Subdomain Discovery Tool: SubFinder

SubFinder is a subdomain discovery tool that uses various techniques to discover massive amounts of subdomains for any target. It has been aimed as a successor to the sublist3r project. SubFinder uses Passive Sources, Search Engines, Pastebins, Internet Archives, etc to find subdomains and then it uses a permutation module inspired by altdns to generate permutations and resolve them quickly using a powerful bruteforcing engine. It can also perform plain bruteforce if needed. The tool is highly customizable, and the code is built with a modular approach in mind making it easy to add functionalities and remove errors.


Related image


  • Simple and modular code base making it easy to contribute.

  • Fast And Powerful Bruteforcing Module

  • Powerful Permutation generation engine. (In Development)

  • Many Passive Data Sources (29 At Present)

  • Multiple Output formats

Ask,, Baidu, Bing, Censys, CertDB, CertSpotter, CrtSH, DnsDB, DNSDumpster, Dogpile, Entrust CT-Search, Exalead, FindSubdomains, Hackertarget, IPv4Info, Netcraft, PassiveTotal, PTRArchive, Riddler, SecurityTrails, SiteDossier, Shodan, SSL Certificates, ThreatCrowd, ThreatMiner, Virustotal, WaybackArchive, Yahoo

Installation Instructions

The installation is easy. Git clone the repo and run go build.
go get


Post Installation Instructions

Subfinder will work after using the installation instructions however to configure Subfinder to work with certain services, you will need to have setup API keys. These following services do not work without an API key:


./subfinder -h
This will display help for the tool. Here are all the switches it supports.
Flag Description Example
-b Use bruteforcing to find subdomains ./subfinder -d -b
-c Don’t show colored output ./subfinder -c
-d Domain to find subdomains for ./subfinder -d
-dL List of domains to find subdomains for ./subfinder -dl hosts.txt
-nW Remove wildcard subdomains ./subfinder -nw
-o Name of the output file (Optional) ./subfinder -o output.txt
-oT Write output in Aquatone style JSON format (Required -nW) ./subfinder -o output.txt -nw -oA
-oJ Write output in JSON format ./subfinder -o output.json -oJ
-oD Output to directory (When using multiple hosts) ./subfinder -od ~/misc/out/
-r Comma-separated list of resolvers to use ./subfinder -r,
-rL File containing list of resolvers to use ./subfinder -rL resolvers.txt
–recursive Use recursive subdomain finding (default: true) ./subfinder –recursive
–set-config Sets a configuration option ./subfinder –set-config example=something
–set-settings Sets a setting option ./subfinder –set-settings CensysPages=10
–silent Show only the subdomains found ./subfinder –silent
–sources Comma separated list of sources to use (optional) ./subfinder –sources threatcrowd,virustotal
–exclude-sources Comma separated list of sources not to use (optional) ./subfinder –exclude-sources threatcrowd,virustotal
-t Number of concurrent threads (Bruteforce) ./subfinder -t 10
–timeout Seconds to wait until quitting connection ./subfinder –timeout 10
-v Display verbose output ./subfinder -v
-w Wordlist for doing bruteforcing and permutation ./subfinder -w words.txt

Download : SubFinder

Leave a Reply

Your email address will not be published. Required fields are marked *