March 8, 2019

1058 words 5 mins read



Subdomain enumeration and information gathering tool

repo name jonluca/Anubis
repo link
language Python
size (curr.) 212 kB
stars (curr.) 602
created 2017-12-09
license MIT License


Build Status Coverage GitHub issues GitHub license

        d8888                   888      d8b
       d88888                   888      Y8P
      d88P888                   888
     d88P 888 88888b.  888  888 88888b.  888 .d8888b
    d88P  888 888 "88b 888  888 888 "88b 888 88K
   d88P   888 888  888 888  888 888  888 888 "Y8888b.
  d8888888888 888  888 Y88b 888 888 d88P 888      X88
 d88P     888 888  888  "Y88888 88888P"  888  88888P'

Anubis is a subdomain enumeration and information gathering tool. Anubis collates data from a variety of sources, including HackerTarget, DNSDumpster, x509 certs, VirusTotal, Google, Pkey, and NetCraft. Anubis also has a sister project, AnubisDB, which serves as a centralized repository of subdomains.

Original Medium article release

Getting Started


  • Nmap (if wanting to run port scans and certain certificate scans)

If you are running Linux, the following are also required:

sudo apt-get install python3-pip python-dev libssl-dev libffi-dev


Note: Python 3 is required

pip3 install anubis-netsec

Or Linux Snap distribution:

snap install anubis

Install From Source

Please note Anubis is still in beta.

git clone
cd Anubis
pip3 install  -r requirements.txt
pip3 install .


  anubis -t TARGET [-o FILENAME] [-noispbarv] [-w SCAN] [-q NUM]
  anubis -h
  anubis --version
  -h --help                       show this help message and exit
  -t --target                     set target (comma separated, no spaces, if multiple)
  -n --with-nmap                  perform an nmap service/script scan
  -o --output                     save to filename
  -i --additional-info            show additional information about the host from Shodan (requires API key)
  -p --ip                         outputs the resolved IPs for each subdomain, and a full list of unique ips
  -a --send-to-anubis-db          send results to Anubis-DB
  -r --recursive                  recursively search over all subdomains
  -s --ssl                        run an ssl scan and output cipher + chain info
  -w --overwrite-nmap-scan SCAN   overwrite default nmap scan (default -nPn -sV -sC)
  -v --verbose                    print debug info and full request output
  -q --queue-workers NUM          override number of queue workers (default: 10, max: 100)
  --version                       show version and exit

  For help using this tool, please open an issue on the Github repository:


Common Use Case

anubis -tipa -o out.txt

Set’s target to, (t) outputs additional information (i) like server and ISP or server hosting provider, then attempts to resolve all URLs (p) and outputs list of unique IPs and sends to Anubis-DB (a). Finally, writes all results to out.txt (o).


anubis -t Simplest use of Anubis, just runs subdomain enumeration

Searching for subdomains for (

Testing for zone transfers
Searching for Subject Alt Names
Searching HackerTarget
Searching VirusTotal
Searching DNSDumpster
Searching Anubis-DB
Found 193 subdomains
... (truncated for readability)
Sending to AnubisDB
Subdomain search took 0:00:20.390

anubis -t -ip (equivalent to anubis -t --additional-info --ip) - resolves IPs and outputs list of uniques, and provides additional information through

Searching for subdomains for
Server Location: San Francisco US - 94107
ISP: Fastly
Found 27 domains
Found 6 unique IPs
Execution took 0:00:04.604


anubis -t --with-nmap -o temp.txt -is --overwrite-nmap-scan "-F -T5"

Searching for subdomains for (

Testing for zone transfers
Searching for Subject Alt Names
Searching HackerTarget
Searching VirusTotal
Searching DNSDumpster
Searching Anubis-DB
Running SSL Scan
Available TLSv1.0 Ciphers:
Available TLSv1.2 Ciphers:
 * Certificate Information:
       SHA1 Fingerprint:                  f8d1965323111e86e6874aa93cc7c52969fb22bf
       Common Name:                       *
       Issuer:                            DigiCert SHA2 Secure Server CA
       Serial Number:                     11711178161886346105980166697563149367
       Not Before:                        2015-08-17 00:00:00
       Not After:                         2018-08-21 12:00:00
       Signature Algorithm:               sha256
       Public Key Algorithm:              RSA
       Key Size:                          2048
       Exponent:                          65537 (0x10001)
       DNS Subject Alternative Names:     ['*', '', '*', '', '', '*', '', '', '', '', '*']

       Hostname Validation:               OK - Certificate matches
       AOSP CA Store (7.0.0 r1):          OK - Certificate is trusted
       Apple CA Store (OS X 10.11.6):     OK - Certificate is trusted
       Java 7 CA Store (Update 79):       OK - Certificate is trusted
       Microsoft CA Store (09/2016):      OK - Certificate is trusted
       Mozilla CA Store (09/2016):        OK - Certificate is trusted
       Received Chain:                    * --> DigiCert SHA2 Secure Server CA
       Verified Chain:                    * --> DigiCert SHA2 Secure Server CA --> DigiCert Global Root CA
       Received Chain Contains Anchor:    OK - Anchor certificate not sent
       Received Chain Order:              OK - Order is valid
       Verified Chain contains SHA1:      OK - No SHA1-signed certificate in the verified certificate chain

     OCSP Stapling
       OCSP Response Status:              successful
       Validation w/ Mozilla Store:       OK - Response is trusted
       Responder Id:                      0F80611C823161D52F28E78D4638B42CE1C6D9E2
       Cert Status:                       good
       Cert Serial Number:                08CF7DA9B222C9D983C50D993F2F5437
       This Update:                       Dec 16 16:20:41 2017 GMT
       Next Update:                       Dec 23 15:35:41 2017 GMT
 * OpenSSL Heartbleed:
                                          OK - Not vulnerable to Heartbleed
 * HTTP Security Headers:
       NOT SUPPORTED - Server did not send an HSTS header

     HTTP Public Key Pinning (HPKP)
       NOT SUPPORTED - Server did not send an HPKP header

     Computed HPKP Pins for Current Chain
      0 - *                                  3FUu+FYb3IyHxicQEMs5sSzs207fuv25p7NGRIPDaAw=
      1 - DigiCert SHA2 Secure Server CA                5kJvNEMw0KjrCAu7eXY5HZdvyCS13BbA0VJG1RSP91w=
      2 - DigiCert Global Root CA                       r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E=
Searching for additional information
Server Location: San Francisco, US - 94107
ISP  or Hosting Company: Fastly
To run a DNSSEC subdomain enumeration, Anubis must be run as root
Starting Nmap Scan
Host : ()
Protocol: tcp
port: 80	state: open
port: 443	state: open
Found 195 subdomains
... (truncated for readability)
Sending to AnubisDB
Subdomain search took 0:00:26.579

Running the tests

Run all test with coverage

 python3 test

Run tests on their own, in native pytest environment


Built With


Please read for details on our code of conduct, and the process for submitting pull requests to us.


  • JonLuca DeCaro - Initial work - Anubis

See also the list of contributors who participated in this project.


This project is licensed under the MIT License - see the file for details


comments powered by Disqus