Table Of Contents :
What is subfinder ?
Subfinder is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources. It has a simple modular architecture and is optimized for speed. subfinder is built for doing one thing only – passive subdomain enumeration, and it does that very well.
Installation
Subfinder requires go1.17 to install successfully. Run the following command to install the latest version:
go install -v github.com/projectdiscovery/subfinder/v2/cmd/[email protected]
To run subfinder from anywhere onto your terminal you have to run the following command:
cp ~/go/bin/subfinder /usr/local/bin
After running all the commands you are all ready to go. You can check it by running this command:
subfinder -h
This command will print the help menu of the tool.
Let’s talk about this tools options in brief about all the options:
Flags: INPUT: -d, -domain string[] domains to find subdomains for -dL, -list string file containing list of domains for subdomain discovery SOURCE: -s, -sources string[] sources to use for discovery (-s crtsh,github) -recursive use only recursive sources -all Use all sources (slow) for enumeration -es, -exclude-sources string[] sources to exclude from enumeration (-es archiveis,zoomeye) RATE-LIMIT: -rl, -rate-limit int maximum number of http requests to send per second -t int number of concurrent goroutines for resolving (-active only) (default 10) OUTPUT: -o, -output string file to write output to -oJ, -json write output in JSONL(ines) format -oD, -output-dir string directory to write output (-dL only) -cs, -collect-sources include all sources in the output (-json only) -oI, -ip include host IP in output (-active only) CONFIGURATION: -config string flag config file (default "$HOME/.config/subfinder/config.yaml") -pc, -provider-config string provider config file (default "$HOME/.config/subfinder/provider-config.yaml") -r string[] comma separated list of resolvers to use -rL, -rlist string file containing list of resolvers to use -nW, -active display active subdomains only -proxy string http proxy to use with subfinder DEBUG: -ls list all available sources -silent show only subdomains in output -version show version of subfinder -v show verbose output -nc, -no-color disable color in output OPTIMIZATION: -timeout int seconds to wait before timing out (default 30) -max-time int minutes to wait for enumeration results (default 10)
Usage of the tool
THE FIRST BASIC COMMAND TO FIND SUBDOMAINS IS :
subfinder -d freecharge.in
So, you can see in the image it has collected 33 subdomains.


This kind of websites are very large and contains many inactive subdomains. So for this you can use httpx to filter out only active subdomains. So, for this you have to use this command.
subfinder -d freecharge.in | tee freecharge.txt
cat freecharge.txt | httpx | tee livesub.txt
So, at this time you can see that it had httpx has filtered out active subdomains.


So, this way you can enumerate active subdomains for your further pentesting.