Note: The audio version doesn't include code or commands. Those parts of the post can be seen in the text version.
In one of our previous posts about information gathering, we covered the basics of collecting intelligence about an organization, and that of course includes DNS intelligence.
Part of that intel concerns DNS servers and the data they hold, including subdomains. That's why building a full DNS map of all discoverable subdomains is essential.
There are many ways to find subdomains, including manual methods and automated techniques using tools such as Amass, as we covered a few weeks ago.
And today we'll be exploring another infosec tool that aims to help "red-teamers" build up a full subdomain map of their target: we're talking about Subfinder, one of the best subdomain discovery tools available to help you with your information gathering tasks.
What is Subfinder?
Subfinder is a subdomain reconnaissance tool that generates a list of the subdomains known for any domain name.
How does it work? It queries passive online sources, including security APIs, and collects every valid subdomain they report.
Its authors have designed it to excel at one thing: passive DNS subdomain enumeration.
With this in mind, be aware that Subfinder is not a complete DNS enumeration tool: it focuses solely on subdomains. Even so, it is a tremendous asset for infosec researchers, bug-bounty hunters and many other professionals in the field.
Main features
CLI-based tool
Modular code base
Fast DNS resolution
Easy API configuration interface
Ability to exclude certain sources
Output available in JSON, File and Stdout
Lightweight resource usage
Support for Stdin and Stdout
Uses 26 passive DNS sources (including SecurityTrails!)
Docker, tar and pre-built binaries available
Installation
Subfinder's only requirement is Go 1.13 or later, so once you have that covered, we suggest you go to github.com/projectdiscovery/subfinder/releases/ to download your preferred version.
In our case, we tested two installations.
Downloading the classic tar file:
And building our own with Go:
Expected output:
Both methods work great, and the installation should be completed within one minute.
If you'd like to check out more installation options, there is also a Docker image ready for you.
Configuring passive sources
Once your installation is ready, Subfinder needs to be configured before it can use all of its 20+ passive DNS sources, which is what makes it such a useful subdomain discovery tool.
Certain services require an API key in order to work, including our own SecurityTrails API, VirusTotal, Censys, BinaryEdge, Shodan and URLScan.
API keys are configured in the $HOME/.config/subfinder/config.yaml file, which is created the first time you run the tool.
In the following case, we'll show you how to configure the SecurityTrails API key.
First, let's edit the API configuration file:
Then, find this block:
At securitytrails: [], specify your API key, so it looks like this:
Save and close the file. That's it, your first API key is ready to be used! You can configure keys for as many of the other intelligence providers listed above as you like.
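The edit described above can also be scripted. The following is an added example written for this post, not code from SecurityTrails or the Subfinder project. It turns the `securitytrails: []` line into a one-element list holding the key, as the post describes, while keeping the key out of your shell history (read it from a variable) and the file unreadable to other local users. It assumes the plain-text config format with a `securitytrails: []` line; the key value shown is a constructed placeholder.

```shell
#!/bin/sh
# Added example for this post; it is not code from SecurityTrails or the
# Subfinder project. Writes a SecurityTrails API key into Subfinder's
# config.yaml by turning "securitytrails: []" into a one-element list, and
# tightens file permissions. The key below is a constructed placeholder.
set -eu

# set_securitytrails_key CONFIG_PATH API_KEY
# Rewrites the empty list into one holding the key and restricts the file to
# the owner (mode 0600).
set_securitytrails_key() {
    config="$1"
    key="$2"

    # Provider keys contain only letters, digits, '-' and '_'; refuse anything
    # else so a stray quote or newline cannot corrupt the YAML.
    case "$key" in
        *[!A-Za-z0-9_-]*|'') echo "refusing to write a malformed key" >&2; return 1 ;;
    esac

    # Stage the edit in a mktemp file (created mode 0600) and move it into
    # place, so the config is never briefly world-readable or half-written.
    staged=$(mktemp)
    sed "s|^securitytrails: \[]\$|securitytrails: [\"$key\"]|" "$config" > "$staged"
    mv "$staged" "$config"
    chmod 600 "$config"
}

# list_configured_sources CONFIG_PATH
# Names the providers that have a key set, without printing the keys.
list_configured_sources() {
    grep -E '^[a-z]+: \[".+"]$' "$1" | cut -d: -f1
}

# --- Stand-alone demo on a constructed config (not a real key) ---
demo=$(mktemp)
printf 'resolvers: []\nvirustotal: []\nsecuritytrails: []\n' > "$demo"
SECURITYTRAILS_KEY="EXAMPLEKEY-not-real"   # in practice, export this from a secrets store
set_securitytrails_key "$demo" "$SECURITYTRAILS_KEY"
echo "configured sources: $(list_configured_sources "$demo")"   # configured sources: securitytrails
rm -f "$demo"
```

Point `set_securitytrails_key` at the real `$HOME/.config/subfinder/config.yaml` path and pass the key through an environment variable; `list_configured_sources` is a quick way to confirm which providers are enabled before a run without echoing secrets to the terminal.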
Testing Subfinder
Once Subfinder has been installed and you have configured the required API keys, it's time to play with it.
Just type:
The output should show you something like this:
Other popular options you can use are:
**-dL**: This option lets you load a file that contains a list of domains to enumerate
**-exclude-sources**: This option lets you exclude certain passive sources from the enumeration
**-max-time**: Sets the maximum time to wait for the subdomain enumeration results (the default is 10)
**-o**: Saves the output to an external file.
**-...
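Once you have saved a run with `-o`, the list is only useful if someone acts on it. The following added example (written for this post, not code from SecurityTrails or the Subfinder project) normalises Subfinder's plain-text output, which is one subdomain per line, and compares it against an asset inventory so the owning team can spot hosts that exist in public DNS data but not in their own records. All host names below are constructed sample data, not real findings.

```shell
#!/bin/sh
# Added example for this post; not code from SecurityTrails or Subfinder.
# Normalises Subfinder's one-name-per-line output and diffs it against an
# asset inventory. The sample names are constructed, not real findings.
set -eu
export LC_ALL=C   # deterministic ordering for sort and comm

# normalise_subdomains SCOPE_DOMAIN  < raw_subfinder_output
# Lowercases, strips a trailing dot, keeps only names that are the scope
# domain or end in ".SCOPE_DOMAIN" (passive sources occasionally return
# look-alike names outside scope) and removes duplicates.
normalise_subdomains() {
    scope_re=$(printf '%s' "$1" | sed 's/\./\\./g')
    tr 'A-Z' 'a-z' \
      | sed 's/\.$//' \
      | grep -E "(^|\\.)${scope_re}\$" \
      | sort -u
}

# unknown_hosts DISCOVERED_FILE INVENTORY_FILE
# Prints names in the discovered list that the inventory does not contain.
# Both inputs are lowercased and sorted here so comm's requirements hold.
unknown_hosts() {
    d=$(mktemp); i=$(mktemp)
    tr 'A-Z' 'a-z' < "$1" | sort -u > "$d"
    tr 'A-Z' 'a-z' < "$2" | sort -u > "$i"
    comm -23 "$d" "$i"
    rm -f "$d" "$i"
}

# --- Stand-alone demo with constructed data ---
raw=$(mktemp); inv=$(mktemp); found=$(mktemp)
# What a saved run might look like: mixed case, trailing dots, duplicates
# and one out-of-scope look-alike.
printf 'WWW.example.com\napi.example.com.\ndev.example.com\napi.example.com\nexample.com.lookalike.test\nMail.Example.COM\n' > "$raw"
# The team's own inventory of known hosts.
printf 'www.example.com\nmail.example.com\napi.example.com\n' > "$inv"
normalise_subdomains example.com < "$raw" > "$found"
echo "not in inventory:"
unknown_hosts "$found" "$inv"   # prints dev.example.com
rm -f "$raw" "$inv" "$found"
```

In practice, replace the constructed `$raw` file with the file Subfinder wrote via `-o`, and feed the result of `unknown_hosts` into whatever ticketing or asset-management process owns follow-up: a name that passive sources know about but the inventory does not is either a forgotten host or a record that should be cleaned up.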