Information Gatheringsubdomainenumerationpassivediscoveryreconnaissance

Subfinder

Subfinder is a subdomain discovery tool that finds valid subdomains for websites using passive online sources. It features a simple modular architecture optimized for speed.

Description

Subfinder is designed exclusively for passive subdomain enumeration, leveraging various online sources to identify valid subdomains efficiently. It avoids active scanning, focusing instead on intelligence gathered from public databases and services, making it ideal for reconnaissance phases in penetration testing and security assessments.

Use cases include mapping attack surfaces during bug bounty hunting, domain reconnaissance in red team engagements, and initial information gathering for vulnerability research. Its speed and modularity allow users to target specific sources or use all available ones for comprehensive enumeration.

The tool supports filtering, rate limiting, and output customization, enabling tailored workflows. It integrates well with other Kali tools for further analysis of discovered subdomains.

How It Works

Subfinder operates by querying passive online sources such as certificate transparency logs, GitHub, and other providers to collect subdomain data without directly interacting with target domains. It uses a modular architecture where each source is independent, allowing selective or full enumeration. Resolvers validate subdomains, with options for active resolution via goroutines. Rate limits per provider prevent detection, and recursive sources handle nested subdomain discovery.

Installation

bash
sudo apt install subfinder

Flags

-d, -domaindomains to find subdomains for
-dL, -listfile containing list of domains for subdomain discovery
-s, -sourcesspecific sources to use for discovery (-s crtsh,github). Use -ls to display all available sources.
-recursiveuse only sources that can handle subdomains recursively rather than both recursive and non-recursive sources
-alluse all sources for enumeration (slow)
-es, -exclude-sourcessources to exclude from enumeration (-es alienvault,zoomeyeapi)
-m, -matchsubdomain or list of subdomain to match (file or comma separated)
-f, -filtersubdomain or list of subdomain to filter (file or comma separated)
-rl, -rate-limitmaximum number of http requests to send per second (global)
-rls, -rate-limitsmaximum number of http requests to send per second for providers in key=value format (-rls hackertarget=10/m) (default ["github=30/m", "fullhunt=60/m", "pugrecon=10/s", "robtex=18446744073709551615/ms", "securitytrails=1/s", "shodan=1/s", "virustotal=4/m", "hackertarget=2/s", "waybackarchive=15/m", "whoisxmlapi=50/s", "securitytrails=2/s", "sitedossier=8/m", "netlas=1/s", "github=83/m", "hudsonrock=5/s"])
-tnumber of concurrent goroutines for resolving (-active only) (default 10)
-up, -updateupdate subfinder to latest version
-duc, -disable-update-checkdisable automatic subfinder update check
-o, -outputfile to write output to
-oJ, -jsonwrite output in JSONL(ines) format
-oD, -output-dirdirectory to write output (-dL only)
-cs, -collect-sourcesinclude all sources in the output (-json only)
-oI, -ipinclude host IP in output (-active only)
-configflag config file (default "/root/.config/subfinder/config.yaml")
-pc, -provider-configprovider config file (default "/root/.config/subfinder/provider-config.yaml")
-rcomma separated list of resolvers to use
-rL, -rlistfile containing list of resolvers to use
-nW, -activedisplay active subdomains only
-proxyhttp proxy to use with subfinder
-ei, -exclude-ipexclude IPs from the list of domains
-silentshow only subdomains in output
-versionshow version of subfinder
-vshow verbose output
-nc, -no-colordisable color in output
-ls, -list-sourceslist all available sources
-statsreport source statistics
-timeoutseconds to wait before timing out (default 30)
-max-timeminutes to wait for enumeration results (default 10)

Examples

Display help and usage information for subfinder
subfinder -h
Find subdomains for a single domain
subfinder -d example.com
Use a file containing a list of domains for subdomain discovery
subfinder -dL domains.txt
Use specific sources like crtsh and github for discovery on a domain
subfinder -s crtsh,github -d example.com
Use all sources for enumeration (slow)
subfinder -all -d example.com
Exclude specific sources from enumeration
subfinder -es alienvault,zoomeyeapi -d example.com
Write subdomains to an output file
subfinder -o output.txt -d example.com
List all available sources
subfinder -ls
Updated 2026-04-16kali.org ↗