Question 1

how to set up API keys for subfinder

Accepted Answer

After installation, configure API keys in the provider-config.yaml file as per the post-installation instructions. This allows access to premium sources like Shodan for better results, though some sources may require paid subscriptions.

Question 2

subfinder vs amass which is better for reconnaissance

Accepted Answer

Subfinder is faster and more lightweight for passive enumeration, while Amass offers active scanning and more features but can be slower. Choose Subfinder for stealthy, quick passive discovery, or Amass for comprehensive, active reconnaissance.

Question 3

what sources does subfinder use to find subdomains

Accepted Answer

Subfinder uses curated passive sources such as crt.sh, GitHub, and others, with a full list available via the -ls flag. It respects source licenses and usage limits to ensure ethical and legal compliance.

Question 4

can subfinder find subdomains without API keys

Accepted Answer

Yes, Subfinder works with free sources without API keys, but many premium sources require keys for full functionality. Performance may be limited if relying only on free sources, as noted in the documentation.

Question 5

how to output subfinder results to a JSON file

Accepted Answer

Use the -oJ flag for JSON output and -o flag to specify a file, e.g., 'subfinder -d example.com -oJ -o results.json'. This formats data for easy integration with other tools or analysis scripts.

Question 6

is subfinder good for bug bounty hunting

Accepted Answer

Yes, Subfinder is ideal for bug bounty hunters due to its passive, stealthy approach that avoids alerting targets. Its speed and integration capabilities help in quickly enumerating subdomains during reconnaissance phases.

SubFinder

What is SubFinder?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions