xsubfind3r
is a command-line utility designed to help you discover subdomains for a given domain in a simple, efficient way. It works by gathering information from a variety of passive sources, meaning it doesn't interact directly with the target but instead gathers data that is already publicly available. This makes it a powerful tool for security researchers, IT professionals, and anyone who wants to know more about the subdomains associated with a domain.
- Wide Coverage: Fetches subdomains from multiple online passive sources to provide extensive results.
- Flexible Output: Supports silent mode for only showing results and offers various output options for saving the results.
- Easy to Integrate: Supports
stdin
andstdout
for easy integration in automated workflows. - Cross-Platform: Works on Windows, Linux, and macOS.
Visit the releases page and find the appropriate archive for your operating system and architecture. Download the archive from your browser or copy its URL and retrieve it with wget
or curl
:
-
...with
wget
:wget https://github.com/hueristiq/xsubfind3r/releases/download/v<version>/xsubfind3r-<version>-linux-amd64.tar.gz
-
...or, with
curl
:curl -OL https://github.com/hueristiq/xsubfind3r/releases/download/v<version>/xsubfind3r-<version>-linux-amd64.tar.gz
...then, extract the binary:
tar xf xsubfind3r-<version>-linux-amd64.tar.gz
Tip
The above steps, download and extract, can be combined into a single step with this onliner
curl -sL https://github.com/hueristiq/xsubfind3r/releases/download/v<version>/xsubfind3r-<version>-linux-amd64.tar.gz | tar -xzv
Note
On Windows systems, you should be able to double-click the zip archive to extract the xsubfind3r
executable.
...move the xsubfind3r
binary to somewhere in your PATH
. For example, on GNU/Linux and OS X systems:
sudo mv xsubfind3r /usr/local/bin/
Note
Windows users can follow How to: Add Tool Locations to the PATH Environment Variable in order to add xsubfind3r
to their PATH
.
If you have Docker installed, you can use xsubfind3r
using it's image:
-
Pull the docker image using:
docker pull hueristiq/xsubfind3r:latest
-
Run
xsubfind3r
using the image:docker run --rm hueristiq/xsubfind3r:latest -h
Before you install from source, you need to make sure that Go is installed on your system. You can install Go by following the official instructions for your operating system. For this, we will assume that Go is already installed.
go install -v github.com/hueristiq/xsubfind3r/cmd/xsubfind3r@latest
-
Clone the repository
git clone https://github.com/hueristiq/xsubfind3r.git
-
Build the utility
cd xsubfind3r/cmd/xsubfind3r && \ go build .
-
Move the
xsubfind3r
binary to somewhere in yourPATH
. For example, on GNU/Linux and OS X systems:sudo mv xsubfind3r /usr/local/bin/
Windows users can follow How to: Add Tool Locations to the PATH Environment Variable in order to add
xsubfind3r
to theirPATH
.
Caution
While the development version is a good way to take a peek at xsubfind3r
's latest features before they get released, be aware that it may have bugs. Officially released versions will generally be more stable.
xsubfind3r
will work right after installation. However, BeVigil, BufferOver, BuiltWith, Certspotter, Chaos, Fullhunt, Github, Intelligence X, LeakIX and Shodan require API keys to work, URLScan supports API key but not required. The API keys are stored in the $HOME/.config/xsubfind3r/config.yaml
file, created upon first run, and uses the YAML format, or supplied via environment variables. Multiple API keys can be specified for each of these source from which one of them will be used.
Example config.yaml
:
Caution
The keys/tokens below are invalid and used as examples, use your own keys/tokens!
