Subfinder Subdomain Enumeration Cheat Sheet
Overview
Subfinder is a powerful subdomain discovery tool developed by Project Discovery that discovers valid subdomains for websites using passive online sources. It has a simple modular architecture and is optimized for speed and efficiency. Subfinder uses various public and private sources to find subdomains, including search engines, DNS aggregators, and certificate transparency logs.
What sets Subfinder apart from other subdomain enumeration tools is its extensive source coverage and its ability to use API keys for enhanced results. By leveraging multiple data sources simultaneously, Subfinder can discover subdomains that might be missed by other tools. It's designed to be easily integrated into security workflows and can be used in combination with other tools for comprehensive reconnaissance.
Subfinder is widely used by security researchers, bug bounty hunters, and penetration testers as the first step in reconnaissance to map the attack surface of a target organization. Its passive approach means it doesn't generate suspicious traffic to the target, making it suitable for stealthy reconnaissance.
Installation
Using Go
bash
# Install using Go (requires Go 1.20 or later)
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
# Verify installation
subfinder -version
Using Docker
bash
# Pull the latest Docker image
docker pull projectdiscovery/subfinder:latest
# Run Subfinder using Docker
docker run -it projectdiscovery/subfinder:latest -h
Using Homebrew (macOS)
bash
# Install using Homebrew
brew install subfinder
# Verify installation
subfinder -version
Using PDTM (Project Discovery Tools Manager)
bash
# Install PDTM first if not already installed
go install -v github.com/projectdiscovery/pdtm/cmd/pdtm@latest
# Install Subfinder using PDTM
pdtm -i subfinder
# Verify installation
subfinder -version
On Kali Linux
bash
# Install using apt
sudo apt install subfinder
# Verify installation
subfinder -version
Basic Usage
Enumerating Subdomains
bash
# Enumerate subdomains for a single domain
subfinder -d example.com
# Enumerate subdomains for multiple domains
subfinder -d example.com,hackerone.com
# Enumerate subdomains from a list of domains
subfinder -dL domains.txt
Output Options
bash
# Save results to a file
subfinder -d example.com -o results.txt
# Output in JSON format
subfinder -d example.com -oJ -o results.json
# Output in JSONL format
subfinder -d example.com -oJ -nW -o results.jsonl
# Output in CSV format
subfinder -d example.com -oC -o results.csv
# Silent mode (only subdomains)
subfinder -d example.com -silent
Basic Filtering
bash
# Remove wildcard subdomains
subfinder -d example.com -nW
# Exclude specific subdomains
subfinder -d example.com -exclude-domains dev.example.com,stage.example.com
# Match specific subdomains
subfinder -d example.com -match-domain api.example.com
Advanced Usage
Source Selection
bash
# List all available sources
subfinder -ls
# Use specific sources
subfinder -d example.com -sources censys,shodan,virustotal
# Exclude specific sources
subfinder -d example.com -exclude-sources alienvault,threatcrowd
API Configuration
bash
# Set API keys interactively
subfinder -set-config
# Set specific API key
subfinder -set-config VirusTotal=APIKEY
# Use a custom configuration file
subfinder -d example.com -config config.yaml
Recursive Enumeration
bash
# Enable recursive subdomain discovery
subfinder -d example.com -recursive
# Set maximum recursion depth
subfinder -d example.com -recursive -max-depth 2
DNS Resolution
bash
# Resolve discovered subdomains
subfinder -d example.com -resolve
# Use custom resolvers
subfinder -d example.com -resolve -r resolvers.txt
Active Enumeration
bash
# Enable active enumeration
subfinder -d example.com -active
# Set timeout for active enumeration
subfinder -d example.com -active -timeout 10
Performance Optimization
Concurrency and Rate Limiting
bash
# Set source concurrency (default: 10)
subfinder -d example.com -sc 20
# Set host concurrency (default: 10)
subfinder -d example.com -hc 20
# Set rate limit
subfinder -d example.com -rate-limit 100
Timeout Options
bash
# Set timeout for passive sources
subfinder -d example.com -timeout 30
# Set timeout for active resolution
subfinder -d example.com -resolve -timeout-resolve 5
Optimization for Large Scans
bash
# Use all sources for comprehensive results
subfinder -d example.com -all
# Increase concurrency for faster scanning
subfinder -d example.com -sc 50 -hc 50
Integration with Other Tools
Pipeline with HTTPX
bash
# Find subdomains and probe for HTTP services
subfinder -d example.com -silent | httpx -silent
# Find subdomains, resolve them, and probe for HTTP services
subfinder -d example.com -silent -resolve | httpx -silent
Pipeline with Nuclei
bash
# Find subdomains and scan for vulnerabilities
subfinder -d example.com -silent | httpx -silent | nuclei -t cves/
# Find subdomains with specific patterns and scan for vulnerabilities
subfinder -d example.com -silent | grep api | httpx -silent | nuclei -t apis/
Pipeline with Naabu
bash
# Find subdomains and scan for open ports
subfinder -d example.com -silent | naabu -silent
# Find subdomains, scan for open ports, and probe for HTTP services
subfinder -d example.com -silent | naabu -silent | httpx -silent
Output Customization
Custom Output Format
bash
# Output only specific fields in JSON format
subfinder -d example.com -oJ | jq '.host'
# Count total subdomains
subfinder -d example.com -silent | wc -l
# Sort output alphabetically
subfinder -d example.com -silent | sort
Filtering Output
bash
# Filter subdomains by pattern
subfinder -d example.com -silent | grep api
# Filter out specific patterns
subfinder -d example.com -silent | grep -v dev
# Find unique root subdomains
subfinder -d example.com -silent | awk -F. '{print $(NF-1)"."$NF}' | sort -u
Advanced Filtering
bash
# Filter by subdomain level
subfinder -d example.com -silent | awk -F. 'NF==3' # 2nd level subdomains
subfinder -d example.com -silent | awk -F. 'NF==4' # 3rd level subdomains
subfinder -d example.com -silent | awk -F. 'NF>=5' # Deep level subdomains
# Filter by specific patterns
subfinder -d example.com -silent | grep -E '(api|dev|stage|test)'
# Exclude common development subdomains
subfinder -d example.com -silent | grep -v -E '(dev|stage|test|uat)'
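The `grep api` and `grep -v dev` filters above match substrings, so `therapist.example.com` passes an `api` filter and `devices.example.com` is dropped by a `dev` exclusion. The following is an added example, not part of the original cheat sheet: it matches whole DNS labels and applies an in-scope list and an exclusion list to the results. The function names, the files `scope.txt` and `exclude.txt`, and the sample hosts are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: function names, scope.txt/exclude.txt and all hosts are constructed.

# scope_filter SCOPE_FILE EXCLUDE_FILE < hosts
# Keeps a host only when it is, or sits under, an in-scope domain and is not
# under an excluded name. Comparison is on whole DNS labels, not substrings.
scope_filter() {
  awk -v scope_file="$1" -v excl_file="$2" '
    function norm(h) {              # lowercase, trim, drop "*." and trailing dot
      h = tolower(h); gsub(/^[ \t]+|[ \t\r]+$/, "", h)
      sub(/^\*\./, "", h); sub(/\.$/, "", h); return h
    }
    function under(host, name,   n, hl) {
      if (host == name) return 1
      n = length(name); hl = length(host)
      return (hl > n + 1 && substr(host, hl - n) == "." name)
    }
    function in_list(host, list, count,   i) {
      for (i = 1; i <= count; i++) if (under(host, list[i])) return 1
      return 0
    }
    BEGIN {
      while ((getline l < scope_file) > 0) { l = norm(l); if (l != "") scope[++ns] = l }
      while ((getline l < excl_file) > 0)  { l = norm(l); if (l != "") excl[++ne] = l }
    }
    {
      h = norm($0)
      if (h !~ /^[a-z0-9_.-]+$/ || seen[h]++) next
      if (in_list(h, scope, ns) && !in_list(h, excl, ne)) print h
    }'
}

# has_label LABEL < hosts: keep hosts that contain LABEL as a complete label.
has_label() {
  awk -F. -v want="$1" '{ for (i = 1; i <= NF; i++) if (tolower($i) == want) { print; next } }'
}

# Constructed sample standing in for `subfinder -d example.com -silent` output.
demo() {
  local tmp; tmp=$(mktemp -d)
  printf '%s\n' 'example.com' > "$tmp/scope.txt"
  printf '%s\n' 'corp.example.com' > "$tmp/exclude.txt"
  printf '%s\n' 'API.example.com' 'api.example.com.' '*.cdn.example.com' \
    'therapist.example.com' 'vpn.corp.example.com' 'notexample.com' \
    'example.com.evil.test' | scope_filter "$tmp/scope.txt" "$tmp/exclude.txt"
  rm -rf "$tmp"
}
```

In a pipeline the filter sits between enumeration and probing, for example `subfinder -d example.com -silent | scope_filter scope.txt exclude.txt | httpx -silent`.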
API Key Configuration
Configuring API Keys
Subfinder supports various API providers. Here's how to configure them:
bash
# Create a configuration file
mkdir -p $HOME/.config/subfinder
cat > $HOME/.config/subfinder/config.yaml << EOF
resolvers:
- 1.1.1.1
- 8.8.8.8
sources:
- alienvault
- censys
- shodan
- virustotal
binaryedge:
- 0bf8919b-aab9-42e4-9574-d3b639324597
censys:
- ac244e2f-b635-4581-878a-33f4e79a2c13:dd510d6e-1b6e-4655-83f6-f347b363def9
certspotter:
- 0412e8d1-5a86-47b4-a1a6-2a3b4a104a1a
github:
- ghp_16C7e42F292c6912E7710c838347Ae178B4a
passivetotal:
- sample-email@user.com:sample-password
securitytrails:
- 9e56ef28-540b-4e0c-a51e-aba1f0d2d4d3
shodan:
- AAAAClP1bJJSRMEYJazgwhJKrggRwKA
virustotal:
- 6f5e5b82a6b5a61951c6a659d4a4522b34b3950d1e35e93131a7f63a3c352553
EOF
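The file written above holds live API credentials, so it should be readable only by its owner and should not be dumped to a terminal or ticket with a plain `cat`. The following is an added example, not part of the original cheat sheet or of Subfinder itself: it checks the file mode and prints a redacted copy of the configuration. The function names and the sample key values are constructed, and the redaction assumes the `provider:` followed by `- value` list layout shown on this page.

```shell
#!/usr/bin/env bash
# Added example; function names and the sample key values are constructed.

# config_mode_ok FILE: succeed only when group/other have no access bits.
config_mode_ok() {
  local mode
  # GNU stat uses -c, BSD/macOS stat uses -f.
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 2
  [ $(( 0$mode & 077 )) -eq 0 ]
}

# redact_config FILE: print the YAML with every credential masked, so the
# layout can be reviewed without exposing keys. The resolvers and sources
# lists are not secrets and are printed unchanged.
redact_config() {
  awk '
    /^[A-Za-z0-9_-]+:[ \t]*$/ { section = $0; sub(/:.*/, "", section); print; next }
    /^[ \t]*-[ \t]*/ && section != "resolvers" && section != "sources" {
      match($0, /^[ \t]*-[ \t]*/)
      print substr($0, 1, RLENGTH) "<redacted>"
      next
    }
    { print }' "$1"
}

# Demonstration on a constructed file (never a real configuration).
demo_config() {
  local f; f=$(mktemp)
  printf '%s\n' 'resolvers:' '  - 1.1.1.1' 'sources:' '  - shodan' \
    'shodan:' '  - CONSTRUCTED-KEY-0001' 'censys:' '  - ID0001:SECRET0001' > "$f"
  chmod 644 "$f"; config_mode_ok "$f" && echo "mode ok" || echo "mode too open"
  chmod 600 "$f"; config_mode_ok "$f" && echo "mode ok" || echo "mode too open"
  redact_config "$f"
  rm -f "$f"
}
```

Against a real installation, run `config_mode_ok "$HOME/.config/subfinder/config.yaml" || chmod 600 "$HOME/.config/subfinder/config.yaml"`, and use `redact_config` wherever the troubleshooting steps call for viewing the file.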
Supported API Providers
Provider | Description |
---|---|
BinaryEdge | Search for internet-exposed devices |
Censys | Search engine for internet-connected devices |
Certspotter | Certificate transparency monitoring |
GitHub | Code hosting platform |
PassiveTotal | Threat intelligence platform |
SecurityTrails | DNS and domain data provider |
Shodan | Search engine for internet-connected devices |
VirusTotal | File and URL analysis service |
Troubleshooting
Common Issues
Rate Limiting by Sources
bash
# Reduce concurrency
subfinder -d example.com -sc 5
# Add delay between requests
subfinder -d example.com -delay 2
API Key Issues
bash
# Verify API key configuration
cat $HOME/.config/subfinder/config.yaml
# Test specific source
subfinder -d example.com -sources censys
DNS Resolution Issues
bash
# Use custom resolvers
subfinder -d example.com -resolve -r resolvers.txt
# Increase resolution timeout
subfinder -d example.com -resolve -timeout-resolve 10
Memory Issues
bash
# Process domains one by one
for domain in $(cat domains.txt); do
  subfinder -d "$domain" -o "$domain-subs.txt"
done
Debugging
bash
# Enable verbose mode
subfinder -d example.com -v
# Show debug information
subfinder -d example.com -debug
# Check source statistics
subfinder -d example.com -stats
Configuration
Configuration File
Subfinder uses a configuration file located at $HOME/.config/subfinder/config.yaml. You can customize various settings in this file:
yaml
# Example configuration file
resolvers:
- 1.1.1.1
- 8.8.8.8
sources:
- alienvault
- censys
- shodan
- virustotal
# API keys for different providers
binaryedge:
- API_KEY
censys:
- API_ID:API_SECRET
Environment Variables
bash
# Set Subfinder configuration via environment variables
export SUBFINDER_CONFIG_PATH=/path/to/config.yaml
export SUBFINDER_SOURCES=censys,shodan,virustotal
export SUBFINDER_RESOLVERS=1.1.1.1,8.8.8.8
Reference
Command Line Options
Flag | Description |
---|---|
-d, -domain | Domain to find subdomains for |
-dL, -domain-list | File containing list of domains |
-o, -output | File to write output to |
-oJ | Write output in JSON format |
-oC | Write output in CSV format |
-silent | Show only subdomains in output |
-v, -verbose | Show verbose output |
-ls, -list-sources | List all available sources |
-s, -sources | Sources to use for enumeration |
-es, -exclude-sources | Sources to exclude from enumeration |
-recursive | Recursive subdomain discovery |
-max-depth | Maximum recursion depth |
-nW, -no-wildcards | Remove wildcard subdomains |
-exclude-domains | Subdomains to exclude from enumeration |
-match-domain | Subdomains to match in enumeration |
-r, -resolvers | File containing list of resolvers |
-resolve | Resolve discovered subdomains |
-active | Enable active subdomain enumeration |
-timeout | Timeout for passive sources in seconds |
-timeout-resolve | Timeout for resolver requests in seconds |
-sc, -source-concurrency | Number of concurrent sources |
-hc, -host-concurrency | Number of concurrent hosts |
-rate-limit | Maximum number of HTTP requests per second |
-all | Use all sources for enumeration |
-config | Path to configuration file |
-set-config | Set configuration values |
-version | Show Subfinder version |
Available Sources
Source | Description | API Key Required |
---|---|---|
Alienvault | Open Threat Exchange | No |
Anubis | Subdomain data from Anubis | No |
Archiveis | Archive.is URL archive | No |
Binaryedge | Internet scanning data | Yes |
BufferOver | DNS data | No |
Censys | Internet scanning data | Yes |
CertSpotter | Certificate transparency logs | Yes (for better results) |
Chaos | Project Discovery's Chaos dataset | Yes |
Commoncrawl | Web crawl data | No |
DNSDB | Passive DNS database | Yes |
DNSRepo | DNS records repository | No |
Entrust | Certificate transparency logs | No |
FacebookCT | Facebook's certificate transparency logs | No |
GitHub | Code search | Yes (for better results) |
Intelx | Intelligence X data | Yes |
PassiveTotal | RiskIQ's passive DNS data | Yes |
Rapiddns | DNS records database | No |
Riddler | DNS records search | No |
SecurityTrails | DNS records database | Yes |
Shodan | Internet scanning data | Yes |
ThreatBook | Threat intelligence data | Yes |
ThreatMiner | Threat intelligence data | No |
URLScan | URL scanning service | No |
VirusTotal | Security service for files and URLs | Yes |
Waybackarchive | Internet Archive's Wayback Machine | No |
ZoomEye | Cyberspace search engine | Yes |
Resources
This cheat sheet provides a comprehensive reference for using Subfinder, from basic enumeration to advanced filtering and integration with other tools. For the most up-to-date information, always refer to the official documentation.