SubX: A Fast Subdomain Buster & Full-Site Crawler with Screenshots (Python + Async)
Discover hidden subdomains, crawl entire websites, take screenshots — all in one async-powered Python tool.
The Problem
When doing OSINT, bug bounty, or penetration testing, you often need to:
-
Find hidden subdomains (
admin.target.com,api.staging.target.com) - Crawl the full site to map all internal pages
- Take screenshots of login panels, dashboards, etc.
-
Respect
robots.txtand avoid getting blocked
Most tools do one of these things.
SubX does all of them — fast, clean, and with color.
Meet SubX
github.com/Noob12345678900000/subx
SubX is a fully asynchronous Python tool that:
- Brute-forces subdomains with custom wordlists
- Resolves A/AAAA records (shows IPs)
- Crawls every internal link
- Takes screenshots of homepages using Playwright
- Respects
robots.txt - Outputs color-coded results in real time
- Exports everything to JSON
Features at a Glance
| Feature | Why It Matters |
|---|---|
| Async + 100 concurrent requests | Blazing fast |
| DNS IP resolution | Know where services live |
| Screenshot capture | Visual proof of admin panels |
| robots.txt compliance | Stay ethical & undetected |
| Colored output | Easy to read in terminal |
| JSON export | Feed into Nuclei, Burp, etc. |
Installation
git clone https://github.com/Noob12345678900000/subx.git
cd subx
pip install aiohttp beautifulsoup4 colorama robotexclusionrulesparser playwright dnspython
playwright install chromium
Usage
1. Basic Scan
python3 subx.py example.com
2. With Screenshots + Custom Wordlist
python3 subx.py tesla.com -w wordlists/subdomains.txt --screenshots -o tesla_scan
3. Hunt Email Services
python3 subx.py target.com -w wordlists/email_subdomains.txt
Sample Output
[+] SUBDOMAIN: admin.target.com → 192.168.1.100
[+] SUBDOMAIN: api.target.com → 104.21.3.45
[INT] https://admin.target.com/login
[EXT] https://github.com/target
[Screenshot] Screenshot: admin.target.com_login.png
[+] Results saved to tesla_scan/results.json
Output Structure
tesla_scan/
├── results.json
└── screenshots/
├── www.tesla.com_.png
├── shop.tesla.com_.png
└── admin.tesla.com_login.png
Built-in Wordlists
SubX includes two powerful wordlists:
email_subdomains.txt (50 entries)
mail
webmail
smtp
imap
pop3
mx
relay
mailhost
webmail2
securemail
services_subdomains.txt (50 entries)
admin
api
dev
staging
vpn
grafana
kibana
jenkins
docker
kubernetes
Pro tip: Combine with SecLists
Why Async?
Using aiohttp + asyncio, SubX can:
- Make 100+ requests at once
- Resolve DNS in parallel
- Take screenshots without blocking
Result? A full scan in under 30 seconds.
Ethical Use Only
Only scan systems you have explicit permission to test.
Unauthorized scanning may violate:
- CFAA (US)
- Computer Misuse Act (UK)
- GDPR / data protection laws
Roadmap
- [ ] Add proxy support (
--proxy http://...) - [ ] Auto-login brute-force mode
- [ ] Export to Nuclei/YAML templates
- [ ] GitHub Action for CI scanning
- [ ] Web UI dashboard
Contribute
Love it? Hate it? Improve it!
git checkout -b feature/cool-thing
git commit -m "Add cool thing"
git push origin feature/cool-thing
Pull requests welcome!
Author
Noob12345678900000
GitHub: @Noob12345678900000
Star on GitHub
If you found this useful, star the repo!
GitHub - Noob12345678900000/subx
Happy (and ethical) hacking!
Top comments (0)