How to Make a Subdomain Scanner in Python

Learning how to build a Python script to scan for subdomains of a given domain using requests library.
  · 3 min read · Updated jul 2020 · Ethical Hacking

Finding subdomains of a particular website let you explore the full domain infrastructure of it. Building such a tool is really handy when it comes to information gathering phase in penetration testing for ethical hackers.

Searching for subdomains manually would take forever. Luckily, we don't have to do that, in this tutorial, we will build a subdomain scanner in Python using requests library. Let's get started!

RELATED: Learn how to discover all links of a website in Python.

Let's install it:

pip3 install requests

The method we gonna use here is brute-forcing, in other words, we gonna test all common subdomain names of that particular domain, whenever we receive a response from the server, that's an indicator for us that the subdomain is alive.

Open up a new Python file and follow along, let's use for demonstration purposes, I used it because google has a lot of subdomains though:

import requests

# the domain to scan for subdomains
domain = ""

Now we gonna need a big list of subdomains to scan, I've used a list of 100 subdomains just for demonstration, but in the real world, if you really want to discover all subdomains, you gotta use a bigger list, check this github repository which contains up to 10K subdomains.

I have a file "subdomains.txt" in the current directory, make sure you do too (grab your list of your choice in this repository):

# read all subdomains
file = open("subdomains.txt")
# read all content
content =
# split by new lines
subdomains = content.splitlines()

Now subdomains list contains the subdomains we want to test, let's brute-force:

for subdomain in subdomains:
    # construct the url
    url = f"http://{subdomain}.{domain}"
        # if this raises an ERROR, that means the subdomain does not exist
    except requests.ConnectionError:
        # if the subdomain does not exist, just pass, print nothing
        print("[+] Discovered subdomain:", url)

First, we build up the URL to be suitable for sending a request, then we use requests.get() function to get the HTTP response from the server, this will raise a ConnectionError exception whenever a server does not respond, that's why we wrapped it in a try/except block.

Finally, when the exception isn't raised, then the subdomain exists.

Here is a part of the result when I ran the script:

Result of Subdomain scanner in Python

You'll notice when you run this that's quite slow, that depends on your Internet connection, but if you want to accelerate the scanning process, you can use multiple threads for scanning, I've already wrote one, check it here.

Also, consider writing the results to a file instead of just printing into the console, this will let you explore discovered subdomains later after the execution of the script.

Alright, we are done, Now you know how to discover subdomains of any website you really want!

Read AlsoHow to Get Domain Name Information in Python.

Happy Scanning ♥

View Full Code
Sharing is caring!

Read Also

Comment panel