subfinder/README.md

# SubFinder
[![License](https://img.shields.io/badge/license-MIT-_red.svg)](https://opensource.org/licenses/MIT)
[![Twitter](https://img.shields.io/badge/twitter-@Ice3man543-blue.svg)](https://twitter.com/Ice3man543)
[![Twitter](https://img.shields.io/badge/twitter-@codingo__-blue.svg)](https://twitter.com/codingo_)

SubFinder is a subdomain discovery tool that uses various techniques to discover massive amounts of subdomains for any target. It has been aimed as a successor to the [sublist3r project](https://github.com/aboul3la/Sublist3r). SubFinder uses Passive Sources, Search Engines, Pastebins, Internet Archives, etc to find subdomains and then it uses a permutation module inspired by altdns to generate permutations and resolve them quickly using a powerful bruteforcing engine. It can also perform plain bruteforce if needed. The tool is highly customizable, and the code is built with a modular approach in mind making it easy to add functionalities and remove errors.

[![asciicast](https://raw.githubusercontent.com/Ice3man543/ice3man543.github.io/master/assets/asciinema.png)](https://asciinema.org/a/177851)

# Why?

This project began it's life as a Bug Bounty World slack channel discussion. We were talking about how the cornerstone subdomain tool at the time, sublist3r, appeared to have been abandoned. The goal of this project was to make a low dependancy, manageable project in Go that would continue to be maintained over time. I decided to rewrite the sublist3r project and posted about it. @codingo offered to contribute to the project and subfinder was born. 

So finally after working hard, here is something that I hope you guys will :heart:.

# Features

- Simple and modular code base making it easy to contribute.
- Fast And Powerful Bruteforcing Module (In Development)
- Powerful Permutation generation engine. (In Development)
- Many Passive Data Sources (CertDB, CertSpotter, crtsh, DNSDumpster, FindSubdomains, Hackertarget, Netcraft, PassiveTotal, PTRArchive, SecurityTrails, Threatcrowd, VirusTotal, Waybackarchive, Threatminer, Riddler)
- Multiple Output formats

## Sources

| Source         	| Usage        	|
|----------------	|--------------	|
| ask            	| Natively     	|
| certdb         	| Natively     	|
| certspotter    	| Natively     	|
| crtsh          	| Natively     	|
| dnsdumpster    	| Natively     	|
| findsubdomains 	| Natively     	|
| hackertarget   	| Natively     	|
| netcraft       	| Natively     	|
| passivetotal   	| With API key 	|
| ptrarchive     	| Natively     	|
| riddler        	| Natively     	|
| securitytrails 	| With API key 	|
| threatcrowd    	| Natively     	|
| threatminer    	| Natively     	|
| virustotal     	| With API key 	|
| waybackarchive 	| Natively     	|

# Usage

```bash
./subfinder -h 
```
This will display help for the tool. Here are all the switches it supports.

| Flag | Description | Example |
|------|-------------|---------|
| -b   | Use bruteforcing top find subdomains | ./subfinder -d example.com -b |
| -c   | Don't show colored output            | ./subfinder -c |
| -d   | Domain to find subdomains for        | ./subfinder -d example.com |
| -nw  | Remove wildcard subdomains           | ./subfinder -nw |
| -o   | Name of the output file (Optional)   | ./subfinder -o output.txt | 
| -oJ  | Write output in JSON format          | ./subfinder -o output.json -oJ |
| -r   | Use recursive subdomain finding (default: true) | ./subfinder -r |
| --set-config | Sets a configuration option | ./subfinder --set-config example=something |
| --silent | Show only the subdomains found    | ./subfinder --silent |
| --sources | Comma separated list of sources to use (optional) | ./subfinder --sources threatcrowd,virustotal |
| -t   | Number of concurrent threads (Bruteforce) | ./subfinder -t 10 |
| --timeout | Seconds to wait until quitting connection | ./subfinder --timeout 10 |
| -v | Display verbose output  | ./subfinder -v |
| -w | Wordlist for doing bruteforcing and permutation | ./subfinder -w words.txt | 

# Installation Instructions
## Direct Installation
The installation is easy. Git clone the repo and run go build.

```bash
go get github.com/ice3man543/subfinder
```

