eredotpkfr
subscan
Rust

⚡ A subdomain enumeration tool leveraging diverse techniques, designed for advanced pentesting operations

Last updated Jun 21, 2026
52
Stars
2
Forks
17
Issues
0
Stars/day
Attention Score
30
Language breakdown
Rust 99.2%
Makefile 0.6%
Dockerfile 0.2%
JavaScript 0.0%
Files click to expand
README

Subscan Logo

GitHub Actions Test Workflow Status

Codecov Status

Crates.io

Docs.rs

GitHub Actions Docker Workflow Status

GitHub Actions Test Workflow Status

Pre-commit Badge

Gitleaks Badge

Unsafe Forbidden

License Badge


InstallUsageDocBookDockerDevelopment


Subscan is a powerful subdomain enumeration tool built with Rust, specifically designed for penetration testing purposes. It combines various discovery techniques into a single, lightweight binary, making subdomain hunting easier and faster for security researchers

Features

  • 🕵️ Smart Discovery Tricks
- Use multiple search engines (Google, Yahoo, Bing, DuckDuckGo, etc.) - Integrate with APIs like Shodan, Censys, VirusTotal and more - Perform zone transfer checks - Subdomain brute-forcing with optimized wordlists
  • 🔍 Resolve IP addresses for all subdomains
  • 📎 Export reports in CSV, HTML, JSON, or TXT formats
  • 🛠️ Configurable
- Customize HTTP requests (user-agent, timeout, etc.) - Rotate requests via proxies (--proxy argument) - Fine-tune IP resolver with --resolver arguments - Filter and run specific modules with --skips and --modules
  • 🐳 Docker Friendly
- Native support for amd64 and arm64 Linux platforms - A tiny container that won't eat up your storage — under 1GB and ready to roll 🚀
  • 💻 Compatible with multiple platforms and easy to install as a single binary

Install

🦀 Install the subscan tool using Cargo, Rust's package manager. Make sure you have Rust installed on your system. Then, run

~$ cargo install subscan

Usage

✨ Here's a quick overview of how to use it

~$ subscan
            _
           | |
      | |       _ 
 / | | | | ' \/ |/ /  | '_ \
 \ \ || | |) \ \ (| (| | | | |
 |/\,|./|/\\,|| ||

Usage: subscan [OPTIONS] <COMMAND>

Commands: scan Start scan on any domain address brute Start brute force attack with a given wordlist module Subcommand to manage implemented modules help Print this message or the help of the given subcommand(s)

Options: -v, --verbose... Increase logging verbosity -q, --quiet... Decrease logging verbosity -h, --help Print help (see more with &#39;--help&#39;) -V, --version Print version</code></pre>

Start Scan

To scan a domain using all available modules, use the following command

<pre><code class="lang-bash">~$ subscan scan -d example.com</code></pre>

You can also choose specific modules to run or skip using the --skips and --modules arguments. Module names should be provided as a comma-separated list

<pre><code class="lang-bash">~$ # skip the commoncrawl and google modules during the scan ~$ subscan scan -d example.com --skips=commoncrawl,google</code></pre>

<pre><code class="lang-bash">~$ # run only the virustotal module ~$ subscan scan -d example.com --modules=virustotal</code></pre>

> [!NOTE] > If a module is included in both the --skips and --modules arguments, it will be skipped and not executed

Brute Force

Use the brute command to start a brute force attack with a specific wordlist

<pre><code class="lang-bash">~$ subscan brute -d example.com --wordlist file.txt</code></pre>

Environments

All environments are managed by the .env file. Subscan can read your environments from this .env file. You can refer to the .env.template file to see how to create them

> [!TIP] > Also you can specify your environments from shell > > <pre><code class="lang-bash">&gt; SUBSCANVIRUSTOTALAPIKEY=foo subscan scan -d foo.com --modules=virustotal &gt;</code></pre>

<!-- markdownlint-disable MD033 MD041 --> <div align="center">

| Name | Required | Description | | :----------------------------- | :------: | :---------: | | SUBSCANCHROMEPATH | false | Specify your Chrome executable. If not specified, the Chrome binary will be fetched automatically by <a href="https://github.com/rust-headless-chrome/rust-headless-chrome/">headless_chrome<a/> based on your system architecture | | SUBSCANNAME>_HOST | false | Some API integration modules can provide user specific host, for these cases, set module specific host | | SUBSCANNAME>_APIKEY | false | Some modules may include API integration and require an API key for authentication. Set the API key in these cases | | SUBSCANNAME>_USERNAME | false | Set the username for a module if it uses HTTP basic authentication | | SUBSCANNAME>_PASSWORD | false | Set the password for a module if it uses HTTP basic authentication |

</div> <!-- markdownlint-enable MD033 MD041 -->

Docker

🐳 For containerized usage, you can pull the eredotpkfr/subscan Docker image directly from Docker Hub

<pre><code class="lang-bash">~$ docker pull eredotpkfr/subscan:latest</code></pre>

After pulling the pre-built image, you can easily run the container to perform subdomain enumeration

<pre><code class="lang-bash">~$ docker run -it --rm eredotpkfr/subscan scan -d example.com</code></pre>

Specify environment variable via docker --env

<pre><code class="lang-bash">~$ docker run -it --rm \ --env SUBSCANVIRUSTOTALAPIKEY=foo \ eredotpkfr/subscan scan -d example.com --modules=virustotal</code></pre>

Saving output reports to host machine, use /data folder

<pre><code class="lang-bash">~$ docker run -it --rm \ --volume=&quot;$PWD/data:/data&quot; \ eredotpkfr/subscan scan -d example.com</code></pre>

To specify wordlist into docker container, use /data` folder

~$ docker run -it --rm \
    --volume="$PWD/wordlist.txt:/data/wordlist.txt" \
    eredotpkfr/subscan brute -d example.com \
    -w wordlist.txt --print

Development

📚 You can find all the resources and documentation for developing Subscan in the Development chapter of the project's book page

Credits

🙏 Parts of the codebase are inspired by

  • subfinder - Fast passive subdomain enumeration tool
  • Sublist3r - Fast subdomains enumeration tool for penetration testers
  • subbrute - A DNS meta-query spider that enumerates DNS records, and subdomains
  • knock - Knock subdomain scan
  • dnsrecon - DNS enumeration script

Contributing

📢 All contributors are welcome! Whether you're fixing bugs, adding new features, improving documentation, or sharing ideas, your contributions are highly valued and appreciated

To get started, please check out the CONTRIBUTING.md file

Donate

Buy Me A Coffee

Contact

Blog - erdoganyoksul.com
Mail -
🔗 More in this category

© 2026 GitRepoTrend · eredotpkfr/subscan · Updated daily from GitHub