Ah, subdomain enumeration — the magical realm of bug bounty where, if you're lucky, hidden digital gold is just waiting for you to uncover. And while the internet is crawling with tools claiming they'll make you the subdomain overlord, there's one tool that really gets the job done: Subfinder. Forget the outdated, convoluted command-line nightmares — Subfinder is where it's at. In this blog, we'll dive into how to install Subfinder from scratch, configure it like a pro, and wield it to unearth all those juicy subdomains hiding in plain sight.
Before diving into Subfinder, let's talk requirements. Since Subfinder is written in Go, we'll need to install Golang first. Don't worry; it's not as painful as it sounds. Here's the streamlined way to set up Go, so you can get on with finding those elusive subdomains:
1. Download the Go tarball: Fire up your terminal and grab the Go tarball using wget. Here's the magic spell (swap 1.22.4 for the latest version):
wget https://go.dev/dl/go1.22.4.darwin-amd64.tar.gz
2. Extract: Once downloaded, unpack it into /usr/local:
sudo tar -C /usr/local -xzf go1.22.4.darwin-amd64.tar.gz
3. Set PATH: Add Go to your PATH by editing your shell profile (either ~/.zshrc or ~/.bash_profile):
export PATH=$PATH:/usr/local/go/bin
Then reload with:
source ~/.zshrc
4. Verify: Check if Go actually works by typing:
go version
Alright, let's get Subfinder up and running so you can start hunting down those hidden subdomains.
1. Install: Run the following command to download Subfinder — no drama, just type:
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
2. Verify: Now, check if the installation worked with:
subfinder -h
If Subfinder throws a tantrum (aka doesn't work), here's the manual workaround to keep the dream alive:
1. Find Subfinder: Go to your Go directory by typing:
cd ~/go/bin
Then confirm Subfinder's existence with:
ls
2. Copy to System Path: Now, copy Subfinder to /usr/local/bin like so:
sudo cp subfinder /usr/local/bin
3. Final Check: Run the command again:
subfinder -h
Congrats, you're ready to track down subdomains like a pro! Subfinder is in your toolbox, and the subdomain treasure hunt awaits.
Let's take Subfinder for a spin! Run this to dig up subdomains from every data source known to man:
subfinder -d medium.com -all
Here's the breakdown:
• -d is for your target domain.
• -all tells Subfinder to comb through all data sources, from Censys to Shodan to VirusTotal and more.
But wait! To access these subdomain goldmines, you'll need API keys. Time to play signup bingo: go register for every data source under the sun (BeVigil, Chaos, C99, you name it) and copy-paste those keys into the provider-config.yaml file in ~/.config/subfinder/. Open it with:
nano ~/.config/subfinder/provider-config.yaml
After pasting in your prized keys, try the command again:
subfinder -d medium.com -all
Want to keep your haul? Save it to a file with:
subfinder -d medium.com -all -o medium-subdomain.txt
Now you're armed and dangerous! Pipe your results into tools like httprobe and hakcheckurl to check status codes:
cat medium-subdomain.txt | httprobe | hakcheckurl
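Before the list reaches httprobe, it helps to normalize it and drop anything that is not under the domain you enumerated, since passive sources return mixed-case names, wildcard entries and look-alike hosts. The script below is an added example, not part of the original post; the function name in_scope_hosts and the sample hostnames are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original post.
# Usage: in_scope_hosts ROOT_DOMAIN < hostnames
# Normalizes a hostname list and keeps only ROOT_DOMAIN and its subdomains.
in_scope_hosts() {
  root=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  # Lowercase, strip CRs, trim whitespace, drop a leading "*." wildcard
  # label and a trailing root dot, then filter and de-duplicate.
  tr '[:upper:]' '[:lower:]' | tr -d '\r' |
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/^\*\.//' -e 's/\.$//' |
    awk -v root="$root" '
      # skip anything that is not a plain dotted hostname
      $0 !~ /^[a-z0-9_-]+(\.[a-z0-9_-]+)*$/ { next }
      # keep the root domain itself
      $0 == root { print; next }
      # keep names ending in ".root" (suffix match on a label boundary)
      length($0) > length(root) && substr($0, length($0) - length(root)) == "." root { print }
    ' | LC_ALL=C sort -u
}

# Constructed sample input standing in for a Subfinder output file.
sample_hosts() {
  cat <<'EOF'
www.example.com
WWW.Example.com
*.cdn.example.com
example.com.
  api.example.com
notexample.com
example.com.other.test
bad host
EOF
}

# Demo run on the constructed sample.
sample_hosts | in_scope_hosts example.com
```

With the file saved above, the pipeline becomes `in_scope_hosts medium.com < medium-subdomain.txt | httprobe | hakcheckurl`.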
Congrats! You're now officially a subdomain-slaying, API-wielding master of bug bounty.
And there you have it — the no-nonsense guide to unleashing Subfinder's power in your bug bounty toolkit! With a little setup and some API key juggling, Subfinder is primed to sniff out subdomains across the internet like a digital bloodhound. Now you're ready to expose those hidden assets, validate them, and target the real vulnerabilities with precision.
Remember, subdomain enumeration isn't just a recon step; it's the gateway to unearthing forgotten sites, shadow assets, and neglected servers. And with Subfinder configured for ultimate reach, you're not just scratching the surface — you're diving into the deep web of your target's digital footprint. So gear up, get those APIs rolling, and start discovering subdomains that others miss. Happy hunting!
