subcat: Lightning-fast passive subdomain discovery tool

by ddos ·

SubCat is a powerful subdomain discovery tool that passively aggregates data from a variety of online sources to identify valid subdomains for websites. Designed with a modular and efficient architecture, SubCat is ideal for penetration testers, bug bounty hunters, and security researchers.

Built to comply with licensing and usage restrictions of its passive sources, SubCat ensures minimal impact on target systems while delivering in-depth subdomain intelligence.

Subdomain Discovery

Features

  • Fast Enumeration: Leverages a high-performance resolution and wildcard elimination module.
  • Curated Passive Sources: Gathers subdomains from trusted online sources to maximize coverage.
  • Lightweight & Efficient: Optimized for speed with minimal resource consumption.
  • STDIN/STDOUT Integration: Seamlessly integrate with other tools and workflows.
  • IP Scope Filtering: Filter results by IP addresses using a provided scope (CIDR or file-based).
  • Detailed Output: Options to display HTTP status codes, page titles, IP addresses, and technology detection.
  • Multiple Output Formats: Export results in TXT, JSON, CSV, and XML formats for easy integration with other tools.
  • Intelligent Caching: Cache API responses to improve performance and reduce external API calls.
  • Advanced Rate Limiting: Domain-specific rate limiting to prevent API throttling and ensure reliable results.
  • Reverse Lookup Mode: Supports reverse lookup to load only modules that handle reverse enumeration (requires a valid IP scope).
  • Custom Module Selection: Include or exclude specific modules via command-line flags.
  • Enhanced Multi-threading: Uses 50 concurrent threads by default for rapid processing.

Available Modules

SubCat currently supports the following modules for passive subdomain discovery:

  • dnsdumpster
  • digitalyama
  • virustotal
  • binaryedge
  • chaos
  • bevigil
  • dnsarchive
  • netlas
  • wayback
  • shodan
  • securitytrails
  • urlscan
  • ctrsh
  • threatcrowd
  • anubis
  • censys
  • alienvault
  • hackertarget
  • certspotter

SubCat’s modular architecture is designed for flexibility and ease of extension.

Install & Use

Tags: bug bountycybersecurityDiscoveryOSINTPentestingreconnaissancesecuritySubdomain