SubFinder is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources. It has a simple modular architecture and is intended as a successor to the sublist3r project. SubFinder uses passive sources, search engines, pastebins, internet archives, etc. to find subdomains, and then uses a permutation module inspired by altdns to generate permutations and resolve them quickly using a powerful bruteforcing engine. It can also perform plain bruteforce if needed. The tool is highly customizable, and the code is built with a modular approach in mind, making it easy to add functionality and fix errors.
We have designed SubFinder to comply with all passive sources' licenses and usage restrictions, and have maintained a consistently passive model to make it useful to both penetration testers and bug bounty hunters alike.
Features
- Simple and modular code base making it easy to contribute.
- Fast And Powerful Bruteforcing Module
- Powerful Permutation generation engine. (In Development)
- Many Passive Data Sources (30 At Present)
- Multiple Output formats
Ask, Archive.is, Baidu, Bing, Censys, CertDB, CertSpotter, CrtSH, DnsDB, DNSDumpster, Dogpile, Entrust CT-Search, Exalead, FindSubdomains, GoogleTER, Hackertarget, IPv4Info, Netcraft, PassiveTotal, PTRArchive, Riddler, SecurityTrails, SiteDossier, Shodan, SSL Certificates, ThreatCrowd, ThreatMiner, Virustotal, WaybackArchive, Yahoo
Usage
./subfinder -h
Flag | Description | Example |
---|---|---|
-b | Use bruteforcing to find subdomains | ./subfinder -d example.com -b |
-c | Don't show colored output | ./subfinder -c |
-d | Domain to find subdomains for | ./subfinder -d example.com |
-dL | List of domains to find subdomains for | ./subfinder -dL hosts.txt |
-nW | Remove wildcard subdomains | ./subfinder -nW |
-o | Name of the output file (Optional) | ./subfinder -o output.txt |
-oT | Write output in Aquatone style JSON format (Requires -nW) | ./subfinder -o output.txt -nW -oT |
-oJ | Write output in JSON format | ./subfinder -o output.json -oJ |
-oD | Output to directory (When using multiple hosts) | ./subfinder -oD ~/misc/out/ |
-r | Comma-separated list of resolvers to use | ./subfinder -r 8.8.8.8,1.1.1.1 |
-rL | File containing list of resolvers to use | ./subfinder -rL resolvers.txt |
--recursive | Use recursive subdomain finding (default: true) | ./subfinder --recursive |
--set-config | Sets a configuration option | ./subfinder --set-config example=something |
--set-settings | Sets a setting option | ./subfinder --set-settings CensysPages=10 |
--no-passive | Do not perform passive subdomain enumeration | ./subfinder -d freelancer.com --no-passive |
--silent | Show only the subdomains found | ./subfinder --silent |
--sources | Comma separated list of sources to use (optional) | ./subfinder --sources threatcrowd,virustotal |
--exclude-sources | Comma separated list of sources not to use (optional) | ./subfinder --exclude-sources threatcrowd,virustotal |
-t | Number of concurrent threads (Bruteforce) | ./subfinder -t 10 |
--timeout | Seconds to wait until quitting connection | ./subfinder --timeout 10 |
-v | Display verbose output | ./subfinder -v |
-w | Wordlist for doing bruteforcing and permutation | ./subfinder -w words.txt |
Installation Instructions
Direct Installation
SubFinder requires go1.10+ to install successfully!
The installation is easy. Git clone the repo and run go build.
go get github.com/subfinder/subfinder
Upgrading
If you wish to upgrade the package you can use:
go get -u github.com/subfinder/subfinder
Running in a Docker Container
Git clone the repo, then build and run subfinder in a container with the following commands:
- Clone the repo using
git clone https://github.com/subfinder/subfinder.git
- Build your docker container
docker build -t subfinder .
- After building the container, run the following.
docker run -it subfinder
The above command is the same as running -h
NOTE: Please follow the Post Install steps given after this to correctly configure the tool.
For example, this runs the tool against uber.com and outputs the results to your host file system:
docker run -v $HOME/.config/subfinder:/root/.config/subfinder -it subfinder -d uber.com > uber.com.txt
Post Installation Instructions
Subfinder will work after following the installation instructions; however, to configure Subfinder to work with certain services, you will need to set up API keys. The following services do not work without an API key:
These are the configuration options you have to specify via the command line.
VirustotalAPIKey
PassivetotalUsername
PassivetotalKey
SecurityTrailsKey
RiddlerEmail
RiddlerPassword
CensysUsername
CensysSecret
ShodanAPIKey
./subfinder --set-config VirustotalAPIKey=0x41414141
./subfinder --set-config PassivetotalUsername=hacker,PassivetotalKey=supersecret
mkdir $HOME/.config/subfinder
cp config.json $HOME/.config/subfinder/config.json
nano $HOME/.config/subfinder/config.json
sudo docker run -v $HOME/.config/subfinder:/root/.config/subfinder -it subfinder -d freelancer.com
Running Subfinder
To run the tool on a target, just use the following command.
./subfinder -d freelancer.com
[CERTSPOTTER] www.fi.freelancer.com
[DNSDUMPSTER] hosting.freelancer.com
[DNSDUMPSTER] support.freelancer.com
[DNSDUMPSTER] accounts.freelancer.com
[DNSDUMPSTER] phabricator.freelancer.com
[DNSDUMPSTER] cdn1.freelancer.com
[DNSDUMPSTER] t1.freelancer.com
[DNSDUMPSTER] wdc.t1.freelancer.com
[DNSDUMPSTER] dal.t1.freelancer.com
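The console lines above follow a `[SOURCE] hostname` pattern. The following is an added example, not part of the SubFinder code base, that parses such lines into a de-duplicated, in-scope inventory recording which sources reported each host. The helper name `ParseResults` and the sample input are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample: console lines in the format shown above, plus a
// duplicate, an out-of-scope name and a non-result line.
const sample = `[CERTSPOTTER] www.fi.freelancer.com
[DNSDUMPSTER] hosting.freelancer.com
[DNSDUMPSTER] WWW.FI.freelancer.com.
[DNSDUMPSTER] notfreelancer.com
not a result line`

// ParseResults (hypothetical helper) maps each in-scope hostname to the
// sorted sources that reported it; non-matching lines are skipped.
func ParseResults(output, domain string) map[string][]string {
	out := map[string][]string{}
	for _, line := range strings.Split(output, "\n") {
		line = strings.TrimSpace(line)
		end := strings.Index(line, "]")
		if !strings.HasPrefix(line, "[") || end < 2 {
			continue
		}
		source := strings.ToLower(line[1:end])
		host := strings.ToLower(strings.TrimSuffix(strings.TrimSpace(line[end+1:]), "."))
		// Match on a label boundary so "notfreelancer.com" is rejected.
		if host != domain && !strings.HasSuffix(host, "."+domain) {
			continue
		}
		i := sort.SearchStrings(out[host], source)
		if i == len(out[host]) || out[host][i] != source {
			out[host] = append(out[host], source)
			sort.Strings(out[host])
		}
	}
	return out
}

func main() {
	for host, sources := range ParseResults(sample, "freelancer.com") {
		fmt.Println(host, sources)
	}
}
```

Hosts confirmed by more than one source, and hosts missing from an existing asset inventory, are the ones worth reviewing first.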
./subfinder -d freelancer.com -o output.txt
You can also pass some special settings for the tool through the command line by using the --set-settings flag. For example, you can pass the number of Censys pages to check using the following command.
./subfinder -d freelancer.com --sources censys --set-settings CensysPages=2 -v
These are the settings currently supported
CensysPages
AskPages
BaiduPages
BingPages
./subfinder -d freelancer.com -b -w jhaddix_all.txt -t 100 --sources censys --set-settings CensysPages=2 -v
./subfinder -d freelancer.com -o result_aquatone.json -oT -nW -v
./subfinder -d freelancer.com -o result_aquatone.json -oT -nW -v -r 8.8.8.8,1.1.1.1
./subfinder -d freelancer.com -o result_aquatone.json -oT -nW -v -rL resolvers.txt
The --no-passive flag will not run passive discovery. You can use this functionality to run plain bruteforce, etc.
./subfinder -d freelancer.com --no-passive -v -b -w ~/dnslist.txt