Subrake Subdomain Enumeration & Validation tool for Bug Bounty
Subrake Subdomain Enumeration & Validation tool for Bug Bounty

Subrake: Subdomain Enumeration & Validation tool for Bug Bounty

A Subdomain Enumeration and Validation tool for Bug Bounty and Pentesters.

Subdomain Enumeration with Subrake
Subdomain Enumeration with Subrake

Key Features

  • OSINT + Subdomain Bruteforcing
  • Capable of handling outputs from multiple tools
  • Handling False Positives and Filters subdomains with same resolutions.
  • Checking for Server Banners and Ports
  • Incredibly Fast
  • Handling domains with larger scopes
  • Port Scanning


Installing stable version directly from PYPI:

$ pip3 install subrake

Installing latest build:

$ git clone
$ cd Subrake/
$ python3 install

Run after installation:

$ subrake --help


Subrake is highly flexible and is made to work under different situations. It can parse output files from multiple tools collectively. It does OSINT search alongside wordlist bruteforcing and before actual bruteforcing, it removes similar subdomains and false positives. It does also support a filter which when supplied allows you to seperate subdomains with same IP addresses in the final CSV result. Let’s see some of the Subrake uses:

A simple run with OSINT results from search engines:

$ subrake -d

Subrake with Multiple Threads:

$ subtake -d -t 50

Subrake with OSINT results + SecLists subdomains list:

$ subrake -d --wordlists SecLists/Discovery/DNS/namelist.txt

Subrake with OSINT results + Multiple SecLists subdomains list:


Subdomains with similar names will automatically be filtered and counted as 1

$ subrake -d --wordlists SecLists/Discovery/DNS/namelist.txt,SecLists/Discovery/DNS/dns-Jhaddix.txt

Subrake without OSINT + Output from multiple tools combined + IP Filtering:

$ domain=""
$ subfinder -d $domain -nW -o $domain/1.txt && sublist3r -d $domain -o $domain/2.txt && cat $domain/* >> /tmp/output.txt
$ subrake -d $domain -w tmp/output.txt --filter --skip-search

Subrake without DNS + OSINT:

$ subrake -d --skip-dns

Subrake with Port Scanning:


The port 80,443 will be scanned by default for every host under HTTP/HTTPS banner. So, there’s no need to specify them here

$ subrake -d --ports 8080,8443,8000,23,445


   Args               Description                                    Default
   -h, --help           Show this manual                             NONE
   -d, --domain         Target domain. Possible
                        example: []                       NONE
   -w, --wordlists      Wordlists containing subdomains
                        to test. Multiple wordlists can
                        be specified.                                NONE
   -t, --threads        Number of threads to spawn                    25
   -o, --output         Store final subdomains in a specified file   NONE
   -c, --csv            Store output results in CSV format           NONE
   -p, --ports          Comma-seperated list of ports to scan.       NONE
   -s, --skip-search    Search for subdomains Online from various
                        sites.                                       FALSE
       --filter         Filter subdomains with same IP in CSV output FALSE
                        Helpful with larger scopes.
       --skip-dns       Skip initial DNS enumeration phase           FALSE
       --exclude-ips    Exclude specified IPs from the final results
                        Helpful in removing False Positives          NONE
Dark Mode

Subrake (this link opens in a new window) by hash3liZer (this link opens in a new window)

A Subdomain Enumeration and Validation tool for Bug Bounty and Pentesters.