
During the reconnaissance phase we collect as much information about the target as we can, and that includes enumerating its subdomains. Every subdomain found widens the attack surface and gives more opportunities for further information gathering and exploitation.

We're going to use Subfinder to enumerate the hidden subdomains of any website.

Using pre-built Subfinder binary

Before downloading the binary, you need to install Go (golang) on your system.

apt install golang

Now grab the latest release for your system architecture.

wget https://github.com/projectdiscovery/subfinder/releases/download/v2.4.5/subfinder_2.4.5_linux_amd64.tar.gz

After downloading, extract the archive into your working directory.

tar -xvf subfinder_2.4.5_linux_amd64.tar.gz

Now copy the subfinder binary into a directory on your PATH, such as /usr/local/bin, so you can run it from anywhere in the terminal.

cp subfinder /usr/local/bin/

After installation you can use --help to see the usage information for subfinder.

root@m4sterph0enix:~# subfinder --help
Usage of subfinder:
  -all              Use all sources (slow) for enumeration
  -cd               Upload results to the Chaos API (api-key required)
  -config string    Configuration file for API Keys, etc (default "/root/.config/subfinder/config.yaml")
  -d string         Domain to find subdomains for
  -dL string        File containing list of domains to enumerate
  -exclude-sources string
                    List of sources to exclude from enumeration
  -json             Write output in JSON lines Format
  -ls               List all available sources
  -max-time int     Minutes to wait for enumeration results (default 10)
  -nC               Don't Use colors in output
  -nW               Remove Wildcard & Dead Subdomains from output
  -o string         File to write output to (optional)
  -oD string        Directory to write enumeration results to (optional)
  -oI               Write output in Host,IP format
  -oJ               Write output in JSON lines Format
  -r string         Comma-separated list of resolvers to use
  -rL string        Text file containing list of resolvers to use
  -recursive        Use only recursive subdomain enumeration sources
  -silent           Show only subdomains in output
  -sources string   Comma separated list of sources to use
  -t int            Number of concurrent goroutines for resolving (default 10)
  -timeout int      Seconds to wait before timing out (default 30)
  -v                Show Verbose output
  -version          Show version of subfinder

Find Subdomains Using Subfinder

After the successful installation of subfinder we can now enumerate the subdomains of any domain.

Use the -d flag to specify the domain whose subdomains you want to enumerate.

root@m4sterph0enix:~# subfinder -d
[subfinder ASCII-art banner]
                v2.4.5    projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[WRN] By using subfinder, you also agree to the terms of the APIs used.
[INF] Enumerating subdomains.

Usage

FLAG               DESCRIPTION                                                  EXAMPLE
-all               Use all sources (slow) for enumeration                       subfinder -d uber.com -all
-cd                Upload results to the Chaos API (api-key required)           subfinder -d uber.com -cd
-config string     Configuration file for API Keys, etc                         subfinder -config config.yaml
-d                 Domain to find subdomains for                                subfinder -d uber.com
-dL                File containing list of domains to enumerate                 subfinder -dL hackerone-hosts.txt
-exclude-sources   List of sources to exclude from enumeration                  subfinder -exclude-sources archiveis
-max-time          Minutes to wait for enumeration results (default 10)         subfinder -max-time 1
-nC                Don't use colors in output                                   subfinder -nC
-nW                Remove wildcard & dead subdomains from output                subfinder -nW
-ls                List all available sources                                   subfinder -ls
-o                 File to write output to (optional)                           subfinder -o output.txt
-oD                Directory to write enumeration results to (optional)         subfinder -oD ~/outputs
-oI                Write output in Host,IP format                               subfinder -oI
-oJ                Write output in JSON lines format                            subfinder -oJ
-r                 Comma-separated list of resolvers to use                     subfinder -r 1.1.1.1,1.0.0.1
-rL                Text file containing list of resolvers to use                subfinder -rL resolvers.txt
-recursive         Use only recursive subdomain enumeration sources             subfinder -d news.yahoo.com -recursive
-silent            Show only subdomains in output                               subfinder -silent
-sources           Comma-separated list of sources to use                       subfinder -sources shodan,censys
-t                 Number of concurrent goroutines for resolving (default 10)   subfinder -t 100
-timeout           Seconds to wait before timing out (default 30)               subfinder -timeout 30
-v                 Show verbose output                                          subfinder -v
-version           Show current program version                                 subfinder -version
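As an added example (not code from the original post or from the subfinder project), the script below combines the flags from the table into one run (-silent, -nW, -oI, -r, -max-time), parses the resulting Host,IP lines into an inventory of in-scope hosts, and flags any subdomain resolving outside the address ranges you own, which is the defender's first question after an enumeration. The sample output and the owned ranges are constructed; a live run assumes the subfinder binary is on PATH as installed above.

```python
import ipaddress
import subprocess
from collections import defaultdict
# Constructed sample of `subfinder -silent -oI` output (one host,ip per line), with
# the noise a real run can contain: a blank line, an off-scope host, a bad address.
SAMPLE_OUTPUT = [
    "www.example.com,93.184.216.34",
    "",
    "dev.example.com,10.0.0.5",
    "dev.example.com,10.0.0.6",
    "notexample.com,1.2.3.4",
    "bad.example.com,not-an-ip",
    "cdn.example.com,104.16.0.1",
]
def build_command(domain, resolvers=("1.1.1.1", "1.0.0.1"), max_time=10):
    """Assemble the subfinder invocation from the flags in the usage table."""
    return ["subfinder", "-d", domain, "-silent", "-nW", "-oI",
            "-r", ",".join(resolvers), "-max-time", str(max_time)]
def parse_host_ip(lines, domain):
    """Turn 'host,ip' lines into {host: {ip, ...}}, keeping only in-scope hosts."""
    inventory = defaultdict(set)
    for raw in lines:
        if "," not in raw:
            continue                      # blank line or unexpected format
        host, ip = (part.strip() for part in raw.split(",", 1))
        host = host.lower().rstrip(".")
        if host != domain and not host.endswith("." + domain):
            continue                      # result outside the target domain
        try:
            addr = str(ipaddress.ip_address(ip))
        except ValueError:
            continue                      # unresolved or malformed address
        inventory[host].add(addr)
    return dict(inventory)
def flag_external(inventory, owned_ranges):
    """Report hosts with an IP outside the organisation's own address ranges."""
    nets = [ipaddress.ip_network(r) for r in owned_ranges]
    external = {}
    for host, ips in inventory.items():
        outside = sorted(ip for ip in ips
                         if not any(ipaddress.ip_address(ip) in n for n in nets))
        if outside:
            external[host] = outside
    return external
def run(domain, owned_ranges):
    """Live scan: needs the subfinder binary on PATH, as installed above."""
    proc = subprocess.run(build_command(domain), capture_output=True, text=True, check=True)
    return flag_external(parse_host_ip(proc.stdout.splitlines(), domain), owned_ranges)
```

Hosts that come back flagged (third-party CDNs, cloud tenants, forgotten SaaS CNAMEs) are the ones to check for ownership and for stale DNS records.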