Subfinder – A Subdomain Discovery Tool That Discovers Valid Subdomains For Websites
subfinder is a subdomain tool that discovers valid subdomains for websites by using passive online sources. It has a simple modular architecture and is optimized for speed. subfinder is built for doing one thing only - passive subdomain enumeration, and it does that very well.
We have designed subfinder to comply with all passive sources licenses, and usage restrictions, as well as maintained a consistently passive model to make it useful to both penetration testers and bug bounty hunters alike.
This will display help for the tool. Here are all the switches it supports.
The installation is easy. You can download the pre-built binaries for different platforms from the page. Extract them using tar, move it to your $PATH and you're ready to go.
If you want to build it yourself, you can go get the repo
If you wish to upgrade the package you can use:
You can use the official image at . Simply run -
The above command will pull the latest tagged release from the dockerhub repository.
If you want to build the yourself manually, git clone the repo, then build and run the following commands
For example, this runs the tool against uber.com and output the results to your host file system:
Subfinder will work after using the installation instructions however to configure Subfinder to work with certain services, you will need to have setup API keys. The following services do not work without an API key:
Theses values are stored in the $HOME/.config/subfinder/config.yaml file which will be created when you run the tool for the first time. The configuration file uses the YAML format. Multiple API keys can be specified for each of these services from which one of them will be used for enumeration.
For sources that require multiple keys, namely , , they can be added by separating them via a colon (:).
An example config file -
If you are using docker, you need to first create your directory structure holding subfinder configuration file. After modifying the default config.yaml file, you can run:
After that, you can pass it as a volume using the following sample command.
To run the tool on a target, just use the following command.
This will run the tool against freelancer.com. There are a number of configuration options that you can pass along with this command. The verbose switch (-v) can be used to display verbose information.
The -o command can be used to specify an output file.
To run the tool on a list of domains, option can be used. This requires a directory to write the output files. Subdomains for each domain from the list are written in a text file in the directory specified by the flag with their name being the domain name.
If you want to save results to a single file while using a domain list, specify the -o flag with the name of the output file.
You can also get output in json format using -oJ switch. This switch saves the output in the JSON lines format.
If you use the JSON format, or the Host:IP format, then it becomes mandatory for you to use the format as resolving is essential for these output format. By default, resolving the found subdomains is disabled.
The --silent switch can be used to show only subdomains found without any other info.
You can specify custom resolvers too.
Now, domains can be piped to subfinder and enumeration can be ran on them. For example -
The subdomains discovered can be piped to other tools too. For example, you can pipe the subdomains discovered by subfinder to the awesome tool by @tomnomnom which will then find running http servers on the host.
Gloss