9 min read · Apr 6, 2023
Subfinder is an open-source tool used for subdomain enumeration, which means it helps to identify subdomains for a particular domain name. Subdomains are the domains that are part of a larger domain name and are separated by a dot. For example, in the domain name “blog.example.com”, “blog” is the subdomain.
Subdomain enumeration is important for various reasons, particularly in the context of cybersecurity. Attackers often use subdomains to launch attacks, such as phishing and malware attacks. By identifying all subdomains associated with a domain, security professionals can proactively secure them and prevent potential attacks. Subdomain enumeration can also help in identifying forgotten or abandoned subdomains that could be a security risk, and in identifying new web applications or services hosted on a domain that may not be visible through the main website.
Subfinder is a command-line tool that can be installed on various operating systems. Here’s a brief description of the installation process on different operating systems:
Linux:
- On Debian/Ubuntu, run the following command:
sudo apt-get update && sudo apt-get install subfinder
- On other Linux distributions, download the binary file from the official repository and install it using the package manager.
macOS:
- Install Homebrew package manager by running the following command in the Terminal:
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
- Once Homebrew is installed, run the following command to install subfinder:
brew install subfinder
Windows:
- Download the latest binary release from the official repository.
- Extract the downloaded archive and add the extracted folder to your system’s PATH environment variable.
- Alternatively, you can install subfinder using the Windows Subsystem for Linux (WSL).
Once subfinder is installed, you can verify the installation by running the subfinder -h
command in your terminal.
Once subfinder is installed, you can use it from the command-line interface (CLI). Here’s the basic usage of subfinder:
To enumerate subdomains for a single domain, run the following command:
subfinder -d example.com
This will enumerate subdomains for the “example.com” domain and output the results to the terminal.
To save the output to a file, use the “-o” flag:
subfinder -d example.com -o output.txt
This will save the results to the “output.txt” file.
To enumerate subdomains for multiple domains, list them separated by commas:
subfinder -d example.com,example.net
This will enumerate subdomains for both “example.com” and “example.net” domains.
To use multiple threads for faster enumeration, use the “-t” flag:
subfinder -d example.com -t 10
This will use 10 threads to enumerate subdomains for the “example.com” domain.
To use different output formats, use the “-o” flag followed by the desired format:
subfinder -d example.com -o json
This will output the results in JSON format.
These are just a few examples of the basic usage of subfinder. To see all available flags and options, run the subfinder -h
command.
Subfinder has various flags and options that you can use to customize your subdomain enumeration.
Here’s an overview of the most commonly used flags and options:
-d
or--domain
: Specify the domain to enumerate subdomains for. You can also specify multiple domains separated by commas.-o
or--output
: Specify the output file name and format. Supported formats include CSV, JSON, and text.-t
or--threads
: Specify the number of threads to use for subdomain enumeration. Using more threads can increase the speed of enumeration but can also result in more false positives.--timeout
: Specify the timeout in seconds for HTTP requests. Increase this value if subfinder is timing out too quickly.-v
or--verbose
: Enable verbose output, which displays more information about the enumeration process.-nW
or--no-wildcard
: Disable wildcard filtering. By default, subfinder filters out subdomains that are likely to be wildcard subdomains.-r
or--recursive
: Enable recursive subdomain enumeration. This option enables subfinder to search for subdomains of the subdomains it finds.-a
or--all-sources
: Enable all data sources. By default, subfinder uses a subset of available data sources to enumerate subdomains. Enabling this option may result in more false positives.--set-config
: Set configuration options for subfinder, such as API keys for data sources.
These are just a few examples of the flags and options available in subfinder. To see the full list of options, run the subfinder -h
command.
Subfinder supports several data sources that require API keys or other credentials. Here’s how you can configure subfinder to use different API keys:
- Open your terminal or command prompt.
- Type the following command, replacing “example.com” with the domain you want to enumerate subdomains for and “your_api_key” with your actual API key:
subfinder -d example.com --set-config SHODAN_API_KEY=your_api_key
- Press Enter to execute the command.
