🎯 SubHunter - Advanced Subdomain Enumeration for Bug Bounty

🌟 Why SubHunter?

SubHunter isn't just another subdomain enumerator. It's a professional-grade reconnaissance tool specifically designed to maximize your Bug Bounty ROI by intelligently prioritizing high-value targets.

🎯 Built for Bug Bounty Success

• Smart Prioritization: Automatically ranks subdomains by their value for Bug Bounty programs
• Deep Discovery: Goes beyond surface-level enumeration with advanced techniques
• High Performance: 100+ concurrent threads with optimized async operations
• Actionable Intelligence: Detailed reports with security-focused insights

✨ Features

🔍 Multi-Vector Enumeration

• 🚀 Brute Force: 500+ curated subdomains optimized for Bug Bounty
• 🔐 Certificate Transparency: Searches CT logs (crt.sh integration)
• ⚡ DNS Resolution: Ultra-fast async DNS lookups
• 🌐 HTTP Analysis: Comprehensive web service fingerprinting

🧠 Intelligent Analysis

• 🎯 Priority Classification: Critical → High → Medium → Low → Unknown
• 🛡️ Security Headers: Identifies missing security controls
• ⚙️ Technology Detection: Recognizes frameworks, servers, and tools
• 📊 Performance Metrics: Response times and availability status

📈 Professional Reporting

• 📋 Organized Output: Sorted by priority for efficient triage
• 📄 Detailed Reports: Complete subdomain intelligence in text format
• 🎨 Color-coded Results: Visual priority indicators
• 📊 Statistical Summary: Quick overview of findings

🚀 Installation

Prerequisites

• Rust 1.70+ (Install Rust)

Quick Start

# Clone the repository
git clone https://github.com/your-username/subhunter.git
cd subhunter

# Build in release mode for maximum performance
cargo build --release

# Run SubHunter
./target/release/subhunter example.com

One-liner Installation

cargo install [--lock] subhunter

🎯 Intelligent Priority System

SubHunter uses a sophisticated classification system to help you focus on high-value targets first:

💻 Usage

Basic Usage

# Enumerate subdomains for a target
subhunter example.com

Example Output

🎯 SubHunter - Advanced Subdomain Enumeration for Bug Bounty
Target: example.com

🔍 Searching Certificate Transparency logs...
📋 Found 23 certificates in CT log
✅ CT Log: admin.example.com
✅ CT Log: api.example.com

🔍 Starting brute force enumeration...
✅ Found: admin.example.com (CRITICAL)
✅ Found: api.example.com (CRITICAL)
✅ Found: dev.example.com (CRITICAL)
✅ Found: mail.example.com (HIGH)
✅ Found: www.example.com (MEDIUM)

📊 Report saved to: subdomains_example.com.txt
📈 Statistics:
  🔴 Critical: 15
  🟠 High: 8
  🟡 Medium: 12
  🟢 Low: 5
  ⚪ Unknown: 3

✅ Enumeration completed!

📋 Sample Report

🎯 SUBDOMAIN ENUMERATION REPORT
Domain: example.com
Total found: 43
Timestamp: 2025-05-28 15:30:45
================================================================================

🔴 CRITICAL - HIGH PRIORITY FOR BUG BOUNTY
--------------------------------------------------

Domain: admin.example.com
IPs: ["192.168.1.10"]
HTTP Status: 200
Title: Admin Panel - Login
Technologies: ["Server: Apache/2.4.41"]
Security Headers: {"x-frame-options": "DENY"}
Response Time: 234ms

Domain: api.example.com
IPs: ["192.168.1.15"]
HTTP Status: 200
Title: API Gateway
Technologies: ["Server: nginx/1.18.0", "Powered by: Express"]
Security Headers: {}
Response Time: 156ms

🛠️ Technical Specifications

Performance

• ⚡ Concurrent Requests: 100 simultaneous operations
• ⏱️ Timeout Management: 60 second intelligent timeouts
• 🔄 Rate Limiting: Smart request throttling
• 🎯 Accuracy: Advanced duplicate detection

Technology Detection

SubHunter automatically identifies:

• Web Servers: Apache, Nginx, IIS, Cloudflare
• Frameworks: WordPress, Joomla, Drupal, React, Angular
• Languages: PHP, Python, Node.js, Java
• Security: WAFs, CDNs, Load Balancers

Wordlist Coverage

• 🎯 Bug Bounty Focused: Curated for maximum finding potential
• 🔧 Technology Specific: Jenkins, GitLab, Jira, Confluence
• 🌐 Infrastructure: Mail, VPN, Database, Monitoring
• 🔄 Variants: Automatic prefix generation (new-, old-, v1-, v2-)

🎯 Bug Bounty Optimizations

Maximize Your ROI

• 🎯 Target High-Value Assets: Automatically prioritizes admin panels and APIs
• ⚡ Efficient Scanning: Focuses on subdomains with highest bug potential
• 📊 Actionable Intelligence: Provides context for each finding
• 🚀 Time Optimization: Spend time on valuable targets, not noise

Use Cases

• 🔍 Initial Reconnaissance: Comprehensive asset discovery
• 🎯 Attack Surface Expansion: Find hidden entry points
• 📊 Continuous Monitoring: Track new subdomain deployments
• 🔴 Red Team Operations: Professional-grade enumeration

🛡️ Responsible Usage

⚠️ Important Notice: SubHunter is designed for ethical security testing only

Authorized Use Cases:

• ✅ Bug Bounty programs with explicit permission
• ✅ Penetration testing with written authorization
• ✅ Security auditing of your own assets
• ✅ Educational and research purposes

Prohibited Uses:

• ❌ Unauthorized scanning of third-party systems
• ❌ Malicious reconnaissance activities
• ❌ Violation of computer fraud and abuse laws

🚧 Roadmap

🔜 Coming Soon

• Subdomain Takeover Detection - Automated verification
• Screenshot Capture - Visual reconnaissance
• Port Scanning Integration - Service discovery
• JSON/CSV Export - Multiple output formats
• Web Dashboard - Interactive results viewer

🌟 Future Enhancements

• Custom Wordlists - User-defined dictionaries
• API Integration - Shodan, VirusTotal, SecurityTrails
• Machine Learning - Intelligent pattern recognition
• Team Collaboration - Shared workspace features

🤝 Contributing

We welcome contributions from the security community!

How to Contribute

1. 🍴 Fork the repository
2. 🌿 Create a feature branch
3. 💻 Make your changes
4. 🧪 Test thoroughly
5. 📝 Submit a pull request

Areas for Contribution

• 🎯 Enhanced wordlists
• 🔧 New enumeration techniques
• 📊 Improved reporting formats
• 🛡️ Additional security checks

📜 License

Released under the MIT License - see LICENSE for details.

🎖️ Credits