0xSubZero automates the entire subdomain enumeration process using various tools and APIs, making reconnaissance more efficient.
- Collects subdomains from various sources (Passive, Active, APIs)
- Filters & de-duplicates results
- Performs active DNS brute-forcing
- Identifies live subdomains using httpx
- Generates detailed HTML reports
- Logs all actions for easy debugging
- Passive Subdomain Enumeration (via OSINT tools & APIs)
- Active Subdomain Enumeration (via brute-forcing)
- Multiple Enumeration Techniques (Certificates, GitHub, VirusTotal, etc.)
- Live Subdomain Checking using httpx
- Automatic HTML Report Generation
- Tool Installation & API Key Validation
- Error Handling & Logging
0xSubZero integrates multiple tools for passive and active subdomain enumeration. Below is a list of required tools and their purpose:
SubfinderPassive subdomain enumeration from public sourcesAssetfinderFinds subdomains using OSINT techniquesAmassSubdomain discovery via multiple reconnaissance techniquesFindomainFast subdomain discovery using certificate transparency and APIsGauFetches URLs from sources like Wayback MachineHttpxIdentifies live subdomains, status codes, and web technologiesGobusterPerforms DNS brute-force enumerationUnfurlExtracts subdomains from long URLsGitHub-SubdomainsExtracts subdomains from GitHub repositoriesChaosRetrieves subdomains using Project Discovery's APIShosubgoShosubgo Finds subdomains using Shodan API
git clone https://github.com/0xPoyel/0xSubZero.git
cd 0xSubZerochmod +x install.sh
./install.shConfig/api_keys.txt add your API keys:
GITHUB_TOKEN=your_github_token
CHAOS_API_KEY=your_chaos_api_key
SHODAN_API_KEY=your_shodan_api_key
VIRUSTOTAL_API_KEY=your_virustotal_api_keychmod +x 0xSubZero.sh
./0xSubZero.sh example.com./0xSubZero.sh -c./0xSubZero.sh -i./0xSubZero.sh -a./0xSubZero.sh -up┌──(kali㉿kali)-[~/0xSubZero]
└─$ ./0xSubZero.sh -h
_____ _____ _ ______
| _ | / ___| | | |___ /
| |/' |_ ________\ `--. _ _| |__ / / ___ _ __ ___
| /| \ \/ /______|`--. \ | | | '_ \ / / / _ \ '__/ _ \
\ |_/ /> < /\__/ / |_| | |_) |./ /__| __/ | | (_) |
\___//_/\_\ \____/ \__,_|_.__/ \_____/\___|_| \___/ v1.0
────────────────────────────────────────────[By 0xPoyel]─────────
Subdomain Enumeration - Help Menu
Usage: ./0xSubZero.sh <domain>
Options:
<domain> Run the subdomain enumeration for the specified dsomain.
-c, --check Check if all required tools are installed.
-i, --install Install all required tools.
-a, --apikey Validate that all required API keys are present.
-up, --update Update 0xSubZero tools to the latest version.
-h, --help Display this help menu.
Examples:
./0xSubZero.sh example.com
./0xSubZero.sh -c
./0xSubZero.sh -i
./0xSubZero.sh -a
./0xSubZero.sh -up📺 Watch a full video tutorial here:
After execution, the results are stored in an automatically created results directory (e.g., subdomain_example.com_YYYY-MM-DD_HH:MM:SS
ALL_Subdomains.txtComplete list of discovered subdomainsAlive_Subdomains.txtList of subdomains that are alivewebs_info.txtDetailed information about live subdomains (IP, tech, etc.)Subdomains_Report.htmlInteractive HTML report
../0xSubZero.sh example.comsubdomain_example.com_2025-02-28_14:30:00
│── ALL_Subdomains.txt
│── Alive_Subdomains.txt
│── webs_info.txt
│── Subdomains_Report.htmladmin.example.com
mail.example.com
dev.example.com
beta.example.comadmin.example.com
mail.example.comhttps://admin.example.com [200] [Admin Portal] [IP: 192.168.1.1] [nginx] [PHP, JavaScript]
https://mail.example.com [403] [Mail Server] [IP: 192.168.1.2] [Apache] [Python, React]🔗 View Sample HTML Report
- OS: Linux (Debian-based)
- Tools:
curljqgitgopython3-pip - Go Packages:
gauhttpxsubfinderchaos-clientgithub-subdomains - Python Modules:
shodancensys
To install dependencies manually:
sudo apt update && sudo apt install -y curl jq git golang python3-pip
pip3 install shodan censys🚨 Responsible Disclosure Policy
- Only test on domains you own or have explicit permission to test.
- Do not use for illegal activities.
- Respect rate limits & API usage policies.