loading
loading
Recon
Subdomain enumeration tool that runs automated reconnaissance for bug hunting and pentesting.
overview
sudomy collects subdomains for a target and then runs a chain of analysis steps on top of them. It pulls names from many passive sources, can brute force with a large built-in wordlist, and resolves the results into a clean, deduplicated host list. From there it layers on HTTP probing, status codes, port data, technology identification, and screenshots from a single invocation.
Flags toggle each stage, so you can run everything at once with --all, skip noisy active passes with --no-passive or --no-probe, or aim a specific capability such as --takeover, --dnsprobe, --extract-params, or --gwordlist. An --html report and a --graph view turn the raw findings into something you can read at a glance.
In a Trickest workflow sudomy takes a domain list and a config of API keys and writes a folder of results. Use it as a one-stop discovery stage, or run targeted passes and feed the resolved hosts into probing, scanning, and takeover nodes downstream.
source github.com/screetsec/Sudomy
use cases
Enable --all to collect subdomains from every passive source, resolve them, and produce a clean host list ready for the rest of the workflow.
Turn on --httpx, --status-code, and --apps-identifier so the output already tells you which hosts are live and what they run.
Switch on --takeover so dangling, claimable records surface in the same run that found the subdomains.
Emit --html and --graph to hand a readable map of the attack surface to teammates without re-rendering the raw data.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| domains | FILE | · | domains of the websites to scan |
| config | FILE | · | Config file for API keys and webhook URLs |
| all | BOOLEAN | --all | Running all Enumeration, no nmap & gobuster |
| source | STRING | --source | Use source for Enumerate Subdomain |
| httpx | BOOLEAN | --httpx | Perform httpx multiple probers using retryablehttp |
| takeover | BOOLEAN | --takeover | Subdomain TakeOver Vulnerabilty Scanner |
| bruteforce | BOOLEAN | --bruteforce | Bruteforce Subdomain Using Gobuster (Wordlist: ALL Top SecList DNS) |
| html | BOOLEAN | --html | Make report output into HTML |
Showing key inputs. sudomy exposes 23 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| all | BOOLEAN | --all | Running all Enumeration, no nmap & gobuster |
| html | BOOLEAN | --html | Make report output into HTML |
| graph | BOOLEAN | --graph | Network Graph Visualization |
| httpx | BOOLEAN | --httpx | Perform httpx multiple probers using retryablehttp |
| config | FILE | · | Config file for API keys and webhook URLs |
| source | STRING | --source | Use source for Enumerate Subdomain |
| db-port | STRING | --db-port | Collecting port from 3rd Party default=shodan |
| domains | FILE | · | domains of the websites to scan |
| dnsprobe | BOOLEAN | --dnsprobe | Perform multiple dns queries (dnsprobe) |
| nmap-top | BOOLEAN | --nmap-top | Port scanning with top-ports using nmap from domain list |
| no-probe | BOOLEAN | --no-probe | Do not perform httprobe |
| resolver | BOOLEAN | --resolver | Convert domain lists to resolved IP lists without duplicates |
| takeover | BOOLEAN | --takeover | Subdomain TakeOver Vulnerabilty Scanner |
| cloudfare | BOOLEAN | --cloudfare | Check an IP is Owned by Cloudflare |
| gwordlist | BOOLEAN | --gwordlist | Generate wordlist based on collecting url resources (Passive) |
| websocket | BOOLEAN | --websocket | WebSocket Connection Check |
| bruteforce | BOOLEAN | --bruteforce | Bruteforce Subdomain Using Gobuster (Wordlist: ALL Top SecList DNS) |
| no-passive | BOOLEAN | --no-passive | Do not perform passive subdomain enumeration |
| ping-sweep | BOOLEAN | --ping-sweep | Check live host using methode Ping Sweep |
| screenshot | BOOLEAN | --screenshot | Screenshots a list of website (default: gowitness) |
| status-code | BOOLEAN | --status-code | Get status codes, response from domain list |
| extract-params | BOOLEAN | --extract-params | Collecting URL Parameter from Engine |
| apps-identifier | STRING | --apps-identifier | Identify technologies on website (ex: webanalyze) |
example
# sudomy: full passive enum plus httpx probing and an HTML report for example.comsudomy --all --httpx --html --dnsprobeapi.example.comapp.example.comstaging.example.comdev.example.commail.example.comvpn.example.comcdn.example.comgitlab.example.comwww.example.comguidance
Use sudomy when you want one node to handle the whole early recon loop, from passive enumeration through probing and takeover checks. For just the raw subdomain set with no extras, subfinder or amass are leaner. For probing alone on an existing list, reach straight for httpx.
Pure passive subdomain enumeration. Faster and simpler when you only need the names, not the recon pipeline around them.
Deeper enumeration and mapping with active and passive sources. Heavier to run than a sudomy passive pass.
OSINT-focused, also pulls emails and names. sudomy leans harder into resolving, probing, and takeover.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
A domain list feeds sudomy, which enumerates, resolves, and probes subdomains and writes the recon results as a queryable output.
Facts on this page come from the live Trickest tool library.