What is Subfinder

Subfinder is a subdomain discovery tool made by Project Discovery, the following cheat sheet provides and overview of the command flags for Subfinder and common commamnd examples for real world usage. Subfinder can be used to obtain a number of subdomains both passively and actively, to identify more attack surface for penetration testing or bug bounty recon or assessment.

Install Subfinder

go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
Configure API Keys

Subfinder works straight after install, however with API keys (even a free key) will improve passive subdomain results.

Subfinder Flags & Syntax

root:~# subfinder -h



Subfinder API Setup

Configuring Subfinder to use free or paid API services will likely improve the discovered domains the tool can find. You can list the sources Subfinder uses by running subfinder -ls. In order to setup subfinder api keys you need to create a configuration file at: $HOME/.config/subfinder/provider-config.yaml and populate with the API keys that you wil need to obtain from the various sources.

Subfinder Sources

Subfinder supports the following data API sources:

NAME URL
BeVigil

https://bevigil.com/osint-api
BinaryEdge

https://binaryedge.io
BufferOver

https://tls.bufferover.run
C99

https://api.c99.nl/
Censys

https://censys.io
CertSpotter

https://sslmate.com/certspotter/api/
Chaos

https://chaos.projectdiscovery.io
Chinaz

http://my.chinaz.com/ChinazAPI/DataCenter/MyDataApi
DNSDB

https://api.dnsdb.info
Fofa

https://fofa.info/static_pages/api_help
FullHunt

https://fullhunt.io
GitHub

https://github.com
Intelx

https://intelx.io
PassiveTotal

http://passivetotal.org
quake

https://quake.360.cn
Robtex

https://www.robtex.com/api/
SecurityTrails

http://securitytrails.com
Shodan

https://shodan.io
ThreatBook

https://x.threatbook.cn/en
VirusTotal

https://www.virustotal.com
WhoisXML API

https://whoisxmlapi.com/
ZoomEye

https://www.zoomeye.org
ZoomEye API

https://api.zoomeye.org
dnsrepo

https://dnsrepo.noc.org
Hunter

https://hunter.qianxin.com/
Facebook

https://developers.facebook.com
BuiltWith

https://api.builtwith.com/domain-api

Example Subfinder API Config File

The following is an example of the API config file:

binaryedge:
  - 0bf8919b-aab9-42e4-9574-d3b639324597
  - ac244e2f-b635-4581-878a-33f4e79a2c13
censys:
  - ac244e2f-b635-4581-878a-33f4e79a2c13:dd510d6e-1b6e-4655-83f6-f347b363def9
certspotter: []
passivetotal:
  - [email protected]:sample_password
redhuntlabs:
  - ENDPOINT:API_TOKEN
  - https://reconapi.redhuntlabs.com/community/v1/domains/subdomains:joEPzJJp2AuOCw7teAj63HYrPGnsxuPQ
securitytrails: []
shodan:
  - AAAAClP1bJJSRMEYJazgwhJKrggRwKA
github:
  - ghp_lkyJGU3jv1xmwk4SDXavrLDJ4dl2pSJMzj4X
  - ghp_gkUuhkIYdQPj13ifH4KA3cXRn8JD2lqir2d4
zoomeyeapi:
  - 4f73021d-ff95-4f53-937f-83d6db719eec
quake:
  - 0cb9030c-0a40-48a3-b8c4-fca28e466ba3
facebook:
  - APP_ID:APP_SECRET
intelx:
  - HOST:API_KEY
  - 2.intelx.io:s4324-b98b-41b2-220e8-3320f6a1284d

Above file source: https://docs.projectdiscovery.io/tools/subfinder/install#post-install-configuration

Subfinder Usage

How to use Subfinder to find domains:

Flag Description

-d, -domain string[]

domains to find subdomains for

-dL, -list string

file containing list of domains for subdomain discovery

-s, -sources string[]

specific sources to use for discovery (-s crtsh,github). Use -ls to display all available sources.

