Subfinder Cheat Sheet

Subfinder is a subdomain discovery tool made by Project Discovery, the following cheat sheet provides and overview of the command flags for Subfinder and common commamnd examples for real world usage.

Install Subfinder

go install -v github.com/projectdiscovery/subfinder/v2/cmd/[email protected]

Configure API Keys

Subfinder works straight after install, however with API keys (even a free key) will improve passive subdomain results.

Subfinder Flags & Syntax

root:~# subfinder -h

Flag	Description
`-d, -domain string[]`	domains to find subdomains for
`-dL, -list string`	file containing list of domains for subdomain discovery
`-s, -sources string[]`	specific sources to use for discovery (-s crtsh,github). Use -ls to display all available sources.
`-recursive`	use only sources that can handle subdomains recursively (e.g. subdomain.domain.tld vs domain.tld)
`-all`	use all sources for enumeration (slow)
`-es, -exclude-sources string[]`	sources to exclude from enumeration (-es alienvault,zoomeye)
`-m, -match string[]`	subdomain or list of subdomain to match (file or comma separated)
`-f, -filter string[]`	subdomain or list of subdomain to filter (file or comma separated)
`-rl, -rate-limit int`	maximum number of http requests to send per second
`-t int`	number of concurrent goroutines for resolving (-active only) (default 10)
`-o, -output string`	file to write output to
`-oJ, -json`	write output in JSONL(ines) format
`-oD, -output-dir string`	directory to write output (-dL only)
`-cs, -collect-sources`	include all sources in the output (-json only)
`-oI, -ip`	include host IP in output (-active only)
`-config string`	flag config file (default "$HOME/.config/subfinder/config.yaml")
`-pc, -provider-config string`	provider config file (default "$HOME/.config/subfinder/provider-config.yaml")
`-r string[]`	comma separated list of resolvers to use
`-rL, -rlist string`	file containing list of resolvers to use
`-nW, -active`	display active subdomains only
`-proxy string`	http proxy to use with subfinder
`-ei, -exclude-ip`	exclude IPs from the list of domains
`-silent`	show only subdomains in output
`-version`	show version of subfinder
`-v`	show verbose output
`-nc, -no-color`	disable color in output
`-ls, -list-sources`	list all available sources
`-timeout int`	seconds to wait before timing out (default 30)
`-max-time int`	minutes to wait for enumeration results (default 10)

Example Subfinder Commands

Find Subdomains Single Domain

Find subdomains for a single domain with subfinder:

subfinder -d hackerone.com

               __    _____           __
   _______  __/ /_  / __(_)___  ____/ /__  _____
  / ___/ / / / __ \/ /_/ / __ \/ __  / _ \/ ___/
 (__  ) /_/ / /_/ / __/ / / / / /_/ /  __/ /
/____/\__,_/_.___/_/ /_/_/ /_/\__,_/\___/_/ v2.5.1

		projectdiscovery.io

Use with caution. You are responsible for your actions
Developers assume no liability and are not responsible for any misuse or damage.
By using subfinder, you also agree to the terms of the APIs used.

[INF] Enumerating subdomains for hackerone.com
info.hackerone.com
design.hackerone.com
docs.hackerone.com
events.hackerone.com
web-seo-content-for-business.theflyingkick.websitedesignresource.api.hackerone.com
zendesk2.hackerone.com
fsdkim.hackerone.com
email.gh-mail.hackerone.com
a.ns.hackerone.com
support.hackerone.com
www.hackerone.com
mta-sts.managed.hackerone.com
api.hackerone.com
gslink.hackerone.com
zendesk1.hackerone.com
3d.hackerone.com
links.hackerone.com
mta-sts.hackerone.com
resources.hackerone.com
zendesk4.hackerone.com
zendesk3.hackerone.com
go.hackerone.com
mta-sts.forwarding.hackerone.com
_dmarc.hackerone.com
b.ns.hackerone.com
hackerone.com
defcon.hackerone.com
[INF] Found 27 subdomains for hackerone.com in 30 seconds 33 milliseconds

Verify Subfinder Results With HTTPX

Chain up other tools within your workflow, such as verifying targets have web servers using HTTPX:

echo hackerone.com | subfinder -silent | httpx -silent
https://docs.hackerone.com
https://mta-sts.forwarding.hackerone.com
https://mta-sts.hackerone.com
https://mta-sts.managed.hackerone.com
http://a.ns.hackerone.com
https://www.hackerone.com
http://b.ns.hackerone.com
http://zendesk4.hackerone.com
http://fsdkim.hackerone.com
http://zendesk1.hackerone.com
http://zendesk2.hackerone.com
http://zendesk3.hackerone.com
https://hackerone.com
https://support.hackerone.com
https://resources.hackerone.com
https://gslink.hackerone.com
https://api.hackerone.com

Subfinder + Naabu Portscan

echo hackerone.com | subfinder -silent | naabu -silent
docs.hackerone.com:443
docs.hackerone.com:80
mta-sts.forwarding.hackerone.com:443
mta-sts.forwarding.hackerone.com:80
mta-sts.hackerone.com:80
mta-sts.hackerone.com:443
mta-sts.managed.hackerone.com:80
mta-sts.managed.hackerone.com:443
<--SNIP-->

Category	Post Name
`cheat-sheet`	Nikto Cheat Sheet
`cheat-sheet`	Naabu Cheat Sheet: Commands & Examples
`cheat-sheet`	Reverse Shell Cheat Sheet: PHP, Python, Powershell, Bash, NC, JSP, Java, Perl
`Web App Security`	Insecure Direct Object Reference (IDOR): Definition, Examples & How to Find
`cheat-sheet`	Nmap Cheat Sheet: Commands & Examples (2023)
`SecOps`	Encrypted Notes App Solution (iOS, Android, MacOS, Linux, Windows)
`cheat-sheet`	DNS Tunneling dnscat2 Cheat Sheet
`cheat-sheet`	SSH Lateral Movement Cheat Sheet
`cheat-sheet`	Android Pen Testing Environment Setup
`cheat-sheet`	Password Reset Testing Cheat Sheet

HighOn.Coffee