Subfinder is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources.

Related tags

Security Subfinder
Overview

Subfinder

Subfinder is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources. It has a simple modular architecture and is optimized for speed. subfinder is built for doing one thing only - passive subdomain enumeration, and it does that very well.

subfinder

Fast passive subdomain enumeration tool.


Subfinder is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources. It has a simple modular architecture and is optimized for speed. subfinder is built for doing one thing only - passive subdomain enumeration, and it does that very well.

We have designed subfinder to comply with all passive sources licenses, and usage restrictions, as well as maintained a consistently passive model to make it useful to both penetration testers and bug bounty hunters alike.

Features

subfinder

  • Fast and powerful resolution and wildcard elimination module
  • Curated passive sources to maximize results
  • Multiple Output formats supported (Json, File, Stdout)
  • Optimized for speed, very fast and lightweight on resources
  • STDIN/OUT support for integrating in workflows

Usage

subfinder -h

This will display help for the tool. Here are all the switches it supports.

Flag Description Example
-all Use all sources (slow) for enumeration subfinder -d uber.com -all
-config Configuration file for API Keys, etc subfinder -config config.yaml
-d Domain to find subdomains for subfinder -d uber.com
-dL File containing list of domains to enumerate subfinder -dL hackerone-hosts.txt
-exclude-sources List of sources to exclude from enumeration subfinder -exclude-sources archiveis
-max-time Minutes to wait for enumeration results (default 10) subfinder -max-time 1
-nC Don't Use colors in output subfinder -nC
-nW Remove Wildcard & Dead Subdomains from output subfinder -nW
-ls List all available sources subfinder -ls
-o File to write output to (optional) subfinder -o output.txt
-oD Directory to write enumeration results to (optional) subfinder -oD ~/outputs
-oI Write output in Host,IP format subfinder -oI
-oJ Write output in JSON lines Format subfinder -oJ
-r Comma-separated list of resolvers to use subfinder -r 1.1.1.1,1.0.0.1
-rL Text file containing list of resolvers to use subfinder -rL resolvers.txt
-recursive Enumeration recursive subdomains subfinder -d news.yahoo.com -recursive
-silent Show only subdomains in output subfinder -silent
-sources Comma separated list of sources to use subfinder -sources shodan,censys
-t Number of concurrent goroutines for resolving (default 10) subfinder -t 100
-timeout Seconds to wait before timing out (default 30) subfinder -timeout 30
-v Show Verbose output subfinder -v
-version Show current program version subfinder -version

Installation

Subfinder requires go1.14+ to install successfully. Run the following command to get the repo -

▶ GO111MODULE=on go get -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder

Post Installation Instructions

Subfinder will work after using the installation instructions however to configure Subfinder to work with certain services, you will need to have setup API keys. The following services do not work without an API key:

Theses values are stored in the $HOME/.config/subfinder/config.yaml file which will be created when you run the tool for the first time. The configuration file uses the YAML format. Multiple API keys can be specified for each of these services from which one of them will be used for enumeration.

For sources that require multiple keys, namely Censys, Passivetotal, they can be added by separating them via a colon (:).

An example config file -

resolvers:
  - 1.1.1.1
  - 1.0.0.1
sources:
  - binaryedge
  - bufferover
  - censys
  - passivetotal
  - sitedossier
binaryedge:
  - 0bf8919b-aab9-42e4-9574-d3b639324597
  - ac244e2f-b635-4581-878a-33f4e79a2c13
censys:
  - ac244e2f-b635-4581-878a-33f4e79a2c13:dd510d6e-1b6e-4655-83f6-f347b363def9
certspotter: []
passivetotal:
  - [email protected]:sample_password
securitytrails: []
shodan:
  - AAAAClP1bJJSRMEYJazgwhJKrggRwKA
github:
  - d23a554bbc1aabb208c9acfbd2dd41ce7fc9db39
  - asdsd54bbc1aabb208c9acfbd2dd41ce7fc9db39

Running Subfinder

To run the tool on a target, just use the following command.

▶ subfinder -d example.com

The verbose flag v can be used to display verbose information.

[bufferover] lutin.dima.example.com
[bufferover] izosimdima.example.com
[bufferover] glazkovdima.example.com
[bufferover] dengshima.example.com
[bufferover] wwwkima.example.com
[bufferover] proxima.example.com
[bufferover] mma.example.com
[bufferover] damidoma.example.com
[bufferover] nomerdoma.example.com
[bufferover] soti.croma.example.com

The -o command can be used to specify an output file.

▶ subfinder -d example.com -o output.txt

To run the tool on a list of domains, -dL option can be used. This requires a directory to write the output files. Subdomains for each domain from the list are written in a text file in the directory specified by the -oD flag with their name being the domain name.

