Finding subdomains using subfinder

Subdomain: A subdomain concept is used to host multiple domains under single parent domain.

Eg: Parent Domain = "" Subdomains = "", "", "".. etc.

Most of the organizations host multiple applications in multiple subdomains as mentioned in the example "google". We can use subdomain finders during red team reconnaissance process. We use the below tool to find subdomains from various opensource databases(OSINT) and organize them into a single list. Later we can initiate penetration testing iterating each domain.

Tool: Subfinder


Prerequisites: This tool is based on "go" so we need go installed in the machine. To install go follow these instructions.

After installling go, clone the subfinder repository and install

$ git clone
$ cd subfinder
$ ./

The command builds the binary for subfinder and stores in build folder.

Goto build folder and unzip the zip file using "unzip" command.

$ cd build
$ unzip #version may be different


$ ./subfinder -h #shows the help message and all the options
$ ./subfinder -d -v -o filename.txt #basic command usage

The above command finds all the subdomains and stores all the output data to filename.txt file. We can change all the options to our custom names.

Sample screenshot: Screenshot from 2018-11-29 19-43-30.png If we plan for automation this tool result can be handy, with the output we can pass all the subdomains to the other tool as input. Subfinder supports multiple api's like shodan, virustotal, Cencys .. etc for better results.

Please note that running subfinder comes under passive online attack.

Last update: June 3, 2020