SubFinder Pro is a high-performance, production-ready passive subdomain enumeration tool written in Go. It aggregates subdomain data from multiple public sources using concurrent processing, DNS verification, and advanced filtering capabilities.
- Multiple Data Sources: Aggregates data from 5+ passive reconnaissance sources
- Certificate Transparency (crt.sh)
- HackerTarget API
- ThreatCrowd
- AlienVault OTX
- URLScan.io
- Concurrent Processing: Worker pool pattern with configurable concurrency
- DNS Verification: Active DNS resolution with wildcard detection
- Smart Filtering: Regex-based pattern matching and exclusion
- Rate Limiting: Per-source configurable rate limits
- Multiple Output Formats: Plain text and JSON (JSONL)
- Flexible Configuration: YAML config files with environment variable support
- Production Ready: Comprehensive error handling and retry logic
Requires Go 1.21 or higher:
git clone https://github.com/yourusername/subfinder-pro.git
cd subfinder-pro
go mod download
go build -o subfinder-pro main.gogo install github.com/yourusername/subfinder-pro@latestDownload pre-built binaries from the Releases page.
# Enumerate subdomains for a single domain
./subfinder-pro -d example.com
# Save results to file
./subfinder-pro -d example.com -o results.txt
# Multiple domains from file
./subfinder-pro -dL domains.txt -o results.txt
# JSON output
./subfinder-pro -d example.com -json -o results.json# With DNS verification
./subfinder-pro -d example.com -active
# Use specific sources only
./subfinder-pro -d example.com -s crtsh,alienvault
# Exclude specific sources
./subfinder-pro -d example.com -es threatcrowd
# Pattern matching (find only api/dev/staging subdomains)
./subfinder-pro -d example.com -m "^(api|dev|staging)\."
# Filter out test/internal subdomains
./subfinder-pro -d example.com -f "test|internal"
# Verbose output with 20 workers
./subfinder-pro -d example.com -v -t 20
# Silent mode (only output subdomains)
./subfinder-pro -d example.com -silent
# With proxy
./subfinder-pro -d example.com -proxy http://proxy.example.com:8080SubFinder Pro uses two configuration files:
- config.yaml: Global settings (timeout, workers, DNS, output)
- provider-config.yaml: API keys and per-source configuration
timeout: 30
workers: 10
rate_limit: 5
dns:
enabled: false
servers:
- "8.8.8.8:53"
- "1.1.1.1:53"
timeout: 5
retry: 3
output:
format: text
sort: true
unique: true
http:
user_agent: "SubFinder-Pro/1.0"
timeout: 10
proxy: ""sources:
crtsh:
enabled: true
rate_limit: 5
timeout: 30
alienvault:
enabled: true
api_key: "your-api-key-here"
rate_limit: 10
timeout: 20API keys can be set via environment variables:
export ALIENVAULT_API_KEY="your-key"
export URLSCAN_API_KEY="your-key"
export HACKERTARGET_API_KEY="your-key"
# Alternative format
export SUBFINDER_ALIENVAULT_API_KEY="your-key"- Visit https://otx.alienvault.com/
- Create a free account
- Go to Settings β API Integration
- Copy your API key
- Set in
provider-config.yamlor environment variable:export ALIENVAULT_API_KEY="your-key"
- Visit https://urlscan.io/
- Create a free account
- Go to Settings & API
- Generate API key
- Set in
provider-config.yamlor:export URLSCAN_API_KEY="your-key"
- Visit https://hackertarget.com/
- Purchase API membership
- Set API key:
export HACKERTARGET_API_KEY="your-key"
| Flag | Short | Description | Default |
|---|---|---|---|
--domain |
-d |
Target domain | - |
--domain-list |
-dL |
File with domain list | - |
--output |
-o |
Output file path | stdout |
--sources |
-s |
Specific sources to use | all |
--all |
- | Use all available sources | true |
--exclude-sources |
-es |
