Subfinder Cheat Sheet
Passive subdomain discovery tool that aggregates results from dozens of sources. Fast, configurable, and designed to integrate with the ProjectDiscovery toolchain.
Basic Usage
Enumerate subdomains for a single domain
$ subfinder -d target.comEnumerate subdomains for a list of domains from a file
$ subfinder -dL domains.txtRecursively enumerate subdomains of discovered subdomains
$ subfinder -d target.com -recursiveUse all sources including slower ones for maximum coverage
$ subfinder -d target.com -allSource Configuration
Use only specific enumeration sources
$ subfinder -d target.com -sources shodan,virustotal,censysExclude specific sources from enumeration
$ subfinder -d target.com -es github,rapiddnsList all available subdomain enumeration sources
$ subfinder -lsRemove wildcard and dead subdomains from results
$ subfinder -d target.com -nWOutput Options
Save discovered subdomains to a text file
$ subfinder -d target.com -o subdomains.txtOutput results in JSON format with source metadata
$ subfinder -d target.com -oJ -o subdomains.jsonInclude the source that found each subdomain in output
$ subfinder -d target.com -cs -o results.txtOutput only subdomains with no banner or status info
$ subfinder -d target.com -silentPipeline Integration
Pipe subdomains to httpx to find live web servers
$ subfinder -d target.com -silent | httpx -silentFull recon pipeline: subdomains to live hosts to critical vulns
$ subfinder -d target.com -silent | httpx -silent | nuclei -s criticalResolve discovered subdomains and display A records
$ subfinder -d target.com -silent | dnsx -a -respPort scan discovered subdomains for common web ports
$ subfinder -d target.com -silent | naabu -p 80,443,8080,8443 -silentProbe subdomains for titles, status codes, and technologies
$ subfinder -d target.com -silent | httpx -title -status-code -tech-detect