An in-depth guide to subfinder: beginner to advanced (2024)

In the era of application security, bug bounties have evolved and become mainstream for hackers around the globe. Hackers are constantly looking for new tactics to automate the process of reconnaissance and find different types of vulnerabilities. One of the first steps to hacking a larger scoped program is subdomain enumeration.

You can find subdomains by using tools like amass, assetfinder, sudomy, and others. However, in this post, we'll discuss one of the most popular, subfinder, from ProjectDiscovery.

Introduction To Subfinder

Subfinder is a popular open-source tool used for subdomain enumeration. It allows users to quickly and easily discover subdomains of a given domain by using a variety of different active and passive methods. This can be useful for a variety of purposes, such as security assessments, penetration testing, and research.

There are several similar tools available, including Sublist3r, Knockpy, and Amass. However, Subfinder is generally considered to be one of the most effective due to its speed, active development, and strong community. Subfinder is written in Golang and makes full use of Golang's native concurrency to gather subdomains from multiple sources simultaneously. Subfinder gathers potential subdomain lists from passive online sources such as Binaryedge, C99, Certspotter, Chinaz, Censys, Chaos, and others.

Core Features

Below are some of Subfinder's core features:

  • Fast and powerful resolution and wildcard elimination module
  • Curated passive sources to maximize results
  • Multiple Output formats supported (JSON, File, Stdout)
  • Optimized for speed, very fast and lightweight on resources
  • STDIN/OUT support for integrating with workflows
  • Command Line Interface (CLI) based tool
  • Easy API configuration interface
  • Ability to exclude certain sources
  • Uses up to 26 passive DNS sources (including SecurityTrails!)
  • Docker, tar and pre-built binaries available

The ProjectDiscovery Community Factor

The ProjectDiscovery community is a major factor in the success of Subfinder, and has helped to make it one of the most popular tools for subdomain enumeration. Their passion and engagement have helped to drive the development of the tool and ensure that it continues to meet their needs, including penetration testing, security research and bug bounty hunting.

The ProjectDiscovery community plays a crucial role in the development and success of Subfinder and other tools. They provide valuable feedback and suggestions for improving the tool, contribute code and other resources to the project, develop content related to the tool, and help to battle test it.

Table of Contents

  • Installation of Subfinder
  • Navigating through Subfinder
  • Output Options
  • Advanced Options
  • Post Installation Instructions
  • Conclusion

Installation of Subfinder

We can install Subfinder using four different methods:

Source

Subfinder is written in Golang. Therefore, we can install it from source by using Golang utilities. To achieve that, you'll need to install Go on your local machine.

go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest

Binary

First, download the release that is compatible with your operating system. Then extract the archive and move the subfinder binary file to /usr/local/bin.

tar -xzvf subfinder-linux-amd64.tar.gz
mv subfinder /usr/local/bin/
subfinder -h

GitHub

Clone the repository and change to subfinder/v2/cmd/subfinder. Now run go build . to compile the binary. Subfinder is available for use once the binary file has been moved to /usr/local/bin.

git clone https://github.com/projectdiscovery/subfinder.git
cd subfinder/v2/cmd/subfinder
go build .
mv subfinder /usr/local/bin/
subfinder -h

Docker

docker pull projectdiscovery/subfinder:latest

Navigating through Subfinder

In this section, we will cover all the different features and usage options that Subfinder provides.

Getting Help

subfinder -h

Performing Basic Subdomain Enumeration

subfinder -d tesla.com -v

Enumerating Subdomains From a List of Domains

subfinder -dL list.txt -v

Enumerating Subdomains Using Specific Sources

subfinder -d tesla.com -s virustotal

The screenshot below shows how we retrieved the subdomains using the virustotal API Key. To retrieve subdomains from other alternative sources, the API Keys must be added to the file ~/.config/subfinder/provider-config.yaml. You can learn more about these API keys below in the Post Installation Instructions section.

An example of sample API keys is shown in the screenshot below:

Enumerating Subdomains Using All Sources

subfinder -d tesla.com -v -all 

Using the -all option, we can fetch all the subdomains using the default sources and sources with configured API Keys.

Excluding Specific Sources

subfinder -d tesla.com -es virustotal,securitytrails,dnsdumpster 

The -es option allows you to exclude specific sources. The total count of subdomains decreases significantly: with all sources, the count was originally more than 854 domains.

After removing these sources, the picture below displays only 559 domains.

Output Options

Outputting Results to a File

subfinder -d tesla.com -o subdomain.txt 

Outputting Results in JSON Format

subfinder -d tesla.com -o tesla.json -oJ 

In the example below, we've used jq to transform the JSON data into a format that is easier to read. Using the head command, we can obtain the first ten lines of the tesla.json file.
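For an asset owner, the JSON output is most useful when compared against an existing inventory. The following is an added example, not part of the original post: it reads -oJ output, merges duplicate hosts, and lists names that passive sources know about but the inventory does not. It assumes one JSON object per line with host, input and source fields; the sample records and the inventory list are constructed.

```python
import json

# Constructed sample of `subfinder -d example.com -oJ` output (assumed field names).
SAMPLE = """\
{"host":"www.example.com","input":"example.com","source":"crtsh"}
{"host":"WWW.example.com.","input":"example.com","source":"virustotal"}
{"host":"staging-old.example.com","input":"example.com","source":"securitytrails"}
{"host":"notexample.com","input":"example.com","source":"crtsh"}
"""

def load_results(jsonl_text):
    """Return {host: set(sources)} for in-scope hosts in JSON Lines output."""
    hosts = {}
    for n, line in enumerate(jsonl_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            host = rec["host"].lower().rstrip(".")
            root = rec["input"].lower().rstrip(".")
        except (json.JSONDecodeError, KeyError, AttributeError, TypeError):
            raise ValueError(f"line {n}: not a host/input record")
        # Keep only the root itself or names under ".<root>"; a bare suffix
        # match would wrongly accept notexample.com for example.com.
        if host != root and not host.endswith("." + root):
            continue
        hosts.setdefault(host, set()).add(rec.get("source", "unknown"))
    return hosts

def unknown_hosts(hosts, inventory):
    """List (host, sources) pairs that are absent from the asset inventory."""
    known = {h.lower().rstrip(".") for h in inventory}
    return [(h, sorted(s)) for h, s in sorted(hosts.items()) if h not in known]

if __name__ == "__main__":
    inventory = ["example.com", "www.example.com"]  # constructed inventory
    for host, sources in unknown_hosts(load_results(SAMPLE), inventory):
        print(f"not in inventory: {host} (seen by {', '.join(sources)})")
```
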

Specifying a Directory to Write the Output

subfinder -dL list.txt -oD results

The -oD option is used in conjunction with -dL, which supplies a list of domains for subdomain enumeration. As you can see in the picture shown below, once the command has run, a directory containing the appropriate files is created.

Only Displaying Active Subdomains

subfinder -d tesla.com -o tesla_domain.json -nW

The option -nW performs DNS resolution on discovered subdomains, and discards any that don't respond. Use of the JSON output requires this parameter. It makes domain resolving easier, completing that part of your reconnaissance in one step.

Hiding Unnecessary Output

subfinder -d tesla.com -silent

Being More Verbose

subfinder -d tesla.com -v

Advanced Options

Viewing Available Sources

subfinder -ls

Setting a Timeout

subfinder -d tesla.com -max-time 5

Piping to/from Other Tools

Subfinder accepts root domains from STDIN, like this:

echo "tesla.com" | subfinder -silent | httprobe

Specifying a DNS Resolver

subfinder -d tesla.com -o output.txt -nW -v -r 8.8.8.8

Specifying a List of DNS Resolvers

subfinder -d tesla.com -o output.txt -nW -v -rL resolver.txt

Post Installation Instructions

Subfinder will function after following the installation instructions. However, certain services need API keys to be set up before Subfinder can use them. Without an API key, the following services will not function: Binaryedge, C99, Certspotter, Chinaz, Censys, Chaos, DnsDB, Fofa, Github, Intelx, Passivetotal, Robtex, SecurityTrails, Shodan, Threatbook, Virustotal, WhoisXML API, Zoomeye.

When you first run the program, a file called $HOME/.config/subfinder/provider-config.yaml will be produced that contains these settings. The configuration file is formatted in YAML. Each of these services allows the specification of multiple API keys, one of which will be used for enumeration.

For sources like Censys and Passivetotal that need several keys, you may add them by separating them with a colon (:).

binaryedge:
- 1bf8919b-aab9-42e4-9574-d3b639324598
- bc244e2f-b635-4581-878a-33f4e79a2c14
censys:
- cc244e2f-b635-4581-878a-33f4e79a2c13:dd510d6e-1b6e-4655-83f6-f347b363def8
certspotter: []
passivetotal:
- sample-email@user.com:sample_password
securitytrails: []
shodan:
- AAAAClP1bJJSRMEYJazgwhJKrggRwKA
github:
- ghp_lkyJGU3jv1xmwk4SDXavrLDJ4dl2pSJMzj4X
- ghp_gkUuhkIYdQPj13ifH4KA3cXRn8JD2lqir2d4
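
Because this file holds live credentials in plain text, it is worth checking before each engagement. The following is an added example, not part of the original post or of Subfinder itself: it parses the flat layout shown above and reports sources with no key, Censys or Passivetotal entries missing the colon-separated second value, and a file mode that lets other local users read the keys. The function names are hypothetical and the sample values are constructed placeholders.

```python
import os

PAIRED_SOURCES = {"censys", "passivetotal"}  # colon-joined pairs, per the text above

SAMPLE = """\
binaryedge:
- EXAMPLE-KEY-1
censys:
- EXAMPLE-ID-WITHOUT-SECRET
certspotter: []
passivetotal:
- user@example.com:EXAMPLE-SECRET
"""  # constructed sample, placeholder values only

def parse_provider_config(text):
    """Parse the flat 'source:' / '- key' subset of YAML shown above."""
    config, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- ") and current is not None:
            config[current].append(line[2:].strip().strip("'\""))
        elif line.endswith(":") or line.endswith(": []"):
            current = line.split(":", 1)[0].strip()
            config[current] = []
        else:
            raise ValueError(f"unsupported line: {raw!r}")
    return config

def lint(config, mode=None):
    """Return findings for missing keys, malformed pairs and loose file mode."""
    findings = []
    if mode is not None and mode & 0o077:
        findings.append(f"mode {mode & 0o777:o}: API keys readable by other users")
    for source, keys in config.items():
        if not keys:
            findings.append(f"{source}: no API key configured")
        for key in keys:
            parts = key.split(":")
            if source in PAIRED_SOURCES and (len(parts) != 2 or not all(parts)):
                findings.append(f"{source}: expected two colon-separated values")
    return findings

def lint_file(path):
    """Lint a real file such as ~/.config/subfinder/provider-config.yaml."""
    with open(path) as fh:
        return lint(parse_provider_config(fh.read()), os.stat(path).st_mode & 0o777)
```
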

Conclusion

Subfinder is a fantastic tool for gathering subdomains from various passive sources. It is straightforward to use and does not require much configuration. Due to its extensive integrations, it is far more powerful than most other subdomain mapping solutions currently available. Additionally, because it is implemented in the Go programming language, it is fast. Subfinder is unquestionably among the finest choices for bounty seekers while hunting for subdomains.

Author - Devansh Bordia, @devansh3008