-recursive

use only sources that can handle subdomains recursively (e.g. subdomain.domain.tld vs domain.tld)

-all

use all sources for enumeration (slow)

-es, -exclude-sources string[]

sources to exclude from enumeration (-es alienvault,zoomeye)

-m, -match string[]

subdomain or list of subdomain to match (file or comma separated)

-f, -filter string[]

subdomain or list of subdomain to filter (file or comma separated)

-rl, -rate-limit int

maximum number of http requests to send per second

-t int

number of concurrent goroutines for resolving (-active only) (default 10)

-o, -output string

file to write output to

-oJ, -json

write output in JSONL(ines) format

-oD, -output-dir string

directory to write output (-dL only)

-cs, -collect-sources

include all sources in the output (-json only)

-oI, -ip

include host IP in output (-active only)

-config string

flag config file (default "$HOME/.config/subfinder/config.yaml")

-pc, -provider-config string

provider config file (default "$HOME/.config/subfinder/provider-config.yaml")

-r string[]

comma separated list of resolvers to use

-rL, -rlist string

file containing list of resolvers to use

-nW, -active

display active subdomains only

-proxy string

http proxy to use with subfinder

-ei, -exclude-ip

exclude IPs from the list of domains

-silent

show only subdomains in output

-version

show version of subfinder

-v

show verbose output

-nc, -no-color

disable color in output

-ls, -list-sources

list all available sources

-timeout int

seconds to wait before timing out (default 30)

-max-time int

minutes to wait for enumeration results (default 10)

Example Subfinder Commands

Find Subdomains Single Domain

Find subdomains for a single domain with subfinder:

subfinder -d hackerone.com

               __    _____           __
   _______  __/ /_  / __(_)___  ____/ /__  _____
  / ___/ / / / __ \/ /_/ / __ \/ __  / _ \/ ___/
 (__  ) /_/ / /_/ / __/ / / / / /_/ /  __/ /
/____/\__,_/_.___/_/ /_/_/ /_/\__,_/\___/_/ v2.5.1

		projectdiscovery.io

Use with caution. You are responsible for your actions
Developers assume no liability and are not responsible for any misuse or damage.
By using subfinder, you also agree to the terms of the APIs used.

[INF] Enumerating subdomains for hackerone.com
info.hackerone.com
design.hackerone.com
docs.hackerone.com
events.hackerone.com
web-seo-content-for-business.theflyingkick.websitedesignresource.api.hackerone.com
zendesk2.hackerone.com
fsdkim.hackerone.com
email.gh-mail.hackerone.com
a.ns.hackerone.com
support.hackerone.com
www.hackerone.com
mta-sts.managed.hackerone.com
api.hackerone.com
gslink.hackerone.com
zendesk1.hackerone.com
3d.hackerone.com
links.hackerone.com
mta-sts.hackerone.com
resources.hackerone.com
zendesk4.hackerone.com
zendesk3.hackerone.com
go.hackerone.com
mta-sts.forwarding.hackerone.com
_dmarc.hackerone.com
b.ns.hackerone.com
hackerone.com
defcon.hackerone.com
[INF] Found 27 subdomains for hackerone.com in 30 seconds 33 milliseconds

Verify Subfinder Results With HTTPX

Chain up other tools within your workflow, such as verifying targets have web servers using HTTPX:

echo hackerone.com | subfinder -silent | httpx -silent
https://docs.hackerone.com
https://mta-sts.forwarding.hackerone.com
https://mta-sts.hackerone.com
https://mta-sts.managed.hackerone.com
http://a.ns.hackerone.com
https://www.hackerone.com
http://b.ns.hackerone.com
http://zendesk4.hackerone.com
http://fsdkim.hackerone.com
http://zendesk1.hackerone.com
http://zendesk2.hackerone.com
http://zendesk3.hackerone.com
https://hackerone.com
https://support.hackerone.com
https://resources.hackerone.com
https://gslink.hackerone.com
https://api.hackerone.com

Subfinder + Naabu Portscan

echo hackerone.com | subfinder -silent | naabu -silent
docs.hackerone.com:443
docs.hackerone.com:80
mta-sts.forwarding.hackerone.com:443
mta-sts.forwarding.hackerone.com:80
mta-sts.hackerone.com:80
mta-sts.hackerone.com:443
mta-sts.managed.hackerone.com:80
mta-sts.managed.hackerone.com:443
<--SNIP-->

If you found this Subfinder cheat sheet useful, please share it below.

Document Changelog

  • Last Updated: 12/02/2024 (12th of February 2024)
  • Author: Arr0way
  • Notes: Checked syntax was current for latest version of Subfinder + added Subfinder API sources table.