enterprise security tips privacy

SecurityTrails Blog · Aug 06 · by Esteban Borges

Subfinder: A Practical Subdomain Exploration Tool

Reading time: 5 minutes

In one of our previous posts about information gathering, we covered the basics on how to get the right intel information about any organization, and that of course includes DNS intelligence.

Part of that intel is related to DNS servers and their data, which includes subdomains. That’s why performing a full DNS mapping of all available subdomains is essential.

There are many ways to find subdomains, including manual methods and automated techniques using tools such as Amass, as we covered a few weeks ago.

And today we’ll be exploring another infosec tool that aims to help red-teamers build up a full subdomain map of their target: we’re talking about Subfinder, one of the best subdomain discovery tools available to help you with your information gathering tasks.

What is Subfinder?

Subfinder is a massive subdomain recon tool that can be used to generate a complete list of subdomains that are active on any domain name.

How does it work? Essentially, by discovering any valid subdomain, which it does by using passive online sources that include security APIs.

Its authors have designed it to excel at one thing: passive DNS subdomain enumeration.

With this in mind, know that subfinder is not a complete DNS enumeration intelligence tool. It focuses solely on subdomains. And yet, it proves to be a tremendous bonus for infosec researchers, bug-bounty hunters, and many other professionals within the market.

Main features

  • CLI-based tool
  • Modular code base
  • Fast DNS resolution
  • Easy API configuration interface
  • Ability to exclude certain sources
  • Output available in JSON, File and Stdout
  • Lightweight resource usage
  • Support for Stdin and Stdout
  • Uses 26 passive DNS sources (including SecurityTrails!)
  • Docker, tar and pre-built binaries available

Installation

The only requirement Subfinder has is that you need go1.13+, so once you know you have that covered, we suggest you go to https://github.com/projectdiscovery/subfinder/releases/ to download your preferred version.

In our case, we tested two installations.

Downloading the classic tar file:

    wget https://github.com/projectdiscovery/subfinder/releases/download/v2.3.2/subfinder-linux-amd64.tar
    tar -xzvf subfinder-linux-amd64.tar
    mv subfinder-linux-amd64 /usr/bin/subfinder
    subfinder

And building our own with Go:

    go get -v github.com/projectdiscovery/subfinder/cmd/subfinder

Expected output:

    root@securitytrails-kali:~/temp# go get -v github.com/projectdiscovery/subfinder/cmd/subfinder
    github.com/projectdiscovery/subfinder (download)
    github.com/projectdiscovery/gologger (download)
    github.com/logrusorgru/aurora (download)
    github.com/json-iterator/go (download)
    github.com/modern-go/concurrent (download)
    …
    …
    gopkg.in/yaml.v3
    github.com/projectdiscovery/subfinder/pkg/runner
    github.com/projectdiscovery/subfinder/cmd/subfinder

Both methods work great, and the installation should be completed within one minute.

If you’d like to check out more installation options, there is also a Docker image ready for you.

Configuring passive sources

Once your installation is ready, Subfinder should be properly configured to begin using any of the 20+ passive DNS sources, making it a really useful subdomain discovery tool.

Certain services require an API key in order to work, including our own SecurityTrails API, VirusTotal, Censys, BinaryEdge, Shodan and URLScan.

API keys can be configured at the $HOME/.config/subfinder/config.yaml file (which will be created after you execute the tool for the first time).

In the following case, we’ll show you how to configure the SecurityTrails API key.

First, let’s edit the API configuration file:

    nano -w $HOME/.config/subfinder/config.yaml

Then, find this block:

    binaryedge: []
    censys: []
    certspotter: []
    passivetotal: []
    securitytrails: []
    shodan: []
    urlscan: []
    virustotal: []

At securitytrails: [], specify your API key, so it looks like this:

    securitytrails: [your.api.key.here]

Save and close the file. That’s it, your first API key is ready to be used! You can configure as many as you like from other intelligence providers, as you saw on the list.

Testing Subfinder

Once Subfinder has been installed and you have configured the required API keys, it’s time to play with it.

Just type:

    subfinder -d freelancer.com

The output should show you something like this:

Testing Subfinder

Other popular options you can use are:

-dL: These two parameters will let you load a file that contains a list of domains to enumerate

    subfinder -dL securitytrails-domains.txt

-exclude-sources: This option enables you to exclude certain passive sources from the domain enumeration

subfinder -exclude-sources:virustotal -d facebook.com

-max-time: Allows you to set a new timeout while waiting for the subdomain enumeration results (default is set to 10)

    subfinder -max-time 1 -d adobe.com

-o: Enables users to save the output on an external file.

    subfinder -d microsoft.com -o microsoft-output.txt

-oJ: sets the output in JSON format:

    subfinder -d linkedin.com -o linkedin-output.json -oJ -nW

-nW: This parameter is an absolute must if you use the JSON output we mentioned. It enables domain resolving, ensuring an effective search for this kind of format.

The tool offers a lot of other great options, which can be seen by running:

    subfinder -h
Subfinder options

Analyzing the results

Important: As passive DNS sources change from day to day, the default sources used by this tool may increase or decrease (in our case, always increasing the numbers of subdomains found). So know that results may vary as days and weeks pass.

After playing around with Subfinder, we were highly satisfied with the results obtained by using this tool. Even when there was no API configured, it was able to find numerous subdomains by default—to be precise, up to 7159 subdomains for linkedin.com:

    root@securitytrails-kali:~# wc linkedin.txt
    7159 7159 217486 linkedin.txt

However, after configuring the SecurityTrails API, we were able to fetch up to 7844 subdomains, which is around 10% more than the previous result:

    root@securitytrails-kali:~# wc linkedin-st.txt
    7844 7844 231546 linkedin-st.txt

The same tests against other domain names (such as microsoft.com, facebook.com, apple.com and other big players) showed the same difference, between 8-11% more results after configuring our API.

Final words

Finding subdomains is easy with a tool like Subfinder. Its installation is straightforward, fast and works almost out of the box without any advanced configuration than merely setting up API keys.

Its native integration with the SecurityTrails API makes it even more powerful than other subdomain mapping tools that are based on DNS zone transfers or brute-forcing techniques.

ESTEBAN BORGES

Esteban is a seasoned security researcher and cybersecurity specialist with over 15 years of experience. Since joining SecurityTrails in 2017 he’s been our go-to for technical server security and source intelligence info.