In the era of application security, bug bounties have evolved and become mainstream for hackers around the globe. Hackers are constantly looking for new tactics to automate the process of reconnaissance and find different types of vulnerabilities. One of the first steps to hacking a larger scoped program is subdomain enumeration.

You can find subdomains by using tools like amass, assetfinder, sudomy, and others. However, in this post, we'll discuss one of the most popular, subfinder, from ProjectDiscovery.

Introduction To Subfinder

Subfinder is a popular open-source tool used for subdomain enumeration. It allows users to quickly and easily discover subdomains of a given domain by using a variety of different active and passive methods. This can be useful for a variety of purposes, such as security assessments, penetration testing, and research.

There are several similar tools available, including Sublist3r, Knockpy, and Amass. However, Subfinder is generally considered to be one of the most effective due to its speed, active development and the strong community. Subfinder is written in Golang, making full use of Golang's native concurrency to gather subdomains from multiple sources simultaneously. Subfinder gathers potential subdomain lists from passive online sources such as Binaryedge, C99, Certspotter, Chinaz, Censys, Chaos, and others.

Core Features

Below are some of Subfinder's core features:

  • Fast and powerful resolution and wildcard elimination module
  • Curated passive sources to maximize results
  • Multiple Output formats supported (JSON, File, Stdout)
  • Optimized for speed, very fast and lightweight on resources
  • STDIN/OUT support for integrating with workflows
  • Command Line Interface (CLI) based tool
  • Easy API configuration interface
  • Ability to exclude certain sources
  • Uses up to 26 passive DNS sources (including SecurityTrails!)
  • Docker, tar and pre-built binaries available

The ProjectDiscovery Community Factor

The ProjectDiscovery community is a major factor in the success of Subfinder, and has helped to make it one of the most popular tools for subdomain enumeration. Their passion and engagement have helped to drive the development of the tool and ensure that it continues to meet their needs, including penetration testing, security research and bug bounty hunting.

The ProjectDiscovery community plays a crucial role in the development and success of Subfinder and other tools. They provide valuable feedback and suggestions for improving the tool, contribute code and other resources to the project, develop content related to the tool, and help to battle test it.

Installation of Subfinder

We can install Subfinder using four different methods:

Source

Subfinder is written in Golang. Therefore, we can install it from source by using Golang utilities. To achieve that, you'll need to install Go on your local machine.

go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
Figure 1: Subfinder Installation

Binary

To get started, download the release archive that matches your operating system. Then extract it and move the subfinder binary to /usr/local/bin.

tar -xzvf subfinder-linux-amd64.tar.gz
mv subfinder /usr/local/bin/
subfinder -h

GitHub

Clone the repository and change into subfinder/v2/cmd/subfinder, then run go build . to compile the tool. Once the resulting binary has been moved to /usr/local/bin, Subfinder is ready to use.

git clone https://github.com/projectdiscovery/subfinder.git
cd subfinder/v2/cmd/subfinder
go build .
mv subfinder /usr/local/bin/
subfinder -h

Docker

docker pull projectdiscovery/subfinder:latest

In this section, we will cover all the different features and usage options that Subfinder provides.

Getting Help

subfinder -h
Figure 2: Subfinder Help

Performing Basic Subdomain Enumeration

subfinder -d tesla.com -v
Figure 3: Subfinder Subdomain

Enumerating Subdomains From a List of Domains

subfinder -dL list.txt -v
Figure 4: Subfinder Subdomains Using Domain List (Tesla)
Figure 5: Subfinder Subdomain Using Domain List (Facebook)

Enumerating Subdomains Using Specific Sources

subfinder -d tesla.com -s virustotal
Figure 6: Subfinder Sources

The screenshot below shows how we retrieved the subdomains using the virustotal API Key. To retrieve subdomains from other alternative sources, the API Keys must be added to the file ~/.config/subfinder/provider-config.yaml. You can learn more about these API keys below in the Post Installation Instructions section.

Sample API key entries are shown in the screenshot below:

Figure 7: Subfinder API Key Configuration

Enumerating Subdomains Using All Sources

subfinder -d tesla.com -v -all 
Figure 8: Subfinder All Sources

Using the -all option, we can fetch all the subdomains using the default sources and sources with configured API Keys.

Figure 9: Subfinder All Sources (rapiddns, crt.sh, sonarsearch, etc.)

Excluding Specific Sources

subfinder -d tesla.com -es virustotal,securitytrails,dnsdumpster 
Figure 10: Subfinder Excluded Sources

The -es option excludes the listed sources, and the total number of subdomains drops noticeably as a result. With all sources enabled, the run returned more than 854 domains.

After removing these sources, the picture below shows only 559 domains.

Figure 11: Count of Domains Excluding the sources

Output Options

Outputting Results to a File

subfinder -d tesla.com -o subdomain.txt 
Figure 12: Writing Subdomains Output To File

Outputting Results in JSON Format

subfinder -d tesla.com -o tesla.json -oJ 
Figure 13: Writing Subdomains Output To JSON File

In the example below, we've used jq to pretty-print the JSON so it is easier to read, and the head command to show the first ten lines of tesla.json.

Figure 14: Beautified JSON Output with JQ
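The JSON output and the -es source-exclusion counts above can be worked with outside of jq as well. The following Python script is an added example, not part of the original post or of Subfinder itself: it parses line-delimited -oJ output (the "host", "input" and "source" field names are assumed from the tool's JSON format, and the sample records are constructed), drops results that fall outside the root domain's scope, counts hits per source, and reports which hosts would be lost if a given source were excluded.

```python
import json
from collections import Counter
# Constructed sample of subfinder's line-delimited -oJ output; field names are
# assumed from the tool's JSON format, hostnames are invented, last line is bad.
SAMPLE_JSONL = """\
{"host":"www.example.com","input":"example.com","source":"crtsh"}
{"host":"mail.example.com","input":"example.com","source":"virustotal"}
{"host":"www.example.com","input":"example.com","source":"virustotal"}
{"host":"vpn.example.com","input":"example.com","source":"dnsdumpster"}
{"host":"evil.example.org","input":"example.com","source":"rapiddns"}
{"host":"staging.example.com","input":"example.com","source":"rapiddns"}
not json at all
"""

def parse_subfinder_jsonl(text):
    """Return (records, bad_line_count); malformed lines are skipped, not fatal."""
    records, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            bad += 1
            continue
        if isinstance(obj, dict) and "host" in obj:
            records.append(obj)
    return records, bad

def in_scope(host, root):
    """True only for root itself or a real subdomain (evil-root.com is rejected)."""
    host = host.lower().rstrip(".")
    return host == root or host.endswith("." + root)

def summarize(records, root, exclude_sources=()):
    """Unique in-scope hosts, per-source hit counts, and what -es would cost."""
    excluded, per_source = set(exclude_sources), Counter()
    all_hosts, kept, out_of_scope = set(), set(), set()
    for r in records:
        host = r["host"].lower()
        if not in_scope(host, root):
            out_of_scope.add(host)  # stray result: review it, never test it blindly
            continue
        src = r.get("source", "unknown")
        per_source[src] += 1
        all_hosts.add(host)
        if src not in excluded:
            kept.add(host)
    return {"unique_hosts": len(all_hosts), "after_exclusion": len(kept),
            "lost_by_exclusion": sorted(all_hosts - kept),
            "per_source": dict(per_source), "out_of_scope": sorted(out_of_scope)}
```

Hosts seen by more than one source survive an exclusion; only hosts known to the excluded source alone are lost, which is why the drop from 854 to 559 above is not simply the excluded sources' raw counts.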

Specifying a Directory to Write the Output

subfinder -dL list.txt -oD results
Figure 15: Subfinder Directory To Write Output

The -oD option writes the results into a directory rather than a single file, and is used together with -dL, which supplies the list of domains to enumerate. As the picture below shows, once the command completes, a directory containing the corresponding output files is created.

Figure 16: Directory with respective list of subdomains

Only Displaying Active Subdomains

subfinder -d tesla.com -o tesla_domain.json -nW
Figure 17: Subfinder Display Active Subdomains

The -nW option resolves each discovered subdomain over DNS and discards any that do not respond. This parameter is required when using the JSON output. It folds resolution into the enumeration, completing that part of your reconnaissance in one step.

Hiding Unnecessary Output

subfinder -d tesla.com -silent
Figure 18: Subfinder Silent Option

Being More Verbose

subfinder -d tesla.com -v
Figure 19: Subfinder Verbose Option

Advanced Options

Viewing Available Sources

subfinder -ls
Figure 20: Subfinder All Sources

Setting a Timeout

subfinder -d tesla.com -max-time 5
Figure 21: Subfinder Max Timeout

Piping to/from Other Tools

Subfinder accepts root domains from STDIN, like this:

echo "tesla.com" | subfinder -silent | httprobe
Figure 22: Subfinder Piping (STDIN/OUT)

Specifying a DNS Resolver

subfinder -d tesla.com -o output.txt -nW -v -r 8.8.8.8
Figure 23: Subfinder Custom DNS Resolution

Specifying a List of DNS Resolvers

subfinder -d tesla.com -o output.txt -nW -v -rL resolver.txt
Figure 24: Subfinder Custom List of DNS Resolution

Post Installation Instructions

Subfinder works as soon as the installation steps above are complete. However, a number of sources require an API key before Subfinder can query them. Without an API key, the following sources will not return results: Binaryedge, C99, Certspotter, Chinaz, Censys, Chaos, DnsDB, Fofa, Github, Intelx, Passivetotal, Robtex, SecurityTrails, Shodan, Threatbook, Virustotal, WhoisXML API, Zoomeye.

The first time the program runs, it creates $HOME/.config/subfinder/provider-config.yaml, which holds these settings in YAML format. Each service accepts a list of API keys, one of which will be used for enumeration.

For sources like Censys and Passivetotal whose credentials consist of several parts, join the parts with a colon (:).

binaryedge:
  - 1bf8919b-aab9-42e4-9574-d3b639324598
  - bc244e2f-b635-4581-878a-33f4e79a2c14
censys:
  - cc244e2f-b635-4581-878a-33f4e79a2c13:dd510d6e-1b6e-4655-83f6-f347b363def8
certspotter: []
passivetotal:
  - sample-email@user.com:sample_password
securitytrails: []
shodan:
  - AAAAClP1bJJSRMEYJazgwhJKrggRwKA
github:
  - ghp_lkyJGU3jv1xmwk4SDXavrLDJ4dl2pSJMzj4X
  - ghp_gkUuhkIYdQPj13ifH4KA3cXRn8JD2lqir2d4
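A misconfigured provider entry fails silently: the source is simply skipped. The following Python check is an added example, not part of the original post or of Subfinder, that reads the restricted "source: list of keys" shape shown above (it is not a general YAML parser) and reports sources that will not work: empty key lists, and Censys or Passivetotal entries that are not in id:secret form. The sample config and its placeholder values are constructed.

```python
# Subfinder's provider-config.yaml maps a source name to a list of keys. This
# minimal parser handles only that shape (not general YAML). The sample below is
# constructed; the values are placeholders, not real credentials.
SAMPLE_CONFIG = """\
binaryedge:
  - PLACEHOLDER-KEY-1
  - PLACEHOLDER-KEY-2
censys:
  - PLACEHOLDER-ID:PLACEHOLDER-SECRET
certspotter: []
passivetotal:
  - user@example.com
securitytrails: []
"""

# Sources whose entries must be two credentials joined by ':' (see the post).
TWO_PART_SOURCES = {"censys", "passivetotal"}

def parse_provider_config(text):
    config, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):            # top-level "source:" line
            name, _, rest = line.partition(":")
            current = name.strip()
            config[current] = [] if rest.strip() in ("", "[]") else [rest.strip()]
        elif line.lstrip().startswith("- ") and current is not None:
            config[current].append(line.lstrip()[2:].strip())   # list item
        else:
            raise ValueError("unexpected line: " + raw)
    return config

def check_provider_config(config):
    """Return {source: problem} for sources that will be skipped or rejected."""
    problems = {}
    for source, keys in config.items():
        if not keys:
            problems[source] = "no key configured; source will be skipped"
            continue
        if source in TWO_PART_SOURCES:
            bad = [k for k in keys if k.count(":") != 1 or not all(k.split(":"))]
            if bad:
                problems[source] = "entries must be 'id:secret', %d malformed" % len(bad)
    return problems
```

Because this file holds live API tokens, keep it readable only by your own user and out of any repository you commit subfinder output to.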

Conclusion

Subfinder is a fantastic tool for gathering subdomains from various passive sources. It is straightforward to use and does not require much configuration. Due to its extensive integrations, it is far more powerful than most other subdomain mapping solutions currently available. Additionally, because it is implemented in the Go programming language, it is fast. Subfinder is unquestionably among the finest choices for bounty seekers while hunting for subdomains.

Author - Devansh Bordia, @devansh3008
