modules=virustotalSaving output reports to host machine, use /data folder
~$ docker run -it --rm \
--volume="$PWD/data:/data" \
eredotpkfr/subscan scan -d example.comTo specify wordlist into docker container, use /data folder
~$ docker run -it --rm \
--volume="$PWD/wordlist.txt:/data/wordlist.txt" \
eredotpkfr/subscan brute -d example.com \
-w wordlist.txt --print📚 You can find all the resources and documentation for developing Subscan in the Development chapter of the project's book page
🙏 Parts of the codebase are inspired by
- subfinder - Fast passive subdomain enumeration tool
- Sublist3r - Fast subdomains enumeration tool for penetration testers
- subbrute - A DNS meta-query spider that enumerates DNS records, and subdomains
- knock - Knock subdomain scan
- dnsrecon - DNS enumeration script
📢 All contributors are welcome! Whether you're fixing bugs, adding new features, improving documentation, or sharing ideas, your contributions are highly valued and appreciated
To get started, please check out the CONTRIBUTING.md file
Blog - erdoganyoksul.com
Mail - erdoganyoksul3@gmail.com