DEV Community: l0n3ly

SubX: A Fast Subdomain Buster & Full-Site Crawler with Screenshots (Python + Async)

l0n3ly — Wed, 29 Oct 2025 17:37:33 +0000

SubX: A Fast Subdomain Buster & Full-Site Crawler with Screenshots (Python + Async)

Discover hidden subdomains, crawl entire websites, take screenshots — all in one async-powered Python tool.

The Problem

When doing OSINT, bug bounty, or penetration testing, you often need to:

Find hidden subdomains (admin.target.com, api.staging.target.com)
Crawl the full site to map all internal pages
Take screenshots of login panels, dashboards, etc.
Respect robots.txt and avoid getting blocked

Most tools do one of these things.

SubX does all of them — fast, clean, and with color.

Meet SubX

github.com/Noob12345678900000/subx

SubX is a fully asynchronous Python tool that:

Brute-forces subdomains with custom wordlists
Resolves A/AAAA records (shows IPs)
Crawls every internal link
Takes screenshots of homepages using Playwright
Respects robots.txt
Outputs color-coded results in real time
Exports everything to JSON

Features at a Glance

Feature	Why It Matters
Async + 100 concurrent requests	Blazing fast
DNS IP resolution	Know where services live
Screenshot capture	Visual proof of admin panels
robots.txt compliance	Stay ethical & undetected
Colored output	Easy to read in terminal
JSON export	Feed into Nuclei, Burp, etc.

Installation


git clone https://github.com/Noob12345678900000/subx.git
cd subx

pip install aiohttp beautifulsoup4 colorama robotexclusionrulesparser playwright dnspython

playwright install chromium

Usage

1. Basic Scan


python3 subx.py example.com

2. With Screenshots + Custom Wordlist


python3 subx.py tesla.com -w wordlists/subdomains.txt --screenshots -o tesla_scan

3. Hunt Email Services


python3 subx.py target.com -w wordlists/email_subdomains.txt

Sample Output


[+] SUBDOMAIN: admin.target.com          → 192.168.1.100
[+] SUBDOMAIN: api.target.com            → 104.21.3.45
[INT] https://admin.target.com/login
[EXT] https://github.com/target
[Screenshot] Screenshot: admin.target.com_login.png
[+] Results saved to tesla_scan/results.json

Output Structure


tesla_scan/
├── results.json
└── screenshots/
    ├── www.tesla.com_.png
    ├── shop.tesla.com_.png
    └── admin.tesla.com_login.png

Built-in Wordlists

SubX includes two powerful wordlists:

`email_subdomains.txt` (50 entries)


mail
webmail
smtp
imap
pop3
mx
relay
mailhost
webmail2
securemail

`services_subdomains.txt` (50 entries)


admin
api
dev
staging
vpn
grafana
kibana
jenkins
docker
kubernetes

Pro tip: Combine with SecLists

Why Async?

Using aiohttp + asyncio, SubX can:

Make 100+ requests at once
Resolve DNS in parallel
Take screenshots without blocking

Result? A full scan in under 30 seconds.

Ethical Use Only

Only scan systems you have explicit permission to test.

Unauthorized scanning may violate:

CFAA (US)
Computer Misuse Act (UK)
GDPR / data protection laws

Roadmap

[ ] Add proxy support (--proxy http://...)
[ ] Auto-login brute-force mode
[ ] Export to Nuclei/YAML templates
[ ] GitHub Action for CI scanning
[ ] Web UI dashboard

Contribute

Love it? Hate it? Improve it!


git checkout -b feature/cool-thing
git commit -m "Add cool thing"
git push origin feature/cool-thing

Pull requests welcome!

Author

Noob12345678900000

GitHub: @Noob12345678900000

Star on GitHub

If you found this useful, star the repo!

GitHub - Noob12345678900000/subx

Happy (and ethical) hacking!

httprecon3: The Ultimate Stealthy Recon Tool for Bug Bounty Hunters and Pentesters

l0n3ly — Wed, 29 Oct 2025 17:06:03 +0000

Introducing httprecon3: The Ultimate Stealthy Recon Tool for Bug Bounty Hunters and Pentesters

By l0n3ly!

October 29, 2025

Cross-posted on DEV.to: https://dev.to/l0n3ly

In the fast-evolving world of cybersecurity, reconnaissance remains the cornerstone of any successful penetration test or bug bounty hunt. Tools like Subfinder, Amass, or even basic wget crawlers have their place, but what if you could combine deep web crawling, secret detection, subdomain enumeration, screenshot capture, and AI-powered insights—all in a single, stealthy Python script? Enter httprecon3, a fresh open-source powerhouse that's set to streamline your recon workflow like never before.

Launched today on GitHub by security researcher l0n3ly! (that's me—feel free to ping me on Discord at l0n3ly_natasha), httprecon3 is designed for the modern hunter: ethical, extensible, and evasion-ready. Whether you're mapping an attack surface for a bug bounty program or auditing your own infrastructure, this tool uncovers hidden gems (and potential landmines) with surgical precision. Let's dive in.

What Makes httprecon3 Stand Out?

