subfinder is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources. It has a simple modular architecture and is optimized for speed. subfinder is built for doing one thing only - passive subdomain enumeration, and it does that very well.
We have designed subfinder to comply with all passive sources licenses, and usage restrictions, as well as maintained a consistently passive model to make it useful to both penetration testers and bug bounty hunters alike.
Features
- Simple and modular code base making it easy to contribute.
- Fast And Powerful Resolution and wildcard elimination module
- Curated passive sources to maximize results (26 Sources as of now)
- Multiple Output formats supported (Json, File, Stdout)
- Optimized for speed, very fast and lightweight on resources
- Stdin and stdout support for integrating in workflows
Usage
subfinder -h
Flag | Description | Example |
---|---|---|
-config string | Configuration file for API Keys, etc | subfinder -config config.yaml |
-d | Domain to find subdomains for | subfinder -d uber.com |
-dL | File containing list of domains to enumerate | subfinder -d hackerone-hosts.txt |
-exclude-sources | List of sources to exclude from enumeration | subfinder -exclude-sources archiveis |
-max-time | Minutes to wait for enumeration results (default 10) | subfinder -max-time 1 |
-nC | Don't Use colors in output | subfinder -nC |
-nW | Remove Wildcard & Dead Subdomains from output | subfinder -nW |
-o | File to write output to (optional) | subfinder -o output.txt |
-oD | Directory to write enumeration results to (optional) | subfinder -oD ~/outputs |
-oI | Write output in Host,IP format | subfinder -oI |
-oJ | Write output in JSON lines Format | subfinder -oJ |
-r | Comma-separated list of resolvers to use | subfinder -r 1.1.1.1,1.0.0.1 |
-rL | Text file containing list of resolvers to use | subfinder -rL resolvers.txt |
-silent | Show only subdomains in output | subfinder -silent |
-sources | Comma separated list of sources to use | subfinder -sources shodan,censys |
-t | Number of concurrent goroutines for resolving (default 10) | subfinder -t 100 |
-timeout | Seconds to wait before timing out (default 30) | subfinder -timeout 30 |
-v | Show Verbose output | subfinder -v |
-version | Show current program version | subfinder -version |
Installation Instructions
Direct Installation
subfinder requires go1.13+ to install successfully !
The installation is easy. You can download the pre-built binaries for different platforms from the Releases page. Extract them using tar, move it to your $PATH and you're ready to go.
> tar -xzvf subfinder-linux-amd64.tar
> mv subfinder-linux-amd64 /usr/bin/subfinder
> subfinder
go get -v github.com/projectdiscovery/subfinder/cmd/subfinder
Upgrading
If you wish to upgrade the package you can use:
go get -u -v github.com/projectdiscovery/subfinder/cmd/subfinder
Running in a Docker Container
You can use the official dockerhub image at subfinder. Simply run -
> docker pull ice3man/subfinder
If you want to build the container yourself manually, git clone the repo, then build and run the following commands
- Clone the repo using
git clone https://github.com/projectdiscovery/subfinder.git
- Build your docker container
docker build -t ice3man/subfinder .
- After building the container using either way, run the following -
docker run -it ice3man/subfinder
The above command is the same as running -h
For example, this runs the tool against uber.com and output the results to your host file system:docker run -v $HOME/.config/subfinder:/root/.config/subfinder -it ice3man/subfinder -d uber.com > uber.com.txt
Post Installation Instructions
Subfinder will work after using the installation instructions however to configure Subfinder to work with certain services, you will need to have setup API keys. The following services do not work without an API key:
Theses values are stored in the $HOME/.config/subfinder/config.yaml file which will be created when you run the tool for the first time. The configuration file uses the YAML format. Multiple API keys can be specified for each of these services from which one of them will be used for enumeration.
For sources that require multiple keys, namely
Censys
, Passivetotal
, they can be added by separating them via a colon (:).An example config file -
resolvers:
- 1.1.1.1
- 1.0.0.1
sources:
- binaryedge
- bufferover
- censys
- passivetotal
- sitedossier
binaryedge:
- 0bf8919b-aab9-42e4-9574-d3b639324597
- ac244e2f-b635-4581-878a-33f4e79a2c13
censys:
- ac244e2f-b635-4581-878a-33f4e79a2c13:dd510d6e-1b6e-4655-83f6-f347b363def9
certspotter: []
passivetotal:
- sampleemail@user.com:sample_password
securitytrails: []
shodan: []
> mkdir $HOME/.config/subfinder
> cp config.yaml $HOME/.config/subfinder/config.yaml
> nano $HOME/.config/subfinder/config.yaml
> docker run -v $HOME/.config/subfinder:/root/.config/subfinder -it ice3man/subfinder -d freelancer.com
Running Subfinder
To run the tool on a target, just use the following command.
> subfinder -d freelancer.com
[CERTSPOTTER] www.fi.freelancer.com
[DNSDUMPSTER] hosting.freelancer.com
[DNSDUMPSTER] support.freelancer.com
[DNSDUMPSTER] accounts.freelancer.com
[DNSDUMPSTER] phabricator.freelancer.com
[DNSDUMPSTER] cdn1.freelancer.com
[DNSDUMPSTER] t1.freelancer.com
[DNSDUMPSTER] wdc.t1.freelancer.com
[DNSDUMPSTER] dal.t1.freelancer.com
> subfinder -d freelancer.com -o output.txt
-dL
option can be used. This requires a directory to write the output files. Subdomains for each domain from the list are written in a text file in the directory specified by the -oD
flag with their name being the domain name.> cat domains.txt
hackerone.com
google.com
> subfinder -dL domains.txt -oD ~/path/to/output
> ls ~/path/to/output
hackerone.com.txt
google.com.txt
> cat domains.txt
hackerone.com
google.com
> subfinder -dL domains.txt -o ~/path/to/output.txt
> ls ~/path/to/
output.txt
If you use the JSON format, or the Host:IP format, then it becomes mandatory for you to use the -nW format as resolving is essential for these output format. By default, resolving the found subdomains is disabled.
> subfinder -d hackerone.com -o output.json -oJ -nW
> cat output.json
{"host":"www.hackerone.com","ip":"104.16.99.52"}
{"host":"mta-sts.hackerone.com","ip":"185.199.108.153"}
{"host":"hackerone.com","ip":"104.16.100.52"}
{"host":"mta-sts.managed.hackerone.com","ip":"185.199.110.153"}
You can specify custom resolvers too.
> subfinder -d freelancer.com -o result.txt -nW -v -r 8.8.8.8,1.1.1.1
> subfinder -d freelancer.com -o result.txt -nW -v -rL resolvers.txt
> echo "hackerone.com" | subfinder -v
> cat targets.txt | subfinder -v
The subdomains discovered can be piped to other tools too. For example, you can pipe the subdomains discovered by subfinder to the awesome httprobe tool by @tomnomnom which will then find running http servers on the host.> echo "hackerone.com" | subfinder -silent | httprobe
http://hackerone.com
http://www.hackerone.com
http://docs.hackerone.com
http://api.hackerone.com
https://docs.hackerone.com
http://mta-sts.managed.hackerone.com