Subfinder: Subdomain Discovery Tool
Subfinder is a tool which allows you to find valid subdomains through passive online sources. It uses a modular architecture which allows it to be fast and simple. This tool only has one function, which is to find the subdomains of a target domain.
Subfinder: Subdomain Discovery Tool
After submitting a target domain to Subfinder, it will go through at least 26 sources to find all of the various subdomains of the target domain. The subdomains can then be outputted in multiple formats such as Json, File and Stdout. It allows the user to enter multiple target domains at once, while the stdin/stdout features allow it to be integrated with other tools as part of a workflow.
Features:
- Simple and modular code base making it easy to contribute.
- Fast and Powerful Resolution and wildcard elimination module
- Curated passive sources to maximize results (26 Sources as of now)
- Multiple Output formats supported (
json,file,stdout) - Optimized for speed, very fast and lightweight on resources
stdinandstdoutsupport for integrating in workflows
Supported Platforms:
- Linux
- Windows
- OS X
Requirements:
- Go 1.13+
Subfinder Install
Option 1
Download the pre-built binaries from the release page, then extract using tar:
$ tar -xzvf subfinder-linux-amd64.tar
Move it to your path:
$ mv subfinder-linux-amd64 /usr/bin/subfinder
Option 2
Install in one command using Go:
$ go get -v github.com/projectdiscovery/subfinder/cmd/subfinder
Option 3
For automatic installation:
$ docker pull ice3man/subfinder
For manual installation:
$ git clone https://github.com/projectdiscovery/subfinder.git
docker build -t ice3man/subfinder .
docker run -it ice3man/subfinder
Usage
Linux
To run the tool on a target, use the following command:
$ subfinder -d freelancer.com
Docker
Use the following command:
$ docker run -v $HOME/.config/subfinder:/root/.config/subfinder -it ice3man/subfinder -d domain.com > domain.com.txt
$ HOME/.config/subfinder/config.yaml file
– Virustotal,Passivetotal, SecurityTrails, Censys, Binaryedge, Shodan, URLScan
Subfinder has many switches which are shown below:
$ Usage of ./subfinder:
-config string
Configuration file for API Keys, etc (default "/home/user/.config/subfinder/config.yaml")
-d string
Domain to find subdomains for
-dL string
File containing list of domains to enumerate
-exclude-sources string
List of sources to exclude from enumeration
-max-time int
Minutes to wait for enumeration results (default 10)
-nC
Don't Use colors in output
-nW
Remove Wildcard & Dead Subdomains from output
-o string
File to write output to (optional)
-oD string
Directory to write enumeration results to (optional)
-oI
Write output in Host,IP format
-oJ
Write output in JSON lines Format
-r string
Comma-separated list of resolvers to use
-rL string
Text file containing list of resolvers to use
-silent
Show only subdomains in output
-sources string
Comma separated list of sources to use
-t int
Number of concurrent goroutines for resolving (default 10)
-timeout int
Seconds to wait before timing out (default 30)
-v Show Verbose output
-version
Show version of subfinder
Usage example
root@cyberpunk.rs:~/go/bin$ sudo ./subfinder -d hackerone.com -v
_ __ _ _
____ _| |__ / _(_)_ _ __| |___ _ _
(_-< || | '_ \ _| | ' \/ _ / -_) '_|
/__/\_,_|_.__/_| |_|_||_\__,_\___|_| v2
projectdiscovery.io
[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[WRN] By using subfinder, you also agree to the terms of the APIs used.
[INF] Enumerating subdomains for hackerone.com
[hackertarget] api.hackerone.com
[hackertarget] a.ns.hackerone.com
[hackertarget] b.ns.hackerone.com
[hackertarget] www.hackerone.com
[archiveis] hackerone.com
[archiveis] docs.hackerone.com
[bufferover] mta-sts.managed.hackerone.com
[bufferover] mta-sts.forwarding.hackerone.com
[bufferover] mta-sts.hackerone.com
[bufferover] support.hackerone.com
Browse Information Gathering Tools.
