Ksubdomain | Fast and Accurate Subdomain Enumeration Tool


Ksubdomain is a stateless subdomain blasting tool, similar to stateless port scanning, supports fast DNS blasting on Windows/Linux/Mac, and has a retransmission mechanism, so you don’t have to worry about missing packets.

This tool can be use to perform subdomain enumeration, asynchronous dns packets, use pcap to scan 1600,000 subdomains in 1 second.

The src asset collection of hacking8 information flow https://i.hacking8.com/src/ uses ksubdomain.

Features and Tips

  • Stateless blasting, with failure retransmission mechanism, extremely fast
  • Chinese help, -h will see Chinese help
  • Two modes, enumeration mode and verification mode, the enumeration mode has a built-in 10w dictionary
  • Simplify the network parameters to -b parameters, enter your network download speed such as -b 5m, it will automatically limit the network card sending speed.
  • You can use ./ksubdomain test to test the maximum number of local packets
  • Obtaining the network card has been changed to fully automatic and can be read according to the configuration file.
  • There will be a progress bar from time to time, showing success/send/queue/receive/failure/time-consuming information in sequence.
  • For different scales of data, adjust the –retry –timeout parameters to get the best results
  • When –retry is -1, it will keep retrying until all is successful.


To use this tool, just type this following command:

ksubdomain [global options] command [command options] [arguments…]

List of Commands:

  • enum (-e) : enumerate domain names
  • verify (-v) : verify mode
  • test : tests the maximum sending speed of the local network card
  • help (-h) : Shows a list of commands or help for one command

List of Tool Mode

  • Verification Mode Provides a complete list of domain names, ksubdomain is responsible for quickly getting results
  • Enumeration mode Provide only first-level domain names, specify a domain name dictionary or use the built-in dictionary of ksubdomain to enumerate all second-level domain names


Compared with massdns, dnsx

Use 100w dictionary, test in 4H5M network environment

ksubdomain massdns dnsx
Support system Windows/Linux/Darwin Windows/Linux/Darwin Windows/Linux/Darwin
Features Support for validation and enumeration only verify only verify
way of sending pcap network card sending packets epoll,pcap,socket socket
Command Line time ./ksubdomain v -b 5m -f d2.txt -o ksubdomain.txt -r dns.txt –retry 3 –np time ./massdns -r dns.txt -t AAAA -w massdns.txt d2.txt –root -o L time ./dnsx -a -o dnsx.txt -r dns.txt -l d2.txt -retry 3 -t 5000
Remark Added –np to prevent too much printing
result Time consuming: 1m28.273s Number of
successes: 1397 Time spent: 3m29.337s Number of
successes: 1396 Time consuming: 5m26.780s Number of
successes: 1396

ksubdomain only takes 1 minute and a half, which is much faster than massdns and dnsx~


1 Like