Today, most exploitation happens through a website's subdomains, which developers tend to pay less attention to, and that gives an attacker an open invitation to exploit the main website.
In some cases, the developer doesn't even know which subdomains were created. From a security point of view, if you are doing security research, it is your responsibility to know how to get a list of the subdomains of a root domain.
There are multiple ways to find subdomains. For example, if you are a site admin and have access to the DNS records, you can easily view the list of registered subdomains.
If you are not a site admin and are a security researcher looking for subdomains of the root site to check for security flaws, the subfinder tool can help.
What is the Subfinder Tool on Linux
Subfinder is a free and open-source subdomain discovery tool that finds valid subdomains for websites. It queries passive online sources and follows their licenses and usage restrictions.
The application is written in the Go programming language, which makes it fast and has made it a favourite subdomain finder for both penetration testers and bug bounty hunters.
Subfinder Tool Features
- Fast and powerful resolution and wildcard elimination module
- Optimized for speed, very fast and lightweight on resources
- Curated passive sources to maximize results
- Multiple output formats supported (JSON, file, stdout)
- STDIN/OUT support for integrating with workflows
Install Subfinder Tool on Linux
To install it, make sure Go is installed and configured on your system and that you have access to the go command. After that, run the following command to start the installation.
$ go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
After the installation is finished, try to execute the subfinder command. If you get a "command not found" error, execute the following command to create a symbolic link for subfinder, which makes it available globally.
$ sudo ln -s ~/go/bin/subfinder /usr/bin/
Try to execute the subfinder command once again. If it throws the same error, reinstall Go.
Subfinder Tool Configuration
Subfinder works as soon as it is installed. However, to use it with certain services, you will need to set up API keys.
The following services do not work without a valid API key:
Binaryedge, C99, Certspotter, Chinaz, Censys, Chaos, DnsDB, Fofa, Github, Intelx, Passivetotal, Robtex, SecurityTrails, Shodan, Threatbook, Virustotal, WhoisXML API, and Zoomeye
You can edit the configuration file located at ~/.config/subfinder/provider-config.yaml (which is created when you run the command for the first time) by using the following command.
$ nano ~/.config/subfinder/provider-config.yaml
Add your API keys to the file, then save and close it.
Subfinder Tool Usage
Using this tool is simple and straightforward. Execute the following command with the target domain and it will find the subdomains linked to that domain.
$ subfinder -d github.com
If you want to query multiple sites at once, create a new text file, add each domain on a new line, and pass the text file as a parameter.
$ subfinder -dL url.txt
The best thing about this tool is that you can easily pipe the output of Subfinder into other tools. For example, you can pipe the subdomains discovered by subfinder into the httpx tool to determine the protocol being used by each subdomain.
$ echo github.com | subfinder -silent | httpx -silent
That is enough for now. It is your turn to dig deeper into this tool, starting with the help section, which you can view by executing the subfinder -h command.
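As an added example (not part of the original article or the Subfinder project), the script below takes the one-host-per-line output that subfinder -silent writes to stdout and lists every discovered subdomain that is missing from your own inventory file, which is the "subdomain the developer doesn't know about" case described at the start. The function names, the inventory file and the example.com hostnames are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: compare discovered subdomains against an inventory you maintain.
# Real use (inventory.txt is a hypothetical file, one known hostname per line):
#   subfinder -d example.com -silent | unknown_subdomains example.com inventory.txt

# normalize_hosts ROOT: lowercase, strip whitespace and a trailing dot,
# keep only ROOT itself or names ending in ".ROOT", then de-duplicate.
normalize_hosts() {
    root=$1
    tr '[:upper:]' '[:lower:]' | tr -d ' \t\r' | sed 's/\.$//' |
        awk -v root="$root" '
            $0 == "" { next }
            $0 == root { print; next }
            # require at least one label in front of ".ROOT" so that
            # look-alikes such as "notexample.com" are dropped
            length($0) > length(root) + 1 &&
            substr($0, length($0) - length(root)) == ("." root) { print }
        ' | LC_ALL=C sort -u
}

# unknown_subdomains ROOT INVENTORY_FILE: read discovered hosts on stdin and
# print the ones that do not appear in INVENTORY_FILE.
unknown_subdomains() {
    root=$1
    inventory=$2
    known=$(mktemp)
    found=$(mktemp)
    normalize_hosts "$root" < "$inventory" > "$known"
    normalize_hosts "$root" > "$found"
    # comm -13 keeps the lines that exist only in the second (discovered) list
    LC_ALL=C comm -13 "$known" "$found"
    rm -f "$known" "$found"
}

# demo: constructed sample data; example.com is a reserved documentation domain.
demo() {
    inv=$(mktemp)
    printf '%s\n' www.example.com api.example.com mail.example.com > "$inv"
    printf '%s\n' WWW.example.com api.example.com. old-staging.example.com \
        dev.example.com notexample.com dev.example.com |
        unknown_subdomains example.com "$inv"
    rm -f "$inv"
}

demo
```

Anything the script prints is a hostname that public sources know about but your inventory does not, so it is a candidate for review or decommissioning.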
Removing Subfinder Tool from Linux
If you are done finding subdomains and have no further use for the tool, run the following commands to remove it from your Linux system.
$ rm ~/go/bin/subfinder
$ sudo unlink /usr/bin/subfinder
If you have any questions, let us know in the comment section.
Innovative tech mind with 12 years of experience working as a computer programmer, web developer, and security researcher. Capable of working with a variety of technology and software solutions, and managing databases.
I just like the helpful information you provide in your articles
Great information shared.. really enjoyed reading this post thank you author for sharing this post .. appreciated