Find Hidden Subdomains on Any Website with Subfinder

During the reconnaissance phase, we collect as much information about the target as possible, which includes enumerating its subdomains. Each subdomain we find widens the known attack surface, providing more opportunities for exploitation and information gathering.

We’re going to use Subfinder to enumerate hidden subdomains on any website.

Using pre-built Subfinder binary

Before downloading the binary, you need to install golang on your system.

apt install golang

Now you can grab the latest release for your system architecture.

wget https://github.com/projectdiscovery/subfinder/releases/download/v2.4.5/subfinder_2.4.5_linux_amd64.tar.gz

After downloading, extract it to your directory.

tar -xvf subfinder_2.4.5_linux_amd64.tar.gz

Now copy the subfinder binary to /usr/local/bin, alongside the other system binaries, so you can run it from anywhere in the terminal.

cp subfinder /usr/local/bin/

After installation, you can use --help to see usage information on subfinder.

[email protected]:~# subfinder --help
Usage of subfinder:
  -all
        Use all sources (slow) for enumeration
  -cd
        Upload results to the Chaos API (api-key required)
  -config string
        Configuration file for API Keys, etc (default "/root/.config/subfinder/config.yaml")
  -d string
        Domain to find subdomains for
  -dL string
        File containing list of domains to enumerate
  -exclude-sources string
        List of sources to exclude from enumeration
  -json
        Write output in JSON lines Format
  -ls
        List all available sources
  -max-time int
        Minutes to wait for enumeration results (default 10)
  -nC
        Don't Use colors in output
  -nW
        Remove Wildcard & Dead Subdomains from output
  -o string
        File to write output to (optional)
  -oD string
        Directory to write enumeration results to (optional)
  -oI
        Write output in Host,IP format
  -oJ
        Write output in JSON lines Format
  -r string
        Comma-separated list of resolvers to use
  -rL string
        Text file containing list of resolvers to use
  -recursive
        Use only recursive subdomain enumeration sources
  -silent
        Show only subdomains in output
  -sources string
        Comma separated list of sources to use
  -t int
        Number of concurrent goroutines for resolving (default 10)
  -timeout int
        Seconds to wait before timing out (default 30)
  -v    Show Verbose output
  -version
        Show version of subfinder

Find Subdomains Using Subfinder

After successfully installing subfinder, we can now enumerate the subdomains of any domain.

Use the -d flag to specify the domain whose subdomains you want to enumerate.

subfinder -d thehacktoday.com

[email protected]:~# subfinder -d thehacktoday.com

        _     __ _         _
____  _| |__ / _(_)_ _  __| |___ _ _
(_-< || | '_ \  _| | ' \/ _  / -_) '_|
/__/\_,_|_.__/_| |_|_||_\__,_\___|_| v2.4.5

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[WRN] By using subfinder, you also agree to the terms of the APIs used.

[INF] Enumerating subdomains for thehacktoday.com
www.cityopening.thehacktoday.com
cityopening.thehacktoday.com
webdisk.thehacktoday.com
webmail.thehacktoday.com
www.server.thehacktoday.com
20.thehacktoday.com
mail.thehacktoday.com
www.thehacktoday.com
server.thehacktoday.com
thehacktoday.com
cpanel.thehacktoday.com
[INF] Found 11 subdomains for thehacktoday.com in 18 seconds 310 milliseconds
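
For a domain you administer, output like the above is most useful when compared against your own asset inventory, so that hosts nobody is tracking stand out. The following is an added example, not part of the original page or of subfinder itself; the function names, the inventory file and the sample lines are assumptions constructed for illustration, and the results file is expected to come from a run with the -silent or -o flags described on this page.

```shell
#!/bin/sh
# Added example (not from the original page): review enumeration results for a
# domain you administer against your own asset inventory.

# Keep only valid hostnames at or below the apex: lowercase, strip CR, trailing
# whitespace and a trailing dot, drop banner/[INF]/[WRN] lines, de-duplicate.
in_scope_hosts() {
    apex=$1
    tr 'A-Z' 'a-z' | tr -d '\r' | sed 's/[[:space:]]*$//; s/\.$//' |
        grep -E '^([a-z0-9_]([a-z0-9_-]*[a-z0-9_])?\.)+[a-z]{2,}$' |
        awk -v apex="$apex" '
            $0 == apex { print; next }
            # Require a literal "." before the apex so that a look-alike such
            # as "notthehacktoday.com" is not treated as a subdomain.
            length($0) > length(apex) + 1 &&
            substr($0, length($0) - length(apex)) == "." apex { print }' |
        sort -u
}

# Print hosts present in the results file but absent from the inventory file.
unknown_hosts() {
    apex=$1; results=$2; inventory=$3
    found=$(mktemp); known=$(mktemp)
    in_scope_hosts "$apex" < "$results" > "$found"
    in_scope_hosts "$apex" < "$inventory" > "$known"
    comm -23 "$found" "$known"
    rm -f "$found" "$known"
}

# Constructed sample input: a few lines from the run above plus a duplicate in
# different case and two out-of-scope names to exercise the filter.
sample_results() {
    cat <<'EOF'
[INF] Enumerating subdomains for thehacktoday.com
www.thehacktoday.com
WWW.thehacktoday.com
mail.thehacktoday.com
cpanel.thehacktoday.com
webdisk.thehacktoday.com
thehacktoday.com
thehacktoday.com.other.example
notthehacktoday.com
EOF
}

# Demo: print the normalized, in-scope hosts from the constructed sample.
sample_results | in_scope_hosts thehacktoday.com
```

Call unknown_hosts with the apex domain, the results file and a one-host-per-line inventory file; every name it prints is a host that was found but is not in the inventory.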

Usage

Flag              Description                                                 Example
-all              Use all sources (slow) for enumeration                      subfinder -d uber.com -all
-cd               Upload results to the Chaos API (api-key required)          subfinder -d uber.com -cd
-config string    Configuration file for API Keys, etc                        subfinder -config config.yaml
-d                Domain to find subdomains for                               subfinder -d uber.com
-dL               File containing list of domains to enumerate                subfinder -dL hackerone-hosts.txt
-exclude-sources  List of sources to exclude from enumeration                 subfinder -exclude-sources archiveis
-max-time         Minutes to wait for enumeration results (default 10)        subfinder -max-time 1
-nC               Don’t Use colors in output                                  subfinder -nC
-nW               Remove Wildcard & Dead Subdomains from output               subfinder -nW
-ls               List all available sources                                  subfinder -ls
-o                File to write output to (optional)                          subfinder -o output.txt
-oD               Directory to write enumeration results to (optional)        subfinder -oD ~/outputs
-oI               Write output in Host,IP format                              subfinder -oI
-oJ               Write output in JSON lines Format                           subfinder -oJ
-r                Comma-separated list of resolvers to use                    subfinder -r 1.1.1.1,1.0.0.1
-rL               Text file containing list of resolvers to use               subfinder -rL resolvers.txt
-recursive        Enumeration recursive subdomains                            subfinder -d news.yahoo.com -recursive
-silent           Show only subdomains in output                              subfinder -silent
-sources          Comma separated list of sources to use                      subfinder -sources shodan,censys
-t                Number of concurrent goroutines for resolving (default 10)  subfinder -t 100
-timeout          Seconds to wait before timing out (default 30)              subfinder -timeout 30
-v                Show Verbose output                                         subfinder -v
-version          Show current program version                                subfinder -version
