Skip to content

g0bind4/subhunter

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

18 Commits
.github/workflows
.github/workflows
 
 
cmd
cmd
 
 
pkg
pkg
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 

Repository files navigation

🔍 SubHunter

Fast, multi-source subdomain enumeration tool written in Go — built for bug bounty hunters

Go Version License Build

 ____        _     _   _             _
/ ___| _   _| |__ | | | |_   _ _ __ | |_ ___ _ __
\___ \| | | | '_ \| |_| | | | | '_ \| __/ _ \ '__|
 ___) | |_| | |_) |  _  | |_| | | | | ||  __/ |
|____/ \__,_|_.__/|_| |_|\__,_|_| |_|\__\___|_|

✨ Features

  • 8+ passive sources — no loud scanning, stays under the radar
  • Concurrent — all sources run in parallel (goroutines)
  • GitHub dorking — finds subdomains in public code repositories
  • Chaos dataset — access to ProjectDiscovery's massive pre-indexed database
  • DNS Resolution — filter only alive subdomains
  • JSON output — pipe-friendly for automation
  • Auto-deduplication — no duplicate results
  • Cross-platform — Linux, macOS, Windows binaries

📡 Sources

Source Type API Key Needed
crt.sh Certificate Transparency ❌ Free
HackerTarget DNS search ❌ Free
ThreatCrowd Threat intel ❌ Free
RapidDNS DNS database ❌ Free
URLScan.io Web scanner ❌ Free
AlienVault OTX Threat intel ❌ Free
Anubis DNS database ❌ Free
GitHub Code search (OSINT) ✅ Free token
Chaos (ProjectDiscovery) Dataset ✅ Free key

📦 Installation

Option 1 — Go Install

go install github.com/mana404/subhunter/cmd@latest

Option 2 — Download Binary

# Linux (amd64)
wget https://github.com/mana404/subhunter/releases/latest/download/subhunter-linux-amd64
chmod +x subhunter-linux-amd64
sudo mv subhunter-linux-amd64 /usr/local/bin/subhunter

Option 3 — Build from Source

git clone https://github.com/mana404/subhunter
cd subhunter
make build
# or: go build -o subhunter ./cmd/

🚀 Usage

# Basic enumeration
subhunter -d hackerone.com

# Save to file + verbose output
subhunter -d hackerone.com -v -o subs.txt

# With GitHub token (finds more subs in code)
subhunter -d hackerone.com --github-token ghp_XXXX -o subs.txt

# With Chaos API key
subhunter -d nasa.gov --chaos-key YOUR_KEY -o subs.txt

# Resolve & filter alive subdomains only
subhunter -d hackerone.com -r -o live.txt

# JSON output (for automation/pipelines)
subhunter -d hackerone.com --json -o subs.json

# Silent mode (only subdomains, no banner)
subhunter -d hackerone.com -s | httpx -silent

# Full pipeline example
subhunter -d target.com -s | httpx -silent -o live.txt

🔧 All Flags

-d, --domain         Target domain (required)
-o, --output         Output file
-r, --resolve        DNS resolve to filter alive subdomains
-t, --threads        Concurrent threads (default: 50)
-v, --verbose        Show source info for each subdomain
-s, --silent         Silent mode — only print subdomains
    --json           JSON output format
    --all            Use all sources
    --github-token   GitHub PAT (or set GITHUB_TOKEN env)
    --chaos-key      Chaos API key (or set CHAOS_KEY env)

🔗 Pipeline Integration

# Combine with httpx to find live hosts
subhunter -d target.com -s | httpx -silent -o live.txt

# Combine with nuclei for vuln scanning
subhunter -d target.com -s | httpx -silent | nuclei -silent

# Pipe into nmap
subhunter -d target.com -s -r | nmap -iL - -p 80,443,8080

# Combine multiple tools output
subfinder -d target.com -silent > s1.txt
subhunter -d target.com -s >> s1.txt
cat s1.txt | sort -u | anew all_subs.txt

🌍 Environment Variables

export GITHUB_TOKEN="ghp_XXXXXXXXXXXXXXXX"
export CHAOS_KEY="XXXXXXXXXXXXXXXXXXXXXXXX"

# Now you can run without flags:
subhunter -d target.com -o subs.txt

📋 Get Free API Keys

Service Get Key
GitHub Token https://github.com/settings/tokens (no special scopes needed)
Chaos Key https://chaos.projectdiscovery.io (free signup)

🔨 Development

# Run tests
make test

# Build for all platforms
make cross

# Lint
make lint

📁 Project Structure

subhunter/
├── cmd/
│   └── main.go            ← CLI entry point
├── pkg/
│   ├── sources/
│   │   ├── runner.go      ← Concurrent source runner
│   │   └── sources.go     ← All source implementations
│   ├── resolver/
│   │   └── resolver.go    ← DNS resolution + alive check
│   └── output/
│       └── output.go      ← Output formatting (txt/json/file)
├── .github/
│   └── workflows/
│       └── release.yml    ← Auto build + release CI
├── Makefile
├── go.mod
└── README.md

⚠️ Legal Notice

This tool is for authorized security testing and bug bounty programs only.
Always stay within the defined scope. Never test without permission.

📜 License

MIT License — see LICENSE

Made with ❤️ for the bug bounty community
If this helped you find a bug, give it a ⭐ instagram: https://www.instagram.com/h4ck3r_gobinda/ https://www.instagram.com/0x_g0binda/

About

subhunter

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages