The Complete Guide to Using Subfinder

by

Subfinder is a powerful tool for discovering subdomains. It’s a subdomain enumeration tool that uses passive online sources to gather subdomains and is designed for ease of use and fast results. This guide will take you through everything you need to know to get started with Subfinder, from installation to advanced usage.

Table of Contents

  1. Introduction to Subfinder
  2. Installation
  3. Basic Usage
  4. Configuration and API Keys
  5. Advanced Options
  6. Integrating with Other Tools
  7. Best Practices
  8. Conclusion

1. Introduction to Subfinder

Subfinder is a command-line tool written in Go that helps security researchers and penetration testers find subdomains for a given domain. It uses passive sources, meaning it doesn’t interact directly with the target domain, making it a stealthy option for subdomain discovery.

Key Features:

  • Fast and efficient subdomain enumeration.
  • Passive sources to avoid detection.
  • Easy integration with other tools.

2. Installation

To install Subfinder, you need to have Go installed on your system. Here’s a step-by-step guide:

Prerequisites:

Installation Steps:

  1. Install Go: Download and install Go from the official site.
  2. Set up Go environment:export GOPATH=$HOME/go export PATH=$PATH:$GOPATH/bin
  3. Install Subfinder:go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest

Verify Installation:

To confirm Subfinder is installed correctly, run:

subfinder -h

You should see the help menu for Subfinder.

3. Basic Usage

Using Subfinder is straightforward. The basic command to find subdomains is:

subfinder -d example.com

This will enumerate subdomains for example.com.

4. Configuration and API Keys

Subfinder supports various APIs to improve the results. You need to configure API keys for the services you want to use.

Configuring API Keys:

  1. Create Configuration File:shCopy codesubfinder config
  2. Edit Configuration File: Add your API keys to the configuration file located at ~/.config/subfinder/config.yaml.

Example Configuration (config.yaml):

sources:
  - alienvault
  - certspotter
  - securitytrails

keys:
  alienvault: "your_alienvault_api_key"
  certspotter: "your_certspotter_api_key"
  securitytrails: "your_securitytrails_api_key"

5. Advanced Options

Subfinder offers several advanced options to customize its behavior:

Specify Output Format:

subfinder -d example.com -o results.txt

This will save the output to results.txt.

Use Specific Sources:

subfinder -d example.com -s crtsh,shodan

This command will use crtsh and shodan as sources.

Exclude Sources:

subfinder -d example.com -es threatminer,virustotal

This will exclude threatminer and virustotal sources.

Enumerate multiple domains:

subfinder -dL domains.txt

6. Integrating with Other Tools

Subfinder can be integrated with other tools to enhance your workflow. For example, you can pipe the output to tools like httpx for further analysis.

Example Integration:

subfinder -d example.com | httpx | anew subdomains.txt

This will find subdomains and then check their HTTP status using httpx.

7. Best Practices

  • Regular Updates: Ensure the Subfinder and its sources are regularly updated.
  • API Limits: Be mindful of API rate limits to avoid being blocked.
  • Combine Tools: Use Subfinder in combination with other enumeration tools for comprehensive results.

8. Conclusion

Subfinder is a versatile tool that should be part of any security researcher’s toolkit. By following this guide, you should be able to install, configure, and use Subfinder effectively to discover subdomains. Its ability to integrate with other tools makes it a powerful component in any penetration testing workflow.

References:

Feel free to explore and experiment with Subfinder to discover its full potential. Happy subdomain hunting!

Leave a Comment