Fast Sub Recon
bidhata
Enhanced Subdomain Discovery Tool with Shodan Integration
Fast, comprehensive, and intelligent subdomain enumeration for security researchers and bug bounty hunters
π― Overview
Fast Sub Recon is a powerful Python-based subdomain discovery tool designed for authorized security testing and bug bounty programs. It combines multiple reconnaissance techniques including passive enumeration, active scanning, and Shodan integration to provide comprehensive subdomain discovery with detailed analysis.
π Key Highlights
- Multi-threaded Performance: Up to 200+ concurrent threads for lightning-fast scanning
- Comprehensive Coverage: Combines passive and active reconnaissance techniques
- Shodan Integration: Leverages Shodan API for enhanced intelligence gathering
- Smart Enumeration: Uses multiple data sources including Certificate Transparency, DNS, and web archives
- Detailed Reporting: Generates JSON and text reports with comprehensive subdomain analysis
- Customizable Wordlists: Support for external wordlist files
- CDN Bypass Attempts: Tries to identify real IP addresses behind CDNs
π₯ Features
π Passive Reconnaissance
- Certificate Transparency Logs: Queries crt.sh and CertSpotter
- DNS Enumeration: Fast DNS resolution with custom resolvers
- Web Archives: Searches Archive.org and AlienVault OTX
- Shodan Search: Multiple query types for comprehensive coverage
β‘ Active Reconnaissance
- Zone Transfer Attempts: Tests for misconfigured DNS servers
- HTTP Enumeration: Identifies active web services
- SSL Certificate Analysis: Extracts hostnames from SSL certificates
- Real IP Discovery: Attempts to bypass CDN protection
π Intelligence Gathering
- Shodan Integration: Detailed host information including:
- Organization and ISP details
- Geographic location
- Open ports and services
- Last update timestamps
- HTTP Analysis: Status codes, server headers, page titles
- DNS Resolution: Multiple DNS server queries for accuracy
π Output Formats
- Comprehensive JSON: Detailed analysis with all metadata
- Active Subdomains: HTTP-accessible hosts only
- Inactive Subdomains: DNS-only discoverable hosts
- Combined Lists: All discovered subdomains
π Installation
Prerequisites
# Python 3.6+ required
python3 --version
Method 1: Clone Repository
git clone https://github.com/bidhata/fast-subrecon.git
cd fast-sub-recon
pip3 install -r requirements.txt
Method 2: Direct Download
wget https://raw.githubusercontent.com/bidhata/fast-subrecon/main/fast_sub_recon.py
pip3 install requests dnspython shodan
Dependencies
pip3 install requests dnspython shodan
π Usage
Basic Usage
# Simple subdomain discovery
python3 fast_sub_recon.py example.com
# With custom thread count
python3 fast_sub_recon.py example.com -t 300
# With Shodan integration
python3 fast_sub_recon.py example.com -s YOUR_SHODAN_API_KEY
Advanced Usage
# Custom wordlist
python3 fast_sub_recon.py example.com -w /path/to/wordlist.txt
# Fast mode (skip detailed Shodan lookups)
python3 fast_sub_recon.py example.com --fast
# Custom timeout
python3 fast_sub_recon.py example.com --timeout 5
# Save only active subdomains
python3 fast_sub_recon.py example.com -o active_subs.txt --active-only
Command Line Options
| Option | Description | Default |
|---|---|---|
domain |
Target domain to scan | Required |
-t, --threads |
Number of concurrent threads | 200 |
-s, --shodan |
Shodan API key for enhanced data | None |
-w, --wordlist |
Custom wordlist file path | Built-in list |
--timeout |
Request timeout in seconds | 3 |
--fast |
Skip detailed Shodan lookups | False |
-o, --output |
Legacy output file (deprecated) | Auto-generated |
--active-only |
Save only active subdomains | False |
--inactive-only |
Save only inactive subdomains | False |
π Examples
Example 1: Basic Scan
$ python3 fast_sub_recon.py example.com
[+] Starting subdomain discovery for example.com
[+] Starting passive reconnaissance for example.com
[+] Querying Certificate Transparency logs...
