LinuxCommandLibrary

findomain

Enumerate subdomains for a domain

SYNOPSIS

findomain [OPTIONS] <TARGETS>

Examples:
findomain -t example.com
findomain -f domains.txt -o results.txt --virustotal-api-key YOUR_KEY

PARAMETERS

-t <target>, --target <target>
    Specifies the target domain to enumerate.

-f <file>, --file <file>
    Provides a file with target domains (one per line).

-o <file>, --output <file>
    Saves the enumeration results to a specified output file.

-q, --quiet
    Suppresses verbose output, showing only subdomains.

-u, --unique
    Displays only unique subdomains found.

--no-http
    Disables HTTP checks for found subdomains, leading to faster execution.

--disable-sources <sources>
    Comma-separated list of sources to disable (e.g., crtsh,virustotal).

--enable-sources <sources>
    Comma-separated list of sources to exclusively enable.

--threads <num>
    Sets the number of concurrent threads for scanning.

--timeout <seconds>
    Defines the timeout for network requests.

--dns-servers <servers>
    Comma-separated list of custom DNS resolvers to use.

--max-retry <num>
    Sets the maximum number of retries for failed requests.

--json
    Outputs results in JSON format.

--system-resolver
    Forces the use of the system's DNS resolver.

--version
    Displays the findomain version information.

--help
    Shows the command's help message.

--virustotal-api-key <key>
    Provides the VirusTotal API key.

--shodan-api-key <key>
    Provides the Shodan API key.

--binaryedge-api-key <key>
    Provides the BinaryEdge API key.

--fofa-api-key <key>
    Provides the Fofa API key.

--fofa-email <email>
    Provides the Fofa account email.

--fullhunt-api-key <key>
    Provides the FullHunt API key.

--intelx-api-key <key>
    Provides the IntelX API key.

--intelx-host <host>
    Specifies the IntelX host.

--recondev-api-key <key>
    Provides the Recon.dev API key.

--securitytrails-api-key <key>
    Provides the SecurityTrails API key.

--github-token <token>
    Provides the GitHub API token.

--censys-username <username>
    Provides the Censys username.

--censys-password <password>
    Provides the Censys password.

--rapiddns-api-key <key>
    Provides the RapidDNS API key.

--cloudflare-api-key <key>
    Provides the Cloudflare API key.

--passivedns-api-key <key>
    Provides the PassiveDNS API key.

--whoisxmlapi-api-key <key>
    Provides the WhoisXMLAPI key.

DESCRIPTION

findomain is a high-performance subdomain discovery tool written in Rust, designed for penetration testers and security professionals. It rapidly identifies subdomains by querying a multitude of passive sources, including certificate transparency logs, DNS databases, web archives, search engines, and third-party APIs (such as VirusTotal and Shodan). Its speed and broad source coverage make it an essential utility for mapping a domain's attack surface during the reconnaissance phase. findomain can write results to standard output or a file, and supports various options for customization, such as specifying API keys, limiting concurrent threads, or filtering data sources.

CAVEATS

Many advanced features of findomain heavily rely on API keys from third-party services (e.g., VirusTotal, Shodan, BinaryEdge). Without these keys, the tool's effectiveness in finding subdomains might be reduced as it cannot access all its integrated data sources. Users should obtain and provide these keys for comprehensive results.
Additionally, aggressive usage with high thread counts or against numerous targets can lead to IP blocking by some services or DNS resolvers.

API KEY MANAGEMENT AND ENVIRONMENT VARIABLES

For optimal results, it is highly recommended to configure API keys for services like VirusTotal, Shodan, and BinaryEdge. These keys can be passed directly via command-line arguments or, for persistent use, set as environment variables. For example: export VIRUSTOTAL_API_KEY="YOUR_KEY". Keys passed as command-line arguments are recorded in shell history and are visible in process listings to other local users.

PASSIVE RECONNAISSANCE APPROACH

findomain primarily performs passive subdomain enumeration. This means it largely gathers information from publicly available sources without directly querying the target domain's servers (unless explicit HTTP checks are enabled). This approach makes it a stealthier option for initial reconnaissance, minimizing the risk of detection by target systems.
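When findomain is run against a domain you own, the useful follow-up is to compare what the passive sources expose with what your asset inventory says should exist. The script below is an added example, not part of findomain or of the original page. It assumes the results file holds one hostname per line (as from findomain -t example.com -q -o results.txt); the file names, function names and sample hostnames are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of findomain): list discovered hostnames that are
# missing from your own asset inventory.
# Assumption: the results file has one hostname per line.

# Lowercase, trim, drop trailing dots, discard anything that is not a plain
# hostname (e.g. wildcard entries such as *.dev.example.com), de-duplicate.
normalize_hosts() {
  tr '[:upper:]' '[:lower:]' | tr -d '\r' |
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/\.$//' |
    { grep -E '^([a-z0-9_]([a-z0-9_-]*[a-z0-9_])?\.)+[a-z0-9-]{2,}$' || true; } |
    LC_ALL=C sort -u
}

# unknown_hosts RESULTS INVENTORY DOMAIN
# Prints hosts at or below DOMAIN that are in RESULTS but not in INVENTORY.
unknown_hosts() (
  tmp=$(mktemp -d) || exit 1
  # Escape dots so the domain is matched literally, anchored on a label boundary.
  pat=$(printf '%s' "$3" | sed 's/\./\\./g')
  normalize_hosts < "$1" | { grep -E "(^|\.)${pat}\$" || true; } > "$tmp/found"
  normalize_hosts < "$2" > "$tmp/known"
  # comm -23 keeps lines unique to the first (sorted) file.
  LC_ALL=C comm -23 "$tmp/found" "$tmp/known"
  rm -rf "$tmp"
)

# Constructed sample data, for illustration only.
demo() (
  d=$(mktemp -d) || exit 1
  printf '%s\n' www.example.com API.example.com api.example.com. \
    staging-old.example.com '*.dev.example.com' vpn.example.com \
    jenkins.example.com notexample.com > "$d/results.txt"
  printf '%s\n' www.example.com api.example.com vpn.example.com \
    > "$d/inventory.txt"
  unknown_hosts "$d/results.txt" "$d/inventory.txt" example.com
  rm -rf "$d"
)

demo
```

Hostnames it prints are candidates for review: either the inventory is incomplete or a forgotten host is still publicly discoverable.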

HISTORY

findomain emerged as a modern, efficient, and open-source alternative for subdomain enumeration, gaining rapid popularity within the cybersecurity community. Written in Rust, it capitalized on the language's performance benefits, offering faster execution compared to some older tools. Its design goal was to consolidate multiple subdomain discovery techniques into a single, high-performance utility, making it a go-to tool for initial reconnaissance in penetration testing and bug bounty hunting.
