SubCat - Lightning-fast passive subdomain discovery tool

1742024528329.webp


SubCat is a powerful subdomain discovery tool that passively aggregates data from a variety of online sources to identify valid subdomains for websites. Designed with a modular and efficient architecture, SubCat is ideal for penetration testers, bug bounty hunters, and security researchers.

Built to comply with licensing and usage restrictions of its passive sources, SubCat ensures minimal impact on target systems while delivering in-depth subdomain intelligence.

Features​

  • Fast Enumeration: Leverages a high-performance resolution and wildcard elimination module.
  • Curated Passive Sources: Gathers subdomains from trusted online sources to maximize coverage.
  • Lightweight & Efficient: Optimized for speed with minimal resource consumption.
  • STDIN/STDOUT Integration: Seamlessly integrate with other tools and workflows.
  • IP Scope Filtering: Filter results by IP addresses using a provided scope (CIDR or file-based).
  • Detailed Output: Options to display HTTP status codes, page titles, IP addresses, and technology detection.
  • Reverse Lookup Mode: Supports reverse lookup to load only modules that handle reverse enumeration (requires a valid IP scope).
  • Custom Module Selection: Include or exclude specific modules via command-line flags.
  • Enhanced Multi-threading: Uses 50 concurrent threads by default for rapid processing.

Post Installation​

Before querying third-party services, configure your API keys in the config.yaml file.

By default, SubCat looks for the configuration file in your user's home directory under ~/.subcat/config.yaml. You can also specify a custom config path using the -c or --config option.

Not all modules require an API key, but the following sources do:
  • BinaryEdge
  • Virustotal
  • SecurityTrails
  • Shodan
  • Bevigil
  • Chaos
  • DNSDumpster
  • Netlas
  • DigitalYama
  • Censys
  • AlienVault
  • CertSpotter
  • URLScan (for advanced usage)

Available Modules​

SubCat currently supports the following modules for passive subdomain discovery:

  • dnsdumpster
  • digitalyama
  • virustotal
  • binaryedge
  • chaos
  • bevigil
  • dnsarchive
  • netlas
  • wayback
  • shodan
  • securitytrails
  • urlscan
  • ctrsh
  • threatcrowd
  • anubis
  • censys
  • alienvault
  • hackertarget
  • certspotter
SubCat's modular architecture is designed for flexibility and ease of extension.

Download SubCat
 
Click to expand...
Back
Top