Subfinder: Fast Passive Subdomain Enumeration Tool in Linux

Today, most vulnerabilities are found and exploited on the subdomains of a website, which developers pay less attention to, and that gives an attacker an open invitation to exploit the main website.

In some cases, the developer doesn’t even know which subdomains were created. From a security point of view, if you are doing security research, it is your responsibility to know how to get a list of the subdomains of the root domain.

There are multiple ways to find subdomains. For example, if you are a site admin and have access to the DNS records, you can easily view the list of registered subdomains.

If you are not a site admin and are a security researcher looking for subdomains of the root site to check for security flaws, the subfinder tool can help.

What is the Subfinder Tool on Linux

Subfinder is a free and open-source subdomain discovery tool that discovers valid subdomains for websites. It uses passive online sources to find the subdomains of a site while following all the licenses and usage restrictions.

The application is written in the Go programming language, which gives you fast results and makes it a favourite subdomain finder for both penetration testers and bug bounty hunters.

Subfinder Tool Features

  • Fast and powerful resolution and wildcard elimination module
  • Optimized for speed, very fast and lightweight on resources
  • Curated passive sources to maximize results
  • Multiple output formats supported (JSON, File, Stdout)
  • STDIN/OUT support for integrating with workflows

Install Subfinder Tool on Linux

To install it, make sure Go is installed and configured on your system and that you have access to the go command. After that, run the following command to start the installation.

$ go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest

After the installation is finished, try to execute the subfinder command. If you get a "command not found" error, execute the following command to create a symbolic link for subfinder, which makes it globally accessible.

$ sudo ln -s ~/go/bin/subfinder /usr/bin/

Try to execute the subfinder command once again; if it throws the same error, reinstall Go.

Subfinder Tool Configuration

Subfinder works right after installation. However, to configure Subfinder to work with certain services, you will need to set up API keys.

The following services do not work without a valid API key:

Binaryedge, C99, Certspotter, Chinaz, Censys, Chaos, DnsDB, Fofa, Github, Intelx, Passivetotal, Robtex, SecurityTrails, Shodan, Threatbook, Virustotal, WhoisXML API, and Zoomeye

You can edit the configuration file located at ~/.config/subfinder/provider-config.yaml (which is created when you run the command for the first time) by using the following command.

$ nano ~/.config/subfinder/provider-config.yaml

Below is the output when the above command is executed.

Subfinder configuration file

After you add the API key your configuration file will look like the below.

Subfinder configuration file with API keys

Lastly, save and close the file after the changes.
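
Because this file now holds API keys, it is worth checking that only your user can read it and seeing which providers actually have a key. The script below is an added example, not part of the original article or the Subfinder project; the function names are hypothetical, and the sample file mirrors the provider-config.yaml layout (provider name, then a list of keys) with placeholder values.

```shell
#!/bin/sh
# Added example, not Subfinder project code. Function names are hypothetical.

# Constructed sample in the provider-config.yaml layout; keys are placeholders.
write_sample_config() {
    cat > "$1" <<'EOF'
binaryedge:
  - PLACEHOLDER-KEY-1
censys:
  - PLACEHOLDER-ID:PLACEHOLDER-SECRET
certspotter: []
shodan:
  - PLACEHOLDER-KEY-2
EOF
}

# Octal permission bits of a file (GNU stat, then BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Succeed only when nobody but the owner can read or write the file.
config_is_private() {
    mode=$(file_mode "$1") || return 2
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Names of providers with at least one "- value" entry; values are never printed.
configured_providers() {
    awk '
        /^[A-Za-z0-9_]+:/ { name = $1; sub(/:.*/, "", name); next }
        /^[ \t]*-[ \t]*[^ \t]/ { if (name != "") seen[name] = 1 }
        END { for (n in seen) print n }
    ' "$1" | sort
}

# Demo on a throwaway file; pass ~/.config/subfinder/provider-config.yaml
# to the two functions to audit a real install.
sample=$(mktemp) && write_sample_config "$sample"
config_is_private "$sample" && echo "permissions: owner-only"
echo "providers with keys: $(configured_providers "$sample" | tr '\n' ' ')"
rm -f "$sample"
```

If config_is_private fails on your real file, chmod 600 on it restricts access to your user.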

Subfinder Tool Usage

Using this tool is simple and straightforward. Execute the following command with the target domain, and it will find all the subdomains linked to that domain.

$ subfinder -d github.com

Below is the output of the above command.

Finding a subdomain for a single site

If you want to query multiple sites at once, create a new text file, add each domain on a new line, and pass the text file as a parameter.

$ subfinder -dL url.txt

Below is the output of the above command.

Finding subdomain for multiple sites

The best thing about this tool is that you can easily pipe the output of Subfinder into other tools. For example, you can pipe the subdomains discovered by subfinder into the httpx tool to determine the protocol being used by each subdomain.

$ echo github.com | subfinder -silent | httpx -silent

Below is the output of the above command.

Piping the subfinder output to another command
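
The same plain-text output also helps a site owner find subdomains nobody remembers creating: compare what subfinder reports with the hostnames in your own DNS records. The script below is an added example, not from the original article or the Subfinder project; the function names, file names and example.com hostnames are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Subfinder project code. Function names, file names and
# hostnames are constructed for illustration.

# Lowercase, strip CRs, a trailing dot and a leading "*.", drop blanks, de-dup.
normalize_hosts() {
    tr 'A-Z' 'a-z' < "$1" | tr -d '\r' |
        sed -e 's/\.$//' -e 's/^\*\.//' -e '/^$/d' | LC_ALL=C sort -u
}

# unknown_hosts INVENTORY FOUND: print hosts in FOUND that INVENTORY lacks.
unknown_hosts() {
    inv=$(mktemp) && fnd=$(mktemp) || return 2
    normalize_hosts "$1" > "$inv"
    normalize_hosts "$2" > "$fnd"
    LC_ALL=C comm -13 "$inv" "$fnd"
    rm -f "$inv" "$fnd"
}

# Demo with constructed data. In practice FOUND would come from
#   subfinder -d example.com -silent > found.txt
# and INVENTORY from an export of the zone's DNS records.
work=$(mktemp -d)
printf '%s\n' www.example.com. api.example.com. > "$work/inventory.txt"
printf '%s\n' API.example.com www.example.com staging-old.example.com \
    jenkins.example.com jenkins.example.com > "$work/found.txt"
unknown_hosts "$work/inventory.txt" "$work/found.txt"
rm -rf "$work"
```

Every hostname it prints is one that passive sources know about but your inventory does not, so each deserves an owner or a decommission ticket.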

That is enough; now it is your turn to dig deeper into this tool, starting with the help section, which you can view by executing the subfinder -h command.

Removing Subfinder Tool from Linux

If you are done finding subdomains and have no interest in finding subdomains for any other website, run the following commands to remove it from your Linux system.

$ rm ~/go/bin/subfinder
$ sudo unlink /usr/bin/subfinder

If you have any questions or queries, do let us know in the comment section.

This Post Has 2 Comments

  1. Jay

    I just like the helpful information you provide in your articles

  2. Pauk

    Great information shared.. really enjoyed reading this post thank you author for sharing this post .. appreciated