## Running in a Docker Container

Git clone the repo, then build and run subfinder in a container with the following commands

- Clone the repo using `git clone https://github.com/ice3man543/subfinder.git`
- Build your docker container
```bash
docker build -t subfinder .
```

- After building the container, run the following.
```bash
docker run -it subfinder
```
> The above command is the same as running `-h`

***NOTE: Please follow the Post Install steps given after this to correctly configure the tool.***

For example, this runs the tool against uber.com and output the results to your host file system:
```bash
docker run -v $HOME/.config/subfinder:/root/.config/subfinder -it subfinder -d uber.com > uber.com.txt
```

## Post Installation Instructions

Subfinder will work after using the installation instructions however to configure Subfinder to work with certain services, you will need to have setup API keys. These following services do not work without an API key:

- [Virustotal](https://www.virustotal.com/) 
- [Passivetotal](http://passivetotal.org/)
- [SecurityTrails](http://securitytrails.com/)

Theses values are stored in the $HOME/.config/subfinder/config.json file which will be created when you run the tool for the first time. To configure the services to use an API key, you need to use the tool with --set-config option which will allow you to set a configuration option. For example:

```bash
./subfinder --set-config VirustotalAPIKey=0x41414141
./subfinder --set-config PassivetotalUsername=hacker,PassivetotalKey=supersecret
```

If you are using docker, you need to first create your directory structure holding subfinder configuration file. You can either run the binary in your host system and let it create the directory structure of files, after which you can use --set-config flag to set the api values like before. Or you can run:
```bash
mkdir $HOME/.config/subfinder
cp config.json $HOME/.config/subfinder/config.json
nano $HOME/.config/subfinder/config.json (optional)
```
After that, you can pass it as a volume using the following sample command.
```bash
sudo docker run -v $HOME/.config/subfinder:/root/.config/subfinder -it subfinder -d freelancer.com
```
Now, you can also pass --set-config inside the docker to change the configuration options.

# Acknowledgements

- @FranticFerret for his work on adding docker support.
Added Project Files Via Upload 2018-03-31 09:51:08 +00:00			`# SubFinder`
Update README.md 2018-04-06 23:45:23 +00:00			`[![License](https://img.shields.io/badge/license-MIT-_red.svg)](https://opensource.org/licenses/MIT)`
			`[![Twitter](https://img.shields.io/badge/twitter-@Ice3man543-blue.svg)](https://twitter.com/Ice3man543)`
			`[![Twitter](https://img.shields.io/badge/twitter-@codingo__-blue.svg)](https://twitter.com/codingo_)`
Added Project Files Via Upload 2018-03-31 09:51:08 +00:00
Update README.md 2018-04-07 08:15:33 +00:00			SubFinder is a subdomain discovery tool that uses various techniques to discover massive amounts of subdomains for any target. It has been aimed as a successor to the [sublist3r project](https://github.com/aboul3la/Sublist3r). SubFinder uses Passive Sources, Search Engines, Pastebins, Internet Archives, etc to find subdomains and then it uses a permutation module inspired by altdns to generate permutations and resolve them quickly using a powerful bruteforcing engine. It can also perform plain bruteforce if needed. The tool is highly customizable, and the code is built with a modular approach in mind making it easy to add functionalities and remove errors.
Added Project Files Via Upload 2018-03-31 09:51:08 +00:00
Updated README 2018-04-23 10:20:51 +00:00			`[![asciicast](https://raw.githubusercontent.com/Ice3man543/ice3man543.github.io/master/assets/asciinema.png)](https://asciinema.org/a/177851)`
Update README.md 2018-04-09 04:41:48 +00:00
Update README.md 2018-04-24 13:14:52 +00:00			`# Why?`
Added Project Files Via Upload 2018-03-31 09:51:08 +00:00
Updated README 2018-04-22 16:59:51 +00:00			`This project began it's life as a Bug Bounty World slack channel discussion. We were talking about how the cornerstone subdomain tool at the time, sublist3r, appeared to have been abandoned. The goal of this project was to make a low dependancy, manageable project in Go that would continue to be maintained over time. I decided to rewrite the sublist3r project and posted about it. @codingo offered to contribute to the project and subfinder was born.`
Updated README.md 2018-04-04 16:54:30 +00:00
			`So finally after working hard, here is something that I hope you guys will :heart:.`

