Subfinder Cheat Sheet
Fast passive subdomain discovery using curated OSINT sources and API integrations.
Overview
Subfinder aggregates passive subdomain data from certificate transparency, search engines, and API providers. It is the standard first step in external recon pipelines before httpx and nuclei.
Authorized testing only. Passive lookups still expose your queries to third-party services. Use provider API keys only within program rules.
Install
    go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
    subfinder -version
Essential commands
Single domain
    subfinder -d target.example.com
Silent output for pipes
    subfinder -d target.example.com -silent
All sources, JSON
    subfinder -d target.example.com -all -oJ -o subs.json
Common workflows
Pipeline to httpx / nuclei:
    subfinder -d target.example.com -silent | httpx -silent | tee live.txt
    subfinder -dL domains.txt -silent | nuclei -severity high,critical
Provider config (~/.config/subfinder/provider-config.yaml):
    subfinder -d target.example.com -pc ~/.config/subfinder/provider-config.yaml
Recursive / multiple domains:
    subfinder -d target.example.com -recursive
    subfinder -dL domains.txt -o all_subs.txt
Exclude sources:
    subfinder -d target.example.com -es alienvault,zoomeye
Flags reference
| Flag | Description |
|---|---|
| -d | Domain |
| -dL | Domain list file |
| -silent | Subdomains only |
| -all | Use all sources (slower) |
| -recursive | Recursive subdomain enum |
| -o | Output file |
| -oJ | JSON lines |
| -pc | Provider config |
| -es | Exclude sources |
| -t | Threads |
| -timeout | Per-source timeout |
| -proxy | HTTP proxy |
Tips
- Configure API keys in provider config for best coverage.
- Combine with amass and assetfinder, then sort -u for union.
- -recursive can explode scope—align with program boundaries.
- Update regularly: subfinder -update
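The union and scope tips above, as an added shell example (not part of the original cheat sheet or of subfinder itself): it merges host lists from several tools, normalises them, and keeps only hosts under domains listed in a scope file. The scope-file format with `!` exclusions, the function names and the sample hosts are assumptions constructed for this example.

```bash
#!/usr/bin/env bash
# Added example: union several tools' host lists, keep in-scope hosts only.
# Usage: in_scope_union SCOPE_FILE LIST...
#   SCOPE_FILE: one in-scope domain per line; "!domain" excludes a subtree
#               (a convention made up for this example).
in_scope_union() {
    scope_file=$1; shift
    # Normalise: drop CRs, lowercase, trim, strip "*." prefix and trailing dot.
    cat "$@" | tr -d '\r' | tr '[:upper:]' '[:lower:]' \
      | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
            -e 's/^\*\.//' -e 's/\.$//' \
      | awk -v scope="$scope_file" '
          BEGIN {
              while ((getline line < scope) > 0) {
                  sub(/\r$/, "", line); line = tolower(line)
                  if (line == "" || line ~ /^#/) continue
                  if (substr(line, 1, 1) == "!") deny[substr(line, 2)] = 1
                  else allow[line] = 1
              }
          }
          # True when host equals a listed domain or ends in "." + domain,
          # so eviltarget.example.com does not match target.example.com.
          function under(host, doms,    d, n) {
              for (d in doms) {
                  n = length(d)
                  if (host == d) return 1
                  if (length(host) > n && substr(host, length(host) - n) == ("." d)) return 1
              }
              return 0
          }
          $0 != "" && under($0, allow) && !under($0, deny)
        ' | LC_ALL=C sort -u
}

# Constructed sample data standing in for tool output files.
demo_in_scope_union() {
    d=$(mktemp -d)
    printf '%s\n' 'target.example.com' '!legacy.target.example.com' > "$d/scope.txt"
    printf '%s\n' 'www.target.example.com' 'API.target.example.com.' \
        'eviltarget.example.com' > "$d/subfinder.txt"
    printf '%s\n' 'www.target.example.com' '*.target.example.com' \
        'old.legacy.target.example.com' 'cdn.other.example.net' > "$d/amass.txt"
    in_scope_union "$d/scope.txt" "$d/subfinder.txt" "$d/amass.txt"
    rm -rf "$d"
}

demo_in_scope_union
```

Run the filter before handing hosts to httpx or nuclei so that out-of-scope names surfaced by recursive or multi-tool runs never reach an active step.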