Scan subdomains with wordlist

Hint: flag is not a frag: once you've got it, you can get one more...

There are several tools for brute-forcing subdomains, but they have several problems (for example, in dealing with wildcard subdomains).

So, I had to write a small script, which should suit my purposes.


  • Python threading (5 threads by default)
  • HTTP response code matching
  • HTTP response content matching (by regular expression)

Running the script:

    unixoid# python
    [Subdomains finder]
    USAGE: --domain [--wordlist names.txt] [--threads N] [--reject_codes 403,404,301] [--reject_regex "404"]
       wordlist = wordlist2.txt
       threads = 5
       reject = None

As for HTTP requests, the HEAD method is used by default (except in regex matching mode).
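The code and content filters described above, as an added example that is not the script's own code: it runs over constructed responses instead of the network and assumes that regex mode switches to GET; the host names, the SAMPLE table and the function names are made up for the illustration. It shows why status-code matching alone keeps every name in a wildcard zone, while --reject_regex "404" drops the soft-404 answers.

```python
import re

# Constructed sample data: (status_code, body) per candidate host.
# "wild.example" stands for a wildcard zone: every name answers 200 with
# the same soft-404 page, and only "mail" is a real site.
SAMPLE = {
    "www.plain.example": (200, "<h1>Welcome</h1>"),
    "dev.plain.example": (403, ""),
    "mail.wild.example": (200, "<title>Webmail login</title>"),
    "qzx.wild.example": (200, "<h1>404 - no such site</h1>"),
    "aaa.wild.example": (200, "<h1>404 - no such site</h1>"),
}

def parse_codes(arg):
    """Turn a --reject_codes value such as '403,404,301' into a set of ints."""
    return {int(c) for c in arg.split(",") if c.strip()} if arg else set()

def pick_method(reject_regex):
    """HEAD returns no body, so content matching needs GET (assumption)."""
    return "GET" if reject_regex else "HEAD"

def fake_fetch(host, method):
    """Stand-in for the HTTP request; a HEAD response carries no body."""
    status, body = SAMPLE.get(host, (None, ""))
    return status, (body if method == "GET" else "")

def scan(domain, words, reject_codes=None, reject_regex=None, fetch=fake_fetch):
    """Return the candidate hosts that survive both reject filters."""
    codes = parse_codes(reject_codes)
    pattern = re.compile(reject_regex) if reject_regex else None
    method = pick_method(reject_regex)
    found = []
    for word in words:
        host = f"{word}.{domain}"
        status, body = fetch(host, method)
        if status is None or status in codes:
            continue  # no answer, or rejected by status code
        if pattern and pattern.search(body):
            continue  # rejected by content: wildcard soft-404 page
        found.append(host)
    return found
```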

The tool is equipped with 2 wordlists. wordlist1.txt is a list of 3-letter combinations (from dnsenum), and wordlist2.txt is a list of common subdomain names (from