Kali linux most used subdomain finder
There are many subdomain finder tools out there on GitHub, if you search for subdomain finder you will find a backlog of repositories on GitHub all offering subdomain finder and enumerating tools.


Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster and ReverseDNS. This very nice tool is hosted on github, though when I last checked there were some complain about it failing with some of it's engine mentioned above.
Sublist3r scanning
How to set sublist3r
git clone
Then where you have cloned the repository python3 install Then you can just run it like usual linux commands sublist3r -d
This tool has been hosted online at


Dnscan is a python wordlist-based DNS subdomain scanner.The script will first try to perform a zone transfer using each of the target domain's nameservers. If this fails, it will lookup TXT and MX records for the domain, and then perform a recursive subudomain scan using the supplied wordlist.
Dnscan using it's internal wordlist to scan
The tool is wordlist based, which means it will use it's internal wordlist to attempt to check if the subdomain truely exists. Some of the wordlist it contains include
  • subdomains-1000.txt
  • subdomains-10000.txt
  • subdomains-500.txt
  • subdomains-uk-1000.txt
  • subdomains-uk-500.txt
  • subdomains.txt
As you can see it entirely depends on the above files to perform it's subdomain scanning. Also this tool is hosted online, you can test it out.
Anubis is a subdomain enumeration and information gathering tool. Anubis collates data from a variety of sources, including HackerTarget, DNSDumpster, x509 certs, VirusTotal, Google, Pkey, and NetCraft. Anubis also has a sister project, AnubisDB, which serves as a centralized repository of subdomains.
This Anubis is relatively easy and powerfull to use even error prone compared to others
Anubis as seen scanning for
How to install and use Anubis
If you want to use the famous nmap with anubis then you will need to have nmap installed on your system. And for linux folks you will need to also install the following
sudo apt-get install python3-pip python-dev libssl-dev libffi-dev
When it comes to installing anubis you have over two powerful choices to choose from
  • Pip3
  • Snap
To install with pip3 you will do something like this
pip3 install anubis-netsec
To install with snap
snap install anubis
That's all you need to install anubis pretty easy compared with others and after the installation you can use it like this;
anubis -t
Anubis has also been hosted online so you can test this online version.


The OWASP Amass Project has developed a tool to help information security professionals perform network mapping of attack surfaces and perform external asset discovery using open source information gathering and active reconnaissance techniques
Techniques used by Amass
  • DNS: Basic enumeration, Brute forcing(optional)...
  • Scraping: Ask, Baidu, Bing, DNSDumpster, DNSTable, Exalead, Google...
  • Certificates: Active pulls(optional), Censys, CertSpotter, Crtsh, Entrust, GoogleCT
  • APIs
  • Web Archives
Install Amass
To install amass you must have snap install on your system
sudo snap install amass
Add the Snap bin directory to your PATH:
export PATH=$PATH:/snap/bin
amass enum -d
amass scanning
Amass is also hosted online
This nmap's script attempts to enumerate DNS hostnames by brute force guessing of common subdomains. With the dns-brute.srv argument, dns-brute will also try to enumerate common DNS SRV records.
Wildcard records are listed as "A" and "AAAA" for IPv4 and IPv6 respectively. This tool can be really dangerous and it brute forces dns this can crush the server so please use it with care. This script can also be used to enumerate subdomains, and since nmap is available on kali linux then yes nmap can do subdomain finder. You can just run this script like this
nmap --script dns-brute
scanning with nmap's dns-brute
We have also hosted this tool online
Lepus is a utility for identifying and collecting subdomains for a given domain. Subdomain discovery is a crucial part during the reconnaissance phase. It uses four (4) modes
  • Services (Collecting subdomains from the below services)
  • Dictionary mode for identifying domains (optional)
  • Permutations on discovered subdomains (optional)
  • Reverse DNS lookups on identified public IPs (optional)
Features of Lepus
  • Dictionary Mode
  • Permutations Mode
  • Reverse Mode
  • Portscan
  • Subdomain takeover: Performs several checks on identified domains for potential subdomain-takeover vulnerabilities. The module is enabled with --takeover and is executed after all others. If such a vulnerability is identified, the results are printed in the output and in a .csv file in the respective project folder under the directory with the results.
This is a tool to enumerate subdomains using the Certificate Transparency logs stored by Censys. It should return any subdomain who has ever been issued a SSL certificate by a public CA.
It is good to note that this tool requires an API unless you are going to use censys non api library of it. The library uses censys but it does not require apis. It is good to note that this tool, may not bring all subdomains as the one which uses api
The fastest and cross-platform subdomain enumerator, don't waste your time. It's cross-platform makes it ideal for all users no matter the platform. Features of Findomain
  • Subdomains monitoring: put data to Discord, Slack or Telegram webhooks
  • Multi-thread support for API querying
  • Parallel support for subdomains resolution
  • DNS over TLS support
  • Specific IPv4 or IPv6 query support.
  • Discover subdomains without brute-force
  • Discover only resolved subdomains

Copy link
On this page
Anubis Subdomain Enumerator
Lepus Subdomain finder
Censys subdomain finder
Findomain subdomain finder