- Wait for subfinder to finish enumerating subdomains. The output will be displayed in the terminal window.
In this example, we’re using the --set-config
flag to specify the SHODAN_API_KEY
configuration option. This option is used to specify your Shodan API key.
You can use this same method to specify other API keys or credentials. Here are some examples:
- Censys API key:
subfinder -d example.com --set-config CENSYS_API_ID=your_api_id CENSYS_API_SECRET=your_api_secret
- SecurityTrails API key:
subfinder -d example.com --set-config SECURITYTRAILS_API_KEY=your_api_key
- VirusTotal API key:
subfinder -d example.com --set-config VIRUSTOTAL_API_KEY=your_api_key
Note that not all data sources require API keys or other credentials. If you don’t have a specific API key, you can omit the corresponding configuration options.
Using subfinder as a library in your own scripts
Subfinder can be used as a library in your own Python scripts. This allows you to automate subdomain enumeration and integrate it into your own tooling. Here’s an example of how to use subfinder as a library:
Install subfinder using pip:
pip install subfinder
Import subfinder into your Python script:
import subfinder
Use subfinder’s run
function to enumerate subdomains:
subdomains = subfinder.run(domain='example.com', silent=True)
In this example, we’re using the run
function to enumerate subdomains for the domain "example.com". We're also setting the silent
parameter to True to suppress output.
The run
function returns a list of subdomains as strings. You can then use this list in your own scripts.
Here’s an example of how to customize subfinder’s behavior using configuration options:
subdomains = subfinder.run(domain='example.com', silent=True, set_config={'SOURCES': 'censys,securitytrails', 'RATE_LIMIT': 1})
In this example, we’re using the set_config
parameter to specify the data sources and rate limit. The SOURCES
option is used to specify the data sources as a comma-separated string. The RATE_LIMIT
option is used to set the rate limit to 1 request per second.
Note that you can also use subfinder’s other functions and classes in your own scripts. For example, you can use the subfinder.validate_domain
function to validate a domain name, or the subfinder.Source
class to interact with individual data sources.
Advanced filtering options
--exclude-sources
: This option allows you to exclude specific data sources from the enumeration process. For example, if you don't want to include results from Shodan, you can use the following command:
subfinder -d example.com --exclude-sources shodan
--exclude-subdomains
: This option allows you to exclude specific subdomains from the results. For example, if you want to exclude all subdomains that contain the string "test", you can use the following command:
subfinder -d example.com --exclude-subdomains "*test*"
--exclude-resolvers
: This option allows you to exclude specific DNS resolvers from the enumeration process. For example, if you don't want to use Google's DNS resolver, you can use the following command:
subfinder -d example.com --exclude-resolvers 8.8.8.8
--include-sources
: This option allows you to include only specific data sources in the enumeration process. For example, if you only want to include results from Censys and Shodan, you can use the following command:
subfinder -d example.com --include-sources censys,shodan
--min-for-wildcard
: This option allows you to set the minimum number of subdomains required for a wildcard domain to be detected. For example, if you set this option to 3, subfinder will only detect wildcard domains that have at least 3 subdomains. You can use the following command:
subfinder -d example.com --min-for-wildcard 3
--no-passive
: This option disables passive subdomain enumeration. This means that subfinder will only use active methods to enumerate subdomains, such as DNS resolution and HTTP requests. You can use the following command:
subfinder -d example.com --no-passive
--wildcard
: This option includes wildcard subdomains in the results. Wildcard subdomains are subdomains that resolve to the same IP address as the parent domain, and can be used for malicious purposes. You can use the following command:
subfinder -d example.com --wildcard
--timeout
: This option sets the timeout for HTTP requests in seconds. You can use the following command to set the timeout to 10 seconds:
subfinder -d example.com --timeout 10
While subfinder is a powerful tool for subdomain enumeration, it has some limitations that are important to keep in mind:
- False positives: Like any subdomain enumeration tool, subfinder can produce false positives — subdomains that do not actually exist. This can happen when a subdomain was previously used but is no longer in use, or when a domain has been parked or redirected to another domain. It is important to manually verify any subdomains found by subfinder to ensure that they are actually in use.
