Subfinder Subdomain Enumeration Cheat Sheet
Sinopsis
Subfinder es una poderosa herramienta de descubrimiento de subdominio desarrollada por Project Discovery que descubre subdominios válidos para sitios web usando fuentes en línea pasivas. Tiene una arquitectura modular sencilla y está optimizada para la velocidad y la eficiencia. Subfinder utiliza varias fuentes públicas y privadas para encontrar subdominios, incluyendo motores de búsqueda, agregadores DNS y registros de transparencia de certificados.
Qué conjunto Subfinder aparte de otras herramientas de enumeración de subdominio es su amplia cobertura de fuente y su capacidad de utilizar las claves de API para resultados mejorados. Al aprovechar múltiples fuentes de datos simultáneamente, Subfinder puede descubrir subdominios que podrían perderse por otras herramientas. Está diseñado para ser fácilmente integrado en flujos de trabajo de seguridad y se puede utilizar en combinación con otras herramientas para un reconocimiento integral.
Subfinder es ampliamente utilizado por investigadores de seguridad, cazadores de recompensas de fallos, y testadores de penetración como el primer paso en el reconocimiento para mapear la superficie de ataque de una organización objetivo. Su enfoque pasivo significa que no genera tráfico sospechoso al objetivo, lo que lo hace adecuado para el reconocimiento robótico.
Instalación
Usando Go
# Install using Go (requires Go 1.20 or later)
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
# Verify installation
subfinder -version
Usando Docker
# Pull the latest Docker image
docker pull projectdiscovery/subfinder:latest
# Run Subfinder using Docker
docker run -it projectdiscovery/subfinder:latest -h
Utilizando Homebrew (macOS)
# Install using Homebrew
brew install subfinder
# Verify installation
subfinder -version
Utilizando PDTM (Project Discovery Tools Manager)
# Install PDTM first if not already installed
go install -v github.com/projectdiscovery/pdtm/cmd/pdtm@latest
# Install Subfinder using PDTM
pdtm -i subfinder
# Verify installation
subfinder -version
En Kali Linux
# Install using apt
sudo apt install subfinder
# Verify installation
subfinder -version
Uso básico
Subdominios en potenciación
# Enumerate subdomains for a single domain
subfinder -d example.com
# Enumerate subdomains for multiple domains
subfinder -d example.com,hackerone.com
# Enumerate subdomains from a list of domains
subfinder -dL domains.txt
Opciones de salida
# Save results to a file
subfinder -d example.com -o results.txt
# Output in JSON format
subfinder -d example.com -oJ -o results.json
# Output in JSONL format
subfinder -d example.com -oJ -nW -o results.jsonl
# Output in CSV format
subfinder -d example.com -oC -o results.csv
# Silent mode (only subdomains)
subfinder -d example.com -silent
Filtro básico
# Remove wildcard subdomains
subfinder -d example.com -nW
# Exclude specific subdomains
subfinder -d example.com -exclude-domains dev.example.com,stage.example.com
# Match specific subdomains
subfinder -d example.com -match-domain api.example.com
Uso avanzado
Selección de fuentes
# List all available sources
subfinder -ls
# Use specific sources
subfinder -d example.com -sources censys,shodan,virustotal
# Exclude specific sources
subfinder -d example.com -exclude-sources alienvault,threatcrowd
Configuración de API
# Set API keys interactively
subfinder -set-config
# Set specific API key
subfinder -set-config VirusTotal=APIKEY
# Use a custom configuration file
subfinder -d example.com -config config.yaml
Enumeración Recursiva
# Enable recursive subdomain discovery
subfinder -d example.com -recursive
# Set maximum recursion depth
subfinder -d example.com -recursive -max-depth 2
Resolución DNS
# Resolve discovered subdomains
subfinder -d example.com -resolve
# Use custom resolvers
subfinder -d example.com -resolve -r resolvers.txt
Enumeración activa
# Enable active enumeration
subfinder -d example.com -active
# Set timeout for active enumeration
subfinder -d example.com -active -timeout 10
Optimización del rendimiento