[CT] Found: www.example.com
[CT] Found: mail.example.com
[+] Performing fast DNS enumeration...
[+] Testing 127 subdomains with 200 threads...
[DNS] Found: api.example.com
[+] Starting active reconnaissance...
[HTTP-Active] www.example.com [200] via https
[+] Found 15 total subdomains
[+] Active subdomains: 8
[+] Inactive subdomains: 7
Example 2: With Shodan Integration
$ python3 fast_sub_recon.py example.com -s YOUR_API_KEY
[+] Shodan API initialized
[+] Starting subdomain discovery for example.com
[Shodan] Found: api.example.com
[Shodan-SSL] Found: secure.example.com
[ACTIVE] www.example.com
Status: 200
Scheme: https
[DNS] 93.184.216.34
Org: EdgeCast Networks
ISP: EdgeCast Networks
Location: Los Angeles, United States
Open Ports: 80, 443
Example 3: Custom Wordlist
$ python3 fast_sub_recon.py example.com -w subdomains.txt -t 500
[+] Loading wordlist from subdomains.txt
[+] Loaded 50000 subdomains from wordlist
[+] Total wordlist size: 50089 subdomains
[+] Testing 50089 subdomains with 500 threads...
π Output Files
The tool automatically generates timestamped output files:
example.com_subdomains_20241225_143022.json # Comprehensive JSON report
example.com_active_20241225_143022.txt # Active subdomains only
example.com_inactive_20241225_143022.txt # Inactive subdomains only
example.com_all_20241225_143022.txt # All discovered subdomains
JSON Output Structure
{
"domain": "example.com",
"timestamp": "2024-12-25 14:30:22",
"total_subdomains": 23,
"active_subdomains": 12,
"inactive_subdomains": 11,
"subdomains": {
"active": [
{
"subdomain": "www.example.com",
"status": "active",
"http_status": 200,
"scheme": "https",
"server": "nginx/1.18.0",
"title": "Example Domain",
"ips": [
{
"source": "DNS",
"ip": "93.184.216.34",
"shodan": {
"org": "EdgeCast Networks",
"isp": "EdgeCast Networks",
"country": "United States",
"city": "Los Angeles",
"ports": [80, 443],
"last_update": "2024-12-20T10:30:00.000000"
}
}
]
}
]
}
}
π― Wordlists
Built-in Wordlist
The tool includes a comprehensive built-in wordlist with:
- Common subdomain patterns (www, mail, api, etc.)
- Numbered variations (api1, api2, cdn1, etc.)
- Technical subdomains (staging, dev, test, etc.)
- Infrastructure subdomains (vpn, proxy, gateway, etc.)
Custom Wordlists
You can use external wordlist files:
# SecLists subdomain wordlist
wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/subdomains-top1million-110000.txt
python3 fast_sub_recon.py example.com -w subdomains-top1million-110000.txt
# Assetnote wordlist
wget https://wordlists-cdn.assetnote.io/data/manual/best-dns-wordlist.txt
python3 fast_sub_recon.py example.com -w best-dns-wordlist.txt
π§ Configuration
Shodan API Setup
- Sign up at Shodan.io
- Get your API key from your account dashboard
- Use it with the
-sparameter:
python3 fast_sub_recon.py example.com -s YOUR_SHODAN_API_KEY
Performance Tuning
# High-performance scan (use with caution)
python3 fast_sub_recon.py example.com -t 500 --timeout 2
# Conservative scan for slower networks
python3 fast_sub_recon.py example.com -t 50 --timeout 10
# Fast mode for quick results
python3 fast_sub_recon.py example.com --fast
β οΈLegal Disclaimer
IMPORTANT: This tool is designed for authorized security testing and bug bounty programs only.
- β Authorized Use: Only scan domains you own or have explicit permission to test
- β Unauthorized Use: Scanning domains without permission may be illegal
- π Compliance: Ensure compliance with local laws and regulations
- π‘οΈ Responsibility: Users are responsible for their actions
- Certificate Transparency Logs: crt.sh, CertSpotter
- Shodan: For comprehensive host intelligence
- DNS Libraries: dnspython for robust DNS operations
- Community: Security researchers and bug bounty hunters