Maximizing the potential of “Subfinder”

Muhammad Daffa
7 min readJul 20, 2022

--

Hi guys, in this post I will be sharing about how to maximize the potential of subfinder. So, what is subfinder? and how to use it properly?

Subfinder is a subdomain discovery tool created by the ProjectDiscovery team that discovers valid subdomains for websites. Designed as a passive framework to be useful for bug bounties and safe for penetration testing. Subfinder is an open-source tool that you can check on their GitHub.

Golang Installation

First, you need to install Golang on your machine, you can check this website to install golang.

Or you can run some commands below:

$ wget -c https://go.dev/dl/go1.18.4.linux-amd64.tar.gz
$ tar -C /usr/local -xzf go1.18.4.linux-amd64.tar.gz
$ export PATH=$PATH:/usr/local/go/bin
$ go version

If you see the golang version in the terminal when running go version command, so the golang is already installed on your machine.

Golang version

Subfinder Installation

You can check the readme file in the subfinder repository

Or if you still confused about installing subfinder on your machine, you can run some commands below:

$ go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
$ cd go/bin
$ mv subfinder /usr/local/bin
$ subfinder -version

If you see the subfinder version in the terminal when running subfinder -version command, so the subfinder is already installed on your machine.

Subfinder version

How to use it?

There is a basic command that can be used after installing subfinder (I will be using yahoo website for example)

$ subfinder -d yahoo.com

You will see something like this

Subfinder output

Subfinder can fetch ~17643 yahoo subdomains in around 30 seconds

Using “-all” flag

Some people forgot if there is -all a flag when using subfinder. The function of -all the flag is to use all sources (crtsh, Common Crawl, Wayback Archive, etc.) when doing subdomain enumeration. If you use the basic command, then only a few sources are used. Here is the command to use -all flag

$ subfinder -d yahoo.com -all
Using -all flag

As you can see there is a lot of subdomains that subfinder can fetch. If you using -all flag, subfinder can fetch 115266 yahoo subdomains in around 56 seconds.

Maximize the potential of Subfinder

If you check the subfinder repository you will see Post Installation Instructions point.

It is written in the repository that:

Subfinder will work after using the installation instructions however to configure Subfinder to work with certain services, you will need to have setup API keys

So, we need to set up some API keys. First, we need to edit this file. You can run this command

$ nano .config/subfinder/provider-config.yaml

And you will see something like this

File provider-config.yaml

You can see some services that are still empty and we need to fill them by registering on their websites

• bufferover (Free / Paid)

  1. Go to https://tls.bufferover.run/
  2. Scroll a little bit and you will see like this

3. Submit using your Gmail account and check your email

• binaryedge (Free / Paid)

  1. Go to https://app.binaryedge.io/sign-up
  2. Signup first and then log in using the account you have been created
  3. And then go to https://app.binaryedge.io/account/api
  4. Give some name to the token, for example in my case, I gave the name recon
  5. Press create token

• c99 (Paid)

  1. Go to http://api.c99.nl/dashboard/shop

• Censys (Free)

  1. Go to https://censys.io/register
  2. Register and then login into the website
  3. Go to https://censys.io/account/api

• certspotter (Free)

  1. Go to https://sslmate.com/signup?for=certspotter
  2. Register and log in to the website
  3. Go to https://sslmate.com/account/api_keys you will get the API key or you can create some API keys with custom usage

• chaos (Free)

  1. Go to https://chaos.projectdiscovery.io/#/
  2. Press Request Access
  3. If you have contributed to ProjectDiscovery open-source repository, than you can fill

If you have a patience to wait, then you can fill this form

• chinaz (Unkonwn)

I am still confused about how to register on this website. I will update this point if I have figured out how to register

• dnsdb (Free / Paid)

Farsightsecurity has discontinued the DNSDB community edition program. But you can still get free access to DNSDB by applying for grant

Github (Free)

  1. Go to https://github.com/signup
  2. Log in into the website
  3. Go to https://github.com/settings/tokens
  4. And then press Generate New Token

• intelx (Free / Paid)

  1. Go to https://intelx.io/signup
  2. Register and log in
  3. Go to https://intelx.io/account?tab=developer
  4. And you will see the API key

• passivetotal (Free / Paid)

  1. Go to https://community.riskiq.com/login
  2. Register and then log in into the website
  3. Go to https://community.riskiq.com/settings and you can check the API key

• robtex (Free)

  1. Go to https://www.robtex.com/dashboard/
  2. Press Sign in with: Google
  3. And you can see the API key

In this case i can’t login into the website, so there is no screenshot for robtex API key

• securitytrails (Free / Paid)

  1. Go to https://securitytrails.com/app/signup
  2. Register and log in into the website
  3. Go to https://securitytrails.com/app/account/credentials
  4. And then press Create New API Key

• shodan (Free / Paid)

  1. Go to https://account.shodan.io/register
  2. Register and log in into the website
  3. Go to https://account.shodan.io/ and you can see your API key

• threatbook (Free)

  1. Go to https://passport.threatbook.cn/signup
  2. Register and log in into the website
  3. Go to https://x.threatbook.com/v5/myApi
  4. And you will see your API

• urlscan (Free)

  1. Go to https://urlscan.io/user/signup
  2. Register and log in into the website
  3. Go to https://urlscan.io/user/profile/
  4. And you will your API key

• virustotal (Free / Paid)

  1. go to https://www.virustotal.com/gui/join-us
  2. register and login into the website
  3. Go to https://www.virustotal.com/gui/user/daffainfo/apikey
  4. And you will see you API key

• zoomeye and zoomeyeapi (Free / Paid)

  1. Go to https://sso.telnet404.com/accounts/register/
  2. Register and log in into the website
  3. Go to https://www.zoomeye.org/profile
  4. And you can see the zoomapi API key

• fofa (Free)

  1. Go to https://i.nosec.org/register?service=https://fofa.info/f_login
  2. Register and log in into the website
  3. Go to https://fofa.info/userInfo
  4. Press the eye button to see the API key

• fullhunt (Free / Paid)

  1. Go to https://fullhunt.io/signup/
  2. Register and log in into the webiste
  3. Go to https://fullhunt.io/user/settings/
  4. You will get the API key information

After inputting some API keys into provider-config.yaml file, the file will look like this

And re-run this command

$ subfinder -d yahoo.com -all

Final Result

Here are some screenshots where I used the subfinder for different conditions

Not using -all flag
Using -all flag
Using -all flag + using multiple API keys services

As you can see there is a huge difference between not using -all flag, using -all flag, and using -all flag with some multiple API key services. I will compare them using a table.

if you not using -all flag, subfinder only can fetch 17643 subdomains in 30 seconds. If you using -all flag, subfinder can fetch 115266 yahoo subdomains in around 56 seconds, but if you using -all flag and you set up some API key services in provider-config.yaml file, subfinder can fetch 139321 subdomains in 10 minutes and 12 seconds

So, if you want to have a better result with subfinder, don’t forget to set up some API keys.

Thank you for reading this medium post and don't forget to clap this post :D

--

--

Muhammad Daffa

ID/EN. Write anything related to cyber security (Bug Bounty, Penenetration Testing, Malware Analysis, etc.)