So what is this subfinder tool all about?
Subfinder is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources. It has a simple modular architecture and is optimized for speed. subfinder is built for doing one thing only – passive subdomain enumeration, and it does that very well.
It is designed as a subfinder to comply with all passive sources licenses, and usage restrictions, as well as maintaining a consistently passive model to make it useful to both penetration testers and bug bounty hunters alike.
There are three different ways to install the subfinder.
- From Binary
It is the easiest way to install, download the pre-built binaries from the releases page. Download the only binary which is compatible with your system. Extract them using tar and move the binary to your “`$PATH“`.
The other two methods are manual installation of the tool, it requires go1.14+ install in your system. To check the install version of the go language below command is used if go is not installed it can be installed by using the following link.
Using the go get command it can install.
GO111MODULE=on go get -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder
git clone https://github.com/projectdiscovery/subfinder.git cd subfinder/v2/cmd/subfinder go build . mv subfinder /usr/local/bin/ subfinder -h
Post Installation Instructions (Optional)
It will suggest do these steps so the tool can give the maximum results. Subfinder fetches the results from various sources with some requiring an API key to fetch results. You can follow this link to see which services do. API keys will be added in the config which is stored in “` $HOME/.config/subfinder/config.yaml“`.
How Subfinder works
To start scanning the target domain, provide the subfinder the domain in the following format.
subfinder -d <domain_name>
The tool makes the request to different sources to fetch the subdomains such as shodan,virustotal,censys, etc.
To store the output in a file, the following command is used.
Subfinder -d domain-name -o results.txt
To use all the sources and show only the subdomain the following command is used.
subfinder -all -silent -d domain-name -o result.txt
What Bunny rating does it get?
The tool is helpful in identifying subdomains passively utilising various sources with great speed and efficiency, as a result, we will be awarding this tool a rating of 4 out of 5 bunnies.