SubCat – A Fast And Efficient Subdomain Enumeration Tool

SubCat a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources. It has a simple modular architecture and is optimized for speed.

SubCat is built for doing one thing only – passive subdomain enumeration, and it does that very well.

We have designed SubCat to comply with all passive sources licenses, and usage restrictions, as well as maintained a consistently passive model to make it useful to both penetration testers and bug bounty hunters alike.

Features

Fast and powerful resolution and wildcard elimination module
Curated passive sources to maximize results
Optimized for speed, very fast and lightweight on resources
STDIN/OUT support for integrating in workflows
Scope limitation based on given IP ranges list

Install

# Linux, Windows, MacOS
pip3 install -r requirements.txt

Post Installation

API Key is needed before querying on third-party sites, such as Shodan, SecurityTrails, Virustotal, and BinaryEdge.

The API key setting can be done via config.yaml.

An example provider config file


binaryedge:
  - 0bf8919b-aab9-42e4-9574-d3b639324597
  - ac244e2f-b635-4581-878a-33f4e79a2c13

virustotal:
  - AAAAClP1bJJSRMEAAAAClP1bJJSRMEYJazgwhJKrggRwKAYJazgwhJKrggRwKA
securitytrails: []
shodan:
  - AAAAClP1bJJSRMEYJazgwhJKrggRwKA

Usage

python3 subcat.py -h

This will display help for the tool. Here are all the switches it supports.

Flags:
INPUT:
   -d --domain string    domains to find subdomains for
   -l DOMAINLIST         file containing list of domains for subdomain discovery
   --scope SCOPE         show only subdomains in scope

OUTPUT:
   -sc, --status-code    show response status code
   -ip, --ip             resolve IP address
   -title, --title       show page title
   -silent, --silent     show only subdomains in output
   -o OUTPUT, --output OUTPUT
                        file to write output to
   
CONFIG:
   -t THREADS, --threads THREADS
                        number of concurrent threads for resolving (default 40)

DEBUG:
   -v                    show verbose output
   -h, --help            show this help message and exit

Running SubCat

cat domains | python3 subcat.py

echo hackerone.com | python3 subcat.py -silent | httpx -silent

http://hackerone.com
http://www.hackerone.com
http://docs.hackerone.com
http://api.hackerone.com
https://docs.hackerone.com
http://mta-sts.managed.hackerone.com

python3 subcat.py -d hackerone.com

 
                       ;            ;                  
                     ρββΚ          ;ββΝ                
                   έΆχββββββββββββββββββΒ              
                 ;ΣΆχΜ΅΅ΫΝββββββββ Ϋ΅΅ΫβββΝ            
                όΆΆχβ   Ά   ββββ΅  Ά΅  βββββ           
               χΆΆΆφβΒ; Ϋ΅;έββββΒ; Ϋ΅ ρββββββ          
               ΆΆΆΆδβββββββββ;χββββββμβββββββ          
               ΪχχχχΧβββββββββββββββββββθθθθΚ          
              ·ϊβθβζ  Ϊθθβββββββββββββββμ ;όβΫ΅        
               ·΅   ΅ΫΫΫΆΆθβββββββββθθΫ΅   ΅Ϋ΅         
                       ;ΣΆθββββΒΝρρρμ                  
                      ;ΣΆΆβββββββββββμ
  ▄∞∞∞∞∞▄, ╒∞∞▄   ∞∞▄ ▄∞∞∞∞∞∞▄   ,▄∞∞∞∞▄      ▄∞∞4▄  ╒∞∞∞∞∞∞∞▄,
 ▐▄ ═▄▄▄ ▐█▐ ,▀  j' █▌█  ▄▄▄ ▀█▌█▀ ╓▄▄  ▀▄  ¡█  , ▐█ ▐▄▄▄  ▄▄██
 ▐▄ `'""▀██▐  █▌ j  █▌█  `"" ▄█▌█ ▐█▀`▀▄██' M  $██  █, `█ ▐█```
 j▀▀███▌ ▐█▐  ▀▌▄█  ▀▀█ ▐███  █▌▄ ▀█▄▄▀ ▐█M▀.       ▀█▄.▀ J▀
 ╚▄,,¬¬⌐▄█▌ ▀▄,,, ▄██ █,,,,,▓██▌ ▀▄,,,,▄█╩j▌,██▀▀▀▀▌,█▌`█,▐█
   ▀▀▀▀▀▀▀    ▀▀▀▀▀▀ ""▀▀▀▀▀▀      ▀▀▀""`  ▀▀▀     ▀▀▀   ▀▀▀
                ΅qΆΆΆΆβββββββββββββββββββββΡ΅  
                   ΫθΆΆΆββββββββββββββββΡ΅         
                       ΅ΫΫΫΫΝNNΝΫΫΫΐ΅΅      
                     
                     
                     v{1.1.1#dev}@duty1g
                             


[13:05:51] [INFO]: binaryedge.io 13 asset                                             
[13:05:52] [INFO]: virustotal 18 asset                                             
[13:05:53] [INFO]: urlscan.io 98 asset                                             
[13:05:54] [INFO]: alienvault.com 59 asset                                             
[13:06:28] [INFO]: wayback 193046 asset                                             
[13:06:29] [INFO]: hackertarget.com 4 asset                                             
[13:06:31] [INFO]: crt.sh 268 asset                                             
[13:06:32] [INFO]: certspotter.com 12 asset                                             
[13:06:33] [INFO]: bufferover.run 11 asset                                             
[13:06:33] [INFO]: threatcrowd.org 4 asset                                             
[13:06:33] [INFO]: Found 21 for hackerone.com

mta-sts.managed.hackerone.com
mta-sts.hackerone.com
mta-sts.forwarding.hackerone.com
a.ns.hackerone.com
b.ns.hackerone.com
docs.hackerone.com
go.hackerone.com
info.hackerone.com
links.hackerone.com
support.hackerone.com
api.hackerone.com
www.hackerone.com
hackerone.com
zendesk1.hackerone.com
zendesk3.hackerone.com
gslink.hackerone.com
zendesk4.hackerone.com
resources.hackerone.com
events.hackerone.com
zendesk2.hackerone.com
3d.hackerone.com

Subfinder – A New Tool to Discover Subdomains for Websites

April 4, 2023

In "Cyber security"

Sudomy : Subdomain Enumeration Tool Created Using A Bash Script

August 30, 2019

In "Kali Linux"

Subdominator – Unleash The Power Of Subdomain Enumeration

March 26, 2025

In "Cyber security"

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.