How to use subfinder

Mastering Subfinder: The Ultimate Guide to Finding Subdomains

Leave a Comment / The Art of Bug Bounty Hunting: A Comprehensive Guide / By
Table Of Contents :

What is subfinder ?

Subfinder is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources. It has a simple modular architecture and is optimized for speed. subfinder is built for doing one thing only – passive subdomain enumeration, and it does that very well.

Installation

Subfinder requires go1.17 to install successfully. Run the following command to install the latest version:

go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest

To run subfinder from anywhere onto your terminal you have to run the following command:

cp ~/go/bin/subfinder /usr/local/bin

After running all the commands you are all ready to go. You can check it by running this command:

subfinder -h

This command will print the help menu of the tool.

Let’s talk about this tools options in brief about all the options:

Flags:
INPUT:
   -d, -domain string[]  domains to find subdomains for
   -dL, -list string     file containing list of domains for subdomain discovery
SOURCE:
   -s, -sources string[]           sources to use for discovery (-s crtsh,github)
   -recursive                      use only recursive sources
   -all                            Use all sources (slow) for enumeration
   -es, -exclude-sources string[]  sources to exclude from enumeration (-es archiveis,zoomeye)
RATE-LIMIT:
   -rl, -rate-limit int  maximum number of http requests to send per second
   -t int                number of concurrent goroutines for resolving (-active only) (default 10)
OUTPUT:
   -o, -output string       file to write output to
   -oJ, -json               write output in JSONL(ines) format
   -oD, -output-dir string  directory to write output (-dL only)
   -cs, -collect-sources    include all sources in the output (-json only)
   -oI, -ip                 include host IP in output (-active only)
CONFIGURATION:
   -config string                flag config file (default "$HOME/.config/subfinder/config.yaml")
   -pc, -provider-config string  provider config file (default "$HOME/.config/subfinder/provider-config.yaml")
   -r string[]                   comma separated list of resolvers to use
   -rL, -rlist string            file containing list of resolvers to use
   -nW, -active                  display active subdomains only
   -proxy string                 http proxy to use with subfinder
DEBUG:
   -ls       list all available sources
   -silent   show only subdomains in output
   -version  show version of subfinder
   -v        show verbose output
   -nc, -no-color      disable color in output
OPTIMIZATION:
   -timeout int   seconds to wait before timing out (default 30)
   -max-time int  minutes to wait for enumeration results (default 10)

 

Usage of the tool

THE FIRST BASIC COMMAND TO FIND SUBDOMAINS IS :

subfinder -d freecharge.in

So, you can see in the image it has collected 33 subdomains.

18.06.2022 17.41.07 REC

This kind of websites are very large and contains many inactive subdomains. So for this you can use  httpx to filter out only active subdomains. So, for this you have to use this command.

subfinder -d freecharge.in | tee freecharge.txt

cat freecharge.txt | httpx | tee livesub.txt

So, at this time you can see that it had httpx has filtered out active subdomains.

httpx-demo

So, this way you can enumerate active subdomains for your further pentesting.

Spread the love

Related Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top
www.thecyberblogs.com