Concurrencia y limitación de tarifas
# Set source concurrency (default: 10)
subfinder -d example.com -sc 20
# Set host concurrency (default: 10)
subfinder -d example.com -hc 20
# Set rate limit
subfinder -d example.com -rate-limit 100
Opciones de tiempo
# Set timeout for passive sources
subfinder -d example.com -timeout 30
# Set timeout for active resolution
subfinder -d example.com -resolve -timeout-resolve 5
Optimización para grandes escáneres
# Use all sources for comprehensive results
subfinder -d example.com -all
# Increase concurrency for faster scanning
subfinder -d example.com -sc 50 -hc 50
Integración con otras herramientas
Pipeline con HTTPX
# Find subdomains and probe for HTTP services
subfinder -d example.com -silent|httpx -silent
# Find subdomains, resolve them, and probe for HTTP services
subfinder -d example.com -silent -resolve|httpx -silent
Pipeline con Nuclei
# Find subdomains and scan for vulnerabilities
subfinder -d example.com -silent|httpx -silent|nuclei -t cves/
# Find subdomains with specific patterns and scan for vulnerabilities
subfinder -d example.com -silent|grep api|httpx -silent|nuclei -t apis/
Pipeline con Naabu
# Find subdomains and scan for open ports
subfinder -d example.com -silent|naabu -silent
# Find subdomains, scan for open ports, and probe for HTTP services
subfinder -d example.com -silent|naabu -silent|httpx -silent
Personalización de productos
Formato de salida personalizado
# Output only specific fields in JSON format
subfinder -d example.com -oJ|jq '.host'
# Count total subdomains
subfinder -d example.com -silent|wc -l
# Sort output alphabetically
subfinder -d example.com -silent|sort
Filtro de salida
# Filter subdomains by pattern
subfinder -d example.com -silent|grep api
# Filter out specific patterns
subfinder -d example.com -silent|grep -v dev
# Find unique root subdomains
subfinder -d example.com -silent|awk -F. '\\\\{print $(NF-1)"."$NF\\\\}'|sort -u
Filtro avanzado
# Filter by subdomain level
subfinder -d example.com -silent|awk -F. 'NF==3' # 2nd level subdomains
subfinder -d example.com -silent|awk -F. 'NF==4' # 3rd level subdomains
subfinder -d example.com -silent|awk -F. 'NF>=5' # Deep level subdomains
# Filter by specific patterns
subfinder -d example.com -silent|grep -E '(api|dev|stage|test)'
# Exclude common development subdomains
subfinder -d example.com -silent|grep -v -E '(dev|stage|test|uat)'
API Configuración clave
Configuración de API Llaves
Subfinder admite varios proveedores de API. Así es como configurarlos:
# Create a configuration file
mkdir -p $HOME/.config/subfinder
cat > $HOME/.config/subfinder/config.yaml << EOF
resolvers:
- 1.1.1.1
- 8.8.8.8
sources:
- alienvault
- censys
- shodan
- virustotal
binaryedge:
- 0bf8919b-aab9-42e4-9574-d3b639324597
censys:
- ac244e2f-b635-4581-878a-33f4e79a2c13:dd510d6e-1b6e-4655-83f6-f347b363def9
certspotter:
- 0412e8d1-5a86-47b4-a1a6-2a3b4a104a1a
github:
- ghp_16C7e42F292c6912E7710c838347Ae178B4a
passivetotal:
- sample-email@user.com:sample-password
securitytrails:
- 9e56ef28-540b-4e0c-a51e-aba1f0d2d4d3
shodan:
- AAAAClP1bJJSRMEYJazgwhJKrggRwKA
virustotal:
- 6f5e5b82a6b5a61951c6a659d4a4522b34b3950d1e35e93131a7f63a3c352553
EOF
Proveedores de API compatibles
| Provider | Description |
|---|---|
| BinaryEdge | Search for internet-exposed devices |
| Censys | Search engine for internet-connected devices |
| Certspotter | Certificate transparency monitoring |
| GitHub | Code hosting platform |
| PassiveTotal | Threat intelligence platform |
| SecurityTrails | DNS and domain data provider |
| Shodan | Search engine for internet-connected devices |
| VirusTotal | File and URL analysis service |
Solución de problemas
Cuestiones comunes
- ** Limitación de destino por fuentes* *
# Reduce concurrency
subfinder -d example.com -sc 5
# Add delay between requests
subfinder -d example.com -delay 2
```
2. ** Cuestiones clave de la Iniciativa**
```bash
# Verify API key configuration
cat $HOME/.config/subfinder/config.yaml
# Test specific source
subfinder -d example.com -sources censys
```
