If you want to support the tool development and make it better, support us :) You will appear here.
The fastest and cross-platform subdomain enumerator.
It comparision gives you a idea why you should use findomain instead of another tools. The domain used for the test was microsoft.com in the following BlackArch virtual machine:
Host: KVM/QEMU (Standard PC (i440FX + PIIX, 1996) pc-i440fx-3.1)
Kernel: 5.2.6-arch1-1-ARCH
CPU: Intel (Skylake, IBRS) (4) @ 2.904GHz
Memory: 139MiB / 3943MiB
The tool used to calculate the time, is the time
command in Linux. You can see all the details of the tests in it link.
Enumeration Tool | Serch Time | Total Subdomains Found | CPU Usage | RAM Usage |
---|---|---|---|---|
Findomain | real 0m20.148s | 20627 | Very Low | Very Low |
assetfinder | real 6m1.117s | 4630 | Very Low | Very Low |
Subl1st3r | real 7m14.996s | 996 | Low | Low |
Amass* | real 29m20.301s | 332 | Very High | Very High |
- I can't wait to the amass test for finish, looks like it will never ends and aditionally the resources usage is very hight.
Note: The benchmark was updated the 05/09/2019, since it point other tools can improve things and you will got different results.
- Multi-thread support, it makes that the maximun time that Findomain will take to search subdomains for any target is 20 seconds.
- Discover subdomains without brute-force, it tool uses Certificate Transparency Logs and APIs.
- Discover subdomains with or without IP address according to user arguments.
- Read target from user argument (-t) or file (-f).
- Discover subdomains with or without IP and also write to output files per-domain if specified by the user, recursively.
- Write output to TXT file.
- Write output to CSV file.
- Write output to JSON file.
- Cross platform support: Any platform, it's written in Rust and Rust is multiplatform. See the documentation for instructions.
- Multiple API support.
Note: the proxy support is just to proxify APIs requests, the actual implementation to discover IP address of subdomains doesn't support proxyfing and it's made using the host network still if you use the -p option.
It tool doesn't use the common methods for sub(domains) discover, the tool uses Certificate Transparency logs and specific well tested APIs to find subdomains. It method make it tool the most faster and reliable. The tool make use of multiple public available APIs to perform the search. If you want to know more about Certificate Transparency logs, read https://www.certificate-transparency.org/
APIs that we are using at the moment:
- Certspotter
- Crt.sh
- Virustotal
- Sublit3r
- Facebook
**
- Spyse (CertDB)
*
- Bufferover
- Threadcrow
- Virustotal with apikey
**
Notes
APIs marked with **
, require an access token to work. Search in the Findomain documentation how to configure and use it.
APIs marked with *
can optionally be used with an access token, create one if you start experiencing problems with that APIs. Search in the Findomain documentation how to configure and use it.
More APIs?
If you know other APIs that should be added, comment here.
All supported platforms in the binarys that we give are 64 bits only and we don't have plans to add support for 32 bits binary releases, if you want to have support for 32 bits follow the documentation.
If you want to build the tool for your 32 bits system or another platform, follow it steps:
Note: You need to have rust, make and perl installed in your system first.
Using the crate:
cargo install findomain
- Execute the tool from
$HOME/.cargo/bin
. See the cargo-install documentation.
Using the Github source code:
- Clone the repository or download the release source code.
- Extract the release source code (only needed if you downloaded the compressed file).
- Go to the folder where the source code is.
- Execute
cargo build --release
- Now your binary is in
target/release/findomain
and you can use it.
Install the Termux package, open it and follow it commands:
$ pkg install rust make perl
$ cargo install findomain
$ cd $HOME/.cargo/bin
$ ./findomain
If you want to install it, you can do that manually compiling the source or using the precompiled binary.
Manually: You need to have rust, make and perl installed in your system first.
$ git clone https://github.com/Edu4rdSHL/findomain.git
$ cd findomain
$ cargo build --release
$ sudo cp target/release/findomain /usr/bin/
$ findomain
$ wget https://github.com/Edu4rdSHL/findomain/releases/latest/download/findomain-linux
$ chmod +x findomain-linux
$ ./findomain-linux
If you are using the BlackArch Linux distribution, you just need to use:
$ sudo pacman -S findomain
$ wget https://github.com/Edu4rdSHL/findomain/releases/latest/download/findomain-aarch64
$ chmod +x findomain-aarch64
$ ./findomain-aarch64
Download the binary from https://github.com/Edu4rdSHL/findomain/releases/latest/download/findomain-windows.exe
Open a CMD shell and go to the dir where findomain-windows.exe was downloaded.
Exec: findomain-windows
in the CMD shell.
$ wget https://github.com/Edu4rdSHL/findomain/releases/latest/download/findomain-osx
$ chmod +x findomain-osx.dms
$ ./findomain-osx.dms
In in section you can found the steps about how to configure APIs that need or can be used with access tokens.
History
When I added the Facebook CT API in the beginning I was providing a Webhook token to search in the API, as consequence when a lot of users were using the same token the limit was reached and user can't search in the Facebook API anymore until Facebook unlocked it again. Since Findomain version 0.2.2, users can set their own Facebook Access Token for the webook and pass it to findomain setting the findomain_fb_token
system variable. The change was introduced here. Also since 23/08/2019 I have removed the webhook that was providing that API token and it will not work anymore, if you're using findomain < 0.2.2 you are affected, please use a version >= 0.2.2.