Gone are the days of juggling multiple tools for recon. httprecon3 packs a punch with features tailored for real-world scenarios:

Deep Crawling with 50+ Link Extraction Methods

Recursively spider sites up to a configurable depth (default: 3), pulling URLs from everything—HTML anchors, CSS url() declarations, JS fetch() calls, SVG embeds, Web App Manifests, even robots.txt sitemaps. It handles lazy-loaded images (data-src, srcset), videos, audio, iframes, and more. No more missing those sneaky API endpoints buried in minified JS.
300+ API Key and Secret Patterns

Built-in regex magic detects exposed credentials from heavyweights like AWS (AKIA[0-9A-Z]{16}), Firebase, Stripe (sk_live_[0-9a-zA-Z]{24}), GitHub tokens (ghp_[a-zA-Z0-9]{36}), Slack, Twilio, and over 100 others. It even flags JWTs, SSH keys, and crypto wallets. Pro tip: Run --extract-keys to surface these in your scans.
Subdomain Brute-Force with 250+ Wordlist

Armed with a curated list covering core (e.g., www, api), DevOps (jenkins, k8s), monitoring (grafana, prometheus), and niche terms (hipaa, soc2), it uses multithreaded DNS resolution to validate hits. Load your own wordlist with --wordlist for custom fuzzing.
Stealth Mode for Evasion

Random delays (configurable via --stealth MIN MAX), rotating User-Agents, and headless Chrome integration keep you under the radar. Perfect for production environments where WAFs are watching.
Full-Page Screenshots

Using Selenium, it captures entire pages (not just viewports) and saves them with timestamps. Great for visual verification of admin panels or dynamic content. Just add --screenshots shots/ and watch the PNGs pile up.
Keyword Hunting with 300+ Patterns

Targets sensitive files and paths like .env, /wp-admin, Dockerfile, backups (*.bak), and debug flags (debug=true). Customize with -k for your own hunts.
JavaScript Deep Dive

Parses axios, XMLHttpRequest, template literals, WebSockets, and dynamic imports to unearth endpoints that static scanners miss.
AI-Powered Reports

At scan's end, it queries GPT-4o (via Pollinations API) for a concise summary: high-value assets, critical findings, and next steps. Disable with --no-ai if you're flying solo.

Under the MIT License, it's free to fork, tweak, and deploy. The repo is already extensible—edit the wordlists or patterns right in the script.

Quick Start: From Zero to Recon Hero

Getting up and running is a breeze. Here's the playbook:

Clone and Install

git clone https://github.com/Noob12345678900000/httprecon3.git
cd httprecon3
pip install requests beautifulsoup4 cssutils selenium colorama dnspython
# For screenshots, grab ChromeDriver or add webdriver-manager for auto-handling.

Basic Scan

python3 httprecon3.py example.com

This kicks off a depth-3 crawl, keyword hunt, and asset dump.

Pro-Level Recon

python3 httprecon3.py target.com \
  --subdomains \
  --extract-keys \
  --screenshots shots/ \
  --stealth 2 5 \
  -o assets.txt \
  -e js css json

Brute subdomains, snag secrets, screenshot everything, and stealthily delay requests by 2–5 seconds.

Output? Colorful terminal logs with assets listed, keyword hits with context, API detections, and that slick AI wrap-up. Assets save to file for easy piping into tools like Nuclei or FFUF.

Real-World Use Case: Finding a Leaked AWS Key in 30 Seconds

During a recent bug bounty, I ran httprecon3 on a mid-sized SaaS target. Within the first pass, it flagged:

admin.target.com (from subdomain brute-force)
/config.js containing AKIA... (via --extract-keys)
/graphql with introspection enabled
A full screenshot of the admin login panel

The AI report summarized:

Critical: AWS key exposed in JS. Admin panel accessible. GraphQL introspection on. Prioritize key rotation and auth testing.

30 seconds from launch to actionable intel. That’s the power of httprecon3.

Why Open Source? Why Now?

Recon tools are often bloated, paid, or outdated. httprecon3 is:

Lightweight: One script, no bloat.
Free & Open: MIT licensed.
Community-Driven: Pull requests welcome for new patterns, wordlists, or integrations.

Check out the manual page for full command reference.

Get Started Today

git clone https://github.com/Noob12345678900000/httprecon3.git

Star it. Fork it. Break it. Improve it.

GitHub: https://github.com/Noob12345678900000/httprecon3
Discord: l0n3ly_natasha
DEV.to: https://dev.to/l0n3ly

"In recon, speed wins. In depth, secrets fall."

— l0n3ly!

Happy hunting. Stay ethical. And never stop learning.

DEV Community: l0n3ly

SubX: A Fast Subdomain Buster & Full-Site Crawler with Screenshots (Python + Async)

SubX: A Fast Subdomain Buster & Full-Site Crawler with Screenshots (Python + Async)

The Problem

Meet SubX

Features at a Glance

Installation

Usage

1. Basic Scan

2. With Screenshots + Custom Wordlist

3. Hunt Email Services

Sample Output

Output Structure

Built-in Wordlists

email_subdomains.txt (50 entries)

services_subdomains.txt (50 entries)

Why Async?

Ethical Use Only

Roadmap

Contribute

Author

Star on GitHub

httprecon3: The Ultimate Stealthy Recon Tool for Bug Bounty Hunters and Pentesters

Introducing httprecon3: The Ultimate Stealthy Recon Tool for Bug Bounty Hunters and Pentesters

What Makes httprecon3 Stand Out?

Quick Start: From Zero to Recon Hero

Clone and Install

Basic Scan

Pro-Level Recon

Real-World Use Case: Finding a Leaked AWS Key in 30 Seconds

Why Open Source? Why Now?

Get Started Today

`email_subdomains.txt` (50 entries)

`services_subdomains.txt` (50 entries)