Part of that intel is related to DNS servers and their data, which includes subdomains. That’s why performing a full DNS mapping of all available subdomains is essential.
There are many ways to find subdomains, including manual methods and automated techniques using tools such as Amass, as we covered a few weeks ago.
And today we’ll be exploring another infosec tool that aims to help red-teamers build up a full subdomain map of their target: we’re talking about Subfinder, one of the best subdomain discovery tools available to help you with your information gathering tasks.
What is Subfinder?
Subfinder is a subdomain reconnaissance tool that builds a list of the subdomains that public, passive sources know about for a given domain name.
How does it work? It queries passive online sources (certificate transparency logs, passive DNS datasets and security vendor APIs such as SecurityTrails) instead of probing the target itself, so a default run does not touch the target's own servers. Two caveats follow from that design: the list is only as complete as the sources behind it, and a returned name is not necessarily live until you resolve it.
Its authors have designed it to excel at one thing: passive DNS subdomain enumeration.
With this in mind, know that subfinder is not a complete DNS enumeration intelligence tool. It focuses solely on subdomains. And yet, it proves to be a tremendous bonus for infosec researchers, bug-bounty hunters, and many other professionals within the market.
- CLI-based tool
- Modular code base
- Fast DNS resolution
- Easy API configuration interface
- Ability to exclude certain sources
- Output available in JSON, File and Stdout
- Lightweight resource usage
- Support for Stdin and Stdout
- Uses 26 passive DNS sources (including SecurityTrails!)
- Docker, tar and pre-built binaries available
Prebuilt binaries have no runtime dependencies; building from source requires Go 1.13 or newer. In either case, start at https://github.com/projectdiscovery/subfinder/releases/ and pick the version you prefer.
In our case, we tested two installations.
Downloading the classic tar file:
```shell
wget https://github.com/projectdiscovery/subfinder/releases/download/v2.3.2/subfinder-linux-amd64.tar
# the release asset is a plain tar; -xf auto-detects compression anyway, so drop -z
tar -xvf subfinder-linux-amd64.tar
mv subfinder-linux-amd64 /usr/bin/subfinder
subfinder
```
And building our own with Go:
```shell
go get -v github.com/projectdiscovery/subfinder/cmd/subfinder
```
Which downloads and compiles the module and its dependencies:
```
github.com/projectdiscovery/subfinder (download)
github.com/projectdiscovery/gologger (download)
github.com/logrusorgru/aurora (download)
github.com/json-iterator/go (download)
github.com/modern-go/concurrent (download)
…
gopkg.in/yaml.v3
github.com/projectdiscovery/subfinder/pkg/runner
github.com/projectdiscovery/subfinder/cmd/subfinder
```
Both methods work, and either install finishes within a minute. Note that from Go 1.17 onward `go get` no longer installs binaries; with a current toolchain use `go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest` instead.
If you’d like to check out more installation options, there is also a Docker image ready for you.
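The tar install above moves a freshly downloaded binary straight into /usr/bin. As an added example (not code from the original post or from the subfinder project), the following helper verifies the archive against a SHA-256 checksum list before anything is extracted or installed. It assumes the release provides a checksums file in `sha256sum` format (one `<hash>  <file>` line per asset); the archive and checksum file names in the comments are illustrative, and the `demo` function builds a throwaway archive so the script can be run without network access.

```shell
# Added example, not code from the original post or from the subfinder
# project. Verifies a downloaded release archive against a SHA-256 checksum
# list before extracting and installing the binary, so a tampered or
# truncated download never lands in $PATH. Assumptions: the release ships a
# checksums file in sha256sum format ("<hash>  <file>" per line); file names
# in the usage comments are illustrative.

# verify_archive ARCHIVE CHECKSUMS_FILE
# 0 = match, 1 = hash mismatch, 2 = archive not listed in CHECKSUMS_FILE.
verify_archive() {
  archive=$1
  sums=$2
  name=$(basename "$archive")
  # sha256sum lines look like "<hash>  <name>" or "<hash> *<name>" (binary mode)
  expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sums")
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name in $sums" >&2
    return 2
  fi
  actual=$(sha256sum "$archive" | awk '{ print $1 }')
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $name" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi
  return 0
}

# install_subfinder ARCHIVE CHECKSUMS_FILE DEST_DIR
# Extracts into a scratch directory only after verify_archive succeeds and
# installs the first subfinder* file found as DEST_DIR/subfinder (mode 0755).
# Older releases shipped the binary as subfinder-linux-amd64, newer ones as
# subfinder, hence the glob.
install_subfinder() {
  verify_archive "$1" "$2" || return $?
  tmp=$(mktemp -d)
  tar -xf "$1" -C "$tmp"
  bin=$(find "$tmp" -maxdepth 1 -type f -name 'subfinder*' | head -n 1)
  if [ -z "$bin" ]; then
    echo "no subfinder binary found in $1" >&2
    rm -rf "$tmp"
    return 3
  fi
  install -m 0755 "$bin" "$3/subfinder"
  rm -rf "$tmp"
}

# demo: build a throwaway archive plus matching checksum list, install it into
# a scratch directory, then show the rejection path by corrupting the archive.
demo() {
  d=$(mktemp -d)
  printf '#!/bin/sh\necho fake subfinder\n' > "$d/subfinder-linux-amd64"
  tar -cf "$d/subfinder-linux-amd64.tar" -C "$d" subfinder-linux-amd64
  (cd "$d" && sha256sum subfinder-linux-amd64.tar > checksums.txt)
  mkdir "$d/bin"
  install_subfinder "$d/subfinder-linux-amd64.tar" "$d/checksums.txt" "$d/bin" \
    && echo "installed to $d/bin/subfinder"
  printf 'x' >> "$d/subfinder-linux-amd64.tar"
  verify_archive "$d/subfinder-linux-amd64.tar" "$d/checksums.txt" \
    || echo "tampered archive rejected (rc=$?)"
  rm -rf "$d"
}

# Run "sh install.sh demo" for the self-contained walkthrough. For a real
# release (names illustrative, take them from the release page):
#   wget https://github.com/projectdiscovery/subfinder/releases/download/<tag>/subfinder-linux-amd64.tar
#   wget https://github.com/projectdiscovery/subfinder/releases/download/<tag>/checksums.txt
#   sudo sh -c '. ./install.sh; install_subfinder subfinder-linux-amd64.tar checksums.txt /usr/local/bin'
if [ "${1-}" = "demo" ]; then demo; fi
```

Installing into /usr/local/bin rather than /usr/bin keeps the binary out of the package manager's directory, and the 0755 mode from `install` means the file is writable only by root.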
Configuring passive sources
Once your installation is ready, Subfinder should be properly configured to begin using any of the 20+ passive DNS sources, making it a really useful subdomain discovery tool.
Certain services require an API key in order to work, including our own SecurityTrails API, VirusTotal, Censys, BinaryEdge, Shodan and URLScan.
API keys live in the $HOME/.config/subfinder/config.yaml file, which is created the first time you run the tool. (Later releases moved the keys into provider-config.yaml in the same directory, so check which file your version created.)
In the following case, we’ll show you how to configure the SecurityTrails API key.
First, let’s edit the API configuration file:
nano -w $HOME/.config/subfinder/config.yaml
Then, find this block:
```yaml
binaryedge:
censys:
certspotter:
passivetotal:
securitytrails:
shodan:
urlscan:
virustotal:
```
Under `securitytrails:`, add your API key as an indented list item (a line starting with `- ` followed by the key), and leave the other sources empty until you have keys for them. The file now holds a secret, so make sure it is readable only by your user.
Save and close the file. That’s it, your first API key is ready to be used! You can configure as many as you like from other intelligence providers, as you saw on the list.
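Two things go wrong with this file in practice: a source line is left empty by mistake, or the file ends up world-readable on a shared box. The helper below, an added example that is not code from the original post or from the subfinder project, checks both before a run. It assumes the v2.3-era layout in which each source name is a top-level YAML key followed by an indented `- <key>` list (the layout of the block shown above); the sample config it writes and the key value in it are constructed placeholders, not real credentials.

```shell
# Added example, not code from the original post or from the subfinder
# project. Checks a v2.3-style config.yaml before an enumeration: (1) lists
# which sources actually have a key, (2) fails if the file is readable by
# anyone but its owner. Assumption: each source is a top-level YAML key
# followed by an indented "- <key>" list. The sample config is constructed.

# configured_sources FILE
# Prints the names of sources that have at least one key listed under them.
# "resolvers" and "sources" are list-valued but are not API keys, so they are
# skipped. Inline lists ("name: [...]") are not handled.
configured_sources() {
  awk '
    /^[A-Za-z0-9_]+:[ \t]*$/ {         # "securitytrails:" on its own line
      src = $0; sub(/:.*/, "", src)
      if (src == "resolvers" || src == "sources") src = ""
      next
    }
    /^[ \t]+-[ \t]*[^ \t]/ {           # "  - <key>" under the current source
      if (src != "") { print src; src = "" }
      next
    }
    /^[^ \t]/ { src = "" }             # any other top-level line ends the block
  ' "$1" | sort -u
}

# config_mode_ok FILE
# 0 if only the owner can read the file (mode 600 or 400), 1 otherwise.
# GNU stat first, BSD/macOS stat as fallback.
config_mode_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$mode" in
    600|400) return 0 ;;
    *) return 1 ;;
  esac
}

# write_sample_config FILE
# Constructed config in the v2.3 layout: only securitytrails has a key (a
# placeholder, not a real key); every other source is left empty.
write_sample_config() {
  cat > "$1" <<'EOF'
resolvers:
  - 1.1.1.1
  - 8.8.8.8
binaryedge:
censys:
certspotter:
passivetotal:
securitytrails:
  - 0123456789abcdef0123456789abcdef
shodan:
urlscan:
virustotal:
EOF
  chmod 600 "$1"
}

# check_config [FILE]
# Reports the configured sources; returns 1 if the file is too permissive.
check_config() {
  cfg=${1:-$HOME/.config/subfinder/config.yaml}
  echo "sources with keys in $cfg:"
  configured_sources "$cfg" | sed 's/^/  /'
  if config_mode_ok "$cfg"; then
    echo "permissions ok"
  else
    echo "WARNING: $cfg is readable by others; run: chmod 600 $cfg" >&2
    return 1
  fi
}

# "sh check.sh demo" runs the check against the constructed sample; with no
# argument nothing runs, so the functions can be sourced from another script.
if [ "${1-}" = "demo" ]; then
  d=$(mktemp -d)
  write_sample_config "$d/config.yaml"
  check_config "$d/config.yaml"
  rm -rf "$d"
fi
```

Point `check_config` at your real config.yaml before a large enumeration; an empty `securitytrails:` line fails silently inside subfinder, whereas the listing above makes the omission obvious.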
Once Subfinder has been installed and you have configured the required API keys, it’s time to play with it.
subfinder -d freelancer.com
The output lists one discovered subdomain per line.
Other popular options you can use are:
-dL: loads a file containing one domain per line and enumerates each of them
subfinder -dL securitytrails-domains.txt
-exclude-sources: This option enables you to exclude certain passive sources from the domain enumeration
subfinder -exclude-sources virustotal -d facebook.com
-max-time: sets how many minutes to wait for enumeration results before the run is cut off (default 10)
subfinder -max-time 1 -d adobe.com
-o: Enables users to save the output on an external file.
subfinder -d microsoft.com -o microsoft-output.txt
-oJ: sets the output in JSON format:
subfinder -d linkedin.com -o linkedin-output.json -oJ -nW
-nW: removes wildcard and dead subdomains from the results by actively resolving every candidate. That resolution is also what fills in the ip field of the JSON output, which is why the example above combines it with -oJ. Keep in mind that it turns an otherwise passive run into one that sends DNS queries for the target's names, so leave it out if the engagement requires you to stay fully passive.
The tool offers many other options, which you can list with `subfinder -h`.
Analyzing the results
Important: As passive DNS sources change from day to day, the default sources used by this tool may increase or decrease (in our case, always increasing the numbers of subdomains found). So know that results may vary as days and weeks pass.
After playing around with Subfinder, we were highly satisfied with the results obtained by using this tool. Even when there was no API configured, it was able to find numerous subdomains by default—to be precise, up to 7159 subdomains for linkedin.com:
```
$ wc linkedin.txt
7159 7159 217486 linkedin.txt
```
However, after configuring the SecurityTrails API, we were able to fetch up to 7844 subdomains, which is around 10% more than the previous result:
```
$ wc linkedin-st.txt
7844 7844 231546 linkedin-st.txt
```
The same tests against other domain names (such as microsoft.com, facebook.com, apple.com and other big players) showed the same difference, between 8-11% more results after configuring our API.
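The comparison above uses wc, which counts lines: duplicate entries, case variants and trailing dots inflate the raw numbers, and a line count cannot tell you which hosts the extra source actually contributed. The helpers below are an added example, not code from the original post or from the subfinder project; they normalise two result files (plain -o output or -oJ JSON lines), report distinct counts and the percentage gain, and use comm to print exactly the hosts a second run added. The `demo` function feeds them constructed sample files, so no subfinder run or network access is needed to try it.

```shell
# Added example, not code from the original post or from the subfinder
# project. Compares two subfinder result files (e.g. a run without API keys
# and a run with the SecurityTrails key) on distinct, normalised host names.
# The hosts in demo() are constructed, not real results.

# normalize FILE
# Accepts one host per line, or JSON lines of the form {"host":"...",...};
# lower-cases, strips trailing whitespace and a trailing dot, drops blank
# lines, and emits a sorted, de-duplicated list (comm needs sorted input).
normalize() {
  sed -n '
    s/^[[:space:]]*{.*"host"[[:space:]]*:[[:space:]]*"\([^"]*\)".*$/\1/
    s/[[:space:]]*$//
    s/\.$//
    /^$/d
    p
  ' "$1" | tr 'A-Z' 'a-z' | LC_ALL=C sort -u
}

# count_unique FILE -> number of distinct hosts
count_unique() {
  normalize "$1" | wc -l | tr -d ' '
}

# new_hosts BASE WITH -> hosts present in WITH but not in BASE, one per line
new_hosts() {
  a=$(mktemp); b=$(mktemp)
  normalize "$1" > "$a"
  normalize "$2" > "$b"
  LC_ALL=C comm -13 "$a" "$b"
  rm -f "$a" "$b"
}

# gain_percent BASE WITH -> integer percentage growth in distinct hosts
gain_percent() {
  n_a=$(count_unique "$1")
  n_b=$(count_unique "$2")
  [ "$n_a" -gt 0 ] || { echo 0; return; }
  echo $(( (n_b - n_a) * 100 / n_a ))
}

# compare_runs BASE WITH -> human-readable summary
compare_runs() {
  echo "distinct hosts in $1: $(count_unique "$1")"
  echo "distinct hosts in $2: $(count_unique "$2")"
  echo "gain: $(gain_percent "$1" "$2")%"
  echo "hosts only $2 found:"
  new_hosts "$1" "$2" | sed 's/^/  /'
}

# demo: two constructed result files, one plain (-o style) with a duplicate
# and a trailing dot, one JSON lines (-oJ style) with an extra host.
demo() {
  d=$(mktemp -d)
  printf 'www.example.com\nWWW.example.com\nmail.example.com.\n' > "$d/base.txt"
  printf '{"host":"www.example.com","ip":"192.0.2.1"}\n' > "$d/with-key.json"
  printf '{"host":"mail.example.com","ip":"192.0.2.2"}\n' >> "$d/with-key.json"
  printf '{"host":"vpn.example.com","ip":"192.0.2.3"}\n' >> "$d/with-key.json"
  compare_runs "$d/base.txt" "$d/with-key.json"
  rm -rf "$d"
}

# "sh compare.sh demo" for the constructed walkthrough; with the files from
# the runs above: compare_runs linkedin.txt linkedin-st.txt
if [ "${1-}" = "demo" ]; then demo; fi
```

Running `compare_runs` on the two linkedin files gives the honest version of the "around 10%" figure: a count of distinct names rather than lines, plus the list of hosts the SecurityTrails source added, which is what you would feed into the next stage of the assessment.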
Finding subdomains is easy with a tool like Subfinder. Installation is straightforward and fast, and the tool works almost out of the box; the only configuration worth doing is adding your API keys.
Its native integration with the SecurityTrails API makes it more effective at passive mapping than subdomain tools that rely on DNS zone transfers or brute forcing alone; pair it with an active resolve (the -nW flag) when you need to confirm which of the results are actually live.