How to Find Subdomains Using Subfinder
Subfinder is an open-source subdomain discovery tool that helps users find subdomains associated with a target domain. It is fast, reliable, and leverages numerous sources to gather subdomain information.
In this article, we will guide you through the process of finding subdomains using Subfinder, explain its features, and provide tips for making the most of it.
1. What is Subfinder?
Subfinder is an open-source tool that focuses on quickly discovering subdomains of a given domain. It relies on multiple public sources, including search engines, APIs, and third-party services, to gather subdomain information. The main goal of Subfinder is to provide accurate and fast subdomain enumeration with minimal configuration.
Subfinder is especially popular among security professionals for conducting initial reconnaissance (footprinting) during penetration testing or vulnerability assessments.
2. Setting Up Subfinder
Before you can begin using Subfinder, you need to install it. Subfinder is a Go-based tool, so you'll need to have Go installed on your system.
Prerequisites:
- Go programming language installed on your system.
- A terminal or command-line interface (CLI) for running the tool.
Installation Steps:
Step 1: Install Go
If you don’t have Go installed, download and install it from the official Go website: https://golang.org/dl/.
Follow the installation instructions specific to your operating system.
Step 2: Install Subfinder
Once Go is installed, you can install Subfinder using the following command:
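go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
This will download and compile Subfinder and place the subfinder binary in your Go bin directory ($GOPATH/bin, by default $HOME/go/bin). Make sure that directory is on your PATH.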
Step 3: Verify Installation
To verify that Subfinder has been installed correctly, run the following command:
subfinder -h
This will display the help message for Subfinder, confirming that the installation was successful.
3. Basic Usage of Subfinder
Subfinder is simple to use and provides several options for customizing the subdomain discovery process. The basic command syntax is:
subfinder -d <domain>
Where <domain> is the target domain for which you want to find subdomains.
Example:
subfinder -d example.com
This command will query public sources and return a list of discovered subdomains associated with example.com.
4. Using Additional Options with Subfinder
Subfinder has a variety of options that allow you to fine-tune the enumeration process. Below are some of the most useful flags and features:
- -d: The domain you are targeting. This is a required flag.
Example: subfinder -d example.com
- -o: Output file where the results will be saved. You can specify the file format, such as .txt or .json.
Example: subfinder -d example.com -o subdomains.txt
- -v: Enable verbose mode to get detailed information about the tool’s progress and sources.
Example: subfinder -d example.com -v
- -t: Set the number of concurrent threads. The default is 5, but you can increase this to speed up the enumeration process.
Example: subfinder -d example.com -t 20
- -silent: Suppress output to the terminal and only save the results to a file.
Example: subfinder -d example.com -silent -o subdomains.txt
- -config: Specify a configuration file for custom API keys. Some data sources may require API keys for access, such as VirusTotal or Shodan.
Example: subfinder -d example.com -config /path/to/config.yaml
5. Leveraging Subfinder’s Integration with Other Tools
Subfinder can be integrated with other tools, enhancing its utility in a larger reconnaissance pipeline. Here are a few ways to do this:
- Sublist3r: Sublist3r is another popular subdomain enumeration tool. You can use Subfinder and Sublist3r together for a more comprehensive subdomain discovery process.
- Amass: Amass is a more advanced subdomain enumeration tool. Combining Subfinder’s speed with Amass’ deep enumeration capabilities can provide robust results.
- DNSDumpster & Shodan: Subfinder supports integrations with services like Shodan and DNSDumpster. These services can provide additional subdomains through their APIs.
6. Advanced Features
Subfinder also includes some advanced features for power users:
- Active Scanning: While Subfinder mainly relies on passive data sources, it can also perform active scanning to gather more subdomains. This is useful when you want to discover subdomains that are not listed in passive sources.
- Custom API Integrations: Subfinder allows you to configure API keys for various sources like VirusTotal, Shodan, and others to enhance subdomain discovery. These API keys can be configured via a YAML file.
- Rate Limiting: To prevent IP blocking from sources, Subfinder includes rate limiting, ensuring that you don’t hit servers too frequently.
7. How to Filter Subdomain Results
After running Subfinder, you will likely have a large list of discovered subdomains. You can use various methods to filter and organize these results:
- Remove Duplicates: Sometimes, Subfinder may return duplicate subdomains. You can remove duplicates by using tools like sort and uniq:
sort subdomains.txt | uniq > unique_subdomains.txt
- Use a DNS Resolver: You can resolve subdomains to IP addresses to verify if they are active. Tools like dnsmasq or massdns can help with DNS resolution.
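Plain sort | uniq treats names that differ only in case, a trailing dot or a wildcard prefix as distinct, and it keeps names that merely contain the target domain. The following is an added example (not from the original article or the Subfinder project) that normalizes and scope-checks the list before de-duplicating; the function names and the sample list are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the Subfinder project): clean a Subfinder result list.

# Constructed sample standing in for the contents of subdomains.txt.
sample_results() {
cat <<'EOF'
www.example.com
WWW.Example.com
api.example.com.
*.dev.example.com
dev.example.com
  mail.example.com
example.com
notexample.com
example.com.other.test
bad host!.example.com
-x.example.com
EOF
}

# normalize_subdomains ROOT: read hostnames on stdin, print unique in-scope names.
# Steps: lowercase, strip CRs and surrounding whitespace, drop a trailing root
# dot and a leading wildcard label, reject malformed names, enforce the scope.
normalize_subdomains() {
    root=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    tr '[:upper:]' '[:lower:]' | tr -d '\r' |
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/\.$//' -e 's/^\*\.//' |
    awk -v root="$root" '
        /[^a-z0-9._-]/ { next }                            # illegal characters
        /^[.-]/ || /[.-]$/ || /\.[.-]/ || /-\./ { next }   # malformed labels
        $0 == root { print; next }                         # the apex itself
        # in scope only if the name ends in ".<root>", not merely contains it
        length($0) > length(root) + 1 &&
            substr($0, length($0) - length(root)) == ("." root) { print }
    ' |
    LC_ALL=C sort -u
}

# Stand-alone run on the constructed sample.
sample_results | normalize_subdomains example.com
```

On a real run, replace the sample with the saved file, for example: normalize_subdomains example.com < subdomains.txt > unique_subdomains.txt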
8. Limitations of Subfinder
While Subfinder is an excellent tool, there are some limitations to keep in mind:
- Incomplete Results: No tool can guarantee 100% coverage of subdomains. Some subdomains may not be listed in public databases or data sources.
- False Positives: Some discovered subdomains may not be valid or may no longer exist.
- API Key Limits: Some data sources require API keys with usage limits, which could hinder the discovery of subdomains when hitting rate limits.
9. Conclusion
Subfinder is a fast and reliable tool for subdomain discovery, widely used in penetration testing, bug bounty hunting, and general security assessments. Its ease of use, along with support for multiple data sources, makes it an essential tool for any security professional. By following the steps outlined in this article, you can quickly set up Subfinder and start gathering valuable subdomain information to help identify attack vectors and secure your infrastructure.