A bash script for passive reconnaissance that combines AnubisDB + certificate transparency logs with Shodan's InternetDB to discover subdomains and enumerate open ports - passive, free and no API keys required! A fsat tool for recon when you can not run port scan or brute force sub domains. Feel free to improve this concept.
- 🔒 Certificate Transparency Discovery: Uses crt.sh and AnubisDB to find subdomains from SSL certificate logs
- 🌐 DNS Resolution: Resolves all discovered subdomains to IP addresses
- 🔓 Port Enumeration: Leverages Shodan's free InternetDB for open port discovery
- 🛡️ Vulnerability Detection: Identifies known CVEs associated with discovered services
- 📊 Multiple Output Formats: CSV, TXT, and Markdown reports
- 🎯 Zero API Keys: Completely free - no registration or API keys required
- ⚡ Apple Silicon Optimized: Native performance on Apple Silicon M1, M2, M3 and M4
- 🔧 Dependency Checking: Automatic validation of required tools
The script automatically checks for dependencies and provides installation instructions:
brew install curl jq bindsudo apt-get update
sudo apt-get install curl jq dnsutilssudo yum install curl jq bind-utils# Clone the repository
git clone https://github.com/yourusername/subdomain-port-scanner.git
cd subdomain-port-scanner
# Confrim Checking dependencies are installed
sudo apt-get update
sudo apt-get install curl jq dnsutils
# Make the script executable
chmod +x subdomain_scanner.sh
# Run against a target domain
./subdomain_scanner.sh example.com./subdomain_scanner.sh target.comrecon_20241204_143022/
├── subdomains.txt # List of discovered subdomains
├── subdomains_with_ips.csv # Subdomains with resolved IPs
├── ports_and_services.csv # Port and vulnerability data
└── summary.md # Executive summary report
$ ./subdomain_scanner.sh example.com
[INFO] Starting reconnaissance for domain: example.com
[SUCCESS] Found 23 subdomains
[SUCCESS] Resolved 18 subdomains to IP addresses
[INFO] Checking 1.2.3.4 (api.example.com)...
Open ports: 22,80,443
[WARNING] Vulnerabilities found: CVE-2021-44228
[SUCCESS] Reconnaissance complete!
Quick Stats:
Subdomains: 23
Resolved IPs: 18
IPs with port data: 15| File | Description |
|---|---|
subdomains.txt |
Raw list of discovered subdomains |
subdomains_with_ips.csv |
Subdomain to IP mapping |
ports_and_services.csv |
Comprehensive port and vulnerability data |
summary.md |
Human-readable summary report |
- Certificate Transparency: Queries crt.sh for SSL certificate logs
- DNS Resolution: Uses
digto resolve subdomains to IP addresses - Port Discovery: Leverages Shodan InternetDB for passive port enumeration
- Data Enrichment: Extracts hostnames, service tags, and vulnerability data
- Report Generation: Creates multiple output formats for different use cases
- 💰 100% Free: No API keys, subscriptions, or rate limits
- 🔒 Passive Reconnaissance: Only uses publicly available data
- ⚡ Fast & Efficient: Concurrent processing with intelligent delays
- 📈 Comprehensive: Combines multiple data sources for complete coverage
- 🛡️ Security Focused: Highlights vulnerabilities and security issues
- 📱 Cross-Platform: Works on macOS, Linux, and WSL
Contributions are welcome! Here's how you can help:
- 🍴 Fork the repository
- 🌟 Create a feature branch (
git checkout -b feature/amazing-feature) - 💻 Commit your changes (
git commit -m 'Add amazing feature') - 📤 Push to the branch (
git push origin feature/amazing-feature) - 🔄 Open a Pull Request
- Add subdomain enumeration sources
- DNS brute-force functionality
- JSON output format
- Integration with other passive reconnaissance tools
- Docker containerization
- GitHub Actions for automated scanning
This tool is intended for authorized security testing and educational purposes only. Users are responsible for ensuring they have proper authorization before scanning any targets. The authors are not responsible for any misuse or damage caused by this tool.
Always ensure you have explicit permission before scanning domains you don't own.
This project is licensed under the MIT License - see the LICENSE file for details.
- crt.sh - Certificate Transparency log search
- Shodan InternetDB - Free passive reconnaissance data
- The cybersecurity community for continuous knowledge sharing
- 🐛 Issues: GitHub Issues
- 💬 Discussions: GitHub Discussions
- 📧 Email: find me on LinkedIn
- 📧 Homepage: Ahmad.science my homepage
If you find this tool useful, please consider giving it a star! ⭐
Made with ❤️ for the cybersecurity community