How To: Discover Hidden Subdomains on Any Website with Subfinder

When approaching a target, having a precise and detailed plan of attack is absolutely necessary. One of the main goals is to increase the attack surface since the more opportunities there are for exploitation, the greater the chances of success. Subdomain enumeration is one method used to increase the attack surface, and we'll be using a tool called Subfinder to discover hidden subdomains.

Subdomain Enumeration Overview

Subdomain enumeration is an indispensable, often overlooked part of the reconnaissance phase. It is basically the process of finding subdomains for any given domain or set of domains. This enumeration can often reveal many subdomains that are hidden or not publicly exposed — plus the chance of finding vulnerabilities on forgotten resources is generally much higher than on those that are more frequently tended to.

Things like admin panels, staging sites, and other internal resources are often found living on subdomains of the target. The thought is, if it is not on the main site, then it can't be found — this couldn't be further from the truth. As we'll soon find out, it's trivial for attackers to uncover hidden subdomains, increasing the attack surface and potentially finding additional vulnerabilities or other juicy information.

There are a variety of methods that attackers use to enumerate subdomains of a target. One method utilizes certificate trust logs to mine information about available subdomains. This can be a stealthy approach, but the downside is sometimes not many results are returned.

Another popular method of subdomain enumeration utilizes passive sources of reconnaissance. Sublist3r used to be to go-to tool for this type of recon, but it hasn't had as much development lately and has since fallen out of favor with many security folks.

Luckily, Subfinder can fill that gap. Written in the Go programming language, it is simple, lightweight, and optimized for speed. The codebase is modular, making it easy to contribute and build upon, and stdin and stdout support are included for effortless workflow integration.

Installing Subfinder

To get started with Subfinder, Go needs to be installed on our system. The easiest way to do this is through the package manager:

~# apt install golang

Next, we can grab the latest release from GitHub:

~# wget https://github.com/projectdiscovery/subfinder/releases/download/v2.4.5/subfinder_2.4.5_linux_amd64.tar.gz

--2020-09-28 14:20:28--  https://github.com/projectdiscovery/subfinder/releases/download/v2.4.5/subfinder_2.4.5_linux_amd64.tar.gz
Resolving github.com (github.com)... 140.82.112.4
Connecting to github.com (github.com)|140.82.112.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://github-production-release-asset-2e65be.s3.amazonaws.com/127519518/40182b80-ff6f-11ea-88c9-501330b47615?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20200928%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200928T192028Z&X-Amz-Expires=300&X-Amz-Signature=840414749207876b50c712ca386d8bfd3594a60419a4ff379684652065d9fc0a&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=127519518&response-content-disposition=attachment%3B%20filename%3Dsubfinder_2.4.5_linux_amd64.tar.gz&response-content-type=application%2Foctet-stream [following]
--2020-09-28 14:20:28--  https://github-production-release-asset-2e65be.s3.amazonaws.com/127519518/40182b80-ff6f-11ea-88c9-501330b47615?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20200928%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200928T192028Z&X-Amz-Expires=300&X-Amz-Signature=840414749207876b50c712ca386d8bfd3594a60419a4ff379684652065d9fc0a&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=127519518&response-content-disposition=attachment%3B%20filename%3Dsubfinder_2.4.5_linux_amd64.tar.gz&response-content-type=application%2Foctet-stream
Resolving github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)... 52.216.26.20
Connecting to github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)|52.216.26.20|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3892616 (3.7M) [application/octet-stream]
Saving to: ‘subfinder_2.4.5_linux_amd64.tar.gz’

subfinder_2.4.5_linux_amd64.tar.gz        100%[=====================================================================================>]   3.71M  6.80MB/s    in 0.5s

2020-09-28 14:20:29 (6.80 MB/s) - ‘subfinder_2.4.5_linux_amd64.tar.gz’ saved [3892616/3892616]

And extract it in our current working directory:

~# tar xzf subfinder_2.4.5_linux_amd64.tar.gz

Then, we can move the binary file to a directory in our path so we can run it from anywhere:

~# cp subfinder /usr/local/bin/

Now we can easily run Subfinder from anywhere on our system:

~# subfinder

        _     __ _         _
____  _| |__ / _(_)_ _  __| |___ _ _
(_-< || | '_ \  _| | ' \/ _  / -_) '_|
/__/\_,_|_.__/_| |_|_||_\__,_\___|_| v2.4.5

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[WRN] By using subfinder, you also agree to the terms of the APIs used.

