Subfinder Cheat Sheet

What is Subfinder
Install Subfinder
Subfinder API Setup
- Subfinder Config File
- Subfinder API Sources
Example Subfinder API Config File
Subfinder Usage
Example Subfinder Commands
Conclusion
Document Changelog

What is Subfinder

Subfinder is a passive subdomain discovery tool made by Project Discovery. The following subfinder cheat sheet provides an overview of the command flags for Subfinder and common command examples for real world usage. Subfinder can be used to obtain a number of valid subdomains both passively and actively, to identify more attack surface for penetration testing or bug bounty recon or assessment.

Install Subfinder

go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest

Configure API Keys

Subfinder works straight after install, however with API keys (even a free key) will improve passive subdomain results.

Subfinder Flags & Syntax

root:~# subfinder -h

Subfinder API Setup

Configuring Subfinder to use free or paid API services will likely improve the discovered domains the tool can find. You can list the sources Subfinder uses by running subfinder -ls.

Subfinder Config File

In order to setup subfinder API keys you need to create or modify the existing configuration file. The filesystem location for the subfinder config file is at: $HOME/.config/subfinder/provider-config.yaml the subfinder config file needs to be populated with the API keys that you will need to obtain from the various sources that have (kindly) been listed below.

Subfinder API Sources

Subfinder supports the following data API sources:

NAME	URL
BeVigil	`https://bevigil.com/osint-api`
BinaryEdge	`https://binaryedge.io`
BufferOver	`https://tls.bufferover.run`
C99	`https://api.c99.nl/`
Censys	`https://censys.io`
CertSpotter	`https://sslmate.com/certspotter/api/`
Chaos	`https://chaos.projectdiscovery.io`
Chinaz	`http://my.chinaz.com/ChinazAPI/DataCenter/MyDataApi`
DNSDB	`https://api.dnsdb.info`
Fofa	`https://fofa.info/static_pages/api_help`
FullHunt	`https://fullhunt.io`
GitHub	`https://github.com`
Intelx	`https://intelx.io`
PassiveTotal	`http://passivetotal.org`
quake	`https://quake.360.cn`
Robtex	`https://www.robtex.com/api/`
SecurityTrails	`http://securitytrails.com`
Shodan	`https://shodan.io`
ThreatBook	`https://x.threatbook.cn/en`
VirusTotal	`https://www.virustotal.com`
WhoisXML API	`https://whoisxmlapi.com/`
ZoomEye	`https://www.zoomeye.org`
ZoomEye API	`https://api.zoomeye.org`
dnsrepo	`https://dnsrepo.noc.org`
Hunter	`https://hunter.qianxin.com/`
Facebook	`https://developers.facebook.com`
BuiltWith	`https://api.builtwith.com/domain-api`

Example Subfinder API Config File

The following is an example of the API config file:

binaryedge:
  - 0bf8919b-aab9-42e4-9574-d3b639324597
  - ac244e2f-b635-4581-878a-33f4e79a2c13
censys:
  - ac244e2f-b635-4581-878a-33f4e79a2c13:dd510d6e-1b6e-4655-83f6-f347b363def9
certspotter: []
passivetotal:
  - sample-email@user.com:sample_password
redhuntlabs:
  - ENDPOINT:API_TOKEN
  - https://reconapi.redhuntlabs.com/community/v1/domains/subdomains:joEPzJJp2AuOCw7teAj63HYrPGnsxuPQ
securitytrails: []
shodan:
  - AAAAClP1bJJSRMEYJazgwhJKrggRwKA
github:
  - ghp_lkyJGU3jv1xmwk4SDXavrLDJ4dl2pSJMzj4X
  - ghp_gkUuhkIYdQPj13ifH4KA3cXRn8JD2lqir2d4
zoomeyeapi:
  - 4f73021d-ff95-4f53-937f-83d6db719eec
quake:
  - 0cb9030c-0a40-48a3-b8c4-fca28e466ba3
facebook:
  - APP_ID:APP_SECRET
intelx:
  - HOST:API_KEY
  - 2.intelx.io:s4324-b98b-41b2-220e8-3320f6a1284d

Above file source: https://docs.projectdiscovery.io/tools/subfinder/install#post-install-configuration

Subfinder Usage

How to use Subfinder to find domains:

