loading
loading
Recon
Efficiently identify known subdomains from curated passive sources.
overview
xsubfind3r finds a domain's known subdomains by querying a curated set of passive OSINT sources: certificate transparency logs, search and threat-intel datasets, and web archives. It aggregates what those providers already record, so the requests reach the data sources instead of the target and the domain sees no scan traffic.
The tool is built for pipeline use. Scan one domain with --domain or a whole scope from a --list file, narrow coverage with --sources-to-use and --sources-to-exclude, and run --silent to emit nothing but subdomains, one per line. A --configuration file holds source settings and the API keys that providers like Shodan or VirusTotal need.
On Trickest, xsubfind3r is a Recon node that takes a domain or list and writes a file and a folder of results. Reach for it at the front of an attack-surface workflow, then resolve and probe the names downstream to turn a passive list into live, classified hosts.
use cases
Aggregate known subdomains from passive sources so you build an attack-surface picture without sending a single request to the target.
Pass a --list file of domains so every asset in scope gets passive subdomain discovery in one node, with results deduplicated across the inputs.
Select providers with --sources-to-use or drop them with --sources-to-exclude to trade coverage against speed and skip sources whose keys you do not hold.
Run --silent to emit only subdomains, one per line, so a resolver and prober downstream consume the list without parsing a banner or color codes.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| domain | STRING | --domain | Target domain to enumerate. |
| list | FILE | --list | File of target domains for bulk discovery. |
| sources-to-use | STRING | --sources-to-use | Comma-separated sources to include. |
| sources-to-exclude | STRING | --sources-to-exclude | Comma-separated sources to skip. |
| configuration | FILE | --configuration | Configuration file with source settings and API keys. |
| silent | BOOLEAN | --silent | Print only subdomains, one per line. |
Showing key inputs. xsubfind3r exposes 8 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| domain | STRING | --domain | target domain |
| list | FILE | --list | target domains list file path |
| sources-to-use | STRING | --sources-to-use | comma separated sources to use |
| sources-to-exclude | STRING | --sources-to-exclude | comma separated sources to exclude |
| configuration | FILE | --configuration | configuration file holding source settings and API keys |
| silent | BOOLEAN | --silent | display output subdomains only |
| verbose | BOOLEAN | --verbose | display verbose output |
| monochrome | BOOLEAN | --monochrome | display no-color output |
example
# passive subdomain discovery from a chosen set of sources, quiet outputxsubfind3r --domain example.com --sources-to-use crtsh,wayback --silent > subdomains.txtapi.example.comwww.example.commail.example.comdev.example.comstaging.example.comvpn.example.comblog.example.comcdn.example.comadmin.example.com… (37 subdomains aggregated from crtsh, wayback, and otx)guidance
Use xsubfind3r when you want quiet, passive subdomain discovery from curated sources. To brute-force subdomains actively, pair it with a resolver-based tool; to crawl an app's endpoints, use katana.
Widely used passive subdomain finder. Similar approach; choose by source coverage and the keys you hold.
Heavier surface mapper with passive and active modes. More thorough, slower than a passive-only run.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
A domain feeds xsubfind3r, which gathers known subdomains from passive sources and passes them to httpx for probing before they land as classified live hosts.
Facts on this page come from the live Trickest tool library.