subfinder
Passive subdomain discovery tool
TLDR
Find subdomains
$ subfinder -d [example.com]
Output to file$ subfinder -d [example.com] -o [subdomains.txt]
Use all sources$ subfinder -d [example.com] -all
Show only active hosts$ subfinder -d [example.com] -active
Silent mode (subdomains only)$ subfinder -d [example.com] -silent
Multiple domains$ subfinder -dL [domains.txt]
SYNOPSIS
subfinder [options]
DESCRIPTION
subfinder is a subdomain discovery tool that uses passive sources to find subdomains of a target domain. It queries certificate transparency logs, DNS datasets, and various APIs.
The tool is designed for authorized security assessments and bug bounty hunting.
PARAMETERS
-d domain
Target domain.-dL file
List of domains.-o file
Output file.-oJ
JSON output.-all
Use all sources.-active
Verify active subdomains.-silent
Output subdomains only.-v
Verbose output.-t n
Threads.-timeout n
Timeout in seconds.-rl n
Rate limit.
CONFIGURATION
~/.config/subfinder/provider-config.yaml
API keys and credentials for data sources such as Shodan, Censys, SecurityTrails, and VirusTotal.
CAVEATS
API keys improve results. Rate limits apply. Only for authorized testing. Results depend on available data.
HISTORY
subfinder was created by projectdiscovery as a fast subdomain enumeration tool. It's part of their security toolkit and is widely used in the bug bounty community.
SEE ALSO
amass(1), findomain(1), assetfinder(1), dnsx(1)