loading
loading
Recon
The complete solution for domain recognition.
overview
findomain enumerates subdomains for a target by querying certificate transparency logs and a broad set of passive sources, then folds in optional active steps so one pass produces a usable attack surface. Point it at a host with --target and it returns the subdomains those sources know about; with --resolved and --ip it keeps names that resolve and records their addresses.
Beyond plain enumeration it carries stages teams often bolt on afterward. --http-status checks which names answer over HTTP, --pscan scans a port range you set with --iport and --lport, and supplying --wordlist enables a bruteforce pass. You can import names with --import-subdomains, drop noisy sources with --exclude-sources, and pace wide scopes with --rate-limit.
In a Trickest workflow findomain takes a target and writes a file and a folder of results. Chain it early to seed a pipeline, then pass its resolved, live subdomains to a prober such as httpx and a scanner such as nuclei so later stages work from real hosts.
use cases
Run findomain with --target to pull subdomains from certificate transparency and passive sources in one pass, then write them for the rest of the workflow.
Enable --resolved to keep only subdomains that resolve, record addresses with --ip, and run --http-status so downstream stages start from hosts that answer.
Supply --wordlist to bruteforce additional names and turn on --pscan over a chosen port range to map exposed services alongside discovered subdomains.
Import subdomains with --import-subdomains, exclude noisy sources or string patterns, and feed the cleaned list into a probing and scanning pipeline.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| target-host | STRING | --target | Target host. |
| subdomains | FILE | --file | Use a list of subdomains writen in a file as input. |
| resolved | BOOLEAN | --resolved | Show/write only resolved subdomains. |
| show-resolved-ip | BOOLEAN | --ip | Show/write the ip address of resolved subdomains. |
| http-status | BOOLEAN | --http-status | Check the HTTP status of subdomains. |
| pscan | BOOLEAN | --pscan | Enable port scanner. |
| wordlist | FILE | --wordlist | Wordlist file to use in the bruteforce process. Using it option automatically enables bruteforce mode. |
| exclude-sources | STRING | --exclude-sources | Exclude sources from searching subdomains in. |
Showing key inputs. findomain exposes 39 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| pscan | BOOLEAN | --pscan | Enable port scanner. |
| quiet | BOOLEAN | --quiet | Remove informative messages but show fatal errors or subdomains not found message. |
| aempty | BOOLEAN | --aempty | Send alert to webhooks still when no new subdomains have been found. |
| filter | STRING | --filter | Filter subdomains containing specifics strings. |
| jobname | STRING | --jobname | Use an database identifier for jobs. It is useful when you want to relate different targets into a same job name. To extract the data by job name identifier, use the query-jobname option. |
| resolved | BOOLEAN | --resolved | Show/write only resolved subdomains. |
| wordlist | FILE | --wordlist | Wordlist file to use in the bruteforce process. Using it option automatically enables bruteforce mode. |
| ipv6-only | BOOLEAN | --ipv6-only | Perform a IPv6 lookup only |
| last-port | STRING | --lport | Last port to scan. Default 1000. |
| randomize | BOOLEAN | --randomize | Enable randomization when reading targets from files. |
| resolvers | FILE | --resolvers | Path to a file containing a list of DNS IP address. If no specified then Google, Cloudflare and Quad9 DNS servers are used. |
| enable-dot | BOOLEAN | --enable-dot | Enable DNS over TLS for resolving subdomains IPs. |
| no-monitor | BOOLEAN | --no-monitor | Disable monitoring mode while saving data to database. |
| no-resolve | BOOLEAN | --no-resolve | Disable pre-screenshotting jobs (http check and ip discover) when used as resolver to take screenshots. |
| rate-limit | STRING | --rate-limit | Set the rate limit in seconds for each target during enumeration. |
| subdomains | FILE | --file | Use a list of subdomains writen in a file as input. |
| as-resolver | BOOLEAN | --as-resolver | Use Findomain as resolver for a list of domains in a file. |
| config-file | FILE | --config | Use a configuration file. The default configuration file is findomain and the format can be toml, json, hjson, ini or yml. |
| http-status | BOOLEAN | --http-status | Check the HTTP status of subdomains. |
| target-host | STRING | --target | Target host. |
| user-agents | FILE | --ua | Path to file containing user agents strings. |
| http-timeout | STRING | --http-timeout | Value in seconds for the HTTP Status check of subdomains. Default 5 |
| initial-port | STRING | --iport | Initial port to scan. Default 0. |
| no-wildcards | BOOLEAN | --no-wildcards | Disable wilcard detection when resolving subdomains. |
| verbose-mode | BOOLEAN | --verbose | Enable verbose mode (useful to debug problems). |
| postgres-host | STRING | --postgres-host | Postgresql host. |
| postgres-port | STRING | --postgres-port | Postgresql port. |
| postgres-user | STRING | --postgres-user | Postgresql username. |
| query-jobname | STRING | --query-jobname | Extract all the subdomains from the database where the job name is the specified using the jobname option. |
| chrome-sandbox | BOOLEAN | --sandbox | Enable Chrome/Chromium sandbox. It is disabled by default because a big number of users run the tool using the root user by default. Make sure you are not running the program as root user before using this option. |
| monitoring-mde | BOOLEAN | --monitoring-flag | Activate Findomain monitoring mode |
| query-database | BOOLEAN | --query-database | Query the findomain database to search subdomains that have already been discovered. |
| exclude-sources | STRING | --exclude-sources | Exclude sources from searching subdomains in. [possible values: certspotter, crtsh, virustotal, sublist3r, facebook, spyse, bufferover, threatcrowd, virustotalapikey, anubis, urlscan, securitytrails, threatminer,archiveorg, c99, ctsearch] |
| show-resolved-ip | BOOLEAN | --ip | Show/write the ip address of resolved subdomains. |
| import-subdomains | FILE | --import-subdomains | Import subdomains from one or multiple files. Subdomains need to be one per line in the file to import. |
| postgres-database | STRING | --postgres-database | Postgresql database. |
| postgres-password | STRING | --postgres-password | Postgresql password. |
| external-subdomains | BOOLEAN | --external-subdomains | Get external subdomains with amass and subfinder |
| exclude-subdomain-strings | STRING | --exclude | Exclude subdomains containing specifics strings. |
example
# findomain: passive enum, resolved names only, with IPsfindomain --target example.com --resolved --ip --quietapi.example.comapp.example.comstaging.example.comdev.example.commail.example.comvpn.example.comcdn.example.comwww.example.comguidance
Reach for Findomain when you want subdomain enumeration with resolution, HTTP checks, and an optional port scan in one node. For deeper passive plus active discovery use amass, and for a fast passive-only pull use subfinder. Findomain sits between them and adds built-in resolution and monitoring.
Passive subdomain discovery. Faster and source-focused, but has no built-in resolution, port scan, or HTTP check.
Deeper passive and active enumeration with richer correlation. Heavier to run than Findomain.
Minimal passive subdomain finder. Useful as an extra source to feed Findomain's import option.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
A target feeds Findomain, which enumerates and resolves its subdomains and passes the live hosts to httpx before they land as a queryable output.
Facts on this page come from the live Trickest tool library.