[INF] Configuration file saved to /root/.config/subfinder/config.yaml
[FTL] Program exiting: no input list provided

Use the -h flag to see usage and help information:

~# subfinder -h

Usage of subfinder:
  -all
        Use all sources (slow) for enumeration
  -cd
        Upload results to the Chaos API (api-key required)
  -config string
        Configuration file for API Keys, etc (default "/root/.config/subfinder/config.yaml")
  -d string
        Domain to find subdomains for
  -dL string
        File containing list of domains to enumerate
  -exclude-sources string
        List of sources to exclude from enumeration
  -json
        Write output in JSON lines Format
  -ls
        List all available sources
  -max-time int
        Minutes to wait for enumeration results (default 10)
  -nC
        Don't Use colors in output
  -nW
        Remove Wildcard & Dead Subdomains from output
  -o string
        File to write output to (optional)
  -oD string
        Directory to write enumeration results to (optional)
  -oI
        Write output in Host,IP format
  -oJ
        Write output in JSON lines Format
  -r string
        Comma-separated list of resolvers to use
  -rL string
        Text file containing list of resolvers to use
  -recursive
        Use only recursive subdomain enumeration sources
  -silent
        Show only subdomains in output
  -sources string
        Comma separated list of sources to use
  -t int
        Number of concurrent goroutines for resolving (default 10)
  -timeout int
        Seconds to wait before timing out (default 30)
  -v    Show Verbose output
  -version
        Show version of subfinder

A useful feature of Subfinder is that it can utilize API keys from a multitude of services for more thorough enumeration. The configuration file is automatically created when Subfinder first runs, and it usually resides under the home directory:

~# nano ~/.config/subfinder/config.yaml

Scrolling down toward the bottom, there is a section where API keys can be entered:

binaryedge: example-api-key-goes-here-1a2b3c4d
censys: []
certspotter: []
chaos: []
dnsdb: []
github: []
intelx: []
passivetotal: []
recon: []
robtex: []
securitytrails: []
shodan: []
spyse: []
threatbook: []
urlscan: []
virustotal: []
zoomeye: []
subfinder-version: ""

Now that everything is configured, let's enumerate some subdomains.

Finding Subdomains with Subfinder

The most basic way to use Subfinder is to provide it with a domain to enumerate — use the -d flag to do so:

~# subfinder -d wonderhowto.com

        _     __ _         _
____  _| |__ / _(_)_ _  __| |___ _ _
(_-< || | '_ \  _| | ' \/ _  / -_) '_|
/__/\_,_|_.__/_| |_|_||_\__,_\___|_| v2.4.5

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[WRN] By using subfinder, you also agree to the terms of the APIs used.

[INF] Enumerating subdomains for wonderhowto.com
piano.wonderhowto.com
hobbies-toys.wonderhowto.com
actionscript.wonderhowto.com
potato-gun.wonderhowto.com
techhutus.wonderhowto.com
wealth.wonderhowto.com
oldrepublic.wonderhowto.com

...

zines.wonderhowto.com
pilates.wonderhowto.com
lifestylewebtv.wonderhowto.com
canning.wonderhowto.com
magic-the-gathering.wonderhowto.com
ls1www.wonderhowto.com
[INF] Found 1018 subdomains for wonderhowto.com in 5 seconds 901 milliseconds

You can see how fast this is, discovering just over a thousand subdomains in five seconds. To increase verbosity and list the source of enumeration, we can add the -v flag:

~# subfinder -d wonderhowto.com -v

        _     __ _         _
____  _| |__ / _(_)_ _  __| |___ _ _
(_-< || | '_ \  _| | ' \/ _  / -_) '_|
/__/\_,_|_.__/_| |_|_||_\__,_\___|_| v2.4.5

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[WRN] By using subfinder, you also agree to the terms of the APIs used.

[INF] Enumerating subdomains for wonderhowto.com
[hackertarget] djbyron200.wonderhowto.com
[hackertarget] rat-pack-election-10.wonderhowto.com
[hackertarget] xbox-360.wonderhowto.com
[hackertarget] wizard101.wonderhowto.com
[hackertarget] fifa-11.wonderhowto.com
[hackertarget] tech911.wonderhowto.com

...

Sometimes it is also useful to be able to hide everything except the results — this can be especially useful for scripting and automation. Simply use the -silent flag to only output found subdomains:

~# subfinder -d wonderhowto.com -silent

embird.wonderhowto.com
php.wonderhowto.com
adobe-fireworks.wonderhowto.com
medical-diagonosis.wonderhowto.com
paralympic.wonderhowto.com
lifeschool.wonderhowto.com

...

We can also save the results to an output file for later use with the -o flag:

~# subfinder -d wonderhowto.com -o results.txt

        _     __ _         _
____  _| |__ / _(_)_ _  __| |___ _ _
(_-< || | '_ \  _| | ' \/ _  / -_) '_|
/__/\_,_|_.__/_| |_|_||_\__,_\___|_| v2.4.5

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[WRN] By using subfinder, you also agree to the terms of the APIs used.

