Fast passive subdomain enumeration tool.
Alternatives To Subfinder
Project NameStarsDownloadsRepos Using ThisPackages Using ThisMost Recent CommitTotal ReleasesLatest ReleaseOpen IssuesLicenseLanguage
Subfinder8,27385 days ago65July 23, 202316mitGo
Fast passive subdomain enumeration tool.
2 days ago25mitHTML
reconFTW is a tool designed to perform automated recon on a target domain by running the best set of tools to perform scanning and finding out vulnerabilities
20 hours ago140August 17, 202316gpl-3.0Python
OSINT automation for hackers.
Pentest Tools2,652
9 months ago1Python
A collection of custom security tools for quick needs.
Puredns1,29413 months ago9April 11, 20236gpl-3.0Go
Puredns is a fast domain resolver and subdomain bruteforcing tool that can accurately filter out wildcard subdomains and DNS poisoned entries.
4 years ago5mitPython
K8Ladon大型内网渗透自定义插件化扫描神器,包含信息收集、网络资产、漏洞扫描、密码爆破、漏洞利用,程序采用多线程批量扫描大型内网多个IP段C段主机,目前插件包含: C段旁注扫描、子域名扫描、Ftp密码爆破、Mysql密码爆破、Oracle密码爆破、MSSQL密码爆破、Windows/Linux系统密码爆破、存活主机扫描、端口扫描、Web信息探测、操作系统版本探测、Cisco思科设备扫描等,支持调用任意外部程序或脚本,支持Cobalt Strike联动
a month ago5mitPython
Making Favicon.ico based Recon Great again !
5 months agogpl-3.0Shell
GooFuzz is a tool to perform fuzzing with an OSINT approach, managing to enumerate directories, files, subdomains or parameters without leaving evidence on the target's server and by means of advanced Google searches (Google Dorking).
7 months ago
Handbook of information collection for penetration testing and src
3 years ago12mitPython
Sublert is a security and reconnaissance tool which leverages certificate transparency to automatically monitor new subdomains deployed by specific organizations and issued TLS/SSL certificate.
Alternatives To Subfinder
Select To Compare

Alternative Project Comparisons


Fast passive subdomain enumeration tool.

Features Install Usage API Setup Library Join Discord

subfinder is a subdomain discovery tool that returns valid subdomains for websites, using passive online sources. It has a simple, modular architecture and is optimized for speed. subfinder is built for doing one thing only - passive subdomain enumeration, and it does that very well.

We have made it to comply with all the used passive source licenses and usage restrictions. The passive model guarantees speed and stealthiness that can be leveraged by both penetration testers and bug bounty hunters alike.



  • Fast and powerful resolution and wildcard elimination modules
  • Curated passive sources to maximize results
  • Multiple output formats supported (JSON, file, stdout)
  • Optimized for speed and lightweight on resources
  • STDIN/OUT support enables easy integration into workflows


subfinder -h

This will display help for the tool. Here are all the switches it supports.

  ./subfinder [flags]

  -d, -domain string[]  domains to find subdomains for
  -dL, -list string     file containing list of domains for subdomain discovery

  -s, -sources string[]           specific sources to use for discovery (-s crtsh,github). Use -ls to display all available sources.
  -recursive                      use only sources that can handle subdomains recursively (e.g. subdomain.domain.tld vs domain.tld)
  -all                            use all sources for enumeration (slow)
  -es, -exclude-sources string[]  sources to exclude from enumeration (-es alienvault,zoomeyeapi)

  -m, -match string[]   subdomain or list of subdomain to match (file or comma separated)
  -f, -filter string[]   subdomain or list of subdomain to filter (file or comma separated)

  -rl, -rate-limit int  maximum number of http requests to send per second
  -rls value            maximum number of http requests to send per second four providers in key=value format (-rls "hackertarget=10/s,shodan=15/s")
  -t int                number of concurrent goroutines for resolving (-active only) (default 10)

   -up, -update                 update subfinder to latest version
   -duc, -disable-update-check  disable automatic subfinder update check

  -o, -output string       file to write output to
  -oJ, -json               write output in JSONL(ines) format
  -oD, -output-dir string  directory to write output (-dL only)
  -cs, -collect-sources    include all sources in the output (-json only)
  -oI, -ip                 include host IP in output (-active only)

