Subrake - A powerful Subdomain Scanner & Validator for Reconnaissance


Subrake - A Powerful Subdomain Scanner & Validator Written in sockets and requests which makes it a lot more faster and easier to manage. It works by enumerating subdomains by searching them on web and by using local wordlists. It further identify the assets of a domain based on their ip and CNAME records and identify subdomains which are using the same IP addresses. It also scan ports if are given and enumerte possible server engines used on assets using the SERVER header returned in the response. It also enumerates possible returned HTTP status codes on port 80 and 443. 

Key Features of Subrake

  • Use built-in low level sockets to connect subdomains and other assets
  • Search Subdomains Online on the Web.
  • Validate Subdomains Using associated IP address.
  • Identify False Positives.
  • Internal Filtering using --filter option
  • Store data in plain text and CSV formats.
  • Built-in Port Scanning
  • Fitering Into More Results by Removing False Positives.


Install the required modules from requirements.txt file:

$ pip install -r requirements.txt

You can take a start by cloning the source.

$ git clone
$ cd Subrake/
$ python subrake -d yourdomain.tld -w wordlists/small.lst


    $ python subrake -d -w [ Sublister Output ]
    $ python subrake -d -d --wordlist wordlist/small.lst --filter --csv output.csv

   Args               Description                      Default
   -h, --help           Show this manual                  NONE
   -d, --domain         Target domain. Possible
                        example: []            NONE
   -w, --wordlists      Wordlists containing subdomains
                        to test. Multiple wordlists can
                        be specified.                     NONE                      
   -t, --threads        Number of threads to spawn         25
   -o, --output         Store output in a seperate file   NONE
   -c, --csv            Store output in CSV format        NONE
   -p, --ports          Comma-seperated ports to scan.    NONE
                        Depends on --scan-ports. 
   -s, --search         Search for subdomains Online      FALSE
       --filter         Filter subdomains with same IP    FALSE
       --scan-ports     Turns on the port scanning 
                        feature                           FALSE
       --exclude-ips    Exclude foll Ip Addresses from
                        Results.                          NONE


Here are some of common examples of Subrake:

$ python -d --wordlist wordlists/small.lst
$ python -d -t 30 -o output.txt -f --search -w myrandomlist.txt
$ python -d -w wordlists/small.lst -t 30 -o output.txt --csv output.csv --scan-ports


You can contribute to the project in many ways:

  • Report Bugs
  • Fork the project and start building on your own.
  • Suggestions for making it better

Have any further Question? You can hit me up on Twitter and Email:
Email: [email protected]
Twitter: @hash3liZer

February 5, 2020


Hakin9 TEAM
Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023