Description
Subfinder is a subdomain discovery tool that returns valid subdomains for websites using passive online sources. It has a simple modular architecture and is optimized for speed. Subfinder is built for doing one thing only — passive subdomain enumeration, and it does that very well.
Installation
BASH
# Using Go
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
# Using Docker
docker pull projectdiscovery/subfinder:latest
# Using Homebrew
brew install subfinderBasic Usage
BASH
# Enumerate subdomains for a domain
subfinder -d target.com
# Save output to file
subfinder -d target.com -o subs.txt
# Silent mode (only subdomains in output)
subfinder -d target.com -silent
# Multiple domains from file
subfinder -dL domains.txt -o all-subs.txtAdvanced Usage
BASH
# Use specific sources
subfinder -d target.com -sources shodan,virustotal,censys,chaos
# Recursive enumeration
subfinder -d target.com -recursive
# Resolve domains
subfinder -d target.com -nW
# Exclude specific sources
subfinder -d target.com -es github
# Rate limiting
subfinder -d target.com -rL 10
# JSON output
subfinder -d target.com -json -o results.json
# Use all sources with API keys configured
subfinder -d target.com -allCommon Workflows
BASH
# Full recon pipeline: subdomains → alive check → vulnerability scan
subfinder -d target.com -silent | httpx -silent | nuclei -s critical,high
# Pipe to httpx for tech detection
subfinder -d target.com -silent | httpx -title -status-code -tech-detect
# Combine with other subdomain tools
(subfinder -d target.com -silent; amass enum -passive -d target.com) | sort -u > all-subs.txt
# Monitor for new subdomains
subfinder -d target.com -silent | anew subs.txtConfiguration
Create ~/.config/subfinder/provider-config.yaml with API keys:
YAML
securitytrails:
- YOUR_API_KEY
shodan:
- YOUR_API_KEY
virustotal:
- YOUR_API_KEY
chaos:
- YOUR_API_KEY