  -config string                flag config file (default "$HOME/.config/subfinder/config.yaml")
  -pc, -provider-config string  provider config file (default "$HOME/.config/subfinder/provider-config.yaml")
  -r string[]                   comma separated list of resolvers to use
  -rL, -rlist string            file containing list of resolvers to use
  -nW, -active                  display active subdomains only
  -proxy string                 http proxy to use with subfinder
  -ei, -exclude-ip              exclude IPs from the list of domains

  -silent             show only subdomains in output
  -version            show version of subfinder
  -v                  show verbose output
  -nc, -no-color      disable color in output
  -ls, -list-sources  list all available sources

  -timeout int   seconds to wait before timing out (default 30)
  -max-time int  minutes to wait for enumeration results (default 10)


subfinder requires go1.20 to install successfully. Run the following command to install the latest version:

go install -v

Post Installation Instructions

subfinder can be used right after the installation, however the following services require configuring API keys to work:

BeVigil, BinaryEdge, BufferOver, C99, Censys, CertSpotter, Chaos, Chinaz, DnsDB, Fofa, FullHunt, GitHub, Intelx, PassiveTotal, quake, Robtex, SecurityTrails, Shodan, ThreatBook, VirusTotal, WhoisXML API, ZoomEye, ZoomEye API, dnsrepo, Hunter, Facebook, BuiltWith

You can also use the subfinder -ls command to display all the available sources.

These values are stored in the $HOME/.config/subfinder/provider-config.yaml file which will be created when you run the tool for the first time. The configuration file uses the YAML format. Multiple API keys can be specified for each of these services from which one of them will be used for enumeration.

Composite keys for sources like, Censys, PassiveTotal, Fofa, Intellix and 360quake, need to be separated with a colon (:).

An example provider config file:

  - 0bf8919b-aab9-42e4-9574-d3b639324597
  - ac244e2f-b635-4581-878a-33f4e79a2c13
  - ac244e2f-b635-4581-878a-33f4e79a2c13:dd510d6e-1b6e-4655-83f6-f347b363def9
certspotter: []
  - [email protected]:sample_password
securitytrails: []
  - ghp_lkyJGU3jv1xmwk4SDXavrLDJ4dl2pSJMzj4X
  - ghp_gkUuhkIYdQPj13ifH4KA3cXRn8JD2lqir2d4
  - 4f73021d-ff95-4f53-937f-83d6db719eec
  - 0cb9030c-0a40-48a3-b8c4-fca28e466ba3

Note: RedHunt Labs's Attack Surface Recon API has different API endpoints depending on the user's subscription. Make sure to add the appropriate endpoint before running any scans.

Running Subfinder

To run the tool on a target, just use the following command.

subfinder -d

               __    _____           __         
   _______  __/ /_  / __(_)___  ____/ /__  _____
  / ___/ / / / __ \/ /_/ / __ \/ __  / _ \/ ___/
 (__  ) /_/ / /_/ / __/ / / / / /_/ /  __/ /    
/____/\__,_/_.___/_/ /_/_/ /_/\__,_/\___/_/ v2.4.9

Use with caution. You are responsible for your actions
Developers assume no liability and are not responsible for any misuse or damage.
By using subfinder, you also agree to the terms of the APIs used.

[INF] Enumerating subdomains for

[INF] Found 18 subdomains for in 3 seconds 672 milliseconds

The subdomains discovered can be piped to other tools too. For example, you can pipe the discovered subdomains to httpx which will then find running HTTP servers on the host.

echo | subfinder -silent | httpx -silent

Subfinder with docker

Pull the latest tagged subfinder docker image:

docker pull projectdiscovery/subfinder:latest

Running subfinder using the docker image:

docker run projectdiscovery/subfinder:latest -d

Running subfinder using the docker image, with a local config file:

docker run -v $HOME/.config/subfinder:/root/.config/subfinder -t projectdiscovery/subfinder -d

Subfinder Go library

Subfinder can also be used as library and a minimal examples of using subfinder SDK is available here



subfinder is made with by the projectdiscovery team. Community contributions have made the project what it is. See the file for more details.

Read the usage disclaimer at and contact us for any API removal.

Popular Subdomain Projects
Popular Hackers Projects
Popular Networking Categories
Related Searches

Get A Weekly Email With Trending Projects For These Categories
No Spam. Unsubscribe easily at any time.