Documentation v1.0

Introduction

SubSpectre is a high-performance, self-hosted subdomain enumeration tool. It combines Certificate Transparency (CT) logs with active dictionary attacks to uncover subdomains that may not be publicly listed.

Self-Hosted & Private

SubSpectre runs entirely on your local machine or server. No data is sent to external services other than the DNS queries and CT log checks the scan itself needs; those go to public providers like crt.sh and therefore do reveal the domain being scanned to those providers.


Installation

SubSpectre is built with SvelteKit and Node.js. It requires Node v18+ to run.

# Clone the repository
git clone https://github.com/Trapkhing/subspectre.git

# Install dependencies
cd subspectre
npm install

# Start development server
npm run dev

Enumeration Logic

The engine orchestrates data from two primary sources:

Source 1: CT Logs

Queries crt.sh to find certificates historically issued for the target domain. This is passive and undetectable by the target.
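As an added example (not SubSpectre's own code), this is the kind of post-processing a crt.sh JSON answer needs before it is useful: certificates list several names per entry, wildcard names describe the zone rather than a host, casing varies, and look-alike domains must be kept out. The records below are constructed in crt.sh's field style (common_name, name_value); the CLI's multi-level discovery described later is the same idea.

```javascript
// Added example, not SubSpectre's code. Constructed records in the shape of
// crt.sh's JSON output (https://crt.sh/?q=%25.example.com&output=json).
const CRTSH_SAMPLE = [
  { id: 1, common_name: "www.example.com", name_value: "www.example.com\nexample.com" },
  { id: 2, common_name: "*.example.com", name_value: "*.example.com\nexample.com" },
  { id: 3, common_name: "api.v2.example.com", name_value: "api.v2.example.com\nWWW.Example.com" },
  { id: 4, common_name: "example.com.evil.test", name_value: "example.com.evil.test" },
];

// Collapse CT log records into a deduplicated, in-scope subdomain list.
function subdomainsFromCtLog(records, domain) {
  const root = domain.toLowerCase();
  const seen = new Set();
  for (const rec of records) {
    // name_value holds newline-separated SANs; common_name may add one more.
    const names = `${rec.name_value}\n${rec.common_name || ""}`.split("\n");
    for (let n of names) {
      n = n.trim().toLowerCase();
      if (n.startsWith("*.")) n = n.slice(2);   // a wildcard cert names the zone, not a host
      if (n === "" || n === root) continue;     // the apex itself is not a subdomain
      if (!n.endsWith("." + root)) continue;    // drops look-alikes such as example.com.evil.test
      seen.add(n);
    }
  }
  // Shallow names first, so multi-level hosts like api.v2.example.com stand out at the end.
  return [...seen].sort(
    (a, b) => a.split(".").length - b.split(".").length || a.localeCompare(b)
  );
}

// Depth of a name below the root domain (api.v2.example.com -> 2).
function level(name, domain) {
  return name.split(".").length - domain.split(".").length;
}
```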

Source 2: Active DNS

Uses a built-in dictionary of common subdomains (e.g., `dev`, `staging`, `api`) and attempts to resolve them against public DNS servers.


Wildcard Detection

To prevent false positives, SubSpectre checks for wildcard DNS records (e.g., `*.example.com`). If a random subdomain resolves (like `random-xyz.example.com`), any results that map to the same IP are flagged or filtered to keep the results clean.
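The check described above, written out as an added example rather than SubSpectre's own implementation. The resolver is injected so the code runs offline against a constructed zone; in Node you would pass require("dns").promises.resolve4 in place of fakeResolve4. It also shows the edge case the flagging approach is for: a real host that happens to share the wildcard address.

```javascript
// Added example, not SubSpectre's code. Constructed zone: every name under
// example.com answers 203.0.113.10 (the wildcard), except api, which has its own
// address; mail deliberately shares the wildcard IP.
const FAKE_ZONE = {
  "api.example.com": ["198.51.100.7"],
  "mail.example.com": ["203.0.113.10"],
};
async function fakeResolve4(name) {
  if (FAKE_ZONE[name]) return FAKE_ZONE[name];
  if (name.endsWith(".example.com")) return ["203.0.113.10"];
  throw Object.assign(new Error(`ENOTFOUND ${name}`), { code: "ENOTFOUND" });
}

// Probe one random label: if it resolves, the zone has a wildcard and we keep its IPs.
async function detectWildcard(resolve4, domain) {
  const label = "wc-" + Math.random().toString(36).slice(2, 12);
  try {
    return { wildcard: true, ips: new Set(await resolve4(`${label}.${domain}`)) };
  } catch (e) {
    if (e.code === "ENOTFOUND" || e.code === "ENODATA") return { wildcard: false, ips: new Set() };
    throw e; // SERVFAIL, timeouts etc. are real errors, not "no wildcard"
  }
}

// Resolve each dictionary word. A hit whose addresses are all wildcard addresses is
// flagged rather than dropped, because a genuine host can legitimately share that IP.
async function enumerate(resolve4, domain, words) {
  const wc = await detectWildcard(resolve4, domain);
  const results = [];
  for (const w of words) {
    const name = `${w}.${domain}`;
    let ips;
    try { ips = await resolve4(name); } catch { continue; } // NXDOMAIN: not a subdomain
    const wildcardMatch = wc.wildcard && ips.every((ip) => wc.ips.has(ip));
    results.push({ name, ips, wildcardMatch });
  }
  return { wildcard: wc.wildcard, results };
}
```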


Web Tools

SubSpectre includes a suite of web-based intelligence tools designed for quick, visual analysis of domains and infrastructure.

Whois Lookup

A robust WHOIS client that bypasses common restrictions by querying the IANA root server first, then following referrals to the authoritative registrar.

  • Universal Reach: Works on any TLD (com, net, io, app, etc.)
  • Smart Fallback: Automatically tries alternative servers if the primary registry is unreachable
  • Clean Parsing: Converts raw WHOIS text into structured JSON data
  • Raw Data View: Inspect the original server response for debugging

Tech Stack Detector

Identify the technologies powering any website. Our V2 engine uses a weighted scoring system to reduce false positives.

Scoring System

Technologies are detected based on a cumulative score from multiple signals:

  • +3 points: Unique HTTP Headers or Cookies
  • +2 points: Specific Script Sources (src attributes)
  • +1 point : HTML Content Patterns
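An added example of the weighting above, not the V2 engine's own code. The two fingerprints, the report threshold of 2 points and the score-to-confidence mapping are assumptions made for illustration; the response being scored is constructed.

```javascript
// Added example, not SubSpectre's V2 engine. Constructed fingerprints; header names are
// lower-cased as Node's http module delivers them.
const FINGERPRINTS = [
  {
    name: "Next.js", category: "Framework",
    headers: { "x-powered-by": /next\.js/i }, cookies: [],
    scripts: [/\/_next\/static\//], html: [/<div id="__next"/],
  },
  {
    name: "PHP", category: "Language",
    headers: { "x-powered-by": /php/i }, cookies: [/^PHPSESSID=/],
    scripts: [], html: [],
  },
];

// Assumed mapping from cumulative score to the confidence label the API returns.
function confidence(score) {
  return score >= 4 ? "High" : score >= 2 ? "Medium" : "Low";
}

// Score every fingerprint against one response: +3 header/cookie, +2 script src, +1 HTML.
function detect({ headers, html }) {
  const cookies = headers["set-cookie"] || [];
  const scriptSrcs = [...html.matchAll(/<script[^>]+src=["']([^"']+)["']/gi)].map((m) => m[1]);
  const found = [];
  for (const fp of FINGERPRINTS) {
    let score = 0;
    for (const [h, re] of Object.entries(fp.headers)) if (re.test(headers[h] || "")) score += 3;
    if (fp.cookies.some((re) => cookies.some((c) => re.test(c)))) score += 3;
    if (fp.scripts.some((re) => scriptSrcs.some((s) => re.test(s)))) score += 2;
    if (fp.html.some((re) => re.test(html))) score += 1;
    // Assumed threshold: a single +1 HTML pattern alone is not enough to report.
    if (score >= 2) found.push({ name: fp.name, category: fp.category, score, confidence: confidence(score) });
  }
  return found.sort((a, b) => b.score - a.score);
}

// Constructed response: a Next.js page that also sets a PHP session cookie.
const SAMPLE = {
  headers: { "x-powered-by": "Next.js", "set-cookie": ["PHPSESSID=abc; Path=/"] },
  html: '<html><body><div id="__next"></div><script src="/_next/static/chunks/main.js"></script></body></html>',
};
```

Running detect(SAMPLE) reports Next.js at 6 points (High) and PHP at 3 points (Medium), which shows why a lone cookie signal should land lower than a header plus script plus markup.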

API Reference

The application exposes the following endpoints for programmatic access. There is currently no authentication required for the local API, so keep the dev server bound to localhost: anyone who can reach the port can start scans and lookups from your host.

POST /api/scan

Start a new background scan. Active scans are stored in memory and do not survive a restart of the server.

Body Parameters

  • domain Target domain (e.g. google.com)

Response

{
  "status": "ok",
  "id": "abc123xym..."
}

GET /api/status?id=<id>

Poll the status of a running scan.

Query Parameters

  • id The ID returned from the start endpoint.

Response

{
  "running": true,
  "progress": 45,
  "wildcard": false,
  "results": [ ... ]
}

POST /api/whois

Perform a WHOIS lookup for a domain.

Body Parameters

  • domain Target domain (e.g. google.com)

Response

{
  "domainName": "google.com",
  "registrar": "MarkMonitor Inc.",
  "creationDate": "1997-09-15T04:00:00Z",
  "nameServer": [ ... ],
  "raw": "..."
}

POST /api/tech-stack

Detect technologies used on a website.

Body Parameters

  • url Target URL (e.g. https://example.com)

Response

{
  "url": "https://example.com",
  "technologies": [
    {
      "name": "Next.js",
      "category": "Framework",
      "confidence": "High"
    }
  ]
}
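An added client for the scan endpoints above, not code from the project: it starts a scan with POST /api/scan and polls GET /api/status until running turns false, with a cap on polls so a stuck scan cannot hang a pipeline. The fetch function is injected so the flow can be exercised offline against a scripted fake; the base URL of http://localhost:5173 and the shape of the results entries are assumptions.

```javascript
// Added example, not SubSpectre's code. With a real server pass globalThis.fetch as fetchFn.
async function runScan(fetchFn, base, domain, { intervalMs = 1000, maxPolls = 600 } = {}) {
  const start = await fetchFn(`${base}/api/scan`, {
    method: "POST",
    headers: { "content-type": "application/json" },
    body: JSON.stringify({ domain }),
  });
  if (!start.ok) throw new Error(`scan start failed: HTTP ${start.status}`);
  const { status, id } = await start.json();
  if (status !== "ok" || !id) throw new Error("unexpected start response");

  for (let i = 0; i < maxPolls; i++) {
    const res = await fetchFn(`${base}/api/status?id=${encodeURIComponent(id)}`);
    if (!res.ok) throw new Error(`status failed: HTTP ${res.status}`);
    const s = await res.json();
    if (!s.running) return s;                     // finished: progress, wildcard flag and results
    await new Promise((r) => setTimeout(r, intervalMs));
  }
  throw new Error(`scan ${id} did not finish within ${maxPolls} polls`);
}

// Constructed scripted server: one start, then a running poll, then a finished poll.
function makeFakeFetch() {
  let polls = 0;
  const json = (obj) => ({ ok: true, status: 200, json: async () => obj });
  return async (url, init = {}) => {
    if (url.endsWith("/api/scan") && init.method === "POST") return json({ status: "ok", id: "abc123" });
    if (url.includes("/api/status?id=abc123")) {
      polls++;
      return polls < 2
        ? json({ running: true, progress: 45, wildcard: false, results: [] })
        : json({ running: false, progress: 100, wildcard: true, results: [{ name: "api.example.com" }] });
    }
    return { ok: false, status: 404, json: async () => ({}) };
  };
}
```

A caller should read the wildcard flag on the final status before trusting the results, since a wildcard zone is exactly where the result list needs the flagging described under Wildcard Detection.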

CLI Tools

SubSpectre includes powerful command-line tools for IP intelligence and subdomain enumeration. Perfect for automation, CI/CD pipelines, or quick reconnaissance from your terminal.

IP Lookup Tool

Get comprehensive IP intelligence including geolocation, network details, and security analysis.

Domain Scan Tool

Advanced subdomain enumeration with full DNS record resolution. Passive by default, active mode available.


IP Lookup CLI

Comprehensive IP address intelligence from your terminal.

Features

  • Geolocation data (country, region, city, timezone)
  • Network intelligence (ASN, ISP, organization)
  • Security analysis (threat level, proxy detection)
  • Beautiful color-coded terminal output
  • Fast lookups with instant results

Usage

# Lookup any IP address
ip-lookup 8.8.8.8

# Lookup your own IP
ip-lookup --my-ip

# Show help
ip-lookup --help

Installation

After installing the project, make the CLI tools globally available:

npm link

Domain Scan CLI

Advanced subdomain enumeration with comprehensive DNS record resolution.

Passive by Default

The CLI tool performs passive enumeration only by default. It queries Certificate Transparency logs (completely undetectable) and resolves DNS records. Use --brute to enable active DNS brute forcing.

Features

  • Certificate Transparency log queries (passive, undetectable)
  • Multi-level subdomain discovery (e.g., api.v2.example.com)
  • Full DNS record resolution (A, AAAA, CNAME, TXT, MX)
  • Smart display (shows first 10 results, suggests web UI for more)
  • Export to JSON, CSV, or TXT formats
  • Optional DNS brute force with 120+ common subdomains
  • Color-coded DNS record types

Usage

# Basic scan (passive CT logs only)
domain-scan example.com

# Enable brute force
domain-scan example.com --brute

# Export to JSON
domain-scan example.com --export json

# Custom wordlist
domain-scan example.com --wordlist custom.txt

Display Limits

To keep CLI output manageable, the tool shows a maximum of 10 results in the terminal. For larger result sets:

  • Use the web interface for better visualization and filtering
  • Export to file for full data in JSON/CSV/TXT format

DNS Record Types

The tool resolves and displays all major DNS record types with color coding:

  • A - IPv4 addresses
  • AAAA - IPv6 addresses
  • CNAME - Canonical name records
  • TXT - Text records (SPF, verification)
  • MX - Mail exchange records

Export Formats

Export results in multiple formats for integration with other tools:

  • JSON - Full structured data with all DNS records
  • CSV - Spreadsheet-ready format
  • TXT - Simple subdomain list (one per line)