🔒SecurityRepoIndex

Subfinder

Fast passive subdomain enumeration across dozens of OSINT sources — the quick way to expand a target\'s scope

4.5/ 513,987 GitHub starsGoMIT

⚡ TL;DR

What
Fast passive subdomain enumeration across dozens of OSINT sources — the quick way to expand a target\'s scope
Who
Bug bounty hunters, Recon engineers, Red teams, Attack-surface management
Catch
Passive only — it won't confirm hosts are alive (that's httpx's job)
Verdict
⭐⭐⭐⭐⭐ Essential

🎯 The Problem It Solves

You have a root domain; you need every subdomain it owns before you test. Subfinder hits a fleet of passive sources (cert transparency, DNS aggregators, APIs) and returns subdomains without sending a single packet to the target — fast, quiet, and great as the first step in any recon pipeline.

🔧 How It Works

Subfinder queries its configured passive sources concurrently and deduplicates the results. With API keys set (in a config file), it pulls from数十 of providers; without keys it still uses the keyless ones. Output is clean and pipe-friendly, so it chains naturally into httpx (probe alive), then nuclei (scan). It\'s the \'passive first\' half of the projectdiscovery recon stack.

🚀 Installation & Quick Start

Installation

go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest

Quick Start

  1. Install: go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
  2. Basic: subfinder -d example.com
  3. With API keys (set in $HOME/.config/subfinder/config.yaml): subfinder -d example.com -silent
  4. Pipe to a probe: subfinder -d example.com -silent | httpx -silent
  5. Output to file: subfinder -d example.com -o subs.txt

✅ Pros

  • Extremely fast and completely passive (no packets to the target)
  • Pairs perfectly with httpx + nuclei into one pipeline
  • Easy API-key config for big coverage boosts
  • Free and part of a trusted, maintained ecosystem

❌ Cons

  • Passive only — it won't confirm hosts are alive (that's httpx's job)
  • Coverage is only as good as your configured API keys
  • Some sources rate-limit or need paid accounts for depth
  • Results can include dead/takeover-prone subdomains you must verify

💬 Practitioner Verdict

"Subfinder is the quiet, fast first move in any external recon: passive, thorough, and built to pipe straight into httpx and nuclei. It won\'t validate liveness — that\'s the next tool — but as the subdomain generator it\'s the one I default to."
Emmanuel, Security Reviewer

📊 Specifications

Language
Go
License
MIT
Platform
Linux, macOS, Windows
Kill Chain
Reconnaissance
MITRE ATT&CK
T1590, T1595

💰 Pricing Reality

Free and open source (MIT). No paid tier for subfinder itself; third-party sources may have their own free/paid API tiers you plug in.

👥 Community Health

Stars13,987
Forks1,573
Contributors80
Health Score9/10

🏷️ Tags

Open SourceFreeNetwork Analysis

🔗 Similar Tools