Acamar: When Less Is More in Subdomain Enumeration

Hook

While competitors boast about querying 40+ data sources, Acamar deliberately caps itself at 14 and finishes reconnaissance in under 60 seconds. Sometimes the best tool is the one that doesn't try to do everything.

Context

Subdomain enumeration has become an arms race. Modern tools like Amass and Subfinder pride themselves on querying dozens of sources, maintaining graph databases, and offering every conceivable feature. This comprehensiveness comes at a cost: complex installation procedures, API key management headaches, and execution times that can stretch into hours for large domains.

Acamar takes the opposite approach. Created by si9int as a personal project and learning tool, it embraces radical simplicity: one Python file, no API keys required, and completion in under a minute. It's designed for the bug bounty hunter who needs quick reconnaissance before diving deeper, or the pentester who wants an auditable script they can understand in 20 minutes. In a field where tools compete on feature count, Acamar competes on minimalism and transparency.

Technical Insight

[Figure: System architecture (auto-generated). User Input: Domain -> Main Orchestrator -> Services (crt.sh CT Logs, DNSdumpster, HackerTarget API, ThreatCrowd API, VirusTotal Public, 9 Other Services) -> subdomain lists -> Result Aggregator -> unique subdomains -> Set Deduplication -> clean results -> Text File Output]

Acamar's architecture is refreshingly straightforward: a single Python3 file that sequentially queries 14 public services using the requests library and BeautifulSoup for HTML parsing. There's no async I/O, no threading, no complex dependency tree. Just linear execution through a list of services.

The core pattern is consistent across all 14 sources. Here's a simplified example of how Acamar queries a typical service:

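import requests

def query_crtsh(domain):
    domain = domain.lower()
    # '%' is crt.sh's wildcard: match every certificate name under the domain
    url = f'https://crt.sh/?q=%.{domain}&output=json'
    try:
        response = requests.get(url, timeout=20)
        if response.status_code == 200:
            json_data = response.json()
            subdomains = set()
            for entry in json_data:
                # name_value may hold several newline-separated names
                for name in entry.get('name_value', '').split('\n'):
                    # Normalise and drop the wildcard label before deduplicating
                    subdomains.add(name.strip().lower().replace('*.', ''))
            # Keep only the domain itself or names under it; a plain substring
            # test would also accept names such as example.com.other.tld
            return [s for s in subdomains
                    if s == domain or s.endswith('.' + domain)]
    except Exception as e:
        print(f'[!] Error querying crt.sh: {e}')
    return []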

This pattern repeats for services like DNSdumpster, HackerTarget, ThreatCrowd, and VirusTotal's public interface. Each function returns a list of subdomains, and the main orchestrator aggregates them into a set for automatic deduplication. The entire tool operates without maintaining state between queries—each service call is independent.

The architectural decision to remain single-threaded is deliberate. While this sacrifices performance, it dramatically simplifies the codebase. There's no need for thread safety considerations, no complex async/await patterns, and no race conditions to debug. For a learning tool or quick reconnaissance script, this tradeoff makes sense. The entire program flow is readable from top to bottom in minutes.

Acamar's service selection strategy reveals another key design choice: it deliberately excludes heavyweight sources like WaybackMachine and Archive.is. These services can return massive datasets but require significant parsing time. By focusing on 14 curated sources that return results quickly, Acamar maintains its sub-minute execution promise. The author explicitly acknowledges this limitation in the README, noting that archived content sources are omitted by design.

The output handling is equally minimalist. Results are deduplicated using Python sets, sorted alphabetically, and written to a timestamped text file. There's no JSON output, no DNS resolution verification, no wildcard detection. Just a clean list of discovered subdomains:

api.example.com
dev.example.com
mail.example.com
staging.example.com
www.example.com

This bare-bones approach makes Acamar trivially easy to integrate into shell scripts and automation pipelines. You can pipe the output directly to other tools without parsing complex formats or dealing with structured data you don't need.

Gotcha

Acamar's limitations are the flip side of its simplicity. The single-threaded architecture means you're waiting for each service sequentially. If DNSdumpster is slow to respond, you're sitting idle while Python blocks on that request. A multithreaded or async implementation could query all 14 services simultaneously, potentially reducing execution time from 60 seconds to 10 seconds.
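The orchestrator pattern described under Technical Insight, and the sequential-versus-concurrent tradeoff above, as an added example that is not Acamar's own code. The three source functions are constructed stand-ins that sleep instead of touching the network, and all names (`safe_call`, `enumerate_subdomains`, `workers`) are assumptions made for illustration.

```python
import time
from concurrent.futures import ThreadPoolExecutor

# Constructed stand-ins for the per-service query functions: each takes a
# domain and returns a list of names. They sleep instead of using the network.
def fake_ct_logs(domain):
    time.sleep(0.2)
    return [f'www.{domain}', f'api.{domain}']

def fake_passive_dns(domain):
    time.sleep(0.2)
    return [f'api.{domain}', f'mail.{domain}']

def fake_unreachable(domain):
    time.sleep(0.2)
    raise TimeoutError('service did not answer')

SOURCES = [fake_ct_logs, fake_passive_dns, fake_unreachable]

def safe_call(source, domain):
    """Run one source; a failing service contributes nothing instead of aborting."""
    try:
        return source(domain)
    except Exception as exc:
        print(f'[!] {source.__name__}: {exc}')
        return []

def enumerate_subdomains(domain, sources=SOURCES, workers=1):
    """Union all sources. workers=1 reproduces the sequential design."""
    if workers == 1:
        batches = [safe_call(s, domain) for s in sources]
    else:
        with ThreadPoolExecutor(max_workers=workers) as pool:
            batches = list(pool.map(lambda s: safe_call(s, domain), sources))
    found = set()
    for batch in batches:
        found.update(batch)  # the set removes names reported by several sources
    return sorted(found)

def timed(domain, workers):
    """Return (sorted names, elapsed seconds) for one run."""
    start = time.monotonic()
    names = enumerate_subdomains(domain, workers=workers)
    return names, time.monotonic() - start

if __name__ == '__main__':
    for w in (1, len(SOURCES)):
        names, secs = timed('example.com', w)
        print(f'workers={w}: {len(names)} names in {secs:.2f}s')
```

Because every source is independent and only returns a list, both modes produce the same sorted set; only the wall-clock time differs.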

More critically, Acamar performs zero DNS validation. It doesn't resolve discovered subdomains to verify they actually exist. You'll get historical subdomains that no longer point anywhere, wildcard false positives, and certificate transparency entries for domains that were never deployed. This is fine for initial reconnaissance but means you'll need a secondary tool to validate results. The tool also lacks recursive enumeration—if it discovers dev.example.com, it won't automatically search for subdomains of dev.example.com. For comprehensive enumeration, you're looking at multiple passes or switching to a more feature-complete tool. Finally, with no API key support, you're limited to public-facing endpoints that may rate-limit or return truncated results for popular domains.
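One way to do the validation pass the paragraph above calls for, as an added example that is not part of Acamar: it takes a one-name-per-line list like the tool's output and sorts each name into live, wildcard-only or dead. The function names, the random-label wildcard probe and the constructed offline resolver are assumptions of this example.

```python
import socket
import uuid

def system_resolver(name):
    """Return the set of addresses for name, or an empty set if it does not resolve."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except (socket.gaierror, UnicodeError):
        return set()

def wildcard_addresses(domain, resolve):
    """Resolve a random label under domain; any answer means wildcard DNS."""
    return resolve(f'{uuid.uuid4().hex}.{domain}')

def validate(candidates, domain, resolve=system_resolver):
    """Split candidate names into live, wildcard-only and dead."""
    wild = wildcard_addresses(domain, resolve)
    report = {'live': [], 'wildcard': [], 'dead': []}
    for name in sorted({c.strip().lower() for c in candidates if c.strip()}):
        addrs = resolve(name)
        if not addrs:
            report['dead'].append(name)       # historical or never deployed
        elif wild and addrs <= wild:
            report['wildcard'].append(name)   # same answer as the catch-all
        else:
            report['live'].append(name)
    return report

def make_fake_resolver(records, wildcard=None):
    """Constructed offline resolver: exact records plus an optional catch-all."""
    def resolve(name):
        return records.get(name, set(wildcard or ()))
    return resolve

if __name__ == '__main__':
    # Constructed sample data using documentation address space, not real records
    lines = ['api.example.com\n', 'ghost.example.com\n', 'API.example.com\n']
    resolver = make_fake_resolver({'api.example.com': {'192.0.2.20'}},
                                  wildcard={'192.0.2.99'})
    print(validate(lines, 'example.com', resolver))
```

A name in the `wildcard` bucket may still be a real host that shares the catch-all address, so treat that bucket as unconfirmed rather than false.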

Verdict

Use if: You need quick subdomain reconnaissance without setup overhead, you're working in restricted environments where installing complex tools is difficult, you want an auditable script you can modify for custom use cases, or you're learning subdomain enumeration techniques and want clean, readable code to study. Acamar excels as a first-pass recon tool before committing to heavier enumeration.

Skip if: You need comprehensive coverage including archived content, you're enumerating large organizations where thoroughness matters more than speed, you require DNS validation and wildcard detection, or you need to integrate API keys for deeper access to services like SecurityTrails or Shodan. In production pentesting or serious bug bounty work, use Acamar as a complement to Subfinder or Amass, not a replacement.
