subscan 0.1.9

A subdomain enumeration tool leveraging diverse techniques, designed for advanced pentesting operations
Documentation

🔍🕵️ Subscan is a powerful subdomain enumeration tool built with Rust, specifically designed for penetration testing purposes. It combines various discovery techniques into a single, lightweight binary, making subdomain hunting easier and faster for security researchers

Features

🎯 Let's Dive Into What Makes Subscan Super Cool

  • 🕵️ Smart Discovery Tricks:
    • Leverage multiple search engines including Google, Yahoo, Bing, and Duckduckgo for extensive subdomain discovery
    • Integrate seamlessly with leading reconnaissance APIs such as Shodan, Censys, VirusTotal and more
    • Perform a zone transfer check on the target domain
    • Execute subdomain brute-forcing with optimized wordlists
  • 🔍 IP Detective: Resolve IP addresses for all discovered subdomains
  • 🛠️ Completely Configurable:
    • Customize HTTP requests, such as user-agent, timeout, and more
    • Rotate HTTP requests through proxies using the --proxy argument
    • Fine-tune the IP resolver component with arguments that start with --resolver
    • Use the --skips and --modules arguments to filter and run only the specific modules you want
  • 📎 Flexible Reporting:
    • Generate reports in CSV, HTML, JSON, or TXT formats
    • Generate detailed JSON reports for technical analysis and insights
  • 🐳 Docker Friendly:
    • Native support for Linux architectures, including amd64 and arm64 platforms
    • A tiny container that won't eat up your storage — under 1GB and ready to roll
  • 💻 Cross Platform: Install effortlessly as a single binary compatible across multiple platforms
  • 🚀 Super Lightweight: A minimalist design with a small Docker image size and an even smaller binary

Install

cargo install subscan

Usage

Usage: subscan [OPTIONS] <COMMAND>

Commands:
  scan    Start scan on any domain address
  brute   Start brute force attack with a given wordlist
  module  Subcommand to manage implemented modules
  help    Print this message or the help of the given subcommand(s)

Options:
  -v, --verbose...  Increase logging verbosity
  -q, --quiet...    Decrease logging verbosity
  -h, --help        Print help (see more with '--help')
  -V, --version     Print version

Environments

All environments are managed by the .env file. Subscan can read your environments from this .env file. You can refer to the .env.template file to see how to create them. Also you can specify your environments from shell:

SUBSCAN_VIRUSTOTAL_APIKEY=foo subscan scan -d foo.com --modules=virustotal
Name Required Description
SUBSCAN_CHROME_PATH false Specify your Chrome executable. If not specified, the Chrome binary will be fetched automatically by headless_chrome based on your system architecture
SUBSCAN_<MODULE_NAME>_HOST  false Some API integration modules can provide user specific host, for these cases, set module specific host
SUBSCAN_<MODULE_NAME>_APIKEY  false Some modules may include API integration and require an API key for authentication. Set the API key in these cases
SUBSCAN_<MODULE_NAME>_USERNAME  false Set the username for a module if it uses HTTP basic authentication
SUBSCAN_<MODULE_NAME>_PASSWORD  false Set the password for a module if it uses HTTP basic authentication