Today, most of the vulnerability or exploitation is done over the subdomains of a website where developers have less interest, which gives an attacker an open invitation to exploit their main website.
In some cases, the developer doesn’t even know which subdomain was created. From a security point of view, if you are doing security research, then it is your responsibility to know how to get a list of subdomains of the root domain.
Now, there are multiple ways to find a subdomain. For example, if you are a site admin and have access to a DNS record, then you can easily view the list of registered subdomains.
In case you are not a site admin and just a security researcher looking for a subdomain of the root site to check a security flaw, then you should take the help of the subfinder tool.
Table of Contents
What is the Subfinder Tool on Linux
Subfinder is a free and open-source subdomain discovery tool that discovers valid subdomains for websites. It uses passive online sources to find the subdomain of the site following all the licenses and usage restrictions.
The application is wrapped in Go programming language to give you fast results making it the favourite subdomain finder tool for both penetration testers and bug bounty hunters.
Subfinder Tool Features
- Fast and powerful resolution and wildcard elimination module
- Optimized for speed, very fast and lightweight on resources
- Curated passive sources to maximize results
- Multiple Output formats supported (Json, File, Stdout)
- STDIN/OUT support for integrating with workflows
Install Subfinder Tool on Linux
To install this make sure to have Go installed and configured on your system and have access to the go command. After that, you can pass the following command to start the installation.
$ go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latestAfter the installation is finished, try to execute subfinder command. If you got the command is not found error then execute the following command to create a symbolic link for subfinder which gives it global access.
$ sudo ln -s ~/go/bin/subfinder /usr/bin/Once again try to execute subfinder command if it throws the same error then reinstall the Go-lang.
Subfinder Tool Configuration
Even if you start using it after the installation it will work. However, to configure Subfinder to work with certain services, you will need to set up API keys.
The following services do not work without a valid API key:
Binaryedge, C99, Certspotter, Chinaz, Censys, Chaos, DnsDB, Fofa, Github, Intelx, Passivetotal, Robtex, SecurityTrails, Shodan, Threatbook, Virustotal, WhoisXML API, and Zoomeye
You can edit the configuration file located at ~/.config/subfinder/provider-config.yaml, (which is created when you run the command for the first time) by using the following command.
$ nano ~/.config/subfinder/provider-config.yamlBelow is the output when the above command is executed.
After you add the API key your configuration file will look like the below.
Lastly, save and close the file after the changes.
Subfinder Tool Usage
The usage of this tool is pretty simple and straightforward. Execute the following with the target URL and it will find all the subdomains linked to that URL.
$ subfinder -d github.comBelow is the output of the above command.
If you want to query multiple sites at once, then create a new text file and add each URL in a new file and pass the text file as a parameter.
$ subfinder -dL url.txtBelow is the output of the above command.
The best thing about this tool is that you can easily pipe the output of Subfinder with other tools. For example, you can pipe the subdomain discovered by subfinder with httpx tool to determine the protocol being used by the subdomain.
$ echo github.com | subfinder -silent | httpx -silentBelow is the output of the above command.
That is enough, I think now it is your turn to dig more about this tool by first checking the help section by executing the subfinder -h command.
Removing Subfinder Tool from Linux
If are done with finding a subdomain and don’t have any interest left to find a subdomain for any other website then pass the following command to remove it from your Linux system.
$ rm ~/go/bin/subfinder$ sudo unlink /usr/bin/subfinderIf you have any question or query do let us know in the comment section.
