- What is Subfinder
- Install Subfinder
- Subfinder API Setup
- Example Subfinder API Config File
- Subfinder Usage
- Example Subfinder Commands
- Document Changelog
What is Subfinder
Subfinder is a subdomain discovery tool made by Project Discovery, the following cheat sheet provides and overview of the command flags for Subfinder and common commamnd examples for real world usage. Subfinder can be used to obtain a number of subdomains both passively and actively, to identify more attack surface for penetration testing or bug bounty recon or assessment.
Install Subfinder
Configure API Keys
Subfinder works straight after install, however with API keys (even a free key) will improve passive subdomain results.
Subfinder Flags & Syntax
root:~# subfinder -h
Subfinder API Setup
Configuring Subfinder to use free or paid API services will likely improve the discovered domains the tool can find. You can list the sources Subfinder uses by running subfinder -ls
. In order to setup subfinder api keys you need to create a configuration file at: $HOME/.config/subfinder/provider-config.yaml
and populate with the API keys that you wil need to obtain from the various sources.
Subfinder Sources
Subfinder supports the following data API sources:
NAME | URL |
---|---|
BeVigil |
|
BinaryEdge |
|
BufferOver |
|
C99 |
|
Censys |
|
CertSpotter |
|
Chaos |
|
Chinaz |
|
DNSDB |
|
Fofa |
|
FullHunt |
|
GitHub |
|
Intelx |
|
PassiveTotal |
|
quake |
|
Robtex |
|
SecurityTrails |
|
Shodan |
|
ThreatBook |
|
VirusTotal |
|
WhoisXML API |
|
ZoomEye |
|
ZoomEye API |
|
dnsrepo |
|
Hunter |
|
|
|
BuiltWith |
|
Example Subfinder API Config File
The following is an example of the API config file:
Above file source: https://docs.projectdiscovery.io/tools/subfinder/install#post-install-configuration
Subfinder Usage
How to use Subfinder to find domains:
Flag | Description |
---|---|
|
domains to find subdomains for |
|
file containing list of domains for subdomain discovery |
|
specific sources to use for discovery (-s crtsh,github). Use -ls to display all available sources. |
|
use only sources that can handle subdomains recursively (e.g. subdomain.domain.tld vs domain.tld) |
|
use all sources for enumeration (slow) |
|
sources to exclude from enumeration (-es alienvault,zoomeye) |
|
subdomain or list of subdomain to match (file or comma separated) |
|
subdomain or list of subdomain to filter (file or comma separated) |
|
maximum number of http requests to send per second |
|
number of concurrent goroutines for resolving (-active only) (default 10) |
|
file to write output to |
|
write output in JSONL(ines) format |
|
directory to write output (-dL only) |
|
include all sources in the output (-json only) |
|
include host IP in output (-active only) |
|
flag config file (default "$HOME/.config/subfinder/config.yaml") |
|
provider config file (default "$HOME/.config/subfinder/provider-config.yaml") |
|
comma separated list of resolvers to use |
|
file containing list of resolvers to use |
|
display active subdomains only |
|
http proxy to use with subfinder |
|
exclude IPs from the list of domains |
|
show only subdomains in output |
|
show version of subfinder |
|
show verbose output |
|
disable color in output |
|
list all available sources |
|
seconds to wait before timing out (default 30) |
|
minutes to wait for enumeration results (default 10) |
Example Subfinder Commands
Find Subdomains Single Domain
Find subdomains for a single domain with subfinder:
Verify Subfinder Results With HTTPX
Chain up other tools within your workflow, such as verifying targets have web servers using HTTPX:
Subfinder + Naabu Portscan
If you found this Subfinder cheat sheet useful, please share it below.
Document Changelog
- Last Updated: 12/02/2024 (12th of February 2024)
- Author: Arr0way
- Notes: Checked syntax was current for latest version of Subfinder + added Subfinder API sources table.