Subfinder Subdomain Enumeration Cheat Sheet

Overview

Subfinder is a subdomain discovery tool developed by ProjectDiscovery that discovers valid subdomains for websites using passive online sources. It has a simple modular architecture and is optimized for speed and efficiency. Subfinder uses various public and private sources to find subdomains, including search engines, DNS aggregators, and certificate transparency logs.

What sets Subfinder apart from other subdomain enumeration tools is its extensive source coverage and its ability to use API keys for enhanced results. By leveraging multiple data sources simultaneously, Subfinder can discover subdomains that might be missed by other tools. It's designed to be easily integrated into security workflows and can be used in combination with other tools for comprehensive reconnaissance.

Subfinder is widely used by security researchers, bug bounty hunters, and penetration testers as the first step in reconnaissance to map the attack surface of a target organization. Its passive approach means it doesn't generate suspicious traffic to the target, making it suitable for stealthy reconnaissance.

Installation

Using Go

# Install using Go (requires Go 1.20 or later)
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest

# Verify installation
subfinder -version

Using Docker

# Pull the latest Docker image
docker pull projectdiscovery/subfinder:latest

# Run Subfinder using Docker
docker run -it projectdiscovery/subfinder:latest -h

Using Homebrew (macOS)

# Install using Homebrew
brew install subfinder

# Verify installation
subfinder -version

Using PDTM (ProjectDiscovery Tools Manager)

# Install PDTM first if not already installed
go install -v github.com/projectdiscovery/pdtm/cmd/pdtm@latest

# Install Subfinder using PDTM
pdtm -i subfinder

# Verify installation
subfinder -version

On Kali Linux

# Install using apt
sudo apt install subfinder

# Verify installation
subfinder -version

Basic Usage

Enumerating Subdomains

# Enumerate subdomains for a single domain
subfinder -d example.com

# Enumerate subdomains for multiple domains
subfinder -d example.com,hackerone.com

# Enumerate subdomains from a list of domains
subfinder -dL domains.txt

Output Options

# Save results to a file
subfinder -d example.com -o results.txt

# Output in JSON format
subfinder -d example.com -oJ -o results.json

# Output in JSONL format
subfinder -d example.com -oJ -nW -o results.jsonl

# Output in CSV format
subfinder -d example.com -oC -o results.csv

# Silent mode (only subdomains)
subfinder -d example.com -silent

Basic Filtering

# Remove wildcard subdomains
subfinder -d example.com -nW

# Exclude specific subdomains
subfinder -d example.com -exclude-domains dev.example.com,stage.example.com

# Match specific subdomains
subfinder -d example.com -match-domain api.example.com

Advanced Usage

Source Selection

# List all available sources
subfinder -ls

# Use specific sources
subfinder -d example.com -sources censys,shodan,virustotal

# Exclude specific sources
subfinder -d example.com -exclude-sources alienvault,threatcrowd

API Configuration

# Set API keys interactively
subfinder -set-config

# Set specific API key
subfinder -set-config VirusTotal=APIKEY

# Use a custom configuration file
subfinder -d example.com -config config.yaml

Recursive Enumeration

# Enable recursive subdomain discovery
subfinder -d example.com -recursive

# Set maximum recursion depth
subfinder -d example.com -recursive -max-depth 2

DNS Resolution

# Resolve discovered subdomains
subfinder -d example.com -resolve

# Use custom resolvers
subfinder -d example.com -resolve -r resolvers.txt

Active Enumeration

# Enable active enumeration
subfinder -d example.com -active

# Set timeout for active enumeration
subfinder -d example.com -active -timeout 10

Performance Optimization

Concurrency and Rate Limiting

# Set source concurrency (default: 10)
subfinder -d example.com -sc 20

# Set host concurrency (default: 10)
subfinder -d example.com -hc 20

# Set rate limit
subfinder -d example.com -rate-limit 100

Timeout Options

# Set timeout for passive sources
subfinder -d example.com -timeout 30

# Set timeout for active resolution
subfinder -d example.com -resolve -timeout-resolve 5

Optimization for Large Scans

# Use all sources for comprehensive results
subfinder -d example.com -all

# Increase concurrency for faster scanning
subfinder -d example.com -sc 50 -hc 50

Integration with Other Tools

Pipeline with HTTPX

# Find subdomains and probe for HTTP services
subfinder -d example.com -silent|httpx -silent

# Find subdomains, resolve them, and probe for HTTP services
subfinder -d example.com -silent -resolve|httpx -silent

Pipeline with Nuclei

# Find subdomains and scan for vulnerabilities
subfinder -d example.com -silent|httpx -silent|nuclei -t cves/

# Find subdomains with specific patterns and scan for vulnerabilities
subfinder -d example.com -silent|grep api|httpx -silent|nuclei -t apis/

Pipeline with Naabu

# Find subdomains and scan for open ports
subfinder -d example.com -silent|naabu -silent

# Find subdomains, scan for open ports, and probe for HTTP services
subfinder -d example.com -silent|naabu -silent|httpx -silent

Output Customization

Custom Output Format

# Output only specific fields in JSON format
subfinder -d example.com -oJ|jq '.host'

# Count total subdomains
subfinder -d example.com -silent|wc -l

# Sort output alphabetically
subfinder -d example.com -silent|sort

Filtering Output

# Filter subdomains by pattern
subfinder -d example.com -silent|grep api

# Filter out specific patterns
subfinder -d example.com -silent|grep -v dev

# Find unique root subdomains
subfinder -d example.com -silent|awk -F. '{print $(NF-1)"."$NF}'|sort -u

Advanced Filtering

# Filter by subdomain level
subfinder -d example.com -silent|awk -F. 'NF==3'  # 2nd level subdomains
subfinder -d example.com -silent|awk -F. 'NF==4'  # 3rd level subdomains
subfinder -d example.com -silent|awk -F. 'NF>=5'  # Deep level subdomains

# Filter by specific patterns
subfinder -d example.com -silent|grep -E '(api|dev|stage|test)'

# Exclude common development subdomains
subfinder -d example.com -silent|grep -v -E '(dev|stage|test|uat)'
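The `grep api` filter above matches substrings (it also keeps `therapist.example.com`), and counting fields with `NF` gives different levels for roots such as `example.co.uk`. The following added example, not part of the original cheat sheet, anchors both checks to the in-scope root domain; the function names and sample hostnames are constructed for illustration.

```shell
#!/bin/sh
# Added example: scope-anchored filtering for `subfinder -silent` output.

# normalise_hosts: lowercase, strip trailing dot and leading "*.", dedupe.
normalise_hosts() {
  tr 'A-Z' 'a-z' | sed -e 's/\.$//' -e 's/^\*\.//' | sort -u
}

# in_scope ROOT: keep ROOT and names ending in ".ROOT"; print
# "<depth><TAB><host>", where depth counts the labels left of ROOT.
in_scope() {
  awk -v root="$1" '
    BEGIN { rl = length(root) }
    $0 == root { print 0 "\t" $0; next }
    length($0) > rl + 1 && substr($0, length($0) - rl) == "." root {
      left = substr($0, 1, length($0) - rl - 1)
      print split(left, parts, ".") "\t" $0
    }'
}

# has_label LABEL: keep rows whose host has LABEL as a complete DNS label.
has_label() {
  awk -F'\t' -v want="$1" '{
    n = split($2, l, ".")
    for (i = 1; i <= n; i++) if (l[i] == want) { print; next }
  }'
}

# Constructed sample input standing in for merged passive-source results.
sample_hosts() {
  printf '%s\n' 'API.example.com.' 'api.example.com' '*.dev.example.com' \
    'therapist.example.com' 'notexample.com' 'example.com.cdn.invalid' \
    'v2.api.eu.example.com' 'example.com'
}

sample_hosts | normalise_hosts | in_scope example.com | has_label api
```

In a real run, replace `sample_hosts` with `subfinder -d example.com -silent`; names outside the root are dropped before anything downstream probes them.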

API Key Configuration

Configuring API Keys

Subfinder supports various API providers. Here's how to configure them:

# Create a configuration file
mkdir -p "$HOME/.config/subfinder"
cat > "$HOME/.config/subfinder/config.yaml" << 'EOF'
resolvers:
  - 1.1.1.1
  - 8.8.8.8
sources:
  - alienvault
  - censys
  - shodan
  - virustotal
binaryedge:
  - 0bf8919b-aab9-42e4-9574-d3b639324597
censys:
  - ac244e2f-b635-4581-878a-33f4e79a2c13:dd510d6e-1b6e-4655-83f6-f347b363def9
certspotter:
  - 0412e8d1-5a86-47b4-a1a6-2a3b4a104a1a
github:
  - ghp_16C7e42F292c6912E7710c838347Ae178B4a
passivetotal:
  - sample-email@user.com:sample-password
securitytrails:
  - 9e56ef28-540b-4e0c-a51e-aba1f0d2d4d3
shodan:
  - AAAAClP1bJJSRMEYJazgwhJKrggRwKA
virustotal:
  - 6f5e5b82a6b5a61951c6a659d4a4522b34b3950d1e35e93131a7f63a3c352553
EOF
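Because this file stores provider credentials, it should be readable only by its owner, and printing it with `cat` puts the keys into terminal scrollback and logs. The following added example (not part of the original cheat sheet) checks the file mode and prints the configuration with key values masked; the function names are hypothetical, the sample keys are constructed placeholders, and the YAML layout is assumed to be the one shown above.

```shell
#!/bin/sh
# Added example: audit a Subfinder-style key file without echoing secrets.
# Assumes the layout shown above: top-level "name:" followed by "  - value".

# key_file_exposed FILE -> 0 if group/others have any permission bit set,
# 1 if the file is owner-only, 2 if it does not exist.
key_file_exposed() {
  [ -e "$1" ] || return 2
  perms=$(ls -ld -- "$1" | cut -c5-10)   # group + other bits, e.g. "r--r--"
  [ "$perms" != "------" ]
}

# redact_keys FILE -> print the file with every list value masked, except
# under "resolvers" and "sources", which hold no credentials.
redact_keys() {
  awk '
    /^[A-Za-z0-9_-]+:[ \t]*$/ { section = $0; sub(/:.*/, "", section); print; next }
    /^[ \t]*-[ \t]/ && section != "resolvers" && section != "sources" {
      val = $0; sub(/^[ \t]*-[ \t]*/, "", val)
      print "  - <redacted, " length(val) " chars>"; next
    }
    { print }' "$1"
}

# write_sample_config FILE: constructed placeholder data, not real keys.
# The umask keeps the file owner-only from the moment it is created.
write_sample_config() {
  ( umask 077
    printf '%s\n' 'resolvers:' '  - 1.1.1.1' 'sources:' '  - shodan' \
      'shodan:' '  - CONSTRUCTED_KEY_123' \
      'censys:' '  - CONSTRUCTED_ID:CONSTRUCTED_SECRET' > "$1" )
}

demo=$(mktemp)
write_sample_config "$demo"
if key_file_exposed "$demo"; then chmod 600 "$demo"; fi
redact_keys "$demo"
rm -f "$demo"
```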

Supported API Providers

| Provider | Description |
| --- | --- |
| BinaryEdge | Search for internet-exposed devices |
| Censys | Search engine for internet-connected devices |
| Certspotter | Certificate transparency monitoring |
| GitHub | Code hosting platform |
| PassiveTotal | Threat intelligence platform |
| SecurityTrails | DNS and domain data provider |
| Shodan | Search engine for internet-connected devices |
| VirusTotal | File and URL analysis service |

Troubleshooting

Common Issues

1. Rate Limiting by Sources

```bash
# Reduce concurrency
subfinder -d example.com -sc 5

# Add delay between requests
subfinder -d example.com -delay 2
```

2. API Key Issues

```bash
# Verify API key configuration
cat $HOME/.config/subfinder/config.yaml

# Test specific source
subfinder -d example.com -sources censys
```

3. DNS Resolution Issues

```bash
# Use custom resolvers
subfinder -d example.com -resolve -r resolvers.txt

# Increase resolution timeout
subfinder -d example.com -resolve -timeout-resolve 10
```

4. Memory Issues

```bash
# Process domains one by one
while IFS= read -r domain; do
  subfinder -d "$domain" -o "${domain}-subs.txt"
done < domains.txt
```

Debugging

# Enable verbose mode
subfinder -d example.com -v

# Show debug information
subfinder -d example.com -debug

# Check source statistics
subfinder -d example.com -stats

Configuration

Configuration File

Subfinder uses a configuration file located at $HOME/.config/subfinder/config.yaml. You can customize various settings in this file:

# Example configuration file
resolvers:
  - 1.1.1.1
  - 8.8.8.8
sources:
  - alienvault
  - censys
  - shodan
  - virustotal
# API keys for different providers
binaryedge:
  - API_KEY
censys:
  - API_ID:API_SECRET

Environment Variables

# Set Subfinder configuration via environment variables
export SUBFINDER_CONFIG_PATH=/path/to/config.yaml
export SUBFINDER_SOURCES=censys,shodan,virustotal
export SUBFINDER_RESOLVERS=1.1.1.1,8.8.8.8

Reference

Command Line Options

| Flag | Description |
| --- | --- |
| -d, -domain | Domain to find subdomains for |
| -dL, -domain-list | File containing list of domains |
| -o, -output | File to write output to |
| -oJ | Write output in JSON format |
| -oC | Write output in CSV format |
| -silent | Show only subdomains in output |
| -v, -verbose | Show verbose output |
| -ls, -list-sources | List all available sources |
| -s, -sources | Sources to use for enumeration |
| -es, -exclude-sources | Sources to exclude from enumeration |
| -recursive | Recursive subdomain discovery |
| -max-depth | Maximum recursion depth |
| -nW, -no-wildcards | Remove wildcard subdomains |
| -exclude-domains | Subdomains to exclude from enumeration |
| -match-domain | Subdomains to match in enumeration |
| -r, -resolvers | File containing list of resolvers |
| -resolve | Resolve discovered subdomains |
| -active | Enable active subdomain enumeration |
| -timeout | Timeout for passive sources in seconds |
| -timeout-resolve | Timeout for resolver requests in seconds |
| -sc, -source-concurrency | Number of concurrent sources |
| -hc, -host-concurrency | Number of concurrent hosts |
| -rate-limit | Maximum number of HTTP requests per second |
| -all | Use all sources for enumeration |
| -config | Path to configuration file |
| -set-config | Set configuration values |
| -version | Show Subfinder version |

Available Sources

| Source | Description | API Key Required |
| --- | --- | --- |
| Alienvault | Open Threat Exchange | No |
| Anubis | Subdomain data from Anubis | No |
| Archiveis | Archive.is URL archive | No |
| Binaryedge | Internet scanning data | Yes |
| BufferOver | DNS data | No |
| Censys | Internet scanning data | Yes |
| CertSpotter | Certificate transparency logs | Yes (for better results) |
| Chaos | ProjectDiscovery's Chaos dataset | Yes |
| Commoncrawl | Web crawl data | No |
| DNSDB | Passive DNS database | Yes |
| DNSRepo | DNS records repository | No |
| Entrust | Certificate transparency logs | No |
| FacebookCT | Facebook's certificate transparency logs | No |
| GitHub | Code search | Yes (for better results) |
| Intelx | Intelligence X data | Yes |
| PassiveTotal | RiskIQ's passive DNS data | Yes |
| Rapiddns | DNS records database | No |
| Riddler | DNS records search | No |
| SecurityTrails | DNS records database | Yes |
| Shodan | Internet scanning data | Yes |
| ThreatBook | Threat intelligence data | Yes |
| ThreatMiner | Threat intelligence data | No |
| URLScan | URL scanning service | No |
| VirusTotal | Security service for files and URLs | Yes |
| Waybackarchive | Internet Archive's Wayback Machine | No |
| ZoomEye | Cyberspace search engine | Yes |


This cheat sheet provides a comprehensive reference for using Subfinder, from basic enumeration to advanced filtering and integration with other tools. For the most up-to-date information, always refer to the official documentation.