subfinder
Basic Usage Examples
Subdomain Enumeration of One Domain
Pass a domain (e.g. trickest.io) to thedomain input (type string)
Enumerate subdomains of one domain with subfinder
Subdomain Enumeration of Multiple Domains
Pass a list of domains to the domain-list input (type file)
trickest.com
trickest.io
Enumerate subdomains of a list of domains with subfinder
Improvements
API Keys
Pass API keys to the provider-config parameter to allow the tool to query more data sources. Example config file (README):
binaryedge:
- 0bf8919b-aab9-42e4-9574-d3b639324597
- ac244e2f-b635-4581-878a-33f4e79a2c13
censys:
- ac244e2f-b635-4581-878a-33f4e79a2c13:dd510d6e-1b6e-4655-83f6-f347b363def9
certspotter: []
passivetotal:
- sample-email@user.com:sample_password
securitytrails: []
shodan:
- AAAAClP1bJJSRMEYJazgwhJKrggRwKA
github:
- ghp_lkyJGU3jv1xmwk4SDXavrLDJ4dl2pSJMzj4X
- ghp_gkUuhkIYdQPj13ifH4KA3cXRn8JD2lqir2d4
zoomeye:
- zoomeye_username:zoomeye_password
Add provider-config to subfinder to query more data sources
All Sources
Turn on the Use-all-enumeration-services boolean input to potentially get more results, but keep in mind that this will make it slower.
Query all sources with subfinder
Active Subdomains Only
Turn on the remove-dead-subdomains boolean input to display active subdomains only. You can also turn on the include-ip parameter to include IP addresses in the output, and adjust the threads input to control how fast it will resolve subdomains.
Enumerate active subdomains with subfinders
Output Formats
- List of Hostnames (default)
- Hostnames and IP Addresses CSV (with
include-ip)
Notable Workflows
- Asset Discovery & Vulnerability Scanning
- Simple Content Discovery
- Full Subdomain Enumeration
- Inventory 2.0 - Hostnames