[INF] Enumerating subdomains for wonderhowto.com
ceramics.wonderhowto.com
motocross.wonderhowto.com
cricket.wonderhowto.com
3ds-max.wonderhowto.com

...

Subfinder can take a list of domains to enumerate as well. Use the -dL flag followed by the list of domains:

~# subfinder -dL subs.txt

        _     __ _         _
____  _| |__ / _(_)_ _  __| |___ _ _
(_-< || | '_ \  _| | ' \/ _  / -_) '_|
/__/\_,_|_.__/_| |_|_||_\__,_\___|_| v2.4.5

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[WRN] By using subfinder, you also agree to the terms of the APIs used.

[INF] Enumerating subdomains for wonderhowto.com
australia.wonderhowto.com
bridge.wonderhowto.com
scavenger-hunt.wonderhowto.com

...

Alternatively, we can pipe the list as input to Subfinder:

~# cat subs.txt | subfinder

        _     __ _         _
____  _| |__ / _(_)_ _  __| |___ _ _
(_-< || | '_ \  _| | ' \/ _  / -_) '_|
/__/\_,_|_.__/_| |_|_||_\__,_\___|_| v2.4.5

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[WRN] By using subfinder, you also agree to the terms of the APIs used.

[INF] Enumerating subdomains for wonderhowto.com
ediblesinjars.wonderhowto.com
www.googleplus.wonderhowto.com

...

By default, Subfinder only uses some of the sources to discover hidden subdomains, opting for speed instead of thoroughness. But we can enable the tool to use all sources with the -all option:

~# subfinder -d wonderhowto.com -all

        _     __ _         _
____  _| |__ / _(_)_ _  __| |___ _ _
(_-< || | '_ \  _| | ' \/ _  / -_) '_|
/__/\_,_|_.__/_| |_|_||_\__,_\___|_| v2.4.5

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[WRN] By using subfinder, you also agree to the terms of the APIs used.

[INF] Enumerating subdomains for wonderhowto.com
canon5d.wonderhowto.com
teaching.wonderhowto.com
sailing.wonderhowto.com

...

odd.wonderhowto.com
oneplus.wonderhowto.com
fw3.www.wonderhowto.com
[INF] Found 1040 subdomains for wonderhowto.com in 1 minute 400 milliseconds

As you can see, it takes a little longer, but slightly more results were returned. To conveniently view all the sources this tool utilizes, use the -ls flag:

~# subfinder -ls

        _     __ _         _
____  _| |__ / _(_)_ _  __| |___ _ _
(_-< || | '_ \  _| | ' \/ _  / -_) '_|
/__/\_,_|_.__/_| |_|_||_\__,_\___|_| v2.4.5

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[WRN] By using subfinder, you also agree to the terms of the APIs used.

[INF] Current list of available sources. [35]
[INF] Sources marked with an * needs key or token in order to work.
[INF] You can modify /root/.config/subfinder/config.yaml to configure your keys / tokens.

alienvault
anubis
archiveis
binaryedge *
bufferover
cebaidu
censys
certspotter *
certspotterold
chaos *
commoncrawl
crtsh
dnsdumpster
dnsdb *
github *
hackertarget
ipv4info
intelx
passivetotal
rapiddns
riddler
recon *
robtex *
securitytrails *
shodan *
sitedossier
spyse *
sublist3r
threatbook *
threatcrowd
threatminer
virustotal *
waybackarchive
ximcx
zoomeye

As indicated by the information on the screen, sources marked with an asterisk need an API key or token to work properly. To pick and choose which sources to use during a scan, the -sources switch can be used:

~# subfinder -d wonderhowto.com -v -sources alienvault,censys,zoomeye

        _     __ _         _
____  _| |__ / _(_)_ _  __| |___ _ _
(_-< || | '_ \  _| | ' \/ _  / -_) '_|
/__/\_,_|_.__/_| |_|_||_\__,_\___|_| v2.4.5

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[WRN] By using subfinder, you also agree to the terms of the APIs used.

[INF] Enumerating subdomains for wonderhowto.com
[alienvault] i.wonderhowto.com
[alienvault] img.wonderhowto.com
[alienvault] about-technology.wonderhowto.com
[alienvault] computer-pranks.wonderhowto.com

...

Wrapping Up

In this tutorial, we learned a bit about subdomain enumeration and how it can be useful for penetration testers and hackers to increase the overall attack surface. First, we installed Subfinder and got it configured on our system. Then, we ran through some of the options this tool has to offer, including enumerating multiple domains, customizing results, and using API keys to enhance recon. Pretty simple, right?