# Subdomain Enumeration with subfinder

## Introduction

Subdomain enumeration is a crucial phase of penetration testing and reconnaissance: it helps security professionals identify the hosts, and therefore the potential entry points, that belong to a target domain. In this section we look at subfinder, a passive subdomain enumeration tool built to discover subdomains quickly by querying many online sources. We cover its installation, configuration, and step-by-step usage in real-world scenarios, with technical explanations and command examples.

## Installation and Configuration on Kali Linux

### Prerequisites

Before installing subfinder, ensure that you have the following prerequisites set up on your Kali Linux machine:

- A working installation of Kali Linux.
- Basic knowledge of terminal commands and Git version control.
- The Go programming language installed. You can check whether Go is installed with the following command:

```bash
go version
```

### Step 1: Install Go

If Go is not installed, you can install it with the following commands:

```bash
sudo apt update
sudo apt install golang
```

### Step 2: Clone the subfinder Repository

To install subfinder, you will need to clone its repository from GitHub. Open your terminal and run:

```bash
git clone https://github.com/projectdiscovery/subfinder.git
```

### Step 3: Compile subfinder

Once the repository is cloned, navigate into the directory and compile the tool:

```bash
cd subfinder/v2/cmd/subfinder
go build
```

You should now have the `subfinder` executable in that directory.

### Step 4: Install Additional Dependencies

subfinder relies on APIs from various providers to gather subdomain data, so it is important to configure these settings properly. Some of the popular services include:

- **Crypto APIs**
- **Censys**
- **SecurityTrails**
- **ThreatCrowd**
- **VirusTotal**

You can register for these services and obtain API keys. Once you have your keys, you need to configure them in a configuration file.

### Step 5: Create Configuration File

Create a configuration file named `config.yaml` in your home directory, and add your API keys in the following format:

```yaml
# API keys for subfinder. Each provider name maps to a list of keys (this is the
# layout of subfinder's provider-config.yaml, which it reads by default from
# ~/.config/subfinder/provider-config.yaml). Sources that need no key, such as
# crt.sh, are not listed; Censys takes "API_ID:SECRET" as a single entry.
securitytrails:
  - "YOUR_SECURITYTRAILS_API_KEY"
censys:
  - "YOUR_CENSYS_API_ID:YOUR_CENSYS_SECRET"
virustotal:
  - "YOUR_VIRUSTOTAL_API_KEY"
```

### Step 6: Add subfinder to Your PATH

To make subfinder easier to use, you may want to move the binary to a directory that is in your PATH. You can do this with:

```bash
sudo mv subfinder /usr/local/bin/
```

You can now run `subfinder` from anywhere in your terminal.

## Step-by-Step Usage and Real-World Use Cases

### Basic Command Structure

The basic command structure for subfinder is as follows:

```bash
subfinder -d <domain>
```

Where `<domain>` is the target domain you want to enumerate subdomains for.

### Example: Basic Subdomain Enumeration

To enumerate subdomains for `example.com`, use the following command:

```bash
subfinder -d example.com
```

This command will output a list of discovered subdomains associated with `example.com`.

### Common Parameters

- `-d <domain>`: Specify the target domain.
- `-o <file>`: Write results to a file.
- `-silent`: Show only the discovered subdomains and suppress the banner and progress output.
- `-all`: Use all available sources, including the slower ones, for a more complete (but slower) enumeration.
- `-oJ`: Write results in JSON format (one JSON object per line).

### Example: Output to File

To save the results to a file named `subdomains.txt`, you can run:

```bash
subfinder -d example.com -o subdomains.txt
```

### Real-World Use Case: Discovering Subdomains for a Penetration Test

1. **Identify the Target Domain**: Let's assume our target is `example.com`.
2. **Run subfinder**:

```bash
subfinder -d example.com -o found_subdomains.txt
```

3. **Check for Active Subdomains**: Next, verify which of the found subdomains actually resolve, using a DNS resolution tool such as `dnsenum` or `massdns`:

```bash
massdns -r resolvers.txt -o S -w active_subdomains.txt found_subdomains.txt
```

4. **Perform Further Testing**: With a list of active subdomains, you can begin testing using tools such as:
   - **Nmap**: for port scanning.
   - **Dirb**: for directory brute-forcing.
   - **Burp Suite**: for web application security assessments.

### Advanced Usage with Multiple Domains

You can also enumerate subdomains for multiple domains in one command by using a file containing the domains:

```bash
subfinder -list domains.txt -o subdomains.txt
```

Where `domains.txt` is a file containing one domain per line.
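Processing the results of a multi-domain run: the following is an added example, not code from the original post or from the subfinder project. It parses the JSON-lines records that `subfinder -list domains.txt -oJ` writes, keeps only hosts that are in scope for the domain that was queried, and reports subdomains that did not appear in a baseline saved from an earlier run, which is how a defender tracks changes to their own attack surface. The record fields `host`, `input` and `source` are assumed to match subfinder's JSON output; the sample records are constructed.

```python
import json
from collections import defaultdict

# Constructed sample of subfinder JSON-lines output (one record per line, as written
# by `subfinder -list domains.txt -oJ`). Field names assume subfinder's JSON format;
# hostnames and sources are made up. The last two lines exercise the error handling.
SAMPLE_OUTPUT = """\
{"host":"www.example.com","input":"example.com","source":"crtsh"}
{"host":"www.example.com","input":"example.com","source":"securitytrails"}
{"host":"staging.example.com","input":"example.com","source":"virustotal"}
{"host":"dev.example.org","input":"example.org","source":"crtsh"}
{"host":"mail.example.org","input":"example.org","source":"censys"}
{"host":"unrelated.attacker-owned.net","input":"example.com","source":"crtsh"}
this line is not JSON
"""

def parse_subfinder_json(text):
    """Parse JSON-lines output into {input_domain: {host: set(sources)}}."""
    results = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed record instead of aborting the whole run
        host = rec.get("host", "").lower().rstrip(".")
        parent = rec.get("input", "").lower().rstrip(".")
        # Keep a host only if it is the queried domain or a subdomain of it, so a
        # stray record from a passive source cannot pull an out-of-scope name in.
        if not host or not parent:
            continue
        if host != parent and not host.endswith("." + parent):
            continue
        results[parent][host].add(rec.get("source", "unknown"))
    return results

def new_hosts(current, baseline):
    """Return {domain: sorted hosts} seen now but absent from baseline {domain: set}.
    These are the attack-surface changes a defender should review first."""
    changes = {}
    for domain, hosts in current.items():
        added = sorted(set(hosts) - baseline.get(domain, set()))
        if added:
            changes[domain] = added
    return changes
```

Calling `new_hosts(parse_subfinder_json(SAMPLE_OUTPUT), baseline)` with a baseline of `{"example.com": {"www.example.com"}, "example.org": {"mail.example.org"}}` reports `staging.example.com` and `dev.example.org` as new, while the out-of-scope and malformed records are dropped.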

### Using subfinder with a WordPress Example

If you are targeting a WordPress site, identifying subdomains could expose different administrative views or staging environments. Here's how to proceed:

1. **Identifying Server**:
   Run:

```bash
subfinder -d wordpress-site.com -o subdomains.txt
```

2. **Exploit Subdomains**:
   Check if they host WordPress installations that might be vulnerable:

```bash
dirb http://subdomain.wordpress-site.com -o dirb_output.txt
```

3. **Using WPScan**:
   Use WPScan to further enumerate users and plugins on the subdomain:

```bash
wpscan --url http://subdomain.wordpress-site.com --enumerate u,p
```

## External Reference Links

- [Subfinder GitHub Repository](https://github.com/projectdiscovery/subfinder)
- [Project Discovery's Official Documentation](https://docs.projectdiscovery.io/)
- [Go Programming Language Official Site](https://golang.org/)
- [API Key Management Guide](https://blog.projectdiscovery.io/subfinder-api-config/)
- [Burp Suite Documentation](https://portswigger.net/burp/documentation)

## Conclusion

Subdomain enumeration is a vital skill in the toolkit of any penetration tester or cybersecurity professional. Mastering tools such as subfinder not only enhances your reconnaissance capabilities but also lays the foundation for identifying potential vulnerabilities in web applications. With the ability to discover subdomains quickly and effectively, you can significantly improve your effectiveness in penetration testing engagements.

Made by pablo rotem / פבלו רותם

Pablo Guides