How to Make a Subdomain Scanner in Python

Learning how to build a Python script to scan for subdomains of a given domain using requests library.
  · 3 min read · Updated may 2022 · Ethical Hacking

Finding subdomains of a particular website let you explore the full domain infrastructure of it. Building such a tool is really handy when it comes to information gathering phase in penetration testing for ethical hackers.

Searching for subdomains manually would take forever. Luckily, we don't have to do that, in this tutorial, we will build a subdomain scanner in Python using requests library. Let's get started!

Related: How to Use Shodan API in Python.

Let's install it:

pip3 install requests

The method we gonna use here is brute-forcing, in other words, we gonna test all common subdomain names of that particular domain, whenever we receive a response from the server, that's an indicator for us that the subdomain is alive.

Open up a new Python file and follow along, let's use for demonstration purposes, I used it because google has a lot of subdomains though:

import requests

# the domain to scan for subdomains
domain = ""

Now we gonna need a big list of subdomains to scan, I've used a list of 100 subdomains just for demonstration, but in the real world, if you really want to discover all subdomains, you gotta use a bigger list, check this github repository which contains up to 10K subdomains.

I have a file "subdomains.txt" in the current directory, make sure you do too (grab your list of your choice in this repository):

# read all subdomains
file = open("subdomains.txt")
# read all content
content =
# split by new lines
subdomains = content.splitlines()

Now subdomains list contains the subdomains we want to test, let's brute-force:

# a list of discovered subdomains
discovered_subdomains = []
for subdomain in subdomains:
    # construct the url
    url = f"http://{subdomain}.{domain}"
        # if this raises an ERROR, that means the subdomain does not exist
    except requests.ConnectionError:
        # if the subdomain does not exist, just pass, print nothing
        print("[+] Discovered subdomain:", url)
        # append the discovered subdomain to our list

First, we build up the URL to be suitable for sending a request, then we use requests.get() function to get the HTTP response from the server, this will raise a ConnectionError exception whenever a server does not respond, that's why we wrapped it in a try/except block.

When the exception wasn't raised, then the subdomain exists. Let's write all the discovered subdomains to a file:

# save the discovered subdomains into a file
with open("discovered_subdomains.txt", "w") as f:
    for subdomain in discovered_subdomains:
        print(subdomain, file=f)

Here is a part of the result when I ran the script:

Result of Subdomain scanner in Python

Once it's finished, you'll see a new file discovered_subdomains.txt appears, which includes all the discovered subdomains!

You'll notice when you run the script that's quite slow, especially when you use longer lists, as it's using a single thread to scan. However, if you want to accelerate the scanning process, you can use multiple threads for scanning, I've already wrote one, check it here.

Alright, we are done, now you know how to discover subdomains of any website you want!

Read AlsoHow to Get Domain Name Information in Python.

Happy Scanning ♥

View Full Code
Sharing is caring!

Read Also

Comment panel