▶ cat domains.txt
hackerone.com
google.com
▶ subfinder -dL domains.txt -oD ~/path/to/output
▶ ls ~/path/to/output
hackerone.com.txt
google.com.txt

You can also get output in json format using -oJ switch. This switch saves the output in the JSON lines format.

If you use the JSON format, or the Host:IP format, then it becomes mandatory for you to use the -nW format as resolving is essential for these output format. By default, resolving the found subdomains is disabled.

▶ subfinder -d hackerone.com -o output.json -oJ -nW
▶ cat output.json
{"host":"www.hackerone.com","ip":"104.16.99.52"}
{"host":"mta-sts.hackerone.com","ip":"185.199.108.153"}
{"host":"hackerone.com","ip":"104.16.100.52"}
{"host":"mta-sts.managed.hackerone.com","ip":"185.199.110.153"}

The subdomains discovered can be piped to other tools too. For example, you can pipe the subdomains discovered by subfinder to httpx httpx which will then find running http servers on the host.

echo hackerone.com | subfinder -silent | httpx -silent
http://hackerone.com
http://www.hackerone.com
http://docs.hackerone.com
http://api.hackerone.com
https://docs.hackerone.com
http://mta-sts.managed.hackerone.com

Subfinder with docker

You can use the official dockerhub image at subfinder. Simply run -

▶ docker pull projectdiscovery/subfinder

The above command will pull the latest tagged release from the dockerhub repository.

If you want to build the container yourself manually, git clone the repo, then build and run the following commands

  • Clone the repo using git clone https://github.com/projectdiscovery/subfinder.git
  • Build your docker container
docker build -t projectdiscovery/subfinder .

If you are using docker, you need to first create your directory structure holding subfinder configuration file. After modifying the default config.yaml file, you can run:

▶ mkdir -p $HOME/.config/subfinder
▶ cp config.yaml $HOME/.config/subfinder/config.yaml
▶ nano $HOME/.config/subfinder/config.yaml

After that, you can pass it as a volume using the following sample command.

▶ docker run -v $HOME/.config/subfinder:/root/.config/subfinder -it projectdiscovery/subfinder -d example.com

For example, this runs the tool against example.com and output the results to your host file system:

docker run -v $HOME/.config/subfinder:/root/.config/subfinder -it projectdiscovery/subfinder -d example.com > example.com.txt

Subfinder Go library

Usage example:

package main
import (
	"bytes"
	"context"
	"fmt"
	"io"
	"io/ioutil"
	"log"
	"github.com/projectdiscovery/subfinder/v2/pkg/passive"
	"github.com/projectdiscovery/subfinder/v2/pkg/resolve"
	"github.com/projectdiscovery/subfinder/v2/pkg/runner"
)
func main() {
	config := runner.ConfigFile{
		// Use the default list of resolvers by marshaling it to the config
		Resolvers: resolve.DefaultResolvers,
		// Use the default list of passive sources
		Sources: passive.DefaultSources,
		// Use the default list of all passive sources
		AllSources: passive.DefaultAllSources,
		// Use the default list of recursive sources
		Recursive: passive.DefaultRecursiveSources,
	}
	runnerInstance, err := runner.NewRunner(&runner.Options{
		Threads:            10, // Thread controls the number of threads to use for active enumerations
		Timeout:            30, // Timeout is the seconds to wait for sources to respond
		MaxEnumerationTime: 10, // MaxEnumerationTime is the maximum amount of time in mins to wait for enumeration
		YAMLConfig:         config,
	})
	buf := bytes.Buffer{}
	err = runnerInstance.EnumerateSingleDomain(context.Background(), "projectdiscovery.io", []io.Writer{&buf})
	if err != nil {
		log.Fatal(err)
	}
	data, err := ioutil.ReadAll(&buf)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%s", data)
}

DEVELOPER DO NOT SUPPORT ANY OF THE ILLEGAL ACTIVITIES.

Contact Me on telegram or twitter: https://twitter.com/TrewisScotch / https://t.me/HiroSCOTCH#

Issues
  • [ImgBot] Optimize images

    [ImgBot] Optimize images

    Beep boop. Your images are optimized!