Update README.md 2018-04-24 13:14:52 +00:00			`# Features`
Updated README.md 2018-04-04 16:54:30 +00:00
Added DOCS.md and some extra changes 2018-04-14 07:17:42 +00:00			`- Simple and modular code base making it easy to contribute.`
			`- Fast And Powerful Bruteforcing Module (In Development)`
			`- Powerful Permutation generation engine. (In Development)`
Added Riddler Data Source 2018-04-24 10:20:01 +00:00			`- Many Passive Data Sources (CertDB, CertSpotter, crtsh, DNSDumpster, FindSubdomains, Hackertarget, Netcraft, PassiveTotal, PTRArchive, SecurityTrails, Threatcrowd, VirusTotal, Waybackarchive, Threatminer, Riddler)`
Updated README 2018-04-23 00:09:34 +00:00			`- Multiple Output formats`
Added DOCS.md and some extra changes 2018-04-14 07:17:42 +00:00
Update README.md 2018-04-24 13:14:52 +00:00			`## Sources`

			`\| Source \| Usage \|`
			`\|---------------- \|-------------- \|`
			`\| ask \| Natively \|`
			`\| certdb \| Natively \|`
			`\| certspotter \| Natively \|`
			`\| crtsh \| Natively \|`
			`\| dnsdumpster \| Natively \|`
			`\| findsubdomains \| Natively \|`
			`\| hackertarget \| Natively \|`
			`\| netcraft \| Natively \|`
			`\| passivetotal \| With API key \|`
			`\| ptrarchive \| Natively \|`
			`\| riddler \| Natively \|`
			`\| securitytrails \| With API key \|`
			`\| threatcrowd \| Natively \|`
			`\| threatminer \| Natively \|`
			`\| virustotal \| With API key \|`
			`\| waybackarchive \| Natively \|`

			`# Usage`
Added DOCS.md and some extra changes 2018-04-14 07:17:42 +00:00
Update README.md 2018-04-24 13:14:52 +00:00			```bash
			`./subfinder -h`
			```
			`This will display help for the tool. Here are all the switches it supports.`

			`\| Flag \| Description \| Example \|`
			`\|------\|-------------\|---------\|`
			`\| -b \| Use bruteforcing top find subdomains \| ./subfinder -d example.com -b \|`
			`\| -c \| Don't show colored output \| ./subfinder -c \|`
			`\| -d \| Domain to find subdomains for \| ./subfinder -d example.com \|`
			`\| -nw \| Remove wildcard subdomains \| ./subfinder -nw \|`
			`\| -o \| Name of the output file (Optional) \| ./subfinder -o output.txt \|`
			`\| -oJ \| Write output in JSON format \| ./subfinder -o output.json -oJ \|`
			`\| -r \| Use recursive subdomain finding (default: true) \| ./subfinder -r \|`
			`\| --set-config \| Sets a configuration option \| ./subfinder --set-config example=something \|`
			`\| --silent \| Show only the subdomains found \| ./subfinder --silent \|`
			`\| --sources \| Comma separated list of sources to use (optional) \| ./subfinder --sources threatcrowd,virustotal \|`
			`\| -t \| Number of concurrent threads (Bruteforce) \| ./subfinder -t 10 \|`
			`\| --timeout \| Seconds to wait until quitting connection \| ./subfinder --timeout 10 \|`
			`\| -v \| Display verbose output \| ./subfinder -v \|`
			`\| -w \| Wordlist for doing bruteforcing and permutation \| ./subfinder -w words.txt \|`

			`# Installation Instructions`
			`## Direct Installation`
Added DOCS.md and some extra changes 2018-04-14 07:17:42 +00:00			`The installation is easy. Git clone the repo and run go build.`

			```bash
Updated Install instructions 2018-04-15 10:41:50 +00:00			`go get github.com/ice3man543/subfinder`
			```
Updated README 2018-04-15 13:34:56 +00:00
Update README.md 2018-04-24 13:14:52 +00:00			`## Running in a Docker Container`
Update README.md Add instructions to run with Docker 2018-04-17 06:36:23 +00:00
			`Git clone the repo, then build and run subfinder in a container with the following commands`

Updated with some misc changes 2018-04-17 09:21:18 +00:00			- Clone the repo using `git clone https://github.com/ice3man543/subfinder.git`
			`- Build your docker container`
Update README.md Add instructions to run with Docker 2018-04-17 06:36:23 +00:00			```bash
			`docker build -t subfinder .`
			```

