How to use subfinder

Mastering Subfinder: The Ultimate Guide to Finding Subdomains

What is subfinder ?

Subfinder is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources. It has a simple modular architecture and is optimized for speed. subfinder is built for doing one thing only – passive subdomain enumeration, and it does that very well.


Subfinder requires go1.17 to install successfully. Run the following command to install the latest version:

To run subfinder from anywhere onto your terminal you have to run the following command:

After running all the commands you are all ready to go. You can check it by running this command:

This command will print the help menu of the tool.

Let’s talk about this tools options in brief about all the options:

   -d, -domain string[]  domains to find subdomains for
   -dL, -list string     file containing list of domains for subdomain discovery
   -s, -sources string[]           sources to use for discovery (-s crtsh,github)
   -recursive                      use only recursive sources
   -all                            Use all sources (slow) for enumeration
   -es, -exclude-sources string[]  sources to exclude from enumeration (-es archiveis,zoomeye)
   -rl, -rate-limit int  maximum number of http requests to send per second
   -t int                number of concurrent goroutines for resolving (-active only) (default 10)
   -o, -output string       file to write output to
   -oJ, -json               write output in JSONL(ines) format
   -oD, -output-dir string  directory to write output (-dL only)
   -cs, -collect-sources    include all sources in the output (-json only)
   -oI, -ip                 include host IP in output (-active only)
   -config string                flag config file (default "$HOME/.config/subfinder/config.yaml")
   -pc, -provider-config string  provider config file (default "$HOME/.config/subfinder/provider-config.yaml")
   -r string[]                   comma separated list of resolvers to use
   -rL, -rlist string            file containing list of resolvers to use
   -nW, -active                  display active subdomains only
   -proxy string                 http proxy to use with subfinder
   -ls       list all available sources
   -silent   show only subdomains in output
   -version  show version of subfinder
   -v        show verbose output
   -nc, -no-color      disable color in output
   -timeout int   seconds to wait before timing out (default 30)
   -max-time int  minutes to wait for enumeration results (default 10)


Usage of the tool


So, you can see in the image it has collected 33 subdomains.

This kind of websites are very large and contains many inactive subdomains. So for this you can use  httpx to filter out only active subdomains. So, for this you have to use this command.

So, at this time you can see that it had httpx has filtered out active subdomains.


So, this way you can enumerate active subdomains for your further pentesting.

Scroll to Top