Subfinder is an open-source tool that is designed to help bug hunter and penetration testers discover subdomains related to a specific domain. Subdomains are often overlooked by security teams and can be used by attackers to gain unauthorized access to a network and also takeover the subdomain. Subfinder helps security professionals find these subdomains, which can then be analyzed for vulnerabilities.
How Subfinder Works
Subfinder is a command-line tool that uses various search engines to find subdomains related to a specific domain. This tool uses a combination of brute-force techniques and advanced search algorithms to identify subdomains, including permutations and alterations of the domain name. The tool is designed to be fast and efficient, with the ability to find thousands of subdomains in a matter of minutes.
Subfinder also supports recursive subdomain scanning, which allows it to identify subdomains that are not directly related to the domain name but are linked to it through other subdomains. This feature can be especially useful for identifying subdomains that are hidden or not publicly accessible.
- Multiple sources: This tool uses multiple sources to find subdomains, including search engines, certificate transparency logs, and web archives. This ensures a wider range of potential subdomains can be discovered.
- Fast and efficient: This tool is designed to be fast and efficient, with the ability to find thousands of subdomains in a matter of minutes.
- Customizable output: This tool allows users to customize the output of the tool. This includes the ability to output the subdomains in various formats, including JSON, CSV, and TXT.
- Configurable DNS resolver: This tool allows users to specify the DNS resolver used to resolve subdomains. This can help to bypass certain DNS blocking mechanisms.
- Integration with other tools: Subfinder can be integrated with other tools, such as Nmap and Dirb, to provide a more comprehensive view of the target’s infrastructure.
Subfinder can be installed on various platforms, including Windows, Linux, and macOS. This tool requires go1.19 to install successfully. Run the following command to install the latest version:
Post Installation Instructions
After the installation process was successful you can use the tool, however the following services require configuring API keys to work:
BeVigil, BinaryEdge, BufferOver, C99, Censys, CertSpotter, Chaos, Chinaz, DnsDB, Fofa, FullHunt, GitHub, Intelx, PassiveTotal, quake, Robtex, SecurityTrails, Shodan, ThreatBook, VirusTotal, WhoisXML API, ZoomEye, ZoomEye API, dnsrepo, Hunter
You can also use the
subfinder -ls command to display all the available sources.
These values are stored in the
$HOME/.config/subfinder/provider-config.yaml file which will be created when you run the tool for the first time. The configuration file uses the YAML format. Multiple API keys can be specified for each of these services from which one of them will be used for enumeration.
How to Use Subfinder
To use Subfinder, users can specify the target domain using the “-d” option. For example, the following command can be used to find subdomains for the target domain “example.com”:
Subfinder can output the discovered subdomains in various formats, including JSON, CSV, and TXT. Users can specify the output format using the “-o” option. For example, the following command can be used to output the discovered subdomains in JSON format:
This tool also can be integrated with other tools, such as Nmap and Dirb, to provide a more comprehensive view of the target’s infrastructure. For example, the following command can be used to scan the discovered subdomains using Nmap:
In this example, the subdomains discovered by Subfinder are piped to Nmap, which scans each subdomain for open ports and services.