Subfinder is a subdomain discovery tool that discovers valid subdomains for websites. Designed as a passive framework to be useful for bug bounties and safe for penetration testing.
 
 
 


subfinder


Subfinder is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources. It has a simple modular architecture and is optimized for speed. Subfinder is built for doing one thing only - passive subdomain enumeration, and it does that very well.

We have designed SubFinder to comply with all passive sources licenses, and usage restrictions, as well as maintained a consistently passive model to make it useful to both penetration testers and bug bounty hunters alike.

Resources

Features

  • Simple and modular code base making it easy to contribute.
  • Fast And Powerful Resolution and wildcard elimination module
  • Curated passive sources to maximize results (26 Sources as of now)
  • Multiple Output formats supported (Json, File, Stdout)
  • Optimized for speed, very fast and lightweight on resources
  • Stdin and stdout support for integrating in workflows

Usage

subfinder -h

This will display help for the tool. Here are all the switches it supports.

| Flag | Description | Example |
|------|-------------|---------|
| -config string | Configuration file for API Keys, etc | subfinder -config config.yaml |
| -d | Domain to find subdomains for | subfinder -d uber.com |
| -dL | File containing list of domains to enumerate | subfinder -dL hackerone-hosts.txt |
| -exclude-sources | List of sources to exclude from enumeration | subfinder -exclude-sources archiveis |
| -max-time | Minutes to wait for enumeration results (default 10) | subfinder -max-time 1 |
| -nC | Don't Use colors in output | subfinder -nC |
| -nW | Remove Wildcard & Dead Subdomains from output | subfinder -nW |
| -o | File to write output to (optional) | subfinder -o output.txt |
| -oD | Directory to write enumeration results to (optional) | subfinder -oD ~/outputs |
| -oI | Write output in Host,IP format | subfinder -oI |
| -oJ | Write output in JSON lines Format | subfinder -oJ |
| -r | Comma-separated list of resolvers to use | subfinder -r 1.1.1.1,1.0.0.1 |
| -rL | Text file containing list of resolvers to use | subfinder -rL resolvers.txt |
| -silent | Show only subdomains in output | subfinder -silent |
| -sources | Comma separated list of sources to use | subfinder -sources shodan,censys |
| -t | Number of concurrent goroutines for resolving (default 10) | subfinder -t 100 |
| -timeout | Seconds to wait before timing out (default 30) | subfinder -timeout 30 |
| -v | Show Verbose output | subfinder -v |

Installation Instructions

Direct Installation

SubFinder requires go1.12+ to install successfully!

The installation is easy. Go get the repo:

go get -v github.com/projectdiscovery/subfinder/cmd/subfinder

Upgrading

If you wish to upgrade the package you can use:

go get -u -v github.com/projectdiscovery/subfinder/cmd/subfinder

Running in a Docker Container

Git clone the repo, then build and run subfinder in a container with the following commands:

  • Clone the repo using git clone https://github.com/projectdiscovery/subfinder.git
  • Build your docker container:
    docker build -t subfinder .
  • After building the container, run the following:
    docker run -it subfinder

The above command is the same as running subfinder -h.

For example, this runs the tool against uber.com and outputs the results to your host file system:

docker run -v $HOME/.config/subfinder:/root/.config/subfinder -it subfinder -d uber.com > uber.com.txt

Post Installation Instructions

Subfinder will work after following the installation instructions; however, to configure Subfinder to work with certain services, you will need to set up API keys. The following services do not work without an API key:

These values are stored in the $HOME/.config/subfinder/config.yaml file, which is created when you run the tool for the first time. The configuration file uses the YAML format. Multiple API keys can be specified for each of these services, from which one will be used for enumeration.

For sources that require multiple keys, namely Censys and Passivetotal, the keys can be added by separating them with a colon (:).

An example config file:

resolvers:
  - 1.1.1.1
  - 1.0.0.1
sources:
  - binaryedge
  - bufferover
  - censys
  - passivetotal
  - sitedossier
binaryedge:
  - 0bf8919b-aab9-42e4-9574-d3b639324597
  - ac244e2f-b635-4581-878a-33f4e79a2c13
censys:
  - ac244e2f-b635-4581-878a-33f4e79a2c13:dd510d6e-1b6e-4655-83f6-f347b363def9
certspotter: []
passivetotal: 
  - sampleemail@user.com:sample_password
securitytrails: []
shodan: []

If you are using docker, you first need to create the directory structure holding the subfinder configuration file. You can either run the binary on your host system and let it create the directory structure, after which you can use the --set-config flag to set the API values like before, or you can run:

mkdir -p $HOME/.config/subfinder
cp config.json $HOME/.config/subfinder/config.yaml
nano $HOME/.config/subfinder/config.yaml

After that, you can pass it as a volume using the following sample command.

sudo docker run -v $HOME/.config/subfinder:/root/.config/subfinder -it subfinder -d freelancer.com

You can also pass --set-config inside the Docker container to change the configuration options.

Running Subfinder

To run the tool on a target, just use the following command.

./subfinder -d freelancer.com

This will run the tool against freelancer.com. There are a number of configuration options that you can pass along with this command. The verbose switch (-v) can be used to display verbose information.

[CERTSPOTTER] www.fi.freelancer.com
[DNSDUMPSTER] hosting.freelancer.com
[DNSDUMPSTER] support.freelancer.com
[DNSDUMPSTER] accounts.freelancer.com
[DNSDUMPSTER] phabricator.freelancer.com
[DNSDUMPSTER] cdn1.freelancer.com
[DNSDUMPSTER] t1.freelancer.com
[DNSDUMPSTER] wdc.t1.freelancer.com
[DNSDUMPSTER] dal.t1.freelancer.com

The -o switch can be used to specify an output file.

./subfinder -d freelancer.com -o output.txt

You can also get output in JSON format using the -oJ switch. This switch saves the output in the JSON lines format.

If you use the JSON format, or the Host:IP format, then it becomes mandatory to use the -nW flag, as resolving is essential for these output formats. By default, resolving the found subdomains is disabled.

> ./subfinder -d hackerone.com -o output.json -oJ -nW
> cat output.json
{"host":"www.hackerone.com","ip":"104.16.99.52"}
{"host":"mta-sts.hackerone.com","ip":"185.199.108.153"}
{"host":"hackerone.com","ip":"104.16.100.52"}
{"host":"mta-sts.managed.hackerone.com","ip":"185.199.110.153"}
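One way to turn the JSON lines output above into an inventory of your own domain's exposure, as an added example that is not part of subfinder: it deduplicates records, groups hosts by IP, and flags names that resolve to private, loopback or link-local addresses, which indicate internal addressing visible in public DNS. `Inventory`, `Summarize` and the sample input are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// Inventory and Summarize are hypothetical names for this added example.
type Inventory struct {
	ByIP     map[string][]string // IP -> unique hosts, in input order
	Internal []string            // hosts on private, loopback or link-local IPs
	Skipped  int                 // lines that are not valid host/IP records
}

// Constructed sample: two lines from the page plus constructed edge cases.
const sample = `{"host":"www.hackerone.com","ip":"104.16.99.52"}
{"host":"mta-sts.hackerone.com","ip":"185.199.108.153"}
{"host":"WWW.hackerone.com","ip":"104.16.99.52"}
{"host":"intranet.example.com","ip":"10.0.5.12"}
{"host":"broken.example.com","ip":"not-an-ip"}
not json at all`

// Summarize parses -oJ style JSON lines and builds the inventory.
func Summarize(jsonl string) Inventory {
	inv := Inventory{ByIP: map[string][]string{}}
	seen := map[string]bool{}
	for _, line := range strings.Split(strings.TrimSpace(jsonl), "\n") {
		var r struct{ Host, IP string } // keys "host" and "ip" match case-insensitively
		err := json.Unmarshal([]byte(line), &r)
		ip := net.ParseIP(r.IP)
		if err != nil || ip == nil || r.Host == "" {
			inv.Skipped++ // malformed JSON, missing host, or unparsable IP
			continue
		}
		host := strings.ToLower(strings.TrimSuffix(r.Host, "."))
		if key := host + "|" + ip.String(); !seen[key] {
			seen[key] = true
			inv.ByIP[ip.String()] = append(inv.ByIP[ip.String()], host)
			if ip.IsPrivate() || ip.IsLoopback() || ip.IsLinkLocalUnicast() {
				inv.Internal = append(inv.Internal, host)
			}
		}
	}
	return inv
}

func main() { fmt.Printf("%+v\n", Summarize(sample)) }
```

`net.IP.IsPrivate` requires Go 1.17 or later.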

The --silent switch can be used to show only subdomains found without any other info. The --set-config switch can be used to set the value of any configuration option as explained above in the readme.

You can specify custom resolvers too.

./subfinder -d freelancer.com -o result_aquatone.json -nW -v -r 8.8.8.8,1.1.1.1
./subfinder -d freelancer.com -o result_aquatone.json -nW -v -rL resolvers.txt

License

subfinder is made with 🖤 by the projectdiscovery team. See the Thanks.md file for more details.