How to Make a Subdomain Scanner in Python

Learning how to build a Python script to scan for subdomains of a given domain using requests library.
  · 3 min read · Updated dec 2020 · Ethical Hacking


Finding subdomains of a particular website let you explore the full domain infrastructure of it. Building such a tool is really handy when it comes to information gathering phase in penetration testing for ethical hackers.

Searching for subdomains manually would take forever. Luckily, we don't have to do that, in this tutorial, we will build a subdomain scanner in Python using requests library. Let's get started!

Related: How to Use Shodan API in Python.

Let's install it:

pip3 install requests

The method we gonna use here is brute-forcing, in other words, we gonna test all common subdomain names of that particular domain, whenever we receive a response from the server, that's an indicator for us that the subdomain is alive.

Open up a new Python file and follow along, let's use google.com for demonstration purposes, I used it because google has a lot of subdomains though:

import requests

# the domain to scan for subdomains
domain = "google.com"

Now we gonna need a big list of subdomains to scan, I've used a list of 100 subdomains just for demonstration, but in the real world, if you really want to discover all subdomains, you gotta use a bigger list, check this github repository which contains up to 10K subdomains.

I have a file "subdomains.txt" in the current directory, make sure you do too (grab your list of your choice in this repository):

# read all subdomains
file = open("subdomains.txt")
# read all content
content = file.read()
# split by new lines
subdomains = content.splitlines()

Now subdomains list contains the subdomains we want to test, let's brute-force:

# a list of discovered subdomains
discovered_subdomains = []
for subdomain in subdomains:
    # construct the url
    url = f"http://{subdomain}.{domain}"
    try:
        # if this raises an ERROR, that means the subdomain does not exist
        requests.get(url)
    except requests.ConnectionError:
        # if the subdomain does not exist, just pass, print nothing
        pass
    else:
        print("[+] Discovered subdomain:", url)
        # append the discovered subdomain to our list
        discovered_subdomains.append(url)

First, we build up the URL to be suitable for sending a request, then we use requests.get() function to get the HTTP response from the server, this will raise a ConnectionError exception whenever a server does not respond, that's why we wrapped it in a try/except block.

When the exception wasn't raised, then the subdomain exists. Let's write all the discovered subdomains to a file:

# save the discovered subdomains into a file
with open("discovered_subdomains.txt", "w") as f:
    for subdomain in discovered_subdomains:
        print(subdomain, file=f)

Here is a part of the result when I ran the script:

Result of Subdomain scanner in Python

Once it's finished, you'll see a new file discovered_subdomains.txt appears, which includes all the discovered subdomains!

You'll notice when you run this that's quite slow, that depends on your Internet connection, but if you want to accelerate the scanning process, you can use multiple threads for scanning, I've already wrote one, check it here.

Alright, we are done, Now you know how to discover subdomains of any website you really want!

Read AlsoHow to Get Domain Name Information in Python.

Happy Scanning ♥

View Full Code
Sharing is caring!



Read Also





Comment panel