Cortex is a production-grade subdomain discovery and reconnaissance tool built in Go. It combines multiple discovery techniques to find subdomains for a target domain and generates comprehensive markdown reports.
- 🔍 Multi-Source Intelligence: DNS brute force, certificate transparency, search engines, and API integrations
- 🚀 High-Performance Scanning: Concurrent goroutines with intelligent rate limiting
- 📊 Professional Reporting: Detailed Markdown reports with statistics and analysis
- 🛡️ Stealth Operations: Built-in evasion techniques and request throttling
- 🎯 Modular Architecture: Clean separation of enumeration techniques
- ⚙️ Configurable Wordlists: Multiple wordlist sizes for different scanning needs
| Method | Description | Speed | Stealth |
|---|---|---|---|
| DNS Brute Force | Dictionary-based subdomain enumeration | ⚡⚡⚡ | 🥷🥷 |
| Certificate Transparency | CT log analysis for historical data | ⚡⚡ | 🥷🥷🥷 |
| Search Engine Dorking | Google/Bing reconnaissance | ⚡ | 🥷🥷🥷 |
| Third-Party APIs | SecurityTrails, VirusTotal, Shodan | ⚡⚡ | 🥷🥷🥷 |
| Passive Collection | Archive.org, DNS aggregators | ⚡ | 🥷🥷🥷 |
📄 subdomains-report-<domain>-<date>.md
├── 📝 Report Header
│ ├── Title: Subdomain Scan Report
│ ├── Generated by Cortex
│ ├── Scan Date & Duration
│
├── 📊 Summary
│ ├── Target Domain
│ ├── Total Subdomains Found
│ ├── Active Subdomains
│ ├── Sources Used
│ └── Scan Duration
│
├── ✅ Active Subdomains (if any)
│ └── Table: Subdomain | IP Addresses | CNAMEs | Source | Last Seen
│
├── ❌ Inactive/Unresolved Subdomains (if any)
│ └── Table: Subdomain | Source | Discovered
│
├── 📈 Statistics by Source
│ └── Table: Source | Count | Percentage
│
├── 🔧 Technical Details
│ ├── Scan Started
│ ├── Scan Completed
│ ├── Total Processing Time
│ └── Discovery Methods
│
├── 🎯 Recommendations (only if active subdomains exist)
│ ├── Security Considerations
│ │ ├── Review active subdomains for unnecessary services
│ │ ├── Ensure SSL certificates are valid
│ │ ├── Check for default credentials
│ │ └── Implement access controls & monitoring
│ └── Next Steps
│ ├── Perform security scans
│ ├── Review DNS configs
│ ├── Implement monitoring
│ └── Update policies
│
└── 📌 Footer
├── Generated by Cortex (with GitHub link)
└── Report generation timestamp- Obtaining proper authorization before scanning
- Complying with applicable laws and regulations
- Respecting rate limits and terms of service
- Using findings responsibly
- Report vulnerabilities through proper channels
- Avoid causing disruption to target systems
- Follow coordinated disclosure timelines
This project is licensed under the MIT License. See the LICENSE file for details.
- Inspired by tools like Subfinder, Amass, and Sublist3r
- Built with ❤️ for the security research community
- Named Cortex for its role as the central intelligence processor
- Special thanks to the Go community for excellent networking libraries