0xSubZero automates the entire subdomain enumeration process using various tools and APIs, making reconnaissance more efficient.
- Collects subdomains from various sources (Passive, Active, APIs)
- Filters & de-duplicates results
- Performs active DNS brute-forcing
- Live Subdomain Checking using httpx
- Automatic HTML Report Generation
- Tool Installation & API Key Validation
- Error Handling & Logging
0xSubZero integrates multiple tools for passive and active subdomain enumeration. Below is a list of required tools and their purpose:
SubfinderPassive subdomain enumeration from public sourcesAssetfinderFinds subdomains using OSINT techniquesAmassSubdomain discovery via multiple reconnaissance techniquesFindomainFast subdomain discovery using certificate transparency and APIsGauFetches URLs from sources like Wayback MachineHttpxIdentifies live subdomains, status codes, and web technologiesGobusterPerforms DNS brute-force enumerationUnfurlExtracts subdomains from long URLsGitHub-SubdomainsExtracts subdomains from GitHub repositoriesChaosRetrieves subdomains using Project Discovery's APIShosubgoShosubgo Finds subdomains using Shodan API
git clone https://github.com/XploitPoy-777/0xSubZero.git
cd 0xSubZerochmod +x install.sh
./install.shConfig/api_keys.txt add your API keys:
GITHUB_TOKEN=your_github_token
CHAOS_API_KEY=your_chaos_api_key
SHODAN_API_KEY=your_shodan_api_key
VIRUSTOTAL_API_KEY=your_virustotal_api_keychmod +x 0xSubZero.sh
./0xSubZero.sh example.comβββ(kaliγΏkali)-[~/0xSubZero]
ββ$ ./0xSubZero.sh -h
_____ _____ _ ______
| _ | / ___| | | |___ /
| |/' |_ ________\ `--. _ _| |__ / / ___ _ __ ___
| /| \ \/ /______|`--. \ | | | '_ \ / / / _ \ '__/ _ \
\ |_/ /> < /\__/ / |_| | |_) |./ /__| __/ | | (_) |
\___//_/\_\ \____/ \__,_|_.__/ \_____/\___|_| \___/ v1.0
ββββββββββββββββββββββββββββββββββββββββββββ[By XploitPoy-777]βββββββββ
Subdomain Enumeration - Help Menu
Usage: ./0xSubZero.sh <domain>
Options:
<domain> Run the subdomain enumeration for the specified dsomain.
-c, --check Check if all required tools are installed.
-i, --install Install all required tools.
-a, --apikey Validate that all required API keys are present.
-h, --help Display this help menu.
Examples:
./0xSubZero.sh example.com
./0xSubZero.sh -c
./0xSubZero.sh -i
./0xSubZero.sh -aWatch a full video tutorial here:
After execution, the results are stored in an automatically created results directory (e.g., subdomain_example.com_YYYY-MM-DD_HH:MM:SS
ALL_Subdomains.txtComplete list of discovered subdomainsAlive_Subdomains.txtList of subdomains that are alivewebs_info.txtDetailed information about live subdomains (IP, tech, etc.)Subdomains_Report.htmlInteractive HTML report
../0xSubZero.sh example.comsubdomain_example.com_2025-02-28_14:30:00
βββ ALL_Subdomains.txt
βββ Alive_Subdomains.txt
βββ webs_info.txt
βββ Subdomains_Report.htmladmin.example.com
mail.example.com
dev.example.com
beta.example.comadmin.example.com
mail.example.comhttps://admin.example.com [200] [Admin Portal] [IP: 192.168.1.1] [nginx] [PHP, JavaScript]
https://mail.example.com [403] [Mail Server] [IP: 192.168.1.2] [Apache] [Python, React]π View Sample HTML Report
- OS: Linux (Debian-based)
- Tools:
curljqgitgopython3-pip - Go Packages:
gauhttpxsubfinderchaos-clientgithub-subdomains - Python Modules:
shodancensys
To install dependencies manually:
sudo apt update && sudo apt install -y curl jq git golang python3-pip
pip3 install shodan censys- Only test on domains you own or have explicit permission to test.
- Do not use for illegal activities.
- Respect rate limits & API usage policies.