Table of Contents
- Introduction To Subfinder
- Core Features
- The ProjectDiscovery Community Factor
- Installation of Subfinder
- Source
- Binary
- GitHub
- Docker
- Navigating through Subfinder
- Getting Help
- Enumerating Subdomains From a List of Domains
- Enumerating Subdomains Using Specific Sources
- Enumerating Subdomains Using All Sources
- Excluding Specific Sources
- Output Options
- Outputting Results to a File
- Outputting Results in JSON Format
- Specifying a Directory to Write the Output
- Only Displaying Active Subdomains
- Hiding Unnecessary Output
- Being More Verbose
- Advanced Options
- Viewing Available Sources
- Setting a Timeout
- Piping to/from Other Tools
- Specifying a DNS Resolver
- Specifying a List of DNS Resolvers
- Post Installation Instructions
- Conclusion
In the era of application security, bug bounties have evolved and become mainstream for hackers around the globe. Hackers are constantly looking for new tactics to automate the process of reconnaissance and find different types of vulnerabilities. One of the first steps to hacking a larger scoped program is subdomain enumeration.
You can find subdomains by using tools like amass, assetfinder, sudomy, and others. However, in this post, we'll discuss one of the most popular, subfinder, from ProjectDiscovery.
Introduction To Subfinder
Subfinder is a popular open-source tool used for subdomain enumeration. It allows users to quickly and easily discover subdomains of a given domain by using a variety of different active and passive methods. This can be useful for a variety of purposes, such as security assessments, penetration testing, and research.
There are several similar tools available, including Sublist3r, Knockpy, and Amass. However, Subfinder is generally considered to be one of the most effective due to its speed, active development and the strong community. Subfinder is written in Golang, making full use of Golang's native concurrency to gather subdomains from multiple sources simultaneously. Subfinder gathers potential subdomain lists from passive online sources such as Binaryedge, C99, Certspotter, Chinaz, Censys, Chaos, and others.
Core Features
Below are some of Subfinder's core features:
- Fast and powerful resolution and wildcard elimination module
- Curated passive sources to maximize results
- Multiple Output formats supported (JSON, File, Stdout)
- Optimized for speed, very fast and lightweight on resources
- STDIN/OUT support for integrating with workflows
- Command Line Interface (CLI) based tool
- Easy API configuration interface
- Ability to exclude certain sources
- Uses up to 26 passive DNS sources (including SecurityTrails!)
- Docker, tar and pre-built binaries available
The ProjectDiscovery Community Factor
The ProjectDiscovery community is a major factor in the success of Subfinder, and has helped to make it one of the most popular tools for subdomain enumeration. Their passion and engagement have helped to drive the development of the tool and ensure that it continues to meet their needs, including penetration testing, security research and bug bounty hunting.
The ProjectDiscovery community plays a crucial role in the development and success of Subfinder and other tools. They provide valuable feedback and suggestions for improving the tool, contribute code and other resources to the project, develop content related to the tool, and help to battle test it.
Installation of Subfinder
We can install Subfinder using four different methods:
Source
Subfinder is written in Golang. Therefore, we can install it from source by using Golang utilities. To achieve that, you'll need to install Go on your local machine.
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
Binary
First, download the release that is compatible with your operating system. Then extract the archive and move the subfinder binary to /usr/local/bin.
tar -xzvf subfinder-linux-amd64.tar.gz
mv subfinder /usr/local/bin/
subfinder -h
GitHub
Clone the repository and change into subfinder/v2/cmd/subfinder. Then run go build . and move the resulting binary to /usr/local/bin, after which Subfinder is ready to use.
git clone https://github.com/projectdiscovery/subfinder.git
cd subfinder/v2/cmd/subfinder
go build .
mv subfinder /usr/local/bin/
subfinder -h
Docker
docker pull projectdiscovery/subfinder:latest
Navigating through Subfinder
In this section, we will cover all the different features and usage options that Subfinder provides.
Getting Help
subfinder -h
Performing Basic Subdomain Enumeration
subfinder -d tesla.com -v
Enumerating Subdomains From a List of Domains
subfinder -dL list.txt -v
Enumerating Subdomains Using Specific Sources
subfinder -d tesla.com -s virustotal
The screenshot below shows the subdomains retrieved using the VirusTotal API key. To retrieve subdomains from other key-gated sources, the API keys must be added to the file ~/.config/subfinder/provider-config.yaml. You can learn more about these API keys in the Post Installation Instructions section below.
Sample API keys are shown in the screenshot below:
Enumerating Subdomains Using All Sources
subfinder -d tesla.com -v -all
Using the -all option, we can fetch all the subdomains using the default sources and sources with configured API Keys.
Excluding Specific Sources
subfinder -d tesla.com -es virustotal,securitytrails,dnsdumpster
The -es option allows you to exclude specific sources, and the total count of subdomains decreases significantly. With all sources enabled, the run originally returned more than 854 domains.
After removing these three sources, the picture below shows only 559 domains.
Output Options
Outputting Results to a File
subfinder -d tesla.com -o subdomain.txt
Outputting Results in JSON Format
subfinder -d tesla.com -o tesla.json -oJ
In the example below, we used jq to transform the JSON data into a format that is easier to read, and the head command to show the first ten lines of the tesla.json file.
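As an added example that is not part of the original post, the functions below post-process the JSON-lines output of -oJ with POSIX tools only (no jq required): they dedupe hosts for piping into the next tool, count hits per source (useful when deciding what to drop with -es, as in the exclusion section above), and flag hosts corroborated by a single source only. The sample records are constructed, and the flat {"host","input","source"} line format is an assumption about recent Subfinder versions.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed sample of what
# `subfinder -d tesla.com -oJ -silent` is assumed to emit (one JSON object
# per line with host, input and source fields).
SAMPLE_JSON='{"host":"www.tesla.com","input":"tesla.com","source":"virustotal"}
{"host":"shop.tesla.com","input":"tesla.com","source":"securitytrails"}
{"host":"www.tesla.com","input":"tesla.com","source":"crtsh"}
{"host":"auth.tesla.com","input":"tesla.com","source":"virustotal"}
{"host":"auth.tesla.com","input":"tesla.com","source":"dnsdumpster"}'

# Extract one string field from each flat JSON line: json_field <name>
json_field() {
  sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p"
}

# Unique hosts, sorted, ready to pipe into httprobe or a resolver.
unique_hosts() {
  json_field host | sort -u
}

# Records contributed by each source, most productive first.
hits_per_source() {
  json_field source | sort | uniq -c | sort -rn
}

# Hosts reported by exactly one source: lowest corroboration, verify first.
single_source_hosts() {
  json_field host | sort | uniq -u
}

# Stand-alone demo on the constructed sample. With live data:
#   subfinder -d tesla.com -oJ -silent | unique_hosts | httprobe
printf '%s\n' "$SAMPLE_JSON" | unique_hosts
printf '%s\n' "$SAMPLE_JSON" | hits_per_source
printf '%s\n' "$SAMPLE_JSON" | single_source_hosts
```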
Specifying a Directory to Write the Output
subfinder -dL list.txt -oD results
The -oD option writes the results to a directory and is used in conjunction with -dL, which supplies the list of domains to enumerate. As you can see in the picture below, once the command has run, a directory containing one file per domain is created.
Only Displaying Active Subdomains
subfinder -d tesla.com -o tesla_domain.json -nW
The option -nW performs DNS resolution on discovered subdomains, and discards any that don't respond. Use of the JSON output requires this parameter. It makes domain resolving easier, completing that part of your reconnaissance in one step.
Hiding Unnecessary Output
subfinder -d tesla.com -silent
Being More Verbose
subfinder -d tesla.com -v
Advanced Options
Viewing Available Sources
subfinder -ls
Setting a Timeout
subfinder -d tesla.com -max-time 5
Piping to/from Other Tools
Subfinder accepts root domains from STDIN, like this:
echo "tesla.com" | subfinder -silent | httprobe
Specifying a DNS Resolver
subfinder -d tesla.com -o output.txt -nW -v -r 8.8.8.8
Specifying a List of DNS Resolvers
subfinder -d tesla.com -o output.txt -nW -v -rL resolver.txt
Post Installation Instructions
Subfinder works out of the box after following the installation instructions. However, API keys must be configured for Subfinder to use certain sources. Without an API key, the following sources will not return results: Binaryedge, C99, Certspotter, Chinaz, Censys, Chaos, DnsDB, Fofa, Github, Intelx, Passivetotal, Robtex, SecurityTrails, Shodan, Threatbook, Virustotal, WhoisXML API, Zoomeye.
When you first run the program, a file called $HOME/.config/subfinder/provider-config.yaml is created to hold these settings. The configuration file is formatted in YAML. Each of these sources accepts multiple API keys, one of which is picked for enumeration.
For sources like Censys and Passivetotal that need several key parts, you may add them by separating the parts with a colon (:).
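As an added example, not from the original post, the check below reads a provider-config.yaml and reports which of the key-gated sources listed above still have no key, so that a run with -all does not silently skip them. The sample config is constructed; the layout it assumes (a source name followed by a "- key" list or an inline [...] list, multi-part keys joined with ':') follows this section's description.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed sample config with
# placeholder values; real files live at $HOME/.config/subfinder/provider-config.yaml.
SAMPLE_CONFIG='binaryedge: []
censys:
  - CENSYS_ID_PLACEHOLDER:CENSYS_SECRET_PLACEHOLDER
securitytrails:
  - SECURITYTRAILS_KEY_PLACEHOLDER
virustotal: []
'

# Source names the post lists as requiring a key (lower-cased, assumed to
# match the keys used in the config file).
KEYED_SOURCES="binaryedge c99 certspotter chinaz censys chaos dnsdb fofa github intelx passivetotal robtex securitytrails shodan threatbook virustotal whoisxmlapi zoomeye"

# Read a config on stdin and print sources that have at least one key:
# either a "- value" line under the source or a non-empty inline list.
configured_sources() {
  awk '
    /^[A-Za-z0-9_]+:/ {
      src = $1; sub(/:$/, "", src)
      if ($0 ~ /\[[^]]+\]/) print src   # inline non-empty list form
      next
    }
    /^[ \t]+-[ \t]+[^ \t]/ { print src } # "- key" entry under current source
  ' | sort -u
}

# Read a config on stdin and print key-gated sources with no key configured.
unconfigured_keyed_sources() {
  configured="$(configured_sources)"
  for s in $KEYED_SOURCES; do
    printf '%s\n' "$configured" | grep -qx "$s" || printf '%s\n' "$s"
  done
}

# Stand-alone demo on the constructed sample. Against the real file:
#   unconfigured_keyed_sources < "$HOME/.config/subfinder/provider-config.yaml"
printf '%s' "$SAMPLE_CONFIG" | unconfigured_keyed_sources
```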
Conclusion
Subfinder is a fantastic tool for gathering subdomains from various passive sources. It is straightforward to use and does not require much configuration. Due to its extensive integrations, it is far more powerful than most other subdomain mapping solutions currently available. Additionally, because it is implemented in the Go programming language, it is fast. Subfinder is unquestionably among the finest choices for bounty seekers while hunting for subdomains.
Author - Devansh Bordia, @devansh3008