Subfinder Cheat Sheet

Subfinder is a subdomain discovery tool made by Project Discovery, the following cheat sheet provides and overview of the command flags for Subfinder and common commamnd examples for real world usage.

Install Subfinder

go install -v[email protected]
Configure API Keys

Subfinder works straight after install, however with API keys (even a free key) will improve passive subdomain results.

Subfinder Flags & Syntax

root:~#subfinder -h

</table></div>## Example Subfinder Commands### Find Subdomains Single DomainFind subdomains for a single domain with subfinder:

subfinder -d

__ _____ __
_______ __/ /_ / __(_)___ ____/ /__ _____
/ ___/ / / / __ / /_/ / __ / __ / _ / ___/
(__ ) /_/ / /_/ / __/ / / / / /_/ / __/ /
/____/__,_/_.___/_/ /_/_/ /_/__,_/___/_/ v2.5.1

Use with caution. You are responsible for your actions
Developers assume no liability and are not responsible for any misuse or damage.
By using subfinder, you also agree to the terms of the APIs used.

[INF] Enumerating subdomains for
[INF] Found 27 subdomains for in 30 seconds 33 milliseconds

### Verify Subfinder Results With HTTPXChain up other tools within your workflow, such as verifying targets have web servers using HTTPX:

echo | subfinder -silent | httpx -silent

### Subfinder + Naabu Portscan

echo | subfinder -silent | naabu -silent
Flag Description
-d, -domain string[] domains to find subdomains for
-dL, -list string file containing list of domains for subdomain discovery
-s, -sources string[] specific sources to use for discovery (-s crtsh,github). Use -ls to display all available sources.
-recursive use only sources that can handle subdomains recursively (e.g. subdomain.domain.tld vs domain.tld)
-all use all sources for enumeration (slow)
-es, -exclude-sources string[] sources to exclude from enumeration (-es alienvault,zoomeye)
-m, -match string[] subdomain or list of subdomain to match (file or comma separated)
-f, -filter string[] subdomain or list of subdomain to filter (file or comma separated)
-rl, -rate-limit int maximum number of http requests to send per second
-t int number of concurrent goroutines for resolving (-active only) (default 10)
-o, -output string file to write output to
-oJ, -json write output in JSONL(ines) format
-oD, -output-dir string directory to write output (-dL only)
-cs, -collect-sources include all sources in the output (-json only)
-oI, -ip include host IP in output (-active only)
-config string flag config file (default \”$HOME/.config/subfinder/config.yaml\”)
-pc, -provider-config string provider config file (default \”$HOME/.config/subfinder/provider-config.yaml\”)
-r string[] comma separated list of resolvers to use
-rL, -rlist string file containing list of resolvers to use
-nW, -active display active subdomains only
-proxy string http proxy to use with subfinder
-ei, -exclude-ip exclude IPs from the list of domains
-silent show only subdomains in output
-version show version of subfinder
-v show verbose output
-nc, -no-color disable color in output
-ls, -list-sources list all available sources
-timeout int seconds to wait before timing out (default 30)
-max-time int minutes to wait for enumeration results (default 10)

Source: /teehs-taehc-rednifbus/golb/eeffoc.nohgih

© 版权声明
点赞7 分享
评论 抢沙发