
An in-depth guide to subfinder: beginner to advanced

In the era of application security, bug bounties have evolved and become mainstream for hackers around the globe. Hackers are constantly looking for new ways to automate reconnaissance and find different classes of vulnerabilities. One of the first steps when working on a large-scope program is subdomain enumeration.

You can find subdomains by using tools like amass, assetfinder, sudomy, and others. However, in this post, we'll discuss one of the most popular, subfinder, from ProjectDiscovery.

Introduction To Subfinder

Subfinder is a popular open-source tool used for subdomain enumeration. It allows users to quickly and easily discover subdomains of a given domain by using a variety of different active and passive methods. This can be useful for a variety of purposes, such as security assessments, penetration testing, and research.

There are several similar tools available, including Sublist3r, Knockpy, and Amass. However, Subfinder is generally considered one of the most effective due to its speed, active development, and strong community. Subfinder is written in Golang and makes full use of Go's native concurrency to query multiple sources simultaneously. It gathers candidate subdomains from passive online sources such as Binaryedge, C99, Certspotter, Chinaz, Censys, Chaos, and others.

Core Features

Below are some of Subfinder's core features:

  • Fast and powerful resolution and wildcard elimination module
  • Curated passive sources to maximize results
  • Multiple Output formats supported (JSON, File, Stdout)
  • Optimized for speed, very fast and lightweight on resources
  • STDIN/OUT support for integrating with workflows
  • Command Line Interface (CLI) based tool
  • Easy API configuration interface
  • Ability to exclude certain sources
  • Uses up to 26 passive DNS sources (including SecurityTrails!)
  • Docker, tar and pre-built binaries available

The ProjectDiscovery Community Factor

The ProjectDiscovery community is a major factor in the success of Subfinder, and has helped to make it one of the most popular tools for subdomain enumeration. Their passion and engagement have helped to drive the development of the tool and ensure that it continues to meet their needs, including penetration testing, security research and bug bounty hunting.

The ProjectDiscovery community plays a crucial role in the development and success of Subfinder and other tools. They provide valuable feedback and suggestions for improving the tool, contribute code and other resources to the project, develop content related to the tool, and help to battle test it.

Installation of Subfinder

We can install Subfinder using four different methods:

Source

Subfinder is written in Golang. Therefore, we can install it from source by using Golang utilities. To achieve that, you'll need to install Go on your local machine.

    go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest

Binary

First, download the release that matches your operating system. Then extract the archive and move the subfinder binary to /usr/local/bin.

    tar -xzvf subfinder-linux-amd64.tar.gz
    mv subfinder /usr/local/bin/
    subfinder -h

GitHub

Clone the repository and change into subfinder/v2/cmd/subfinder. Run go build . to compile it. Once the resulting binary has been moved to /usr/local/bin, Subfinder is ready to use.

    git clone https://github.com/projectdiscovery/subfinder.git
    cd subfinder/v2/cmd/subfinder
    go build .
    mv subfinder /usr/local/bin/
    subfinder -h

Docker

    docker pull projectdiscovery/subfinder:latest

In this section, we will cover all the different features and usage options that Subfinder provides.

Getting Help

    subfinder -h

Performing Basic Subdomain Enumeration

    subfinder -d tesla.com -v

Enumerating Subdomains From a List of Domains

    subfinder -dL list.txt -v

Enumerating Subdomains Using Specific Sources

    subfinder -d tesla.com -s virustotal

The screenshot below shows the subdomains retrieved through the VirusTotal source using its API key. To query other sources that require authentication, add their API keys to ~/.config/subfinder/provider-config.yaml; the keys are described in the Post Installation Instructions section below.

Sample API keys are shown in the screenshot below:

Enumerating Subdomains Using All Sources

    subfinder -d tesla.com -v -all

With the -all option, Subfinder queries every source: the default ones plus any source for which an API key has been configured.

Excluding Specific Sources

    subfinder -d tesla.com -es virustotal,securitytrails,dnsdumpster

The -es option excludes the named sources. The total number of subdomains drops noticeably: with all sources enabled, more than 854 domains were found.

After excluding these three sources, the picture below shows only 559 domains.

Output Options

Outputting Results to a File

    subfinder -d tesla.com -o subdomain.txt

Outputting Results in JSON Format

    subfinder -d tesla.com -o tesla.json -oJ

In the example below, we used jq to transform the JSON data into a more readable form, and the head command to show the first ten lines of the tesla.json file.
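Beyond pretty-printing, the JSON output is useful for automated post-processing. The added example below (not part of the original post or of subfinder itself) parses the JSON-lines output, drops results that fall outside the requested domain (passive sources can return look-alike names), de-duplicates hosts, and counts how many unique hosts each source contributed, which is the kind of per-source tally behind the -s/-es decisions above. The field names host/input/source are assumed from subfinder's -oJ format, and the sample lines are constructed.

```python
"""Post-process subfinder JSON-lines output (-oJ): keep in-scope hosts, de-duplicate,
and count what each source contributed. Field names are assumed; sample is constructed."""
import json
from collections import Counter, defaultdict

# Constructed sample of `subfinder -d example.com -oJ` output, one JSON object per line.
SAMPLE_JSONL = """\
{"host":"www.example.com","input":"example.com","source":"crtsh"}
{"host":"www.example.com","input":"example.com","source":"virustotal"}
{"host":"api.example.com","input":"example.com","source":"virustotal"}
{"host":"dev.example.com","input":"example.com","source":"securitytrails"}
{"host":"notexample.com","input":"example.com","source":"virustotal"}
{"host":"EXAMPLE.COM.evil.net","input":"example.com","source":"crtsh"}
not json at all
"""

def in_scope(host: str, root: str) -> bool:
    """True only if host is root itself or a real subdomain of it (case-insensitive,
    trailing dot tolerated). Rejects look-alikes such as notexample.com."""
    h, r = host.lower().rstrip("."), root.lower().rstrip(".")
    return h == r or h.endswith("." + r)

def parse_results(jsonl: str):
    """Return (hosts_by_root, count_per_source, skipped).
    hosts_by_root: input domain -> sorted unique in-scope hosts;
    count_per_source: how many unique in-scope hosts each source reported;
    skipped: raw lines that were malformed or out of scope."""
    hosts, sources, skipped = defaultdict(set), defaultdict(set), []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            host, root, src = rec["host"], rec["input"], rec.get("source", "unknown")
        except (ValueError, KeyError, TypeError, AttributeError):
            skipped.append(line)          # malformed line: report it, keep going
            continue
        if not in_scope(host, root):
            skipped.append(line)          # noisy source returned an out-of-scope name
            continue
        norm = host.lower().rstrip(".")
        hosts[root].add(norm)
        sources[src].add(norm)
    by_root = {r: sorted(h) for r, h in hosts.items()}
    return by_root, Counter({s: len(h) for s, h in sources.items()}), skipped
```

Calling parse_results on the constructed sample yields three in-scope hosts for example.com, per-source counts of 2 for virustotal and 1 each for crtsh and securitytrails, and three skipped lines (two out-of-scope names and one malformed line).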

Specifying a Directory to Write the Output

    subfinder -dL list.txt -oD results

When enumerating a list of domains with -dL, the -oD option writes the results into the given directory, one file per domain. As the picture below shows, once the command has run, a directory containing the corresponding files is created.

Only Displaying Active Subdomains

    subfinder -d tesla.com -o tesla_domain.json -nW

The -nW option resolves each discovered subdomain and discards any that do not respond. The JSON output requires this parameter. It makes resolution easier, completing that part of your reconnaissance in one step.
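Dropping dead names is only half of what a resolution filter has to do: a domain with a wildcard DNS record answers for any label, so every candidate would appear "live". The added example below (not subfinder's code) shows the idea behind wildcard elimination: probe a few random labels under the root, treat whatever they resolve to as the wildcard answer, and keep only hosts that resolve to something else. The resolver is injected so the code runs offline against a constructed zone; a real run would pass a function wrapping, for example, socket.gethostbyname_ex.

```python
"""Wildcard-DNS elimination, the idea behind subfinder's -nW, as an added example
(not subfinder's code). The resolver is injected so it runs offline on a constructed
zone; a real run would pass a function wrapping e.g. socket.gethostbyname_ex."""
import secrets
from typing import Callable, Iterable

Resolver = Callable[[str], frozenset]   # name -> set of IPs (empty = no answer)

# Constructed zone: example.com has a catch-all that answers 203.0.113.9 for any label.
FAKE_ZONE = {
    "www.example.com": frozenset({"203.0.113.10"}),
    "api.example.com": frozenset({"203.0.113.11"}),
    "dead.example.com": frozenset(),          # explicit no-answer
}

def fake_resolve(name: str) -> frozenset:
    """Stand-in resolver: known names from FAKE_ZONE, wildcard IP for any other label."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    return frozenset({"203.0.113.9"}) if name.endswith(".example.com") else frozenset()

def wildcard_ips(root: str, resolve: Resolver, probes: int = 3) -> frozenset:
    """Resolve a few random labels under root; whatever they answer is the wildcard."""
    ips = set()
    for _ in range(probes):
        ips |= resolve(f"{secrets.token_hex(8)}.{root}")
    return frozenset(ips)

def filter_live(hosts: Iterable[str], root: str, resolve: Resolver) -> list:
    """Keep hosts that resolve to something other than the wildcard answer.
    Dead names (no answer) and names that only hit the catch-all are dropped."""
    wild = wildcard_ips(root, resolve)
    kept = []
    for h in hosts:
        ips = resolve(h)
        if not ips:
            continue                  # NXDOMAIN / no A record
        if wild and ips <= wild:
            continue                  # indistinguishable from a random label
        kept.append(h)
    return kept

if __name__ == "__main__":
    names = ["www.example.com", "api.example.com", "dead.example.com", "ghost.example.com"]
    print(filter_live(names, "example.com", fake_resolve))
```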

Hiding Unnecessary Output

    subfinder -d tesla.com -silent

Being More Verbose

    subfinder -d tesla.com -v

Advanced Options

Viewing Available Sources

    subfinder -ls

Setting a Timeout

    subfinder -d tesla.com -max-time 5

Piping to/from Other Tools

Subfinder accepts root domains from STDIN, like this:

    echo "tesla.com" | subfinder -silent | httprobe

Specifying a DNS Resolver

    subfinder -d tesla.com -o output.txt -nW -v -r 8.8.8.8

Specifying a List of DNS Resolvers

    subfinder -d tesla.com -o output.txt -nW -v -rL resolver.txt

Post Installation Instructions

Subfinder works as soon as the installation steps above are complete. However, several sources require an API key and are skipped until one is configured. Without an API key, the following services will not work: Binaryedge, C99, Certspotter, Chinaz, Censys, Chaos, DnsDB, Fofa, Github, Intelx, Passivetotal, Robtex, SecurityTrails, Shodan, Threatbook, Virustotal, WhoisXML API, Zoomeye.

When you first run the program, a file called $HOME/.config/subfinder/provider-config.yaml is created to hold these settings. The configuration file is formatted as YAML. Each service accepts multiple API keys, one of which is used for each enumeration.

For sources like Censys and Passivetotal that need several values per key (as with the email:password pair for Passivetotal below), join the values with a colon (:).

binaryedge:
  - 1bf8919b-aab9-42e4-9574-d3b639324598
  - bc244e2f-b635-4581-878a-33f4e79a2c14
censys:
  - cc244e2f-b635-4581-878a-33f4e79a2c13:dd510d6e-1b6e-4655-83f6-f347b363def8
certspotter: []
passivetotal:
  - sample-email@user.com:sample_password
securitytrails: []
shodan:
  - AAAAClP1bJJSRMEYJazgwhJKrggRwKA
github:
  - ghp_lkyJGU3jv1xmwk4SDXavrLDJ4dl2pSJMzj4X
  - ghp_gkUuhkIYdQPj13ifH4KA3cXRn8JD2lqir2d4

Conclusion

Subfinder is a fantastic tool for gathering subdomains from various passive sources. It is straightforward to use and does not require much configuration. Due to its extensive integrations, it is far more powerful than most other subdomain mapping solutions currently available. Additionally, because it is implemented in the Go programming language, it is fast. Subfinder is unquestionably among the finest choices for bounty seekers while hunting for subdomains.