Flag	Description
`-d, -domain string[]`	domains to find subdomains for
`-dL, -list string`	file containing list of domains for subdomain discovery
`-s, -sources string[]`	specific sources to use for discovery (-s crtsh,github). Use -ls to display all available sources.
`-recursive`	use only sources that can handle subdomains recursively (e.g. subdomain.domain.tld vs domain.tld)
`-all`	use all sources for enumeration (slow)
`-es, -exclude-sources string[]`	sources to exclude from enumeration (-es alienvault,zoomeye)
`-m, -match string[]`	subdomain or list of subdomain to match (file or comma separated)
`-f, -filter string[]`	subdomain or list of subdomain to filter (file or comma separated)
`-rl, -rate-limit int`	maximum number of http requests to send per second
`-t int`	number of concurrent goroutines for resolving (-active only) (default 10)
`-o, -output string`	file to write output to
`-oJ, -json`	write output in JSONL(ines) format
`-oD, -output-dir string`	directory to write output (-dL only)
`-cs, -collect-sources`	include all sources in the output (-json only)
`-oI, -ip`	include host IP in output (-active only)
`-config string`	flag config file (default "$HOME/.config/subfinder/config.yaml")
`-pc, -provider-config string`	provider config file (default "$HOME/.config/subfinder/provider-config.yaml")
`-r string[]`	comma separated list of resolvers to use
`-rL, -rlist string`	file containing list of resolvers to use
`-nW, -active`	display active subdomains only
`-proxy string`	http proxy to use with subfinder
`-ei, -exclude-ip`	exclude IPs from the list of domains
`-silent`	show only subdomains in output
`-version`	show version of subfinder
`-v`	show verbose output
`-nc, -no-color`	disable color in output
`-ls, -list-sources`	list all available sources
`-timeout int`	seconds to wait before timing out (default 30)
`-max-time int`	minutes to wait for enumeration results (default 10)

Example Subfinder Commands

Find Subdomains Single Domain

Find subdomains for a single domain with subfinder:

subfinder -d hackerone.com

               __    _____           __
   _______  __/ /_  / __(_)___  ____/ /__  _____
  / ___/ / / / __ \/ /_/ / __ \/ __  / _ \/ ___/
 (__  ) /_/ / /_/ / __/ / / / / /_/ /  __/ /
/____/\__,_/_.___/_/ /_/_/ /_/\__,_/\___/_/ v2.5.1

		projectdiscovery.io

Use with caution. You are responsible for your actions
Developers assume no liability and are not responsible for any misuse or damage.
By using subfinder, you also agree to the terms of the APIs used.

[INF] Enumerating subdomains for hackerone.com
info.hackerone.com
design.hackerone.com
docs.hackerone.com
events.hackerone.com
web-seo-content-for-business.theflyingkick.websitedesignresource.api.hackerone.com
zendesk2.hackerone.com
fsdkim.hackerone.com
email.gh-mail.hackerone.com
a.ns.hackerone.com
support.hackerone.com
www.hackerone.com
mta-sts.managed.hackerone.com
api.hackerone.com
gslink.hackerone.com
zendesk1.hackerone.com
3d.hackerone.com
links.hackerone.com
mta-sts.hackerone.com
resources.hackerone.com
zendesk4.hackerone.com
zendesk3.hackerone.com
go.hackerone.com
mta-sts.forwarding.hackerone.com
_dmarc.hackerone.com
b.ns.hackerone.com
hackerone.com
defcon.hackerone.com
[INF] Found 27 subdomains for hackerone.com in 30 seconds 33 milliseconds

Verify Subfinder Results With HTTPX

Chain up other tools within your workflow, such as verifying targets have web servers using HTTPX:

echo hackerone.com | subfinder -silent | httpx -silent
https://docs.hackerone.com
https://mta-sts.forwarding.hackerone.com
https://mta-sts.hackerone.com
https://mta-sts.managed.hackerone.com
http://a.ns.hackerone.com
https://www.hackerone.com
http://b.ns.hackerone.com
http://zendesk4.hackerone.com
http://fsdkim.hackerone.com
http://zendesk1.hackerone.com
http://zendesk2.hackerone.com
http://zendesk3.hackerone.com
https://hackerone.com
https://support.hackerone.com
https://resources.hackerone.com
https://gslink.hackerone.com
https://api.hackerone.com

Subfinder + Naabu Portscan

echo hackerone.com | subfinder -silent | naabu -silent
docs.hackerone.com:443
docs.hackerone.com:80
mta-sts.forwarding.hackerone.com:443
mta-sts.forwarding.hackerone.com:80
mta-sts.hackerone.com:80
mta-sts.hackerone.com:443
mta-sts.managed.hackerone.com:80
mta-sts.managed.hackerone.com:443
<--SNIP-->

Conclusion

We hope you found this Subfinder cheat sheet useful, and it helps you get started with this powerful subdomain enumeration tool to find more assets for assessment.

Document Changelog

Last Updated: 04/06/2024 (6th of June 2024)
Author: Arr0way
Notes: Checked syntax was current for latest version of Subfinder + fixed typos.

Last Updated: 12/02/2024 (12th of February 2024)
Author: Dhruv Ambaliya
Notes: Checked syntax was current for latest version of Subfinder + added Subfinder API sources table.

Category	Post Name
`walkthroughs`	FactCheck CTF - Walkthrough
`walkthroughs`	WinAntiDbg0x100 CTF - Walkthrough
`walkthroughs`	packer CTF - Walkthrough
`walkthroughs`	vault-door-1 CTF - Walkthrough
`walkthroughs`	vault-door-training CTF - Walkthrough
`cheat-sheet`	Android Pen Testing Environment Setup
`cheat-sheet`	DNS Tunneling dnscat2 Cheat Sheet
`cheat-sheet`	Katana Cheat Sheet - Commands, Flags & Examples
`cheat-sheet`	httpx Cheat Sheet - Commands & Examples Tutorial
`cheat-sheet`	SSH Lateral Movement Cheat Sheet