version: 0.8.0
sources:
- alienvault
- anubis
- bevigil
- bufferover
- builtwith
- certspotter
- chaos
- commoncrawl
- crtsh
- fullhunt
- github
- hackertarget
- intelx
- leakix
- shodan
- urlscan
- wayback
keys:
bevigil:
- awA5nvpKU3N8ygkZ
bufferover:
- COx9GBnhz63hcF1hlBtLb4KAdlzJly1d8xeovTjK
builtwith:
- 7fcbaec4-dc49-472c-b837-3896cb255823
chaos:
- d23a554bbc1aabb208c9acfbd2dd41ce7fc9db39asdsd54bbc1aabb208c9acfb
fullhunt:
- 0d9652ce-516c-4315-b589-9b241ee6dc24
github:
- d23a554bbc1aabb208c9acfbd2dd41ce7fc9db39
- asdsd54bbc1aabb208c9acfbd2dd41ce7fc9db39
intelx:
- 2.intelx.io:00000000-0000-0000-0000-000000000000
leakix:
- xhDsgKejYTUWVNLn9R6f8afhsG6h6KM69lqEBoMJbfcvDk1v
shodan:
- AAAAClP1bJJSRMEYJazgwhJKrggRwKA
urlscan:
- d4c85d34-e425-446e-d4ab-f5a3412acbe8
Note
To run xsubfind3r
using docker with a local config file:
docker run --rm -v $HOME/.config/xsubfind3r:/root/.config/xsubfind3r hueristiq/xsubfind3r:latest -h
Example environmet variables:
XURLFIND3R_KEYS_BEVIGIL=awA5nvpKU3N8ygkZ
XURLFIND3R_KEYS_BUFFEROVER=COx9GBnhz63hcF1hlBtLb4KAdlzJly1d8xeovTjK
XURLFIND3R_KEYS_BUILTWITH=7fcbaec4-dc49-472c-b837-3896cb255823
XURLFIND3R_KEYS_CHAOS=d23a554bbc1aabb208c9acfbd2dd41ce7fc9db39asdsd54bbc1aabb208c9acfb
XURLFIND3R_KEYS_FULLHUNT=0d9652ce-516c-4315-b589-9b241ee6dc24
XURLFIND3R_KEYS_GITHUB=asdsd54bbc1aabb208c9acfbd2dd41ce7fc9db39,d23a554bbc1aabb208c9acfbd2dd41ce7fc9db39
XURLFIND3R_KEYS_INTELX=2.intelx.io:00000000-0000-0000-0000-000000000000
XURLFIND3R_KEYS_LEAKIX=xhDsgKejYTUWVNLn9R6f8afhsG6h6KM69lqEBoMJbfcvDk1v
XURLFIND3R_KEYS_SHODAN=AAAAClP1bJJSRMEYJazgwhJKrggRwKA
XURLFIND3R_KEYS_URLSCAN=d4c85d34-e425-446e-d4ab-f5a3412acbe8
To start using xsubfind3r
, open your terminal and run the following command for a list of options:
xsubfind3r -h
Here's what the help message looks like:
_ __ _ _ _____
__ _____ _ _| |__ / _(_)_ __ __| |___ / _ __
\ \/ / __| | | | '_ \| |_| | '_ \ / _` | |_ \| '__|
> <\__ \ |_| | |_) | _| | | | | (_| |___) | |
/_/\_\___/\__,_|_.__/|_| |_|_| |_|\__,_|____/|_|
v0.8.0
USAGE:
xsubfind3r [OPTIONS]
CONFIGURATION:
-c, --configuration string configuration file (default: $HOME/.config/xsubfind3r/config.yaml)
INPUT:
-d, --domain string[] target domain
-l, --list string target domains list file path
TIP: For multiple input domains use comma(,) separated value with `-d`,
specify multiple `-d`, load from file with `-l` or load from stdin.
SOURCES:
--sources bool list supported sources
-u, --sources-to-use string[] comma(,) separated sources to use
-e, --sources-to-exclude string[] comma(,) separated sources to exclude
OUTPUT:
--monochrome bool display no color output
-o, --output string output subdomains file path
-O, --output-directory string output subdomains directory path
-s, --silent bool display output subdomains only
-v, --verbose bool display verbose output
For example, to discover subdomains for example.com
:
xsubfind3r -d example.com
You can also use multiple domains by separating them with commas or providing a list from a file.
We welcome contributions! Feel free to submit Pull Requests or report Issues. For more details, check out the contribution guidelines.
This utility is licensed under the MIT license. You are free to use, modify, and distribute it, as long as you follow the terms of the license. You can find the full license text in the repository - Full MIT license text.
A huge thanks to all the contributors who have helped make xsubfind3r
what it is today!
If you're interested in more utilities like this, check out: