___________ __________ _____ ________ ________ .____ ___________ \_ _____/ \______ \ / _ \ / _____/ / _____/ | | \_ _____/ | __) | _/ / /_\ \ / \ ___ / \ ___ | | | __)_ | \ | | \ / | \ \ \_\ \ \ \_\ \ | |___ | \ \___ / |____|_ / \____|__ / \______ / \______ / |_______ \ /_______ / \/ \/ \/ \/ \/ \/ \/

subfinder Cheatsheet

← Back to cheatsheets

← Home

Subfinder is a fast passive subdomain enumeration tool by ProjectDiscovery. It uses passive sources to discover subdomains without sending any traffic to the target.

Basic Usage

  • subfinder -d <domain> - Basic subdomain enumeration
  • subfinder -dL domains.txt - Enumerate from domain list

Input Options

  • -d, -domain - Target domain
  • -dL, -list - File containing list of domains

Output Options

  • -o, -output - Output file
  • -oJ, -json - JSON output
  • -oD, -output-dir - Directory for output files
  • -cs, -collect-sources - Include source info in output
  • -oI, -ip - Include IP addresses in output

Configuration

  • -config - Config file path
  • -pc, -provider-config - Provider config file
  • -r, -resolver - Comma separated resolvers
  • -rL, -resolver-list - File containing resolvers
  • -active - Verify subdomains via DNS resolution

Source Options

  • -s, -sources - Specific sources to use (comma separated)
  • -recursive - Use recursive sources only
  • -all - Use all sources
  • -es, -exclude-sources - Exclude specific sources
  • -ls, -list-sources - List all available sources

Rate Limiting

  • -t, -threads - Concurrent threads (default 10)
  • -rl, -rate-limit - Max requests per second
  • -timeout - Timeout in seconds (default 30)

Other Options

  • -silent - Only show subdomains in output
  • -v, -verbose - Verbose output
  • -version - Show version
  • -nc, -no-color - Disable color output

Configuration File

Location

  • ~/.config/subfinder/provider-config.yaml - API keys config

Example Config

securitytrails:
  - your_api_key_here
shodan:
  - your_api_key_here
virustotal:
  - your_api_key_here
chaos:
  - your_api_key_here
github:
  - your_github_token

Common Examples

Basic Scan

subfinder -d example.com

Quick passive subdomain enumeration.

Save to File

subfinder -d example.com -o subdomains.txt

Save results to file.

JSON Output with Sources

subfinder -d example.com -oJ -cs -o results.json

JSON output with source information.

Silent Mode for Piping

subfinder -d example.com -silent | httpx

Pipe to httpx for live domain checking.

Multiple Domains

subfinder -dL domains.txt -o all_subs.txt

Enumerate multiple domains from file.

With IP Resolution

subfinder -d example.com -oI -o subs_with_ips.txt

Include IP addresses in output.

Specific Sources

subfinder -d example.com -s shodan,virustotal,securitytrails

Use only specific sources.

Active Verification

subfinder -d example.com -active

Verify subdomains via DNS resolution.

Tips

  • Configure API keys for significantly better results
  • Use -silent for clean output suitable for piping
  • Combine with httpx for live domain verification
  • Use -all to enable all sources (slower but thorough)
  • Fast and lightweight compared to amass
  • Great for quick reconnaissance before deeper scanning
  • Passive only - won't trigger IDS/IPS
  • Part of ProjectDiscovery toolkit - integrates well with nuclei, httpx

← Back to cheatsheets

← Home