Skills subfinder
install
source · Clone the upstream repo
git clone https://github.com/TerminalSkills/skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/TerminalSkills/skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/subfinder" ~/.claude/skills/terminalskills-skills-subfinder && rm -rf "$T"
manifest:
skills/subfinder/SKILL.mdsafety · automated scan (low risk)
This is a pattern-based risk scan, not a security review. Our crawler flagged:
- references API keys
Always read a skill's source content before installing. Patterns alone don't mean the skill is malicious — but they warrant attention.
source content
Subfinder
Overview
Discover subdomains of a target domain using passive sources. Subfinder queries certificate transparency logs, DNS datasets, search engines, and other OSINT sources to enumerate subdomains without directly touching the target infrastructure.
Instructions
Installation
# Go install (requires Go 1.21+) go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest # Or download binary # https://github.com/projectdiscovery/subfinder/releases # Or Docker docker pull projectdiscovery/subfinder:latest
Basic Usage
# Enumerate subdomains for a single domain subfinder -d example.com # Multiple domains subfinder -d example.com,example.org # From a file of domains subfinder -dL domains.txt # Output to file subfinder -d example.com -o subdomains.txt # JSON output (includes source information) subfinder -d example.com -oJ -o subdomains.json
Configuration
API keys for better results
Subfinder works without API keys but returns significantly more results with them. Configure in
~/.config/subfinder/provider-config.yaml# ~/.config/subfinder/provider-config.yaml # Add API keys for passive sources to dramatically increase results binaryedge: - your-binaryedge-api-key # https://app.binaryedge.io censys: - your-censys-api-id:api-secret # https://search.censys.io/account/api chaos: - your-chaos-api-key # https://chaos.projectdiscovery.io github: - your-github-token # Personal access token (public repos scope) shodan: - your-shodan-api-key # https://account.shodan.io securitytrails: - your-securitytrails-key # https://securitytrails.com/app/account virustotal: - your-virustotal-api-key # https://www.virustotal.com/gui/my-apikey # Free sources that don't need keys: # Certificate Transparency (crtsh), DNSdumpster, HackerTarget, # Wayback Machine, AlienVault OTX, RapidDNS
Source selection
# Use all sources (default) subfinder -d example.com -all # Use only specific sources subfinder -d example.com -s crtsh,dnsdumpster,hackertarget # Exclude noisy sources subfinder -d example.com -es github # List available sources subfinder -ls
Advanced Usage
Recursive enumeration
Find subdomains of subdomains (e.g., dev.api.example.com):
# Enable recursive mode — finds deeper subdomains subfinder -d example.com -recursive # Limit recursion depth subfinder -d example.com -recursive -max-depth 3
Filtering and processing
# Show only results from specific sources subfinder -d example.com -cs # Show source for each subdomain # Pipe to other tools for validation subfinder -d example.com -silent | httpx -silent # Check which are live subfinder -d example.com -silent | dnsx -silent # Resolve DNS subfinder -d example.com -silent | naabu -silent # Port scan # Rate limiting (respect API limits) subfinder -d example.com -rate-limit 5 # 5 requests/second max subfinder -d example.com -t 10 # 10 concurrent threads
Integration with other recon tools
# Full recon pipeline: # 1. Find subdomains subfinder -d target.com -o subs.txt # 2. Check which are live (httpx) cat subs.txt | httpx -silent -status-code -title -o live.txt # 3. Screenshot live hosts (gowitness) cat live.txt | gowitness file -f - # 4. Port scan discovered hosts (naabu) cat subs.txt | naabu -silent -top-ports 1000 -o ports.txt # 5. Run vulnerability scan (nuclei) cat live.txt | nuclei -t cves/ -severity critical,high -o vulns.txt
Passive vs Active Enumeration
Subfinder is passive by default — it queries third-party data sources, NOT the target:
PASSIVE (subfinder default) — safe, stealthy ├── Certificate Transparency logs (crt.sh, Google CT) ├── DNS aggregation (SecurityTrails, DNSdumpster) ├── Search engines (Google, Bing dorking) ├── Threat intelligence (Shodan, Censys, BinaryEdge) └── Internet archives (Wayback Machine) ACTIVE (use additional tools) — touches the target ├── DNS brute-forcing (shuffledns, puredns) ├── DNS zone transfers (dig axfr) ├── Virtual host discovery (ffuf -H "Host: FUZZ.target.com") └── TLS/SSL cert inspection (direct connection)
For authorized pentests, combine both: subfinder for passive discovery, then active brute-forcing for what passive sources missed.
Interpreting Results
Common subdomain patterns and what they reveal:
admin.example.com → Admin panel (high-value target) staging.example.com → Staging environment (often less secured) dev.example.com → Development server (may have debug enabled) api.example.com → API endpoint (test for auth bypass) old.example.com → Legacy application (likely unpatched) vpn.example.com → VPN gateway (credential attacks) mail.example.com → Mail server (phishing target) jenkins.example.com → CI/CD (code execution potential) grafana.example.com → Monitoring (information disclosure) *.s3.amazonaws.com → S3 buckets (check for public access)
Prioritize targets: admin panels, staging environments, and legacy hosts are the highest-value findings because they're often less secured than production.
Examples
Map the attack surface of a target domain
Run subdomain enumeration on our domain example.com using subfinder. Find all subdomains, check which ones are live with httpx, identify the web technologies with whatweb, and produce a prioritized target list. Flag any staging, development, or admin subdomains as high-priority. Include the source for each subdomain so we know which passive sources are most valuable for this target.
Find forgotten or shadow IT subdomains
Our company has 5 registered domains. Enumerate all subdomains across all of them, cross-reference with our known asset inventory (list provided), and identify any subdomains we don't recognize — potential shadow IT or forgotten services. For each unknown subdomain, check if it's live, what it's running, and whether it has a valid TLS certificate.
Set up continuous subdomain monitoring
Build a subdomain monitoring pipeline that runs weekly on our 3 primary domains. It should compare results against the previous week's baseline, alert on new subdomains (potential new attack surface or subdomain takeover), and generate a diff report. Store historical data for trend analysis. Use subfinder for enumeration and httpx for liveness checks.
Guidelines
- Only run against domains you have explicit written authorization to test
- Passive enumeration (subfinder default) does not touch the target, but active tools like httpx and naabu do — ensure they are in scope
- Configure API keys for better coverage — free sources alone miss many subdomains
- Use rate limiting (
) to avoid overwhelming third-party data sources-rate-limit - Validate findings before reporting — some passive sources return stale or incorrect data
- Combine with active DNS brute-forcing (puredns, shuffledns) for comprehensive coverage on authorized engagements