loading
loading
Recon
A multi-featured subdomain reconnaissance tool.
overview
oneforall is a multi-featured subdomain recon tool that combines passive collection with optional DNS brute force and liveness checks in one pipeline.
Target files, format selection, and alive filtering let you tune for breadth or for a live-only set ready for httpx.
Reach for it when you want a Chinese-maintained all-in-one enumerator alongside or instead of subfinder and amass.
use cases
Run OneForAll against a domain to pull subdomains from passive feeds and a brute-force module in one pass, widening the footprint you start from.
Enable the alive filter so the output holds names that resolved and answered, handing the rest of the workflow a validated list.
Turn on takeover scanning so each discovered name is tested for dangling records that an attacker could claim.
Feed a file of domains for bulk enumeration when scoping an organization with many roots rather than a single host.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| dns | BOOLEAN | --dns | Use DNS resolution (default True) |
| req | BOOLEAN | --req | HTTP request subdomains (default True) |
| port | STRING | --port | The port range request to the subdomains (default port: 80) |
| alive | BOOLEAN | --alive | Only export alive subdomains |
| brute | BOOLEAN | --brute | Use brute module (default True) |
| format | STRING | --fmt | result format (csv/json) |
| target | STRING | --target | Target domain |
Showing key inputs. oneforall exposes 9 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| dns | BOOLEAN | --dns | Use DNS resolution (default True) |
| req | BOOLEAN | --req | HTTP request subdomains (default True) |
| port | STRING | --port | The port range request to the subdomains (default port: 80) |
| alive | BOOLEAN | --alive | Only export alive subdomains |
| brute | BOOLEAN | --brute | Use brute module (default True) |
| format | STRING | --fmt | result format (csv/json) |
| target | STRING | --target | Target domain |
| targets | FILE | --targets | List of domains |
| takeover | BOOLEAN | --takeover | Scan subdomain takeover (default False) |
example
# oneforall: enumerate subdomains for example.comoneforall --target example.com --brute --alive --fmt jsonwww.example.comapi.example.commail.example.comdev.example.comstaging.example.comcdn.example.comvpn.example.comguidance
Reach for OneForAll when you want enumeration, DNS resolution, and HTTP validation in one tool. For a quick passive-only first pass, subfinder is lighter; OneForAll trades speed for built-in brute force, liveness checks, and takeover scanning.
Fast passive-only finder. OneForAll adds brute force, resolution, and liveness in the same run.
Deep OSINT enumeration with graph mapping. OneForAll is more turnkey for enumerate-and-validate.
Another all-in-one recon suite. OneForAll bundles takeover scanning into the enumeration node.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
A domain feeds OneForAll, which enumerates, resolves, and probes subdomains, then writes the live, validated names as a queryable output.
Facts on this page come from the live Trickest tool library.