If you're into serious subdomain enumeration and tired of hitting the same limits with Subfinder, Assetfinder, and the usual OSINT suspects — let me introduce you to SubFors, an open-source beast designed for extreme recon and smart discovery
- Here's a quick comparison showing how SubFors stacks up against other tools:
🔍 Feature Comparison:
| Feature | SubFors ✅ | Subfinder ❌ | Assetfinder ❌ |
|---|---|---|---|
| API Integrations | ✅ (VT, DNS) | ❌ | ❌ |
| Multi-Engine Search | ✅ (11 engines) | ✅ (8 engines) | ❌ |
| CT Logs Support | ✅ | ✅ | ✅ |
| Web Archive Analysis | ✅ (Wayback etc) | ❌ | ❌ |
| JS File Analysis | ✅ | ❌ | ❌ |
| CAPTCHA/WAF Bypass | ✅ Smart Bypass | ❌ | ❌ |
| Smart Brute Force | ✅ | ❌ | ❌ |
| Rate Limit Handling | ✅ Auto-Detect | ❌ | ❌ |
| Bulk Domains Support | ✅ | ✅ | ❌ |
| FavIcon Hashing | ✅ | ❌ | ❌ |
| WAF/CDN Detection | ✅ | ❌ | ❌ |
| Multiple Output Formats | ✅ JSON/TXT/XML | ✅ TXT/JSON | ✅ TXT |
| Speed | ✅ Ultra Fast | Moderate | Basic |
🧠 Why It's Different:
Uses 11 different data sources + APIs
Detects CAPTCHA & WAFs — and bypasses them
Scans JS files, headers, source code, even favicon hashes
Built-in brute-force with smart evasion
Web archive scraping for deep legacy subs
Auto-detects rate limits and adapts
Output is clean, exportable in JSON/XML/TXT
Designed for automation and serious bug bounty recon🌐 Try It:
🛠️ GitHub: https://github.com/saad-ayady/SubFors
🌍 Web Docs & Demo: https://saad-ayady.github.io/SubFors_WebSite
⚠️ This isn’t another clone — it’s a full-blown intelligent recon engine.
Give it a shot. Test it on a big scope. Compare results.
And if you like it? A ⭐ on GitHub and feedback would mean the world 🙏
