Subfinder

Subfinder is considered as a successor to sublist3r. It is amazingly fast and finds valid subdomains using passive online sources such as Ask, Archive.is, Baidu, Bing, Censys, CertDB, CertSpotter, Commoncrawl, CrtSH, DnsDB and so on.

1. Install subfinder. It needs Go to be installed, which we can install by using the following command:

apt install golang

The following screenshot shows the output of the preceding command:

1. Next, we clone subfinder by using the following command:

git clone https://github.com/subfinder/subfinder.git

The following screenshot shows the output of the preceding command:

Or you can download and save it from https://github.com/subfinder/subfinder.

1. To install subfinder, we go to the cloned directory and run the go build command.
2. Once the installation is complete, we will need a wordlist for it to run, so we can download dnspop's list. This list can be used in the previous recipe too: https://github.com/bitquark/dnspop/tree/master/results.
3. Now that both are set up, we browse into subfinder's directory and run it using the ./subfinder -h command.

The following screenshot shows the output of the preceding command:

1. To run it against a domain with our wordlist, we use the following command:

./subfinder -w /path/to/wordlist -d hostname.com

If we do not specify a wordlist the tool will run with a default wordlist as shown in the following screenshot:

Once the enumeration is complete, the output will be shown onscreen as follows:

1. Subfinder is also designed to work with services such as shodan, censys, and virustotal, but they need to be configured in the config.json file shown here: