loading
loading
Recon
Find hidden subdomains and secrets in webpages, external JavaScript, and GitHub.
overview
SubDomainizer digs subdomains and secrets out of the content a page loads. It fetches a URL, parses the inline and external JavaScript it references, and extracts hostnames, cloud-service URLs, and patterns that look like API keys or tokens. The names buried in bundled scripts often point to internal services no passive source lists.
It reaches past the page itself. With GitHub scanning enabled and a token, it searches public repositories for the same target, surfacing subdomains and secrets that leaked into committed code. Cloud-service results can be written to their own file for follow-up.
On Trickest, SubDomainizer is a Recon node that takes a URL and writes a file and a folder of findings. Run it after a crawler that collects JavaScript URLs, then feed the subdomains it recovers into a prober and the secrets into your triage flow.
use cases
Parse a page's inline and external scripts to recover hostnames that point to internal services passive enumeration never sees.
Flag strings that match API keys and tokens in the loaded JavaScript so exposed credentials get caught before an attacker finds them.
Enable GitHub scanning with a token to find subdomains and secrets that leaked into public repositories, a common source of credential exposure.
Write discovered cloud-service URLs, such as S3 buckets, to their own file to drive cloud-enumeration follow-up.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| url | STRING | -u | URL in which to find (sub)domains. |
| url-list-file | FILE | -l | File containing a list of URLs to scan. |
| domain | STRING | -d | Top-level domain to scope subdomain discovery to (e.g. example.com). |
| github-scan | BOOLEAN | -g | Also search GitHub for subdomains and secrets. |
| github-api-token | STRING | -gt | GitHub API token, required when GitHub scanning is enabled. |
| cookie | STRING | -c | Cookies to send with the request. |
| bypass-ssl | BOOLEAN | -k | Bypass verification of the SSL certificate. |
| cloud-services-results | FILE | -cop | File name in which to store cloud-services results. |
Showing key inputs. subdomainizer exposes 9 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| url | STRING | -u | URL in which to find (sub)domains. |
| cookie | STRING | -c | Cookies to send with the request. |
| domain | STRING | -d | Top-level domain to scope discovery to (e.g. example.com for www.example.com). |
| bypass-ssl | BOOLEAN | -k | Bypass verification of the SSL certificate. |
| github-scan | BOOLEAN | -g | Also search GitHub for subdomains and secrets. |
| root-folder | STRING | -f | Root folder that contains the files or folders to scan. |
| url-list-file | FILE | -l | File containing a list of URLs to scan. |
| github-api-token | STRING | -gt | GitHub API token, required with -g to scan GitHub. |
| cloud-services-results | FILE | -cop | File name in which to store cloud-services results. |
example
# mine a page's JavaScript for subdomains and secrets, and scan GitHub toopython3 SubDomainizer.py -u https://example.com -d example.com -g -gt <github-token> -o subs.txt -cop cloud-services.txt[+] Total 5 unique subdomains found:api.example.comassets.example.cominternal-staging.example.commetrics.example.comvpn.example.com[+] Cloud services found:https://example-static.s3.amazonaws.com[+] Possible secrets found:aws_access_key : AKIAIOSFODNN7EXAMPLE (in https://example.com/static/app.min.js)guidance
Use SubDomainizer when you want subdomains and secrets that live in a page's JavaScript, not just in DNS data. It reads content, so point it at live URLs from a crawler. For pure passive name enumeration, subfinder is faster; run SubDomainizer to catch what scripts and GitHub leak.
Passive subdomain enumeration from datasets. SubDomainizer mines JavaScript and GitHub for names and secrets datasets miss.
Mines JavaScript for endpoints and links. SubDomainizer pulls subdomains, cloud URLs, and secrets from the same scripts and from GitHub.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
A URL is crawled by katana for JavaScript, then SubDomainizer mines those scripts for subdomains and secrets written as output.
Facts on this page come from the live Trickest tool library.