    Your image file size has been reduced by 21% 🎉

    Details

    | File | Before | After | Percent reduction | |:--|:--|:--|:--| | /static/subfinder-logo.png | 9.62kb | 5.85kb | 39.18% | | /static/subfinder-run.png | 1,059.53kb | 835.99kb | 21.10% | | | | | | | Total : | 1,069.15kb | 841.84kb | 21.26% |


    📝 docs | :octocat: repo | 🙋🏾 issues | 🏪 marketplace

    ~Imgbot - Part of Optimole family

    opened by imgbot[bot] 0
Owner
Trewis [work] Scotch
✕ Multi-Language Developer ✕ Coder ✕ Phishing DEVELOPER tools ✕
Trewis [work] Scotch
🔮 ✈️ to integrate OPA Gatekeeper's new ExternalData feature with cosign to determine whether the images are valid by verifying their signatures

?? ✈️ to integrate OPA Gatekeeper's new ExternalData feature with cosign to determine whether the images are valid by verifying their signatures

Batuhan Apaydın 15 Dec 3, 2021
🌀 Dismap - Asset discovery and identification tool

?? Dismap - Asset discovery and identification tool [English readme Click Me] Dismap 定位是一个资产发现和识别工具;其特色功能在于快速识别 Web 指纹信息,定位资产类型。辅助红队快速定位目标资产信息,辅助蓝队发现疑

之乎者也 524 Nov 27, 2021
A fast port scanner written in go with a focus on reliability and simplicity. Designed to be used in combination with other tools for attack surface discovery in bug bounties and pentests

Naabu is a port scanning tool written in Go that allows you to enumerate valid ports for hosts in a fast and reliable manner. It is a really simple to

ProjectDiscovery 1.6k Dec 7, 2021
An improvement on the PoC for the privacy-preserving contact discovery scheme I implemented as part of my UCL masters degree

Privacy-Preserving Contact Discovery / ARKE - PoC This is an improved version of the work I submitted as part of my masters degree dissertation at UCL

Nicolas Mohnblatt 0 Nov 4, 2021
ID hashing and Obfuscation using Knuth's Algorithm

ID Obfuscation/Hashing Transformer for Go There are many times when you want to generate obfuscated ids. This package utilizes Knuth's Hashing Algorit

pj 289 Nov 24, 2021
An easy-to-use XChaCha20-encryption wrapper for io.ReadWriteCloser (even lossy UDP) using ECDH key exchange algorithm, ED25519 signatures and Blake3+Poly1305 checksums/message-authentication for Go (golang). Also a multiplexer.

Quick start Prepare keys (on both sides): [ -f ~/.ssh/id_ed25519 ] && [ -f ~/.ssh/id_ed25519.pub ] || ssh-keygen -t ed25519 scp ~/.ssh/id_ed25519.pub

null 21 Nov 30, 2021
A convenience library for generating, comparing and inspecting password hashes using the scrypt KDF in Go 🔑

simple-scrypt simple-scrypt provides a convenience wrapper around Go's existing scrypt package that makes it easier to securely derive strong keys ("h

Matt Silverlock 173 Nov 9, 2021
🌰 encrypt/decrypt using ssh keys

ssh-vault ?? encrypt/decrypt using ssh private keys Documentation https://ssh-vault.com Usage $ ssh-vault -h Example: $ echo "secret" | ssh-vault -u

ssh-vault 327 Nov 30, 2021
Create strong passwords using words that are easy for you to remember

Grasp Create strong passwords using words that are easy for you to remember A way to circumvent password complexity rules and restrictions while only

Luca Sepe 17 Apr 5, 2021
Tracee: Linux Runtime Security and Forensics using eBPF

Tracee is a Runtime Security and forensics tool for Linux. It is using Linux eBPF technology to trace your system and applications at runtime, and analyze collected events to detect suspicious behavioral patterns.

Aqua Security 1.4k Nov 30, 2021
Demo of process injection, using Nt, direct syscall, etc.

?? Frog For Automatic Scan ?? Doge For Defense Evasion&Offensive Security ?? Doge-Process-Injection Demo of process injection, using Nt, direct syscal

TimWhite 16 Nov 12, 2021
✒ A self-hosted, cross-platform service to sign iOS apps using any CI as a builder

iOS Signer Service A self-hosted, cross-platform service to sign iOS apps using any CI as a builder Introduction There are many reasons to install app

null 552 Nov 27, 2021
Not Yet Another Password Manager written in Go using libsodium

secrets Secure and simple passwords manager written in Go. It aims to be NYAPM (Not Yet Another Password Manager), but tries to be different from othe

Jarmo Pertman 25 Oct 9, 2021
password manager using age for encryption

page ====== password manager using age (https://age-encryption.org/) for encryption. encrypted secrets are files in the $PAGE_SECRETS/ directory that

null 6 Nov 16, 2021
Custom GPG pinentry program for macOS that allows using Touch ID for fetching the password from the macOS keychain.

pinentry-touchid Custom GPG pinentry program for macOS that allows using Touch ID for fetching the password from the macOS keychain. Macbook Pro devic

Jorge Luis Betancourt 112 Dec 6, 2021
Small utility package for stealing tokens from other processes and using them in current threads, or duplicating them and starting other processes

getsystem small utility for impersonating a user in the current thread or starting a new process with a duplicated token. must already be in a high in

Alex Flores 7 Oct 13, 2021