SubScraper is a fast subdomain enumeration tool that combines brute-forcing with scraping (Certificate Transparency logs, VirusTotal, crt.sh, and more).
pip install subscraper # or git clone https://github.com/Cillian-Collins/subscraper cd subscraper && pip install -r requirements.txt
# Basic subdomain enumeration subscraper -t target.com # With DNS brute-force + passive sources subscraper -t target.com -b -w /usr/share/wordlists/subdomains.txt # Output to file subscraper -t target.com -o subdomains.txt # With all passive modules subscraper -t target.com --all
subscraper -t hackxpert.com --all -o hackxpert_subs.txt cat hackxpert_subs.txt | httpx -status-code -title -tech-detect
How many live subdomains can you find? Look for hidden admin panels, dev environments, or exposed APIs.
# Pipe to httpx for live host detection subscraper -t target.com | httpx -silent # Pipe to nuclei for vulnerability scanning subscraper -t target.com | httpx -silent | nuclei -t exposures/ # Feed into nmap subscraper -t target.com -o subs.txt && nmap -iL subs.txt -p 80,443,8080,8443