Getting started
Knowledge hub
- Overview
-
-
- 34 M Wordlist Subdomain Brute Force
- Asn Based Network Scan
- Asset Discovery and Vulnerability Scanning
- Custom Subdomain Brute Force Wordlist From Ip Ranges
- Enumerate Cloud Resources
- Full Subdomain Enumeration
- Get Ips and Cnames
- Getdns
- Github Recon and Scanner
- Hostnames S3 Bucket Finder
- Simple Content Discovery
-
-
- amass
- anew
- apkurlgrep
- assetfinder
- cent
- cero
- cewl
- cloudenum
- crosslinked
- dnsdumpster-dns-lookup
- dnsdumpster-host-search
- dnstwist
- dnsvalidator
- dsieve
- dumpsterdiver
- eyeballer
- ffuf
- find-gh-poc
- findomain
- gau
- generate-yaml-report
- get-asn-prefixes
- get-trickest-output
- gf
- github-subdomains
- goaltdns
- gospider
- gotator
- hakcheckurl
- httprobe
- httpx
- infoga
- ipinfo
- jldc-subdomains
- katana
- mapcidr
- mass-linkfinder
- masscan
- massdns
- meg
- mksub
- naabu
- notify
- nrich
- nuclei
- oneforall
- puredns
- pymeta
- s3scanner
- securitytrails-subdomains
- spiderfoot
- sslyze
- subdomainizer
- subfinder
- tlsx
- uncover
- unfurl
- uro
- vita
- webanalyze-1
- webanalyze
- x8
Tutorials
- Creating a Workflow
- Downloading a Result
- Executing a Workflow
- How Do Machines Work
- Keeping Track of a Run
- Navigating in Workflow Editor
- Overview
- Saving a Workflow and History
- Scheduling a Workflow
- Using Workflows From Library
Concepts
subfinder
Basic Usage Examples
Subdomain Enumeration of One Domain
Pass a domain (e.g. trickest.io) to thedomain input (type string)
Enumerate subdomains of one domain with subfinder
Subdomain Enumeration of Multiple Domains
Pass a list of domains to the domain-list input (type file)
trickest.com
trickest.io
Enumerate subdomains of a list of domains with subfinder
Improvements
API Keys
Pass API keys to the provider-config parameter to allow the tool to query more data sources. Example config file (README):
binaryedge:
- 0bf8919b-aab9-42e4-9574-d3b639324597
- ac244e2f-b635-4581-878a-33f4e79a2c13
censys:
- ac244e2f-b635-4581-878a-33f4e79a2c13:dd510d6e-1b6e-4655-83f6-f347b363def9
certspotter: []
passivetotal:
- sample-email@user.com:sample_password
securitytrails: []
shodan:
- AAAAClP1bJJSRMEYJazgwhJKrggRwKA
github:
- ghp_lkyJGU3jv1xmwk4SDXavrLDJ4dl2pSJMzj4X
- ghp_gkUuhkIYdQPj13ifH4KA3cXRn8JD2lqir2d4
zoomeye:
- zoomeye_username:zoomeye_password
Add provider-config to subfinder to query more data sources
All Sources
Turn on the Use-all-enumeration-services boolean input to potentially get more results, but keep in mind that this will make it slower.
Query all sources with subfinder
Active Subdomains Only
Turn on the remove-dead-subdomains boolean input to display active subdomains only. You can also turn on the include-ip parameter to include IP addresses in the output, and adjust the threads input to control how fast it will resolve subdomains.
Enumerate active subdomains with subfinders
Output Formats
- List of Hostnames (default)
- Hostnames and IP Addresses CSV (with
include-ip)
Notable Workflows
- Asset Discovery & Vulnerability Scanning
- Simple Content Discovery
- Full Subdomain Enumeration
- Inventory 2.0 - Hostnames
Similar Tools
- amass
- assetfinder
- github-subdomains
- jldc-subdomains
- vita
- subdomainizer
- oneforall
- securitytrails-subdomains
- spiderfoot
Get a Video Demo
Fill out and submit this form to receive an in-depth video demo of the Trickest platform.
Talk To Sales
Fill out the form and we'll get back to you about any questions you have on our products, services, pricing, or scheduling a demo.