How to use the command 'subfinder' (with examples)
The ‘subfinder’ command is a subdomain discovery tool that is used to discover valid subdomains for websites. It is designed to be a passive framework that is useful for bug bounties and safe for penetration testing. It can be helpful for individuals or organizations looking to identify potential security vulnerabilities in their websites by identifying all related subdomains.
Use case 1: Find subdomains for a specific domain
Code:
subfinder -d example.com
Motivation:
Finding all subdomains for a specific domain can help in identifying potential vulnerabilities and ensuring the security of the overall website. By discovering all possible subdomains, an organization can gain better visibility into their attack surface and proactively address any security concerns.
Explanation:
- ‘subfinder’ is the command used to initiate the subdomain discovery process.
- ‘-d example.com’ specifies the domain name for which subdomains need to be discovered. Replace ’example.com’ with the desired domain name.
Example output:
subdomain1.example.com
subdomain2.example.com
subdomain3.example.com
Use case 2: Show only the subdomains found
Code:
subfinder --silent -d example.com
Motivation:
Sometimes, you may only want to see the list of subdomains found without any additional information or logs. This can be useful for simplicity and clarity, especially when dealing with a large number of subdomains.
Explanation:
- ‘–silent’ is an argument that tells ‘subfinder’ to only display the subdomains found without any additional information or logs.
- ‘-d example.com’ specifies the domain name for which subdomains need to be discovered. Replace ’example.com’ with the desired domain name.
Example output:
subdomain1.example.com
subdomain2.example.com
subdomain3.example.com
Use case 3: Use a brute-force attack to find subdomains
Code:
subfinder -d example.com -b
Motivation:
A brute-force attack can be used to discover additional subdomains that may not be found through regular techniques. By using a brute-force attack, you can exhaustively search for all possible subdomains and ensure that no potential vulnerabilities go unnoticed.
Explanation:
- ‘-b’ is an argument that enables the brute-force attack mode in ‘subfinder’. This tells the tool to use a brute-force approach to find subdomains.
- ‘-d example.com’ specifies the domain name for which subdomains need to be discovered. Replace ’example.com’ with the desired domain name.
Example output:
subdomain1.example.com
subdomain2.example.com
subdomain3.example.com
Use case 4: Remove wildcard subdomains
Code:
subfinder -nW -d example.com
Motivation:
Wildcard subdomains are unpredictable and can lead to security vulnerabilities. By removing wildcard subdomains, you can reduce the attack surface and ensure better security for your website.
Explanation:
- ‘-nW’ is an argument that tells ‘subfinder’ to remove any wildcard subdomains from the list of discovered subdomains.
- ‘-d example.com’ specifies the domain name for which subdomains need to be discovered. Replace ’example.com’ with the desired domain name.
Example output:
subdomain1.example.com
subdomain2.example.com
subdomain3.example.com
Use case 5: Use a given comma-separated list of resolvers
Code:
subfinder -r 8.8.8.8,1.1.1.1 -d example.com
Motivation:
By specifying a list of resolvers, you can control which DNS servers ‘subfinder’ uses to perform the subdomain discovery. This can be useful if you want to use specific DNS servers that are known to be reliable or if you want to avoid using certain DNS servers for privacy reasons.
Explanation:
- ‘-r 8.8.8.8,1.1.1.1’ is an argument that tells ‘subfinder’ to use the specified comma-separated list of resolvers for DNS resolution.
- ‘-d example.com’ specifies the domain name for which subdomains need to be discovered. Replace ’example.com’ with the desired domain name.
Example output:
subdomain1.example.com
subdomain2.example.com
subdomain3.example.com
Conclusion:
The ‘subfinder’ command is a powerful tool for discovering valid subdomains for websites. By utilizing its various options and arguments, users can gain better visibility into their attack surface and proactively address any security concerns. Whether it is to find all subdomains, perform a brute-force attack, remove wildcard subdomains, or customize the list of resolvers, ‘subfinder’ provides the flexibility and functionality required for effective subdomain discovery.