Subdomain enumeration and TCP port scanning.

Install with (from GitHub, via pipx):

```bash
pipx install git+https://github.com/x3r0day/x3r0day-specter.git
```

Arch Linux PKGBUILDs for the release package (`specter`) and for the VCS package (`specter-git`) are kept under `packaging/aur/` in the repo.

To run directly from a repo checkout, install Rich and use either local entry point:

```bash
python3 -m pip install rich
python3 -m specter --help
python3 main.py --help
```
```bash
# Subdomain enumeration
specter subdomain example.com

# Subdomain enumeration with brute force
specter subdomain example.com -b

# Save subdomain report
specter subdomain example.com -o subdomains.html

# Port scan
specter scanme.nmap.org

# Specific ports
specter target.com -p 22,80,443
```
| Command | Description |
|---|---|
| `specter subdomain <domain>` | Enumerate subdomains |
| `specter scan <target>` | TCP port scan |
| `specter <target>` | Default: TCP port scan |
| `python3 -m specter <command>` | Repo-local module entry point |
| `python3 main.py <command>` | Backward-compatible local shim |
```bash
# Passive enumeration
specter subdomain example.com

# With brute force
specter subdomain example.com -b

# Custom wordlist
specter subdomain example.com -b -w words.txt

# Add Shodan
specter subdomain example.com -K "$SHODAN_KEY"

# Skip web port checks
specter subdomain example.com -N

# Skip page scraping
specter subdomain example.com -W

# Save report
specter subdomain example.com -o subdomains.html
```
- Pull candidates from the passive sources in parallel
- Deduplicate, tracking which source(s) produced each subdomain
- Optionally brute-force prefixes from a wordlist
- Resolve each name to an IP
- Check common web ports on resolved hosts
- Scrape title, server header and tech hints from responsive hosts
| Source | Default | Notes |
|---|---|---|
| crt.sh | Yes | Certificate Transparency logs |
| hackertarget | Yes | Host search API |
| alienvault | Yes | OTX Passive DNS |
| urlscan | Yes | Indexed domains |
| rapiddns | Yes | DNS data |
| shodan | No | Add with `-K` |
| bruteforce | No | Add with `-b` |
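The first two pipeline steps (pull candidates from several passive sources, then deduplicate and keep track of which source produced each name) as an added example, written for this page rather than taken from specter's code. It assumes the response shapes of crt.sh (JSON array with a `name_value` field that may hold several newline-separated names, some wildcarded), hackertarget hostsearch (`host,ip` lines) and AlienVault OTX passive DNS (`passive_dns[].hostname`); the three responses are constructed samples embedded inline, so nothing is fetched and the thread pool stands in for the parallel HTTP fetches:

```python
"""Merge passive-source candidates, dedupe and track sources per subdomain.
Added illustration; not specter's own code.  Response samples below are
constructed and only mimic the shapes of the real APIs (an assumption)."""
import json
import re
from collections import defaultdict
from concurrent.futures import ThreadPoolExecutor

# Constructed crt.sh-style sample: name_value may hold several names
# separated by newlines; wildcard certificates appear as "*.label.domain".
CRTSH_SAMPLE = json.dumps([
    {"name_value": "www.example.com\nmail.example.com"},
    {"name_value": "*.dev.example.com"},
    {"name_value": "WWW.EXAMPLE.COM"},
    {"name_value": "example.com"},
])
# Constructed hackertarget-style sample: one "host,ip" per line.
HACKERTARGET_SAMPLE = "www.example.com,93.184.216.34\napi.example.com,203.0.113.5\n"
# Constructed OTX-style sample: {"passive_dns": [{"hostname": ..., "address": ...}]}
OTX_SAMPLE = json.dumps({"passive_dns": [
    {"hostname": "api.example.com", "address": "203.0.113.5"},
    {"hostname": "evil-example.com.attacker.net", "address": "198.51.100.9"},
]})

# DNS label: letters, digits, hyphen (not leading/trailing), max 63 chars.
# Underscore is allowed because SRV/TXT-style names such as _dmarc are real.
LABEL_RE = re.compile(r"^[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?$")


def normalize(name, domain):
    """Lower-case, strip wildcard prefix and trailing dot, and reject anything
    that is not a proper subdomain of `domain`.  Returns None when rejected.
    The suffix check uses "." + domain so that look-alikes such as
    example.com.attacker.net or notexample.com are excluded from scope."""
    n = name.strip().lower().rstrip(".")
    if n.startswith("*."):
        n = n[2:]
    if n == domain or not n.endswith("." + domain):
        return None
    if not all(LABEL_RE.match(label) for label in n.split(".")):
        return None
    return n


def parse_crtsh(text):
    for row in json.loads(text):
        yield from row.get("name_value", "").split("\n")


def parse_hackertarget(text):
    for line in text.splitlines():
        if "," in line:
            yield line.split(",", 1)[0]


def parse_otx(text):
    for rec in json.loads(text).get("passive_dns", []):
        yield rec.get("hostname", "")


def merge_sources(domain, raw):
    """raw maps source name -> (parser, response text).  Each source is
    handled in its own thread (where a real fetch would happen) and the
    results are merged into sorted {"subdomain", "sources"} records, the
    same fields the report's "subdomains" entries carry."""
    seen = defaultdict(set)
    with ThreadPoolExecutor(max_workers=len(raw)) as pool:
        jobs = {src: pool.submit(lambda p, t: list(p(t)), parser, text)
                for src, (parser, text) in raw.items()}
        for src, job in jobs.items():
            for name in job.result():
                n = normalize(name, domain)
                if n:
                    seen[n].add(src)
    return [{"subdomain": s, "sources": sorted(seen[s])} for s in sorted(seen)]


def run_sample():
    """Merge the three constructed samples for example.com."""
    return merge_sources("example.com", {
        "crt.sh": (parse_crtsh, CRTSH_SAMPLE),
        "hackertarget": (parse_hackertarget, HACKERTARGET_SAMPLE),
        "alienvault": (parse_otx, OTX_SAMPLE),
    })


if __name__ == "__main__":
    for rec in run_sample():
        print(f"{rec['subdomain']:<24} {', '.join(rec['sources'])}")
```

Two things worth noticing: a wildcard entry such as `*.dev.example.com` is collapsed to `dev.example.com` rather than dropped (the wildcard itself tells you a whole zone exists under that label), and the scope check is a suffix match on `"." + domain`, which keeps attacker-controlled look-alikes out of the result set.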
| Arg | Type | Description |
|---|---|---|
| `domain` | string | Target domain (e.g. `example.com`) |
| Short | Long | Type | Default | Description |
|---|---|---|---|---|
| `-K` | `--shodan-key` | string | - | Shodan API key |
| `-b` | `--brute` | flag | - | Brute-force prefixes |
| `-w` | `--wordlist` | path | - | Custom wordlist (used with `-b`) |
| `-N` | `--no-port-scan` | flag | - | Skip web port checks |
| `-W` | `--no-scrape` | flag | - | Skip page scraping |
| Short | Long | Type | Default | Description |
|---|---|---|---|---|
| `-c` | `--resolve-concurrency` | int | 200 | Concurrent DNS lookups |
| `-C` | `--scan-concurrency` | int | 30 | Concurrent port scans |
| `-t` | `--http-timeout` | float | 8.0 | HTTP timeout (seconds) |
| `-o` | `--out` | path | - | Output file (`.html`, `.csv` or `.json`) |
| `-v` | - | flag | - | Verbose output |
| `-q` | `--quiet` | flag | - | Suppress progress |
```json
{
  "domain": "example.com",
  "subdomains": [
    {
      "subdomain": "www.example.com",
      "ip": "192.168.1.1",
      "sources": ["crt.sh", "urlscan"],
      "ports": [80, 443],
      "status": 200,
      "title": "Example Domain",
      "server": "ECS",
      "tech": [],
      "elapsed": 0.812,
      "err": null
    }
  ],
  "total_found": 12,
  "total_resolved": 8,
  "started": "2026-03-24T10:30:00Z",
  "finished": "2026-03-24T10:30:04Z",
  "elapsed": 4.219,
  "errors": []
}
```
```bash
# Basic scan (default: top 1000 ports)
specter scanme.nmap.org

# Specific ports
specter target.com -p 22,80,443,8080

# Top 100 ports
specter target.com -P 100

# All ports
specter target.com -a

# Stealth mode
specter target.com --stealth

# SYN scan (requires root)
specter target.com --syn-scan

# Aggressive service detection (nmap, run via sudo)
specter target.com -S -U

# Save report
specter target.com -o results.html
```
- Resolves the hostname, scans TCP ports, then probes services on the open ones
- Basic mode: HTTP hints, SSH banners, TLS certificate data
- `-S` uses nmap for deeper service detection
- `--stealth` reduces noise and concurrency
- `--syn-scan` sends raw SYN packets (needs root)
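What the connect-scan stage does under a concurrency cap and a per-port connect timeout, with the light banner read that basic mode relies on, as an added example written for this page (it is not specter's scanner). To stay offline it starts its own listener on 127.0.0.1 that plays an SSH server; the banner text, the port choices and the 0.5 s banner-read window are assumptions for the demo:

```python
"""Asyncio TCP connect scan: bounded concurrency, connect timeout, light
banner read.  Added example, not specter's own code.  Runs offline against a
throwaway local listener (assumed OpenSSH-style banner)."""
import asyncio
import socket


async def probe(host, port, timeout, sem):
    """Return (port, is_open, banner).  A closed port normally fails fast
    with ECONNREFUSED; a filtered port just hangs until the connect timeout,
    which is why the timeout bounds the worst-case scan time."""
    async with sem:  # caps in-flight connects, like the -c option
        try:
            reader, writer = await asyncio.wait_for(
                asyncio.open_connection(host, port), timeout)
        except (OSError, asyncio.TimeoutError):
            return port, False, ""
        try:
            # Light probe: services such as SSH, SMTP and FTP speak first,
            # so a short read is enough to capture their greeting banner.
            data = await asyncio.wait_for(reader.read(128), 0.5)
            banner = data.decode("ascii", "replace").strip()
        except (OSError, asyncio.TimeoutError):
            banner = ""  # open, but the service waits for the client to talk
        writer.close()
        try:
            await writer.wait_closed()
        except OSError:
            pass
        return port, True, banner


async def scan(host, ports, concurrency=100, timeout=1.5):
    """Scan `ports` concurrently; return {port: banner} for open ports only."""
    sem = asyncio.Semaphore(concurrency)
    results = await asyncio.gather(*(probe(host, p, timeout, sem) for p in ports))
    return {p: banner for p, is_open, banner in results if is_open}


async def _fake_ssh(reader, writer):
    """Demo listener: sends an assumed OpenSSH-style banner and hangs up."""
    writer.write(b"SSH-2.0-OpenSSH_9.7\r\n")
    await writer.drain()
    writer.close()


def _closed_port():
    """Bind and immediately release an ephemeral port so the demo has one
    that is (almost certainly) closed to compare against."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


async def demo():
    """Start the fake SSH listener on an ephemeral port, scan it together
    with a closed port, and return what was found."""
    server = await asyncio.start_server(_fake_ssh, "127.0.0.1", 0)
    listen_port = server.sockets[0].getsockname()[1]
    closed_port = _closed_port()
    try:
        open_ports = await scan("127.0.0.1", [listen_port, closed_port],
                                concurrency=50, timeout=1.5)
    finally:
        server.close()
        await server.wait_closed()
    return {"listen_port": listen_port, "closed_port": closed_port,
            "open": open_ports}


def run_demo():
    return asyncio.run(demo())


if __name__ == "__main__":
    result = run_demo()
    for port, banner in sorted(result["open"].items()):
        print(f"{port}/tcp open  {banner or '(no banner)'}")
```

A connect scan completes the full TCP handshake on every open port, so the target's service logs will show a connection from the scanner; this is the trade-off `--syn-scan` avoids by never finishing the handshake, at the cost of needing raw sockets and therefore root.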
| Arg | Type | Description |
|---|---|---|
| `target` | string | Hostname or IP to scan |
| Short | Long | Type | Default | Description |
|---|---|---|---|---|
| `-p` | `--ports` | string | - | Specific ports: `22,80,443` or a range `1-1024` |
| `-P` | `--top-ports` | int | 1000 | Scan the top N ports |
| `-a` | `--all-ports` | flag | - | Scan all 65535 ports |
| Short | Long | Type | Default | Description |
|---|---|---|---|---|
| `-c` | `--concurrency` | int | 1000 | Concurrent connections |
| `-t` | `--timeout` | float | 1.5 | Connect timeout (seconds) |
| `-C` | `--svc-concurrency` | int | 20 | Concurrent service probes |
| `-S` | `--aggr-svc-scan` | flag | - | Use nmap for service detection |
| `-M` | `--nmap-args` | string | `-sV --open` | nmap arguments |
| `-U` | `--sudo-nmap` | flag | - | Run nmap with sudo |
| `-N` | `--no-svc-scan` | flag | - | Skip service detection |
| - | `--stealth` | flag | - | Lower-noise profile |
| - | `--syn-scan` | flag | - | Raw SYN scan (needs root) |
| Short | Long | Type | Default | Description |
|---|---|---|---|---|
| `-o` | `--out` | path | - | Output file |
| `-v` | - | flag | - | Verbose; `-vv` for raw output |
| `-q` | `--quiet` | flag | - | Suppress progress |
```json
{
  "target": "scanme.nmap.org",
  "ip": "192.168.1.0",
  "req_ports": [1, 2, 3],
  "open_ports": [22, 80, 9929],
  "svcs": [
    {
      "port": 22,
      "ok": true,
      "state": "open",
      "svc": "ssh",
      "info": "Banner: SSH-2.0-OpenSSH_9.7",
      "elapsed": 0.023,
      "n_cmd": "light ssh probe",
      "raw": "SSH-2.0-OpenSSH_9.7",
      "err": null
    }
  ],
  "started": "2026-03-24T10:30:00Z",
  "finished": "2026-03-24T10:30:02Z",
  "elapsed": 2.345,
  "errors": []
}
```
- Python 3.10+
- pipx for the recommended global install path
- Rich for manual repo-local execution
- nmap (optional, for aggressive service detection with `-S`)

`--syn-scan` needs root, since crafting raw SYN packets requires a raw socket. `--sudo-nmap` prompts for sudo when nmap is used.
```text
x3r0day-specter/
├── pyproject.toml
├── main.py
├── packaging/
│   └── aur/
│       ├── LICENSE
│       ├── README.md
│       ├── specter/
│       │   ├── PKGBUILD
│       │   └── .SRCINFO
│       └── specter-git/
│           ├── PKGBUILD
│           └── .SRCINFO
├── specter/
│   ├── scanner/
│   │   ├── port_scan.py
│   │   └── subdomain.py
│   └── core/
│       └── results.py
├── PLAN.md
└── README.md
```
MIT License. See LICENSE.