A multi-stage recon toolkit written in Python: given a domain, it brute-forces subdomains, port-scans whatever it finds, grabs HTTPS headers, and brute-forces common web paths on each host.
Built as a learning project to understand how recon tools work under the hood — sockets, TLS/SNI, threading, and DNS resolution — rather than relying on existing tools like nmap, gobuster, or subfinder.
HTTPS path crawling is currently being worked on.
```text
domain
  │
  ▼
subdomain_enum.py  → brute-forces subdomain prefixes, resolves via DNS
  │
  ▼ (for each subdomain found)
port_scanner.py    → TCP-scans top 100 ports, grabs HTTPS header on 443 (SNI-aware)
  │
  ▼ (if 443 is open)
path_crawler.py    → brute-forces common paths/files, filters known false-positive response sizes
  │
  ▼
beautify_report.py → turns the raw output into a readable .txt report
```
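As an added example (not code from this project), this is what the SNI-aware HTTPS header grab in the port-scanning step amounts to with only the standard library: a TLS handshake with `server_hostname` set so a virtual-hosted server behind a shared IP answers for the right name, a `HEAD` request, and a parser for the response head. The function names and the constructed sample response used to exercise the parser are assumptions, not the project's own.

```python
import socket
import ssl


def parse_response_head(raw: bytes) -> tuple[int, dict[str, str]]:
    """Parse the status line and headers of an HTTP/1.x response head.

    Only the bytes before the first blank line are read, so the head of a
    HEAD or GET response is enough. Header names are lower-cased.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", errors="replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    status = int(parts[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate a malformed header line instead of aborting the scan
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return status, headers


def grab_https_headers(host: str, port: int = 443, timeout: float = 5.0):
    """TLS-connect with SNI set to `host`, send HEAD /, return (status, headers).

    The default context verifies the certificate chain and hostname, so a lab
    host with a self-signed cert raises ssl.SSLCertVerificationError here.
    """
    ctx = ssl.create_default_context()
    request = (
        f"HEAD / HTTP/1.1\r\nHost: {host}\r\n"
        "User-Agent: recon-toolkit-example\r\nConnection: close\r\n\r\n"
    ).encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as tcp:
        # server_hostname is what sends the SNI extension in the ClientHello.
        with ctx.wrap_socket(tcp, server_hostname=host) as tls:
            tls.sendall(request)
            raw = b""
            while b"\r\n\r\n" not in raw:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                raw += chunk
    return parse_response_head(raw)
```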
| File | Purpose |
|---|---|
| `main.py` | Entry point — runs the subdomain enumerator |
| `subdomain_enum.py` | Subdomain brute-forcer + DNS resolution |
| `port_scanner.py` | Threaded TCP port scanner + HTTPS header grabber |
| `path_crawler.py` | Web path/directory brute-forcer |
| `beautify_report.py` | Converts raw scan output into a readable report |
| `sub_prefix_list.txt` | Wordlist of subdomain prefixes (www, admin, mail, ...) |
| `ports_100.txt` | Top 100 TCP ports (by nmap's frequency data) |
| `paths.txt` | Wordlist of common web paths/files |
- Python 3.10+ (uses `match` statements)
- `requests`

```shell
pip install requests
python main.py
```

You'll be prompted for:
- A subdomain wordlist file (default: `sub_prefix_list.txt`)
- An output file name (default: `found_subdomains.txt`)
- The target domain
- Whether to port-scan + crawl paths on each found subdomain (Y/N)
This tool is more of a learning exercise than a practically useful scanner. In real-world testing results varied:
- Most production sites today sit behind a CDN/WAF (Cloudflare, CloudFront, Azure Front Door, etc.) that rate-limits or blocks automated, non-browser-like traffic almost immediately — often after just a handful of requests.
- Many subdomains return generic `403`/`503` block pages regardless of what's actually behind them, which gives little real signal.
- The path brute-forcer is especially affected — fast, threaded requests against a single host are exactly the pattern WAFs are built to detect and shut down.
In short: this works cleanly against test environments (local servers, deliberately vulnerable apps, infrastructure you control), but don't expect meaningful results against random real-world domains — that's by design on their end, not a bug on this end.
This tool performs active scanning (port scanning, brute forcing) against the targets it's pointed at. Only run it against domains and infrastructure you own or have explicit permission to test. Unauthorized scanning of third-party systems may be illegal depending on your jurisdiction.
License: MIT
- fix HTTPS path scanning (handle errors better).
- add automatic content length checker to catch false positives on path crawler ✅ (0 + only adds 1 per subdomain)
- add input parsing through direct CLI (`python ./main (domain) scan_ports=yes,..`).
- add the functionality to run specific tool(s).
- give user choice on how many threads are allowed.
- remove debug print statements.
- actually structure code and use main.py better.
- check code for redundancy and just general bad practice (there are definitely a few).
- use OOP?