3. **DNS Resolution Issues**
```bash
# Use custom resolvers
subfinder -d example.com -resolve -r resolvers.txt
# Increase resolution timeout
subfinder -d example.com -resolve -timeout-resolve 10
```
4. * Problemas de memoria*
```bash
# Process domains one by one
for domain in $(cat domains.txt); do subfinder -d $domain -o "$domain-subs.txt"; done
```
### Debugging
```bash
# Enable verbose mode
subfinder -d example.com -v
# Show debug information
subfinder -d example.com -debug
# Check source statistics
subfinder -d example.com -stats
Configuración
Archivo de configuración
Subfinder utiliza un archivo de configuración ubicado en $HOME/.config/subfinder/config.yaml. Puede personalizar varios ajustes en este archivo:
# Example configuration file
resolvers:
- 1.1.1.1
- 8.8.8.8
sources:
- alienvault
- censys
- shodan
- virustotal
# API keys for different providers
binaryedge:
- API_KEY
censys:
- API_ID:API_SECRET
Medio ambiente
# Set Subfinder configuration via environment variables
export SUBFINDER_CONFIG_PATH=/path/to/config.yaml
export SUBFINDER_SOURCES=censys,shodan,virustotal
export SUBFINDER_RESOLVERS=1.1.1.1,8.8.8.8
Referencia
Opciones de línea de mando
| Flag | Description |
|---|---|
-d, -domain |
Domain to find subdomains for |
-dL, -domain-list |
File containing list of domains |
-o, -output |
File to write output to |
-oJ |
Write output in JSON format |
-oC |
Write output in CSV format |
-silent |
Show only subdomains in output |
-v, -verbose |
Show verbose output |
-ls, -list-sources |
List all available sources |
-s, -sources |
Sources to use for enumeration |
-es, -exclude-sources |
Sources to exclude from enumeration |
-recursive |
Recursive subdomain discovery |
-max-depth |
Maximum recursion depth |
-nW, -no-wildcards |
Remove wildcard subdomains |
-exclude-domains |
Subdomains to exclude from enumeration |
-match-domain |
Subdomains to match in enumeration |
-r, -resolvers |
File containing list of resolvers |
-resolve |
Resolve discovered subdomains |
-active |
Enable active subdomain enumeration |
-timeout |
Timeout for passive sources in seconds |
-timeout-resolve |
Timeout for resolver requests in seconds |
-sc, -source-concurrency |
Number of concurrent sources |
-hc, -host-concurrency |
Number of concurrent hosts |
-rate-limit |
Maximum number of HTTP requests per second |
-all |
Use all sources for enumeration |
-config |
Path to configuration file |
-set-config |
Set configuration values |
-version |
Show Subfinder version |
Fuentes disponibles
| Source | Description | API Key Required |
|---|---|---|
| Alienvault | Open Threat Exchange | No |
| Anubis | Subdomain data from Anubis | No |
| Archiveis | Archive.is URL archive | No |
| Binaryedge | Internet scanning data | Yes |
| BufferOver | DNS data | No |
| Censys | Internet scanning data | Yes |
| CertSpotter | Certificate transparency logs | Yes (for better results) |
| Chaos | Project Discovery's Chaos dataset | Yes |
| Commoncrawl | Web crawl data | No |
| DNSDB | Passive DNS database | Yes |
| DNSRepo | DNS records repository | No |
| Entrust | Certificate transparency logs | No |
| FacebookCT | Facebook's certificate transparency logs | No |
| GitHub | Code search | Yes (for better results) |
| Intelx | Intelligence X data | Yes |
| PassiveTotal | RiskIQ's passive DNS data | Yes |
| Rapiddns | DNS records database | No |
| Riddler | DNS records search | No |
| SecurityTrails | DNS records database | Yes |
| Shodan | Internet scanning data | Yes |
| ThreatBook | Threat intelligence data | Yes |
| ThreatMiner | Threat intelligence data | No |
| URLScan | URL scanning service | No |
| VirusTotal | Security service for files and URLs | Yes |
| Waybackarchive | Internet Archive's Wayback Machine | No |
| ZoomEye | Cyberspace search engine | Yes |
Recursos
-...
*Esta hoja de trampa proporciona una referencia completa para el uso de Subfinder, desde la enumeración básica hasta el filtrado avanzado e integración con otras herramientas. Para la información más actualizada, consulte siempre la documentación oficial. *