Subdomainhound is a tool designed to enumerate subdomains and domain names associated with an organization using public certificate transparency logs (crt.sh) and reverse WHOIS lookups via the WhoisXML API.
Python 3.X
pip install requests
Supports searching domains and subdomains associated with organizations using:
1. crt.sh (Certificate Transparency logs)
2. WhoisXML Reverse Whois API

Choose from:
- Mode 1: Only crt.sh
- Mode 2: Only WhoisXML
- Mode all: Both sources combined

- Speeds up processing with support for concurrent queries via threads
- Control request rate to avoid rate-limiting (-d flag)
- Spoof user agents using the -u flag
- Batching of input queries for crt.sh to reduce rate limiting and improve efficiency
- Failed queries due to network or rate-limit errors are retried at the end using multithreading.
- Enable silent mode using the -s or --silent flag to suppress standard output (useful when piping results to other tools or saving outputs only).

| Flags | Description | Defaults |
|---|---|---|
| -h, --help | Show help menu | - |
| -t, --threads | Number of threads for concurrent processing | 1 |
| -d, --delay | Delay between requests in seconds | 1.0 |
| -o, --output | Output file path (optional) | - |
| -u, --user-agent | Custom User-Agent string. | Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Mobile Safari/537.36 |
| -m, --mode | Mode for lookup (1=crt.sh, 2=reverse-whois). all=both | 1 |
| -k, --api-key | API key for reverse-whois lookup. | - |
| -q, --query-file | Path to the file containing organization names | - |
| -e, --exact-match | Disable exact match. | True |
| -s, --silent | Silent mode: only output results, suppress logs. | False |

```bash
python Subdomainhound.py
python Subdomainhound.py -h

python Subdomainhound.py "Tesla Inc"
echo "Tesla Inc" | python Subdomainhound.py
cat subsidiaries.txt | python Subdomainhound.py
python Subdomainhound.py -q ../subsidiaries.txt

python Subdomainhound.py "Tesla Inc" -m 2 -k <api_key>
echo "Tesla Inc" | python Subdomainhound.py -m 2 -k <api_key>
cat subsidiaries.txt | python Subdomainhound.py -m 2 -k <api_key>
python Subdomainhound.py -q ../subsidiaries.txt -m 2 -k <api_key>

python Subdomainhound.py -q ../subsidiaries.txt -m 2 -k <api_key> -e

python Subdomainhound.py "Tesla Inc" -m all -k <api_key>
echo "Tesla Inc" | python Subdomainhound.py -m all -k <api_key>
cat subsidiaries.txt | python Subdomainhound.py -m all -k <api_key>
python Subdomainhound.py -q ../subsidiaries.txt -m all -k <api_key>

python Subdomainhound.py -q ../subsidiaries.txt -u "Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.6.30 Version/10.61"

python Subdomainhound.py -q ../subsidiaries.txt -m all -k <api_key> -d 2

python Subdomainhound.py -q ../subsidiaries.txt -m all -k <api_key> -d 2 -o output.json
```

```json
{
  "Tesla Inc": [
    "sub.tesla.com",
    "login.teslamotors.com",
    "energy.tesla.com"
  ],
  "SpaceX": [
    "launch.spacex.com",
    "shop.spacex.com"
  ]
}
```

- The `-e` flag disables exact match for reverse-WHOIS search (used with `-m 2` or `-m all`). ⚠️ Be cautious: Using this can return a lot of garbage/noisy data if not filtered properly.
- `-k` is required for any mode using WhoisXML API (2 or all).
- Supports input from direct query, stdin, or file.
- Multithreaded with customizable thread count and delay between requests.
- If your intention is to exclusively utilize it for crt.sh (i.e. `-m 1` or `--mode 1`), consider passing not only organization names but also domain patterns like:
  - domain.com
  - %.domain.com
  - %.%.domain.com etc.

  This increases the chances of discovering subdomains via certificate transparency logs.

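
The noise warning for `-e` is easier to act on with a post-processing step over the `-o` output. The following is an added example, not part of Subdomainhound: it reads JSON in the `output.json` shape shown above and separates names under apex domains you own from names that need manual review. The function names, the sample data and the `example.com` apex are assumptions made for illustration.

```python
import json

# Constructed sample in the output.json shape shown above (not real results).
SAMPLE_OUTPUT = json.dumps({
    "Example Corp": [
        "sub.example.com",
        "*.Dev.Example.com",          # wildcard certificate entry, mixed case
        "login.example.com.",         # trailing dot
        "example.com",
        "notexample.com",             # shares a suffix string, different domain
        "example.com.other.test",     # owned apex used as a prefix elsewhere
        "sub.example.com",            # duplicate
    ],
})


def normalize(name):
    """Lowercase, trim whitespace and trailing dot, drop a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def in_scope(name, apexes):
    """True only if name equals an owned apex or ends on a label boundary with it."""
    return any(name == a or name.endswith("." + a) for a in apexes)


def triage(raw_json, owned_apexes):
    """Split each organization's names into in-scope and needs-review lists."""
    apexes = {normalize(a) for a in owned_apexes}
    report = {}
    for org, names in json.loads(raw_json).items():
        cleaned = {normalize(n) for n in names if n.strip()}
        report[org] = {
            "in_scope": sorted(n for n in cleaned if in_scope(n, apexes)),
            "review": sorted(n for n in cleaned if not in_scope(n, apexes)),
        }
    return report


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_OUTPUT, ["example.com"]), indent=2))
```

Matching on `"." + apex` rather than a plain substring or `endswith(apex)` is what keeps `notexample.com` and `example.com.other.test` out of the in-scope list.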
PRs and issues are welcome.