SubCat a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources. It has a simple modular architecture and is optimized for speed.
SubCat is built for doing one thing only – passive subdomain enumeration, and it does that very well.
We have designed SubCat to comply with all passive sources licenses, and usage restrictions, as well as maintained a consistently passive model to make it useful to both penetration testers and bug bounty hunters alike.
Features
- Fast and powerful resolution and wildcard elimination module
- Curated passive sources to maximize results
- Optimized for speed, very fast and lightweight on resources
- STDIN/OUT support for integrating in workflows
- Scope limitation based on given IP ranges list
Install
# Linux, Windows, MacOS
pip3 install -r requirements.txt
Post Installation
API Key is needed before querying on third-party sites, such as Shodan, SecurityTrails, Virustotal,
and BinaryEdge
.
- The API key setting can be done via
config.yaml
.
An example provider config file
binaryedge:
- 0bf8919b-aab9-42e4-9574-d3b639324597
- ac244e2f-b635-4581-878a-33f4e79a2c13
virustotal:
- AAAAClP1bJJSRMEAAAAClP1bJJSRMEYJazgwhJKrggRwKAYJazgwhJKrggRwKA
securitytrails: []
shodan:
- AAAAClP1bJJSRMEYJazgwhJKrggRwKA
Usage
python3 subcat.py -h
This will display help for the tool. Here are all the switches it supports.
Flags:
INPUT:
-d --domain string domains to find subdomains for
-l DOMAINLIST file containing list of domains for subdomain discovery
--scope SCOPE show only subdomains in scope
OUTPUT:
-sc, --status-code show response status code
-ip, --ip resolve IP address
-title, --title show page title
-silent, --silent show only subdomains in output
-o OUTPUT, --output OUTPUT
file to write output to
CONFIG:
-t THREADS, --threads THREADS
number of concurrent threads for resolving (default 40)
DEBUG:
-v show verbose output
-h, --help show this help message and exit
Running SubCat
cat domains | python3 subcat.py
echo hackerone.com | python3 subcat.py -silent | httpx -silent
http://hackerone.com
http://www.hackerone.com
http://docs.hackerone.com
http://api.hackerone.com
https://docs.hackerone.com
http://mta-sts.managed.hackerone.com
python3 subcat.py -d hackerone.com
; ;
ρββΚ ;ββΝ
έΆχββββββββββββββββββΒ
;ΣΆχΜ΅΅ΫΝββββββββ Ϋ΅΅ΫβββΝ
όΆΆχβ Ά ββββ΅ Ά΅ βββββ
χΆΆΆφβΒ; Ϋ΅;έββββΒ; Ϋ΅ ρββββββ
ΆΆΆΆδβββββββββ;χββββββμβββββββ
ΪχχχχΧβββββββββββββββββββθθθθΚ
·ϊβθβζ Ϊθθβββββββββββββββμ ;όβΫ΅
·΅ ΅ΫΫΫΆΆθβββββββββθθΫ΅ ΅Ϋ΅
;ΣΆθββββΒΝρρρμ
;ΣΆΆβββββββββββμ
▄∞∞∞∞∞▄, ╒∞∞▄ ∞∞▄ ▄∞∞∞∞∞∞▄ ,▄∞∞∞∞▄ ▄∞∞4▄ ╒∞∞∞∞∞∞∞▄,
▐▄ ═▄▄▄ ▐█▐ ,▀ j' █▌█ ▄▄▄ ▀█▌█▀ ╓▄▄ ▀▄ ¡█ , ▐█ ▐▄▄▄ ▄▄██
▐▄ `'""▀██▐ █▌ j █▌█ `"" ▄█▌█ ▐█▀`▀▄██' M $██ █, `█ ▐█```
j▀▀███▌ ▐█▐ ▀▌▄█ ▀▀█ ▐███ █▌▄ ▀█▄▄▀ ▐█M▀. ▀█▄.▀ J▀
╚▄,,¬¬⌐▄█▌ ▀▄,,, ▄██ █,,,,,▓██▌ ▀▄,,,,▄█╩j▌,██▀▀▀▀▌,█▌`█,▐█
▀▀▀▀▀▀▀ ▀▀▀▀▀▀ ""▀▀▀▀▀▀ ▀▀▀""` ▀▀▀ ▀▀▀ ▀▀▀
΅qΆΆΆΆβββββββββββββββββββββΡ΅
ΫθΆΆΆββββββββββββββββΡ΅
΅ΫΫΫΫΝNNΝΫΫΫΐ΅΅
v{1.1.1#dev}@duty1g
[13:05:51] [INFO]: binaryedge.io 13 asset
[13:05:52] [INFO]: virustotal 18 asset
[13:05:53] [INFO]: urlscan.io 98 asset
[13:05:54] [INFO]: alienvault.com 59 asset
[13:06:28] [INFO]: wayback 193046 asset
[13:06:29] [INFO]: hackertarget.com 4 asset
[13:06:31] [INFO]: crt.sh 268 asset
[13:06:32] [INFO]: certspotter.com 12 asset
[13:06:33] [INFO]: bufferover.run 11 asset
[13:06:33] [INFO]: threatcrowd.org 4 asset
[13:06:33] [INFO]: Found 21 for hackerone.com
mta-sts.managed.hackerone.com
mta-sts.hackerone.com
mta-sts.forwarding.hackerone.com
a.ns.hackerone.com
b.ns.hackerone.com
docs.hackerone.com
go.hackerone.com
info.hackerone.com
links.hackerone.com
support.hackerone.com
api.hackerone.com
www.hackerone.com
hackerone.com
zendesk1.hackerone.com
zendesk3.hackerone.com
gslink.hackerone.com
zendesk4.hackerone.com
resources.hackerone.com
events.hackerone.com
zendesk2.hackerone.com
3d.hackerone.com