02-28-2025, 02:08 PM
(This post was last modified: 02-28-2025, 02:11 PM by rumprump111.)
If you participate in bug bounty programs, searching for subdomains should be a priority. Today I will show you how to use Subfinder properly to search for subdomains. There are already articles on this topic on the web, but we will go further and try to get the maximum out of Subfinder by adding a bunch of API keys for better output.
Using Subfinder to search for subdomains
Subfinder is an open-source subdomain search framework created by the ProjectDiscovery team. The tool is fast and efficient and should be in every bug hunter's arsenal.
Installing Golang
First of all, you need to install Golang. For the lazy, here's how to do it quickly:
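```bash
# Download the Go toolchain and unpack it into /usr/local (needs root)
wget -c https://go.dev/dl/go1.18.4.linux-amd64.tar.gz
tar -C /usr/local -xzf go1.18.4.linux-amd64.tar.gz
# Make the go binary available in the current shell session
export PATH=$PATH:/usr/local/go/bin
```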
Installing Subfinder
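```bash
# Build the latest Subfinder release; the binary lands in $GOPATH/bin
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
# Move the binary onto the system PATH (needs root)
cd "$(go env GOPATH)/bin"
mv subfinder /usr/local/bin
```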
Checking the installation:
```bash
subfinder -version
```
Using Subfinder
For this example, we will use a relic of the web, Yahoo.com, as the test subject.
The basic command to search for subdomains is as follows:
```bash
subfinder -d yahoo.com
```
You'll see something like this:
![[Image: subfinder-3.png]](https://external-content.duckduckgo.com/iu/?u=https://spy-soft.net/wp-content/uploads/subfinder-3.png)
Subfinder dug up 17643 subdomains in 30 seconds. This is a good result, but not a perfect one.
Using the -all flag
Many people forget to use the -all parameter when running Subfinder. The -all flag tells it to use all sources (crtsh, Common Crawl, Wayback Archive, etc.) when listing subdomains.
```bash
subfinder -d yahoo.com -all
```
![[Image: subfinder-4.png]](https://external-content.duckduckgo.com/iu/?u=https://spy-soft.net/wp-content/uploads/subfinder-4.png)
As you can see, the framework was now able to find 115266 Yahoo subdomains in about 56 seconds, and that's not the limit.
Obtaining API keys for Subfinder
Now re-run the command:
```bash
# The provider config lives under the home directory of the user running Subfinder
nano ~/.config/subfinder/provider-config.yaml
```
![[Image: subfinder-24.png]](https://external-content.duckduckgo.com/iu/?u=https://spy-soft.net/wp-content/uploads/subfinder-24.png)
As you can see, there is a huge difference between running without the -all parameter, running with -all, and running with -all plus API keys.
So, if you want better results from Subfinder, don't forget to add the API keys.
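
The API keys added to provider-config.yaml are stored on disk in plaintext, so the file is worth checking after you edit it. The script below is an added example, not part of the original post or of Subfinder itself: it lists which sources have keys configured without printing the keys and flags a file that other users can read. The function names are hypothetical, and it assumes the file layout is a `source:` line followed by indented `- key` items, with unused sources written as `source: []`.

```bash
#!/usr/bin/env bash
# Added example: audit Subfinder's provider-config.yaml without printing keys.
# Assumed layout: "source:" then indented "- key" items; unused sources
# are "source: []". All function names here are hypothetical.

# Print "source count" for every source that has at least one key.
keyed_sources() {
  awk '
    /^[A-Za-z0-9_]+:/ {                 # top-level key = source name
      src = $1; sub(/:.*/, "", src); next
    }
    /^[ \t]*-[ \t]*[^ \t]/ && src != "" { n[src]++ }   # one list item = one key
    END { for (s in n) print s, n[s] }
  ' "$1" | sort
}

# Return 0 if group and others have no access to the file, 1 otherwise.
perms_ok() {
  local mode
  # GNU stat first, BSD/macOS stat as fallback
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$mode" in
    0|*00) return 0 ;;
    *)     return 1 ;;
  esac
}

# Full check; defaults to the path used in the post.
audit_provider_config() {
  local cfg=${1:-$HOME/.config/subfinder/provider-config.yaml}
  [ -f "$cfg" ] || { echo "missing: $cfg"; return 2; }
  echo "sources with keys:"
  keyed_sources "$cfg" | sed 's/^/  /'
  if perms_ok "$cfg"; then
    echo "permissions: ok"
  else
    echo "permissions: readable by group/others, fix with: chmod 600 $cfg"
    return 1
  fi
}

# Run as: ./audit.sh --run [path-to-provider-config.yaml]
if [ "${1:-}" = "--run" ]; then audit_provider_config "${2:-}"; fi
```

Sources that show up with a count of zero keys are simply skipped, so an empty list means `-all` is still running without any API-backed sources.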