
Subscan

CLI tool for subdomain recon, DNS brute-force, scoring & security probes — written in Go.



Subscan is a fast and flexible CLI tool for subdomain enumeration.
Discover subdomains through passive intel & active DNS resolution.
Written in Go. Made for bug bounty hunters, red teamers, and automation.



🚀 Features

| Type | Description |
|------|-------------|
| 🔍 Passive Recon | Fetch subdomains from public sources like crt.sh, OTX, and ThreatCrowd |
| 🌐 Active Scanning | Brute-force with wordlists + concurrent DNS resolution |
| 🧠 Smart Wordlists | Intelligent permutation generation & pattern analysis |
| 📊 Subdomain Scoring | HTTP response analysis, TLS cert validation & CNAME detection |
| 🔬 Misconfiguration | Probe for subdomain takeovers, exposed files & open redirects |
| 📄 Export Formats | Output as JSON, CSV, HTML report, Markdown, or plain text |
| ⚡ Concurrency | Built-in goroutine worker pool for speed |
| 💾 Flexible Output | Save results to file or print to terminal |
| 🛠 Extensible (Soon) | Planned support for plugins and passive source modules |


🧱 Installation

git clone https://github.com/omerimzali/subscan.git
cd subscan
go build -o subscan
mv subscan /usr/local/bin/  # Optional

🧪 Usage

Basic passive+active scan:

subscan -d example.com

Passive only:

subscan -d example.com --passive-only

Active only (with wordlist):

subscan -d example.com --active-only -w wordlist.txt

Smart wordlist expansion:

subscan -d example.com --smart-bruteforce --dnstwist

Enable subdomain scoring and analysis:

subscan -d example.com --score

Probe for security issues and misconfigurations:

subscan -d example.com --probe

Probe with increased timeout (for slower connections):

subscan -d example.com --probe --probe-timeout 15

Generate a security findings report in HTML:

subscan -d example.com --probe --format html -o security-report.html

Export security findings as JSON for automation:

subscan -d example.com --probe --format json -o vulns.json

Export JSON results:

subscan -d example.com --score --format json

Generate HTML report:

subscan -d example.com --score --format html -o report.html

Complete scan with all features:

subscan -d example.com --smart-bruteforce --score --probe --verbose-scoring

Output to file:

subscan -d example.com -o out.txt

⚙️ CLI Options

| Flag | Description |
|------|-------------|
| --domain, -d | Target domain to scan (required) |
| --output, -o | Output file path |
| --format, -f | Output format: plain, json, csv, html, markdown |
| --passive-only | Only run passive enumeration |
| --active-only | Only run active resolution from wordlist |
| --wordlist, -w | Wordlist path for brute-forcing |
| --smart-bruteforce | Enable intelligent wordlist expansion |
| --commonspeak | Path to Commonspeak2 wordlist file |
| --dnstwist | Generate typo-based variations |
| --verbose-expansion | Show detailed output during wordlist expansion |
| --score | Enable subdomain analysis and scoring |
| --score-concurrency | Number of concurrent requests during scoring (default 10) |
| --score-timeout | Timeout in seconds for HTTP requests (default 5) |
| --verbose-scoring | Show detailed output during scoring process |
| --probe | Enable probing for misconfigurations |
| --probe-timeout | Timeout in seconds for probe requests (default 10) |
| --probe-concurrency | Number of concurrent probes (default 10) |
| --probe-verbose | Show detailed output during probing |


📄 Export Formats

Subscan supports multiple output formats for easy integration with other tools:

  1. Plain Text (default)

    • Simple list of subdomains with basic info
    • Example: [GitHub-Pages][200] skyline.github.com [200] [Cloud: GitHub-Pages] [CNAME: github.github.io]
  2. JSON

    • Structured data for programmatic processing
    • Complete subdomain metadata in JSON format
    [
      {
        "domain": "api.example.com",
        "status": 200,
        "content_length": 1024,
        "cname": "api.cdn.example.com",
        "cloud_provider": "AWS-CloudFront",
        "score": 4.5,
        "tags": ["200", "LARGE"],
        "is_tls": true
      }
    ]
    
  3. CSV

    • Spreadsheet-friendly format with headers
    • Fields: Domain, Status, ContentLength, CNAME, CloudProvider, Score, Tags, IsTLS
    • Easy to import into Excel, Google Sheets, etc.
  4. HTML Report

    • Beautiful, self-contained HTML page with styled table
    • Colorized status codes and tags
    • Summary statistics and metadata
    • Responsive design for easy viewing
  5. Markdown

    • GitHub/GitLab-friendly format
    • Includes formatted table with results
    • Preserves all important metadata
    • Perfect for documentation and reports

Pass the desired format with the --format flag (requires either the --score or the --probe option).
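The JSON export above is the format meant for automation, so a consumer should decode it with a typed schema, reject malformed files, and hand the interesting hosts on in a stable order. The Go program below is an added example (not part of Subscan) that parses a constructed two-entry export using the field names shown above, keeps records above a score threshold, and re-emits them as CSV with the column headers the CSV section lists. The `;` used to join tags into one CSV field and the sample values are assumptions.

```go
package main

import (
	"encoding/csv"
	"encoding/json"
	"fmt"
	"os"
	"sort"
	"strconv"
	"strings"
)

// Record mirrors the field names of Subscan's JSON export as shown above.
type Record struct {
	Domain        string   `json:"domain"`
	Status        int      `json:"status"`
	ContentLength int      `json:"content_length"`
	CNAME         string   `json:"cname"`
	CloudProvider string   `json:"cloud_provider"`
	Score         float64  `json:"score"`
	Tags          []string `json:"tags"`
	IsTLS         bool     `json:"is_tls"`
}

// sampleExport is a constructed two-entry export used as offline input;
// it is not real scan output.
const sampleExport = `[
  {"domain": "api.example.com", "status": 200, "content_length": 1024,
   "cname": "api.cdn.example.com", "cloud_provider": "AWS-CloudFront",
   "score": 4.5, "tags": ["200", "LARGE"], "is_tls": true},
  {"domain": "old.example.com", "status": 404, "content_length": 0,
   "cname": "old.s3.amazonaws.com", "cloud_provider": "AWS-S3",
   "score": 1.0, "tags": ["404"], "is_tls": false}
]`

// ParseExport decodes a JSON export and rejects malformed input instead of
// silently yielding an empty list.
func ParseExport(data []byte) ([]Record, error) {
	var recs []Record
	if err := json.Unmarshal(data, &recs); err != nil {
		return nil, fmt.Errorf("decode export: %w", err)
	}
	return recs, nil
}

// FilterByScore keeps records scoring at least minScore, highest first, so
// the most interesting hosts reach the next tool in the pipeline first.
func FilterByScore(recs []Record, minScore float64) []Record {
	var out []Record
	for _, r := range recs {
		if r.Score >= minScore {
			out = append(out, r)
		}
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Score > out[j].Score })
	return out
}

// CSVHeader lists the columns the README names for CSV output.
var CSVHeader = []string{"Domain", "Status", "ContentLength", "CNAME", "CloudProvider", "Score", "Tags", "IsTLS"}

// ToCSV renders records as RFC 4180 CSV. Tags are joined with ';' so the
// column stays a single field (an assumption, not Subscan's own separator).
func ToCSV(recs []Record) (string, error) {
	var sb strings.Builder
	w := csv.NewWriter(&sb)
	if err := w.Write(CSVHeader); err != nil {
		return "", err
	}
	for _, r := range recs {
		row := []string{
			r.Domain,
			strconv.Itoa(r.Status),
			strconv.Itoa(r.ContentLength),
			r.CNAME,
			r.CloudProvider,
			strconv.FormatFloat(r.Score, 'f', 1, 64),
			strings.Join(r.Tags, ";"),
			strconv.FormatBool(r.IsTLS),
		}
		if err := w.Write(row); err != nil {
			return "", err
		}
	}
	w.Flush()
	return sb.String(), w.Error()
}

func main() {
	recs, err := ParseExport([]byte(sampleExport))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	out, err := ToCSV(FilterByScore(recs, 2.0))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Print(out)
}
```

Running it prints the header line followed by the single record that clears the 2.0 threshold; replace `sampleExport` with the bytes of a file written by `subscan ... --format json -o vulns.json` to use it on real output.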


📂 Example Reports

Explore real-world output formats generated by Subscan:

🧪 HTML Security Report

Visual report showing detected issues with color-coded tags and metadata.

📷 Preview (add later)
🔗 View example report

📈 Scoring Report Formats

| Format | Description | Example |
|--------|-------------|---------|
| JSON | Structured data for programmatic analysis | View example |
| Markdown | GitHub-friendly format with tables | View example |
| CSV | Spreadsheet-compatible for data processing | View example |
| HTML | Interactive web report with styling | View example |
| Plain Text | Simple formatted output | View example |

🔍 Probe Report Formats

| Format | Description | Example |
|--------|-------------|---------|
| JSON | Complete vulnerability data for automation | View example |
| Markdown | Structured reports for documentation | View example |
| CSV | Tabular format for tracking findings | View example |
| HTML | Visual dashboard with vulnerability details | View example |
| Plain Text | Human-readable summary output | View example |


🧠 Smart Brute-Force

The smart brute-force feature analyzes passive enumeration results to generate intelligent wordlist permutations:

  1. Base Wordlist Expansion

    • Extracts prefixes from discovered subdomains (e.g., "api", "dev", "staging")
    • Generates meaningful permutations and combinations
  2. Commonspeak2 Integration

    • Merges with high-quality wordlists from the Commonspeak2 project
    • Automatically fetches the repository if not present locally
  3. DNSTwist Integration

    • Creates typosquatting variations of discovered domains
    • Uses character substitution, addition, omission, and swapping

This approach dramatically improves discovery rates by creating contextually relevant subdomain candidates.
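Step 1 of the expansion above (prefix extraction plus permutation) is small enough to show in full. The Go program below is an added example, not Subscan's own code: it takes hostnames already known for a root (for example from passive sources or your own DNS zone export), pulls out the leftmost labels and their hyphen-separated tokens, and joins every ordered pair of prefixes with a separator to produce candidates that an attack-surface inventory can then resolve and compare against what is supposed to exist. The separators (`-` and `.`), the decision to skip candidates whose first label is already known, and the sample hostnames are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// firstLabel returns the leftmost label of host under root, or false when the
// host is outside root, empty, or a wildcard entry such as "*.example.com".
func firstLabel(root, host string) (string, bool) {
	host = strings.ToLower(strings.Trim(host, "."))
	if !strings.HasSuffix(host, "."+root) {
		return "", false
	}
	label := strings.SplitN(strings.TrimSuffix(host, "."+root), ".", 2)[0]
	if label == "" || strings.Contains(label, "*") {
		return "", false
	}
	return label, true
}

// ExtractPrefixes returns the unique leftmost labels of the discovered hosts
// plus their hyphen-separated tokens ("dev-api" also yields "dev" and "api"),
// lower-cased and sorted so the output is deterministic.
func ExtractPrefixes(root string, discovered []string) []string {
	root = strings.ToLower(strings.Trim(root, "."))
	seen := map[string]bool{}
	for _, h := range discovered {
		label, ok := firstLabel(root, h)
		if !ok {
			continue
		}
		seen[label] = true
		for _, tok := range strings.Split(label, "-") {
			if tok != "" {
				seen[tok] = true
			}
		}
	}
	out := make([]string, 0, len(seen))
	for p := range seen {
		out = append(out, p)
	}
	sort.Strings(out)
	return out
}

// Expand builds candidate hostnames by joining every ordered pair of distinct
// prefixes with each separator in seps, skipping any candidate whose first
// label was already discovered. The result is unique and sorted.
func Expand(root string, discovered []string, seps []string) []string {
	root = strings.ToLower(strings.Trim(root, "."))
	known := map[string]bool{}
	for _, h := range discovered {
		if l, ok := firstLabel(root, h); ok {
			known[l] = true
		}
	}
	prefixes := ExtractPrefixes(root, discovered)
	cands := map[string]bool{}
	for _, a := range prefixes {
		for _, b := range prefixes {
			if a == b {
				continue
			}
			for _, sep := range seps {
				if c := a + sep + b; !known[c] {
					cands[c] = true
				}
			}
		}
	}
	out := make([]string, 0, len(cands))
	for c := range cands {
		out = append(out, c+"."+root)
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed input: hosts a passive source might have reported for example.com.
	discovered := []string{"api.example.com", "dev-api.example.com", "staging.example.com", "*.example.com", "other.net"}
	for _, c := range Expand("example.com", discovered, []string{"-", "."}) {
		fmt.Println(c)
	}
}
```

Pairwise joins grow quadratically in the number of prefixes, which is why a real run caps the list or weights prefixes by how often they appear; here four prefixes give 23 candidates after the already-known `dev-api` is dropped.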


📊 Subdomain Scoring & Analysis

The scoring system analyzes each live subdomain to prioritize interesting targets:

  1. HTTP Probing

    • Checks for both HTTP and HTTPS support
    • Records status codes and response sizes
    • Higher scores for 200 OK and interesting status codes (403, etc.)
  2. TLS Certificate Analysis

    • Extracts certificate details when HTTPS is available
    • Identifies certificate issuers and Subject Alternative Names (SANs)
    • Validates certificate validity
  3. CNAME Detection

    • Identifies cloud provider patterns in CNAME records
    • Detects potential cloud misconfigurations (S3 buckets, etc.)
    • Tags results with cloud provider information
  4. Prioritized Output

    • Results sorted by relevance score
    • Tagged with informative labels like [200], [AWS-S3]
    • Detailed output includes status, size, and provider information

Example output:

[200][LARGE] admin.example.com [200] (256 KB)
[AWS-S3] backup.example.com [403] (15 KB) [Cloud: AWS-S3]
[301][REDIRECT] www.example.com [301] [CNAME: cdn.example.com]
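To make the scoring and tagging steps concrete, the Go program below is an added example (not Subscan's own scorer) that reproduces the example output above from constructed observations: it maps well-known CNAME suffixes to a provider tag, assigns a score and tags from status code, body size, TLS and CNAME, sorts hosts by score, and prints each in the `[tags] host [status] (size) [Cloud: ...]` layout. The suffix list is a small illustrative set of real provider domains, and the score weights, the 100 KB `LARGE` threshold and the exact line layout are assumptions chosen to match the README's description rather than Subscan's actual values.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Live holds what the scorer observes for one resolved subdomain.
type Live struct {
	Host          string
	Status        int
	ContentLength int
	IsTLS         bool
	CNAME         string
}

// cloudPatterns maps CNAME target suffixes of well-known hosting services to
// the provider tags used in the README's examples. Illustrative, not complete.
var cloudPatterns = []struct{ suffix, tag string }{
	{".s3.amazonaws.com", "AWS-S3"},
	{".cloudfront.net", "AWS-CloudFront"},
	{".github.io", "GitHub-Pages"},
	{".herokuapp.com", "Heroku"},
	{".azurewebsites.net", "Azure-AppService"},
}

// CloudProvider returns the provider tag for a CNAME target, or "" when the
// target is not a recognised hosting service.
func CloudProvider(cname string) string {
	c := strings.ToLower(strings.TrimSuffix(cname, "."))
	for _, p := range cloudPatterns {
		if strings.HasSuffix(c, p.suffix) {
			return p.tag
		}
	}
	return ""
}

// largeBody is an assumed threshold for the LARGE tag (not from the README).
const largeBody = 100 * 1024

// Score returns a relevance score and tags for one host. The weights are
// assumptions following the README's priorities: 200 scores highest, 403 is
// still interesting, redirects and cloud-hosted CNAMEs add context.
func Score(l Live) (float64, []string) {
	score := 0.0
	tags := []string{fmt.Sprint(l.Status)}
	switch {
	case l.Status == 200:
		score += 3
	case l.Status == 403:
		score += 2
	case l.Status >= 300 && l.Status < 400:
		score += 1
		tags = append(tags, "REDIRECT")
	}
	if l.ContentLength >= largeBody {
		score += 1
		tags = append(tags, "LARGE")
	}
	if l.IsTLS {
		score += 0.5
	}
	if p := CloudProvider(l.CNAME); p != "" {
		score += 1
		tags = append(tags, p)
	}
	return score, tags
}

// FormatLine renders a host in the layout of the README's example output
// (an approximation, not byte-identical to Subscan's own formatting).
func FormatLine(l Live) string {
	_, tags := Score(l)
	var sb strings.Builder
	for _, t := range tags {
		fmt.Fprintf(&sb, "[%s]", t)
	}
	fmt.Fprintf(&sb, " %s [%d]", l.Host, l.Status)
	if l.ContentLength > 0 {
		fmt.Fprintf(&sb, " (%d KB)", l.ContentLength/1024)
	}
	if p := CloudProvider(l.CNAME); p != "" {
		fmt.Fprintf(&sb, " [Cloud: %s]", p)
	} else if l.CNAME != "" {
		fmt.Fprintf(&sb, " [CNAME: %s]", l.CNAME)
	}
	return sb.String()
}

// Prioritize returns a copy sorted by descending score, ties in input order.
func Prioritize(hosts []Live) []Live {
	out := append([]Live(nil), hosts...)
	sort.SliceStable(out, func(i, j int) bool {
		si, _ := Score(out[i])
		sj, _ := Score(out[j])
		return si > sj
	})
	return out
}

func main() {
	// Constructed observations mirroring the README's example output.
	hosts := []Live{
		{Host: "www.example.com", Status: 301, CNAME: "cdn.example.com"},
		{Host: "backup.example.com", Status: 403, ContentLength: 15 * 1024, CNAME: "backup.s3.amazonaws.com"},
		{Host: "admin.example.com", Status: 200, ContentLength: 256 * 1024, IsTLS: true},
	}
	for _, h := range Prioritize(hosts) {
		fmt.Println(FormatLine(h))
	}
}
```

The suffix match is deliberately done on the CNAME target rather than on the host's own name: a provider tag is only meaningful when the record really points at that provider, which is also the precondition a dangling-CNAME check starts from.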

📚 Wordlists

You can use any standard subdomain wordlists. Recommended:


🔬 Misconfiguration Detection

The misconfiguration detection module actively probes discovered subdomains for common security issues:

  1. Subdomain Takeover Detection
    • Identifies dangling CNAMEs pointing to unclaimed services
    • Supports detection for 20+ services (AWS, Heroku, Gi


Security Score

72/100

Audited on Jun 24, 2025

No findings