- Limited data sources: Subfinder relies on various data sources to enumerate subdomains, and not all of these sources are comprehensive or up-to-date. Some sources may have incomplete data or may be missing some subdomains, which can result in an incomplete list of subdomains.
- DNS caching: DNS caching can cause subfinder to miss newly added subdomains or subdomains that have recently changed their DNS records. This is because subfinder relies on DNS queries to enumerate subdomains, and DNS caches can take some time to update with new information.
- Rate limits: Some data sources used by subfinder may have rate limits in place, which can limit the number of subdomains that can be enumerated in a given time period. This can result in incomplete or delayed results.
- False negatives: In some cases, subdomains may not be detected by subfinder. This can happen when a subdomain is not in use or has been recently added, and has not yet been indexed by any of the data sources used by subfinder.
It is important to keep these limitations in mind when using subfinder, and to use multiple tools and manual verification to ensure that all subdomains have been properly identified.
Tips for efficiently using subfinder to find subdomains
- Use multiple data sources: Subfinder uses multiple data sources to find subdomains. By default, it uses nine different sources. You can also add your own data sources. Using multiple data sources can help you find more subdomains.
- Use the
-d
flag to specify the target domain: When using subfinder, you can specify the target domain using the-d
flag. This will limit the search to only that domain, which can help you find subdomains faster. - Use the
-nW
flag to exclude wildcard subdomains: Wildcard subdomains are subdomains that match any subdomain name. They can make it difficult to find actual subdomains. You can exclude wildcard subdomains using the-nW
flag. - Use the
-o
flag to save results: You can use the-o
flag to save the results of your subdomain search to a file. This can be helpful for reviewing the results later or for using the results in other tools. - Use the
-silent
flag for a quiet output: When you run subfinder, it can produce a lot of output. You can use the-silent
flag to suppress some of that output, which can make it easier to see the results. - Use the
-t
flag to specify the number of threads: Subfinder uses multiple threads to search for subdomains. You can use the-t
flag to specify the number of threads to use. Using more threads can speed up the search, but it can also increase the load on the target domain's server. - Use the
-b
flag to enable brute forcing: Subfinder can also perform brute force searches to find subdomains. You can use the-b
flag to enable brute forcing. This can be helpful for finding subdomains that are not publicly visible, but it can also increase the load on the target domain's server.
Best practices for securing your subdomains
- Use HTTPS: Ensure that all subdomains are served over HTTPS to prevent attackers from intercepting sensitive data in transit. You can use services like Let’s Encrypt to obtain free SSL certificates for your subdomains.
- Implement DNSSEC: Implement DNSSEC to protect against DNS spoofing attacks, which can redirect users to malicious websites.
- Monitor DNS records: Regularly monitor your DNS records to ensure that no unauthorized changes have been made. Use tools like DNS monitoring services or scripts to alert you to any changes.
- Avoid wildcard subdomains: Wildcard subdomains can make it difficult to secure your subdomains, so it’s best to avoid using them. If you do need to use wildcard subdomains, ensure that they are properly secured.
- Set appropriate permissions: Ensure that appropriate permissions are set for all subdomains to prevent unauthorized access. Avoid using default or weak passwords and implement two-factor authentication for access to critical subdomains.
- Patch software and keep systems up-to-date: Ensure that all software running on your subdomains is patched and up-to-date to prevent known vulnerabilities from being exploited.
- Perform regular vulnerability assessments: Perform regular vulnerability assessments and penetration testing to identify any weaknesses in your subdomain security posture.
Subfinder is a valuable tool for cybersecurity professionals because it automates the process of subdomain enumeration, which can be time-consuming and error-prone if done manually. Subfinder uses multiple data sources to find subdomains and provides various filtering options to help identify only the most relevant subdomains. It also supports the use of API keys for additional data sources, and can be integrated into scripts for automated scanning. Subfinder helps security professionals to identify potential attack surfaces, and to secure them before they can be exploited by attackers.