// THECYBERARYAN — Research

Subfinder — Zero to Hero (Ultimate Recon Guide)

Author: Aryan Pareek • Date: 2025-11-17 • Category: Recon / OSINT

Subfinder is one of the most powerful passive subdomain enumeration tools. It discovers hidden assets, forgotten hosts, shadow applications, and attack surfaces by querying third-party data sources rather than the target itself, so enumeration does not trip the target's rate limits or IDS alerts. This guide takes you from zero to expert using real-world examples, API usage, automation, and recon workflows.

🔥 What is Subfinder?

Subfinder is a fast, passive subdomain enumeration tool by ProjectDiscovery. It gathers subdomains from search engines, public datasets, certificate logs, security APIs, DNS archives, OSINT sources and dozens of intelligence providers.

example.com
│
├── api.example.com
├── login.example.com
├── dev.example.com
└── staging.example.com

⚙️ Installation

sudo apt install subfinder
# or
curl -s https://api.projectdiscovery.io/tools/install | sh

🔰 Basic Usage

Find subdomains of a domain

subfinder -d example.com

Save output

subfinder -d example.com -o subs.txt

Use a domain list

subfinder -dL domains.txt -o results.txt

🟣 Intermediate Usage

Increase threads for speed (-t sets the number of resolver goroutines and only takes effect together with -active)

subfinder -d example.com -t 50

Use specific data sources

subfinder -d example.com -sources crtsh,alienvault

JSON output

subfinder -d example.com -json -o out.json
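One way to put the JSON output to work on the defensive side is to diff it against the asset inventory you already maintain, so forgotten or shadow hosts stand out. This is an added example, not part of the original guide or of Subfinder itself; it assumes each output line is a JSON object with host, input and source fields, and the sample lines and inventory are constructed.

```python
import json

def in_scope(host, root):
    """True only for the root itself or a real subdomain (dot boundary)."""
    return host == root or host.endswith("." + root)

def load_hosts(jsonl_text, root):
    """Map each in-scope host to the set of sources that reported it."""
    found = {}
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(rec, dict):
            continue
        host = str(rec.get("host", "")).lower().rstrip(".")
        if host.startswith("*."):
            host = host[2:]  # wildcard entry, e.g. from a certificate log
        if host and in_scope(host, root):
            found.setdefault(host, set()).add(str(rec.get("source", "unknown")))
    return found

def untracked(found, inventory):
    """Hosts that enumeration found but the inventory does not list."""
    inv = {h.lower().rstrip(".") for h in inventory}
    return sorted(h for h in found if h not in inv)

# Constructed sample in the assumed output shape (last line is truncated on purpose).
SAMPLE = """\
{"host":"api.example.com","input":"example.com","source":"crtsh"}
{"host":"API.example.com.","input":"example.com","source":"alienvault"}
{"host":"*.dev.example.com","input":"example.com","source":"crtsh"}
{"host":"staging.example.com","input":"example.com","source":"alienvault"}
{"host":"notexample.com","input":"example.com","source":"crtsh"}
{"host":"login.example.com","input":
"""
INVENTORY = ["api.example.com", "login.example.com"]  # constructed inventory

if __name__ == "__main__":
    found = load_hosts(SAMPLE, "example.com")
    for host in untracked(found, INVENTORY):
        print(host, sorted(found[host]))
```

The dot-boundary check in in_scope is what keeps look-alike names such as notexample.com out of the report.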

🧪 API Key Boosting (Hero Level)

Put API keys here:

~/.config/subfinder/provider-config.yaml

Example:

# Each provider takes a list of keys as plain strings
virustotal:
  - YOUR_API_KEY
securitytrails:
  - YOUR_API_KEY
# Censys expects the API ID and secret joined with a colon
censys:
  - API_ID:API_SECRET

Tip: Adding API keys increases discovery by 5×–10×.

🚀 Advanced Recon Workflow

1. Passive subdomain enumeration

subfinder -d example.com -o subs.txt

2. Probe which hosts are alive (from this step on, the workflow sends traffic to the target hosts)

httpx -l subs.txt -o alive.txt

3. Run directory discovery

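mkdir -p results
while IFS= read -r url; do
  # httpx emits full URLs; strip the scheme and replace / and : to get a safe file name
  name=$(printf '%s' "$url" | sed -e 's#^[a-z]*://##' -e 's#[/:]#_#g')
  python3 dirsearch.py -u "$url" -e php,txt,js -r -t 50 -o "results/$name.txt"
done < alive.txt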

4. Scan alive hosts with Nmap

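sed -e 's#^[a-z]*://##' -e 's#[/:].*##' alive.txt | sort -u > hosts.txt   # nmap -iL needs bare hostnames, not URLs
nmap -p- -sV -iL hosts.txt -oN nmap_services.txt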

📚 Quick Cheat Sheet

Basic scan:           subfinder -d domain.com
Output to file:       -o subs.txt
Domains list:         -dL domains.txt
Thread speed:         -t 50
Select sources:       -sources crtsh,alienvault
All sources:          -all
JSON output:          -json -o out.json
Passive-only:         (default)

Conclusion

Subfinder is the foundation of reconnaissance. It reveals hidden assets, forgotten subdomains, shadow infrastructure, and potential entry points. When paired with httpx, Dirsearch, Naabu, and Nmap, it becomes a complete recon powerhouse.