Updated with some misc changes 2018-04-17 09:21:18 +00:00			`- After building the container, run the following.`
Update README.md Add instructions to run with Docker 2018-04-17 06:36:23 +00:00			```bash
Updated README 2018-04-23 00:09:34 +00:00			`docker run -it subfinder`
Update README.md Add instructions to run with Docker 2018-04-17 06:36:23 +00:00			```
Updated with some misc changes 2018-04-17 09:21:18 +00:00			> The above command is the same as running `-h`
Update README.md Add instructions to run with Docker 2018-04-17 06:36:23 +00:00
Update README.md 2018-04-24 13:14:52 +00:00			`*NOTE: Please follow the Post Install steps given after this to correctly configure the tool.*`
Corrected Docker Running Bug 2018-04-23 10:43:03 +00:00
Updated with some misc changes 2018-04-17 09:21:18 +00:00			`For example, this runs the tool against uber.com and output the results to your host file system:`
Update README.md Add instructions to run with Docker 2018-04-17 06:36:23 +00:00			```bash
Corrected Docker Running Bug 2018-04-23 10:43:03 +00:00			`docker run -v $HOME/.config/subfinder:/root/.config/subfinder -it subfinder -d uber.com > uber.com.txt`
Update README.md Add instructions to run with Docker 2018-04-17 06:36:23 +00:00			```
Updated README.md 2018-04-17 09:27:38 +00:00
Update README.md 2018-04-24 13:14:52 +00:00			`## Post Installation Instructions`
Updated README 2018-04-23 00:09:34 +00:00
Update README.md 2018-04-24 13:14:52 +00:00			`Subfinder will work after using the installation instructions however to configure Subfinder to work with certain services, you will need to have setup API keys. These following services do not work without an API key:`
Updated README 2018-04-23 00:09:34 +00:00
			`- [Virustotal](https://www.virustotal.com/)`
			`- [Passivetotal](http://passivetotal.org/)`
			`- [SecurityTrails](http://securitytrails.com/)`

Update README.md 2018-04-24 13:14:52 +00:00			`Theses values are stored in the $HOME/.config/subfinder/config.json file which will be created when you run the tool for the first time. To configure the services to use an API key, you need to use the tool with --set-config option which will allow you to set a configuration option. For example:`
Updated README 2018-04-23 00:09:34 +00:00
			```bash
			`./subfinder --set-config VirustotalAPIKey=0x41414141`
			`./subfinder --set-config PassivetotalUsername=hacker,PassivetotalKey=supersecret`
			```

Update README.md 2018-04-24 13:14:52 +00:00			`If you are using docker, you need to first create your directory structure holding subfinder configuration file. You can either run the binary in your host system and let it create the directory structure of files, after which you can use --set-config flag to set the api values like before. Or you can run:`
Corrected Docker Running Bug 2018-04-23 10:43:03 +00:00			```bash
			`mkdir $HOME/.config/subfinder`
			`cp config.json $HOME/.config/subfinder/config.json`
			`nano $HOME/.config/subfinder/config.json (optional)`
			```
			`After that, you can pass it as a volume using the following sample command.`
Updated README 2018-04-23 00:09:34 +00:00			```bash
Corrected Docker Running Bug 2018-04-23 10:43:03 +00:00			`sudo docker run -v $HOME/.config/subfinder:/root/.config/subfinder -it subfinder -d freelancer.com`
Updated README 2018-04-23 00:09:34 +00:00			```
Corrected Docker Running Bug 2018-04-23 10:43:03 +00:00			`Now, you can also pass --set-config inside the docker to change the configuration options.`

Update README.md 2018-04-24 13:14:52 +00:00			`# Acknowledgements`
Updated README.md 2018-04-17 09:27:38 +00:00
			`- @FranticFerret for his work on adding docker support.`