Home Free Hacking Tools Subfinder – A Subdomain Discovery Tool

Subfinder – A Subdomain Discovery Tool

by Mic Johnson
Penetration testing tools

So what is this subfinder tool all about?

Subfinder is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources. It has a simple modular architecture and is optimized for speed. subfinder is built for doing one thing only – passive subdomain enumeration, and it does that very well.

It is designed as a subfinder to comply with all passive sources licenses, and usage restrictions, as well as maintaining a consistently passive model to make it useful to both penetration testers and bug bounty hunters alike.

Subfinder Installation

There are three different ways to install the subfinder.

  • From Binary

It is the easiest way to install, download the pre-built binaries from the releases page. Download the only binary which is compatible with your system. Extract them using tar and move the binary to your  “`$PATH“`.

Penetration testing tools

The other two methods are manual installation of the tool, it requires go1.14+ install in your system. To check the install version of the go language below command is used if go is not installed it can be installed by using the following link.

go version

From Source

Using the go get command it can install.

GO111MODULE=on go get -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder

From Github

git clone https://github.com/projectdiscovery/subfinder.git

cd subfinder/v2/cmd/subfinder

go build .

mv subfinder /usr/local/bin/

subfinder -h

Post Installation Instructions (Optional)

It will suggest do these steps so the tool can give the maximum results. Subfinder fetches the results from various sources with some requiring an API key to fetch results. You can follow this link to see which services do. API keys will be added in the config which is stored in “` $HOME/.config/subfinder/config.yaml“`.

How Subfinder works

To start scanning the target domain, provide the subfinder the domain in the following format.

subfinder -d <domain_name>

The tool makes the request to different sources to fetch the subdomains such as shodan,virustotal,censys, etc.

To store the output in a file, the following command is used.

Subfinder -d domain-name -o results.txt

To use all the sources and show only the subdomain the following command is used.

subfinder -all -silent -d domain-name -o result.txt

What Bunny rating does it get?

The tool is helpful in identifying subdomains passively utilising various sources with great speed and efficiency, as a result, we will be awarding this tool a rating of 4 out of 5 bunnies.

You may also like