Subdomain Gathering Tools – Top 10

This article showcases the top subdomain gathering tools currently available to the cybersecurity community. Finding subdomains is a critical task for penetration testers and security researchers. Identifying subdomains of a given domain is an integral part of the information gathering phase.  These tools help uncover hidden services, track the attack surface, and identify vulnerabilities within an organization’s online presence.

Table of Contents

Top 10 Subdomain Gathering Tools

1. Sublist3r

Description: Sublist3r is a Python tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting.
GitHub Link: Sublist3r on GitHub

python -d

Documentation Link: Sublist3r Documentation

2. Amass

Description: The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open-source information gathering and active reconnaissance techniques.
GitHub Link: Amass on GitHub

amass enum -d

Documentation Link: Amass Documentation

3. Subfinder

Description: Subfinder is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources.
GitHub Link: Subfinder on GitHub

subfinder -d

Documentation Link: Subfinder Documentation

4. Assetfinder

Description: Assetfinder is a tool that finds domains and subdomains related to a particular domain, useful for penetration testing and bug bounty hunting.
GitHub Link: Assetfinder on GitHub


Documentation Link: No official documentation, but usage is straightforward as displayed.


Description: is an online service by Sectigo that allows users to search for SSL/TLS certificates by domain name, showing any related subdomains.
GitHub Link: N/A ( is an online service)
Usage: Visit the website and enter the domain name:
Documentation Link: N/A ( does not offer separate documentation)

6. Findomain

Description: Findomain is a fast and cross-platform subdomain enumerator, combining various passive data sources, certificate transparency logs, and more.
GitHub Link: Findomain on GitHub

findomain -t

Documentation Link: Findomain Documentation

7. Knockpy

Description: Knockpy is a python tool designed to enumerate subdomains on a target domain through a wordlist.
GitHub Link: Knockpy on GitHub


Documentation Link: Knockpy Documentation

8. SubOver

Description: SubOver is a powerful hostname takeover tool that checks a list of subdomains and finds dangling CNAME records.
GitHub Link: SubOver on GitHub

./subover -l subdomains.txt

Documentation Link: SubOver Documentation

9. DNSRecon

Description: DNSRecon provides DNS enumeration with services record enumeration and DNS zone transfer.
GitHub Link: DNSRecon on GitHub

dnsrecon -d

Documentation Link: DNSRecon Documentation


Description: AQUATONE is a set of tools for performing reconnaissance on domain names. It can discover subdomains, take screenshots, find open ports, and more.
GitHub Link: AQUATONE on GitHub

aquatone-discover --domain

Documentation Link: AQUATONE Documentation

Conclusive Summary

In conclusion, the subdomain gathering tools mentioned above serve a variety of functions and are indispensable for penetration testers, bug bounty hunters, and security enthusiasts. They aid in uncovering potential security threats and provide a platform to strengthen online defenses against cyber attacks. While this list features ten notable tools, there are many others available in the cybersecurity domain, and the best choice depends on individual needs and specific security tasks at hand.