Since Findomain 0.2.4 you don't need to explicity set the findomain_fb_token
variable in your system, if you don't set that variable then Findomain will use one of our five provided access tokens for the Facebook CT API, otherwise, if you set the environment variable then Findomain will use your token. See it commit. Please, if you can create your own token, do it. The usage limit of access tokens is reached when a lot of people use it and then the tool will fail.
Getting the Webhook token
The first step is get your Facebook application token. You need to create a Webhook, follow the next steps:
- Open https://developers.facebook.com/apps/
- Clic in "Create App", put the name that you want and send the information.
- In the next screen, select "Configure" in the Webhooks option.
- Go to "Configuration" -> "Basic" and clic on "Show" in the "App secret key" option.
- Now open in your browser the following URL: https://graph.facebook.com/oauth/access_token?client_id=your-app-id&client_secret=your-secret-key&grant_type=client_credentials
Note: replace your-app-id
by the number of your webhook identifier and your-secret-key
for the key that you got in the 4th step.
- You should have a JSON like:
{
"access_token": "xxxxxxxxxx|yyyyyyyyyyyyyyyyyyyyyyy",
"token_type": "bearer"
}
- Save the
access_token
value.
Now you can use that value to set the access token as following:
Unix based systems (Linux, BSD, MacOS, Android with Termux, etc):
Put in your terminal:
$ findomain_fb_token="YourAccessToken" findomain -(options)
Windows systems:
Put in the CMD command prompt:
> set findomain_fb_token=YourAccessToken && findomain -(options)
Note: In Windows you need to scape special characters like |
, add ^
before the special character to scape it and don't quote the token. Example: set findomain_fb_token=xxxxxxx^|yyyyyyyy && findomain -(options)
Tip: If you don't want to write the access token everytime that you run findomain, export the findomain_fb_token
in Unix based systems like putting export findomain_fb_token="YourAccessToken"
into your .bashrc
and set the findomain_fb_token
variable in your Windows system as described here.
- Open https://account.spyse.com/register and make the registration process (include email verification).
- Log in into your spyse account and go to https://account.spyse.com/user
- Search for the "API token" section and clic in "Show".
- Save that access token.
Now you can use that value to set the access token as following:
Unix based systems (Linux, BSD, MacOS, Android with Termux, etc):
Put in your terminal:
$ findomain_spyse_token="YourAccessToken" findomain -(options)
Windows systems:
Put in the CMD command prompt:
> set findomain_spyse_token=YourAccessToken && findomain -(options)
Note: In Windows you need to scape special characters like |
, add ^
before the special character to scape it and don't quote the token. Example: set findomain_spyse_token=xxxxxxx^|yyyyyyyy && findomain -(options)
Tip: If you don't want to write the access token everytime that you run findomain, export the findomain_spyse_token
in Unix based systems like putting export findomain_spyse_token="YourAccessToken"
into your .bashrc
and set the findomain_spyse_token
variable in your Windows system as described here.
- Open https://www.virustotal.com/gui/join-us and make the registration process (include email verification).
- Log in into your spyse account and go to https://www.virustotal.com/gui/user/YourUsername/apikey
- Search for the "API key" section.
- Save that API key.
Now you can use that value to set the access token as following:
Unix based systems (Linux, BSD, MacOS, Android with Termux, etc):
Put in your terminal:
$ findomain_virustotal_token="YourAccessToken" findomain -(options)
Windows systems:
Put in the CMD command prompt:
> set findomain_virustotal_token=YourAccessToken && findomain -(options)
Note: In Windows you need to scape special characters like |
, add ^
before the special character to scape it and don't quote the token. Example: set findomain_virustotal_token=xxxxxxx^|yyyyyyyy && findomain -(options)
Tip: If you don't want to write the access token everytime that you run findomain, export the findomain_virustotal_token
in Unix based systems like putting export findomain_virustotal_token="YourAccessToken"
into your .bashrc
and set the findomain_virustotal_token
variable in your Windows system as described here.
You can use the tool in two ways, only discovering the domain name or discovering the domain + the IP address.
findomain 0.2.5
Eduard Tolosa <[email protected]>
The fastest and cross-platform subdomain enumerator, don't waste your time.
USAGE:
findomain [FLAGS] [OPTIONS]
FLAGS:
-h, --help Prints help information
-i, --get-ip Return the subdomain list with IP address if resolved.
-V, --version Prints version information
OPTIONS:
-f, --file <file> Sets the input file to use.
-o, --output <output> Write data to output file in the specified format. [possible values: txt, csv, json]
-t, --target <target> Target host
- Make a simple search of subdomains and print the info in the screen:
findomain -t example.com
- Make a search of subdomains and print the info in the screen:
findomain -t example.com
- Make a search of subdomains and export the data to a CSV file:
findomain -t example.com -o csv
- Make a search of subdomains and resolve the IP address of subdomains (if possible):
findomain -t example.com -i
- Make a search of subdomains and resolve the IP address of subdomains (if possible), exporting the data to a CSV file:
findomain -t example.com -i -o csv
- Search subdomains from a list of domains passed using a file (you need to put a domain in every line into the file):
findomain -f file_with_domains.txt
- Improve JSON output.
- Add more APIs (It's longterm because I depend of new requests, at the moment I have not more APIs in the mind).
If you have a problem or a feature request, open an issue.