Subfinder Cheat Sheet

7/10/24, 4:04 PM Subfinder Cheat Sheet

09 Mar 2023 Arr0way

What is Subfinder

Subfinder is a passive subdomain discovery tool made by Project Discovery. The
following subfinder cheat sheet provides an overview of the command flags for
Subfinder and common command examples for real world usage. Subfinder can be
used to obtain a number of valid subdomains both passively and actively, to
identify more attack surface for penetration testing or bug bounty recon or
assessment.

Table of Contents

What is Subfinder
Install Subfinder
Subfinder API Setup
Subfinder Config File
Subfinder API Sources
Example Subfinder API Config File
Subfinder Usage
Example Subfinder Commands
Find Subdomains Single Domain
Verify Subfinder Results With HTTPX
Subfinder + Naabu Portscan
Conclusion
Document Changelog

Install Subfinder

go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfin

https://highon.coffee/blog/subfinder-cheat-sheet/ 1/10

★ Configure API Keys


Subfinder works straight after install; however, configuring API keys (even a
free key) will improve passive subdomain results.

Subfinder Flags & Syntax

root:~# subfinder -h

Subfinder API Setup


Configuring Subfinder to use free or paid API services will likely improve the
discovered domains the tool can find. You can list the sources Subfinder uses
by running subfinder -ls.

Subfinder Config File

To set up subfinder API keys you need to create or modify the existing
configuration file. The filesystem location for the subfinder config file is:
$HOME/.config/subfinder/provider-config.yaml

The subfinder config file needs to be populated with the API keys that you
will need to obtain from the various sources that have (kindly) been listed
below.

Subfinder API Sources

Subfinder supports the following data API sources:

NAME             URL
BeVigil          https://bevigil.com/osint-api
BinaryEdge       https://binaryedge.io
BufferOver       https://tls.bufferover.run
C99              https://api.c99.nl/
Censys           https://censys.io
CertSpotter      https://sslmate.com/certspotter/api/
Chaos            https://chaos.projectdiscovery.io
Chinaz           http://my.chinaz.com/ChinazAPI/DataCenter/MyDataApi
DNSDB            https://api.dnsdb.info
Fofa             https://fofa.info/static_pages/api_help
FullHunt         https://fullhunt.io
GitHub           https://github.com
Intelx           https://intelx.io
PassiveTotal     http://passivetotal.org
quake            https://quake.360.cn
Robtex           https://www.robtex.com/api/
SecurityTrails   http://securitytrails.com
Shodan           https://shodan.io
ThreatBook       https://x.threatbook.cn/en
VirusTotal       https://www.virustotal.com
WhoisXML API     https://whoisxmlapi.com/
ZoomEye          https://www.zoomeye.org
ZoomEye API      https://api.zoomeye.org
dnsrepo          https://dnsrepo.noc.org
Hunter           https://hunter.qianxin.com/
Facebook         https://developers.facebook.com
BuiltWith        https://api.builtwith.com/domain-api


Example Subfinder API Config File


The following is an example of the API config file:

binaryedge:
- 0bf8919b-aab9-42e4-9574-d3b639324597
- ac244e2f-b635-4581-878a-33f4e79a2c13
censys:
- ac244e2f-b635-4581-878a-33f4e79a2c13:dd510d6e-1b6e-4655-83f6-
certspotter: []
passivetotal:
- sample-email@user.com:sample_password
redhuntlabs:
- ENDPOINT:API_TOKEN
- https://reconapi.redhuntlabs.com/community/v1/domains/subdoma
securitytrails: []
shodan:
- AAAAClP1bJJSRMEYJazgwhJKrggRwKA
github:
- ghp_lkyJGU3jv1xmwk4SDXavrLDJ4dl2pSJMzj4X
- ghp_gkUuhkIYdQPj13ifH4KA3cXRn8JD2lqir2d4
zoomeyeapi:
- 4f73021d-ff95-4f53-937f-83d6db719eec
quake:
- 0cb9030c-0a40-48a3-b8c4-fca28e466ba3
facebook:
- APP_ID:APP_SECRET
intelx:
- HOST:API_KEY
- 2.intelx.io:s4324-b98b-41b2-220e8-3320f6a1284d

Above file source:
https://docs.projectdiscovery.io/tools/subfinder/install#post-install-configuration
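Since provider-config.yaml holds API secrets in plain text, it is worth checking both which sources actually have keys and who can read the file. The following is an added example, not part of the original cheat sheet or the Subfinder project; the function names and the placeholder keys in the constructed sample are assumptions, and the parser only handles the simple "source: / - key" layout shown above.

```shell
#!/bin/sh
# audit_provider_config FILE
#   Prints "<source> <number of keys>" for every source in FILE.
#   Returns 1 if group or others have any permission on FILE, 2 if missing.
audit_provider_config() {
    cfg=$1
    [ -f "$cfg" ] || { echo "missing: $cfg" >&2; return 2; }

    # Count "- value" entries under each top-level "name:" key.
    # "name: []" (an empty list) yields a count of 0.
    awk '
        /^[A-Za-z0-9_-]+:/ {
            if (src != "") print src, n
            src = $1; sub(/:.*/, "", src); n = 0
            next
        }
        /^[ \t]*-[ \t]+[^ \t]/ { if (src != "") n++ }
        END { if (src != "") print src, n }
    ' "$cfg"

    # Characters 5-10 of the ls mode string are the group/other bits.
    perms=$(ls -ld "$cfg" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "WARN: $cfg is accessible to group/others (chmod 600)" >&2
        return 1
    fi
    return 0
}

# Constructed sample config with placeholder values (not real keys).
make_sample_config() {
    cat > "$1" <<'EOF'
binaryedge:
  - PLACEHOLDER_KEY_1
  - PLACEHOLDER_KEY_2
certspotter: []
securitytrails: []
shodan:
  - PLACEHOLDER_KEY_3
EOF
}

# Demo run against the constructed sample.
demo=$(mktemp) && make_sample_config "$demo" && chmod 600 "$demo" \
    && audit_provider_config "$demo"
rm -f "$demo"
```

Point the function at $HOME/.config/subfinder/provider-config.yaml to audit a real setup; sources reported with 0 keys are not contributing authenticated results.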

Subfinder Usage


How to use Subfinder to find domains:

FLAG                            DESCRIPTION
-d, -domain string[]            domains to find subdomains for
-dL, -list string               file containing list of domains for subdomain discovery
-s, -sources string[]           specific sources to use for discovery (-s crtsh,github). Use -ls to display all available sources.
-recursive                      use only sources that can handle subdomains recursively (e.g. subdomain.domain.tld vs domain.tld)
-all                            use all sources for enumeration (slow)
-es, -exclude-sources string[]  sources to exclude from enumeration (-es alienvault,zoomeye)
-m, -match string[]             subdomain or list of subdomain to match (file or comma separated)
-f, -filter string[]            subdomain or list of subdomain to filter (file or comma separated)
-rl, -rate-limit int            maximum number of http requests to send per second
-t int                          number of concurrent goroutines for resolving (-active only) (default 10)
-o, -output string              file to write output to
-oJ, -json                      write output in JSONL(ines) format
-oD, -output-dir string         directory to write output (-dL only)
-cs, -collect-sources           include all sources in the output (-json only)
-oI, -ip                        include host IP in output (-active only)
-config string                  flag config file (default "$HOME/.config/subfinder/config.yaml")
-pc, -provider-config string    provider config file (default "$HOME/.config/subfinder/provider-config.yaml")
-r string[]                     comma separated list of resolvers to use
-rL, -rlist string              file containing list of resolvers to use
-nW, -active                    display active subdomains only
-proxy string                   http proxy to use with subfinder
-ei, -exclude-ip                exclude IPs from the list of domains
-silent                         show only subdomains in output
-version                        show version of subfinder
-v                              show verbose output
-nc, -no-color                  disable color in output
-ls, -list-sources              list all available sources
-timeout int                    seconds to wait before timing out (default 30)
-max-time int                   minutes to wait for enumeration results (default 10)

Example Subfinder Commands


Find Subdomains Single Domain

Find subdomains for a single domain with subfinder:


subfinder -d hackerone.com

__ _____ __
_______ __/ /_ / __(_)___ ____/ /__ _____
/ ___/ / / / __ \/ /_/ / __ \/ __ / _ \/ ___/
(__ ) /_/ / /_/ / __/ / / / / /_/ / __/ /
/____/\__,_/_.___/_/ /_/_/ /_/\__,_/\___/_/ v2.5.1

projectdiscovery.io

Use with caution. You are responsible for your actions


Developers assume no liability and are not responsible for any mi
By using subfinder, you also agree to the terms of the APIs used.

[INF] Enumerating subdomains for hackerone.com


info.hackerone.com
design.hackerone.com
docs.hackerone.com
events.hackerone.com
web-seo-content-for-business.theflyingkick.websitedesignresource.
zendesk2.hackerone.com
fsdkim.hackerone.com
email.gh-mail.hackerone.com
a.ns.hackerone.com
support.hackerone.com
www.hackerone.com
mta-sts.managed.hackerone.com
api.hackerone.com
gslink.hackerone.com
zendesk1.hackerone.com
3d.hackerone.com
links.hackerone.com
mta-sts.hackerone.com
resources.hackerone.com
zendesk4.hackerone.com
zendesk3.hackerone.com
go.hackerone.com
mta-sts.forwarding.hackerone.com
_dmarc.hackerone.com

b.ns.hackerone.com
hackerone.com
defcon.hackerone.com
[INF] Found 27 subdomains for hackerone.com in 30 seconds 33 mill

Verify Subfinder Results With HTTPX

Chain up other tools within your workflow, such as verifying targets have
web servers using HTTPX:

echo hackerone.com | subfinder -silent | httpx -silent


https://docs.hackerone.com
https://mta-sts.forwarding.hackerone.com
https://mta-sts.hackerone.com
https://mta-sts.managed.hackerone.com
http://a.ns.hackerone.com
https://www.hackerone.com
http://b.ns.hackerone.com
http://zendesk4.hackerone.com
http://fsdkim.hackerone.com
http://zendesk1.hackerone.com
http://zendesk2.hackerone.com
http://zendesk3.hackerone.com
https://hackerone.com
https://support.hackerone.com
https://resources.hackerone.com
https://gslink.hackerone.com
https://api.hackerone.com
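The httpx list above is shorter than the subfinder list, and several hosts answer only over http. When inventorying a domain you are responsible for, comparing the two lists shows which names have no web listener and which lack TLS. This is an added example, not part of the original cheat sheet; the function names and file names are assumptions, and the sample lines are a constructed subset of the output shown on this page.

```shell
#!/bin/sh
# classify_hosts SUBFINDER_LIST HTTPX_LIST
#   SUBFINDER_LIST: one hostname per line (subfinder -silent output)
#   HTTPX_LIST:     one URL per line (httpx -silent output)
#   Prints "<class> <host>" sorted by host; class is https, http-only or no-web.
classify_hosts() {
    awk '
        FILENAME == ARGV[1] {             # first file: discovered hostnames
            host = tolower($1)
            if (host != "") seen[host] = 1
            next
        }
        {                                 # second file: URLs that responded
            n = split(tolower($1), p, "://")
            if (n < 2) next
            split(p[2], q, "[/:]")        # drop any port or path
            if (p[1] == "https")     tls[q[1]] = 1
            else if (p[1] == "http") plain[q[1]] = 1
        }
        END {
            for (h in seen) {
                if (h in tls)        c = "https"
                else if (h in plain) c = "http-only"
                else                 c = "no-web"
                print c, h
            }
        }
    ' "$1" "$2" | LC_ALL=C sort -k2
}

# Constructed sample: a subset of the two outputs shown in this cheat sheet.
make_sample_lists() {
    printf '%s\n' docs.hackerone.com a.ns.hackerone.com \
        _dmarc.hackerone.com api.hackerone.com > "$1/subfinder.txt"
    printf '%s\n' https://docs.hackerone.com http://a.ns.hackerone.com \
        https://api.hackerone.com > "$1/httpx.txt"
}

# Demo run against the constructed sample.
demo_dir=$(mktemp -d) && make_sample_lists "$demo_dir" \
    && classify_hosts "$demo_dir/subfinder.txt" "$demo_dir/httpx.txt"
rm -rf "$demo_dir"
```

A host seen on both schemes is reported as https; "no-web" only means httpx got no response on the ports it probed, so records such as _dmarc are expected there.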

Subfinder + Naabu Portscan


echo hackerone.com | subfinder -silent | naabu -silent


docs.hackerone.com:443
docs.hackerone.com:80
mta-sts.forwarding.hackerone.com:443
mta-sts.forwarding.hackerone.com:80
mta-sts.hackerone.com:80
mta-sts.hackerone.com:443
mta-sts.managed.hackerone.com:80
mta-sts.managed.hackerone.com:443
<--SNIP-->

Conclusion
We hope you found this Subfinder cheat sheet useful and that it helps you get
started with this powerful subdomain enumeration tool to find more assets
for assessment.
