How to Make a Subdomain Scanner in Python

Abdou Rockikz · 08 oct 2019

Abdou Rockikz · 3 min read · Ethical Hacking

Finding subdomains of a particular website let you explore the full domain infrastructure of it. Building such a tool is really handy when it comes to information gathering phase in penetration testing for ethical hackers.

Searching for subdomains manually would take forever. Luckily, we don't have to do that, in this tutorial, we will build a subdomain scanner in Python using requests library. Let's get started!

RELATED: Learn how to discover all links of a website in Python.

Let's install it:

pip3 install requests

The method we gonna use here is brute-forcing, in other words, we gonna test all common subdomain names of that particular domain, whenever we receive a response from the server, that's an indicator for us that the subdomain is alive.

Open up a new Python file and follow along, let's use google.com for demonstration purposes, I used it because google has a lot of subdomains though:

import requests

# the domain to scan for subdomains
domain = "google.com"

Now we gonna need a big list of subdomains to scan, I've used a list of 100 subdomains just for demonstration, but in the real world, if you really want to discover all subdomains, you gotta use a bigger list, check this github repository which contains up to 10K subdomains.

I have a file "subdomains.txt" in the current directory, make sure you do too (grab your list of your choice in this repository):

# read all subdomains
file = open("subdomains.txt")
# read all content
content = file.read()
# split by new lines
subdomains = content.splitlines()

Now subdomains list contains the subdomains we want to test, let's brute-force:

for subdomain in subdomains:
    # construct the url
    url = f"http://{subdomain}.{domain}"
    try:
        # if this raises an ERROR, that means the subdomain does not exist
        requests.get(url)
    except requests.ConnectionError:
        # if the subdomain does not exist, just pass, print nothing
        pass
    else:
        print("[+] Discovered subdomain:", url)

First, we build up the URL to be suitable for sending a request, then we use requests.get() function to get the HTTP response from the server, this will raise a ConnectionError exception whenever a server does not respond, that's why we wrapped it in a try/except block.

Finally, when the exception isn't raised, then the subdomain exists.

Here is a part of the result when I ran the script:

Result of Subdomain scanner in Python

You'll notice when you run this that's quite slow, that depends on your Internet connection, but if you want to accelerate the scanning process, you can use multiple threads for scanning, I've already wrote one, check it here.

Alright, we are done, Now you know how to discover subdomains of any website you really want!

Happy Scanning ♥

View Full Code
Sharing is caring!


Read Also





Comment panel

   
Comment system is still in Beta, if you find any bug, please consider contacting us here.