Authorized use only. Only scan domains you own or have explicit written permission to test.

What it does

subenum brute-forces subdomains by resolving a wordlist against a target domain using a concurrent worker pool. Results stream to stdout — pipe-clean, no noise. Everything else (progress, diagnostics, errors) goes to stderr.

subenum TUI — Configure Scan
Interactive TUI — launch with ./subenum -tui or make tui

Features

Worker Pool Spawn N goroutines for parallel DNS resolution with a configurable concurrency ceiling.
Wildcard Detection Double-probe check before scanning; exits early unless -force is set.
Interactive TUI Form-based config and live-scrolling results via -tui. Session values persisted to ~/.config/subenum/last.json.
Simulation Mode Generate synthetic DNS results at a configurable hit rate — zero network I/O. Safe for demos and testing.
Pipe-Friendly Output Resolved subdomains stream to stdout only. Progress and diagnostics go to stderr. Compose freely with other tools.
Graceful Shutdown Trap SIGINT/SIGTERM, drain in-flight workers, flush partial results before exit.
Retry with Backoff Configurable DNS resolution attempts per subdomain with linear backoff for flaky networks.
Input Validation RFC-compliant domain syntax and strict ip:port format enforcement on startup.

Quick Start

Build from source:

git clone https://github.com/TMHSDigital/subenum.git
cd subenum
go build -buildvcs=false -o subenum

Run a scan:

./subenum -w wordlist.txt example.com

Launch the TUI:

./subenum -tui

Simulation (zero network I/O):

./subenum -simulate -hit-rate 20 -w examples/sample_wordlist.txt example.com

Docker:

docker build -t subenum .
docker run --rm -v $(pwd)/data:/data subenum -w /data/wordlist.txt example.com
## Documentation
Architecture Developer Guide Docker Contributing Advanced Usage Changelog