subfinder

Find subdomains for a specific domain

$ subfinder [[-d|-domain]] [example.com]

$ subfinder -silent [[-d|-domain]] [example.com]

$ subfinder [[-nW|-active]] [[-d|-domain]] [example.com]

$ subfinder -all [[-d|-domain]] [example.com]

$ subfinder -r [8.8.8.8,1.1.1.1,...] [[-d|-domain]] [example.com]

subfinder [OPTIONS] -d <domain> | -dL <domain_list_file>
subfinder [OPTIONS] -h

-d, -domain domain
    Target domain to find subdomains for.

-dL, -list file
    Path to a file containing a list of domains to find subdomains for (one per line).

-o, -output file
    Path to a file to write the discovered subdomains to.

-nW, -no-wildcard
    Exclude wildcard subdomains from the results.

-silent
    Only display subdomains in the output, suppressing other verbose messages.

-v, -verbose
    Show verbose output, including more details about the discovery process.

-r, -resolver ip
    Custom DNS resolver(s) to use (comma-separated IP addresses).

-rL, -resolver-list file
    Path to a file containing a list of custom DNS resolvers (one per line).

-t, -threads count
    Number of concurrent goroutines to use for faster enumeration (default 10).

-timeout seconds
    Maximum DNS resolution timeout in seconds (default 30).

-config file
    Path to the subfinder configuration file (e.g., to load API keys).

-sources list
    Comma-separated list of specific sources to use (e.g., certsh,virustotal).

-exclude-sources list
    Comma-separated list of sources to exclude from the enumeration.

-version
    Show the current version of subfinder.

-h, -help
    Show the help message and exit.

subfinder is a powerful and efficient command-line tool designed for passive subdomain enumeration. It rapidly discovers valid subdomains for a given target domain by leveraging various online sources such as Certificate Transparency logs, VirusTotal, Shodan, Censys, and many others, without sending active probes to the target infrastructure.

This makes it a valuable asset for reconnaissance, bug bounty hunting, and penetration testing, providing a comprehensive list of subdomains that might otherwise be missed. It's built for speed and accuracy, supporting concurrent requests and allowing users to configure custom resolvers and API keys for enhanced performance and results.

Its strength lies in its ability to gather a vast array of subdomains from publicly available information, minimizing the footprint on the target. Users can specify a single domain or a list of domains, direct output to a file, and filter results based on specific criteria like excluding wildcard domains.

subfinder's effectiveness relies heavily on the availability and accuracy of external data sources. Some sources require API keys (e.g., VirusTotal, Shodan, Censys) configured in its default or specified `config.yaml` file; without them, certain enumeration capabilities will be limited. Results may contain false positives or incomplete lists due to rate limiting by sources or network issues. As a passive tool, it does not actively probe target DNS servers, which means it might miss newly registered or internal-only subdomains not exposed publicly.

For optimal results and to unlock the full potential of subfinder, users should configure API keys for various third-party services (e.g., VirusTotal, Shodan, Censys) within the subfinder configuration file. This file is typically located at ~/.config/subfinder/config.yaml (or specified with the -config flag), allowing subfinder to access more comprehensive datasets.

subfinder is often used in conjunction with other ProjectDiscovery tools as part of a reconnaissance pipeline. For instance, its output can be piped directly into httpx (for quickly probing found subdomains for live HTTP/S servers) and subsequently into nuclei (for automated vulnerability scanning), forming a powerful and efficient workflow for security assessments.

subfinder was developed by the ProjectDiscovery team, a prominent group of security researchers and developers known for creating open-source tools for bug bounty hunting and penetration testing. It was designed to be a fast, reliable, and highly configurable subdomain enumeration tool, leveraging a wide array of passive data sources. Since its initial release, it has undergone continuous development, with regular updates incorporating new data sources, performance improvements, and bug fixes, establishing itself as a staple in many reconnaissance workflows.

assetfinder(1), amass(1), findomain(1), dnsrecon(1), dnsenum(1)