Ultimate Subfinder Cheat Sheet
Ultimate Subfinder Cheat Sheet
A fast, passive subdomain discovery tool that scours the internet.
1. Basic Usage
The core command to find subdomains passively.
Single Target
Find subdomains for one domain.
Multiple Targets
Use a list of domains from a file.
Silent Mode (Pipeline Ready)
Only output the subdomains (no banners or logs). Perfect for piping into other tools.
2. Configuration & API Keys
Subfinder works best when you provide API keys for services like Shodan, Censys, GitHub, etc.
Locate Config File
The config file is usually generated after the first run.
Listing Providers
See which sources are available and configured.
shodan: [YOUR_KEY]
3. Piping & Chaining
Subfinder is designed to work with other ProjectDiscovery tools.
Subfinder -> HTTPX
Find subdomains, then check which ones have live web servers.
Subfinder -> Nuclei
Find subdomains, then scan them for vulnerabilities.
Subfinder -> Naabu
Find subdomains, then port scan them.
4. Filtering Sources
Control where Subfinder gets its data from.
Use Specific Sources
Only use specific providers (e.g., only Archive.org and Crt.sh).
Exclude Sources
Exclude slow or noisy providers.
All Sources (Active)
Use every available source (might be slower).
5. Output Formats
Save to File
JSON Output
Useful for parsing with jq or other scripts. Contains source info.
Verbose Mode
See exactly which source found which subdomain.
Post a Comment