Sources to exclude | - |
--json |
- | JSON output format | false |
--silent |
- | Silent mode | false |
--timeout |
- | Timeout per source (seconds) | 30 |
--threads |
-t |
Concurrent workers | 10 |
--config |
-c |
Config file path | config.yaml |
--active |
- | Enable DNS verification | false |
--match |
-m |
Match patterns (regex) | - |
--filter |
-f |
Filter patterns (exclude) | - |
--rate-limit |
- | Rate limit (req/sec) | 5 |
--proxy |
- | HTTP proxy URL | - |
--verbose |
-v |
Verbose output | false |
--version |
- | Show version | false |
api.example.com
blog.example.com
dev.example.com
mail.example.com
www.example.com
{"host":"api.example.com","source":"crtsh","timestamp":"2025-11-30T23:09:00Z","ips":null}
{"host":"blog.example.com","source":"alienvault","timestamp":"2025-11-30T23:09:01Z","ips":null}
{"host":"dev.example.com","source":"crtsh","timestamp":"2025-11-30T23:09:00Z","ips":null}{"host":"api.example.com","source":"crtsh","timestamp":"2025-11-30T23:09:00Z","ips":["192.0.2.1"]}
{"host":"blog.example.com","source":"alienvault","timestamp":"2025-11-30T23:09:01Z","ips":["192.0.2.2","192.0.2.3"]}SubFinder Pro automatically detects wildcard DNS:
./subfinder-pro -d example.com -active -vThe tool will:
- Test 3 random subdomains
- Detect if they resolve to the same IP
- Filter out wildcard matches from results
Use regex patterns to filter results:
# Match subdomains starting with "api", "dev", or "staging"
./subfinder-pro -d example.com -m "^(api|dev|staging)\."
# Patterns from file
./subfinder-pro -d example.com -m @patterns.txtpatterns.txt:
^api\.
^dev\.
^staging\.
Exclude unwanted patterns:
# Exclude test and internal subdomains
./subfinder-pro -d example.com -f "test|internal"
# Filters from file
./subfinder-pro -d example.com -f @exclude.txtConfigure per-source rate limits in provider-config.yaml:
sources:
crtsh:
rate_limit: 5 # 5 requests per second
alienvault:
rate_limit: 10go test ./... -vgo test ./tests -v -tags=integrationgo test ./... -bench=. -benchmem- Check API keys: Ensure AlienVault API key is set
- Check internet connectivity: Test with
curl https://crt.sh - Increase timeout: Use
--timeout 60 - Try specific sources: Use
-s crtshto test individual sources
- Reduce workers: Use
-t 5 - Increase timeout: Use
--timeout 60 - Use API keys: Some sources have higher limits with API keys
- Check DNS servers: Verify servers in
config.yaml - Increase DNS timeout: Set
dns.timeout: 10in config - Disable wildcard detection: Use without
-activeflag
# Check directory permissions
ls -la output_directory/
# Use absolute path
./subfinder-pro -d example.com -o /tmp/results.txt- Throughput: 100+ subdomains/second
- Memory: < 100MB typical usage
- Concurrency: Supports 50+ concurrent workers
- Startup: < 500ms
-
Adjust workers: More workers = faster processing (up to a point)
./subfinder-pro -d example.com -t 20
-
Use specific sources: Skip slow sources
./subfinder-pro -d example.com -s crtsh,alienvault
-
Disable DNS verification: For faster passive enumeration
./subfinder-pro -d example.com
Contributions are welcome! Please follow these guidelines:
- Fork the repository
- Create a feature branch (
git checkout -b feature/amazing-feature) - Commit your changes (
git commit -m 'Add amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
To add a new subdomain source:
- Create a new file in
pkg/sources/(e.g.,newsource.go) - Implement the
Sourceinterface:type NewSource struct { config *SourceConfig client *http.Client } func (ns *NewSource) Run(ctx context.Context, domain string) ([]string, error) { // Implementation } func (ns *NewSource) Name() string { return "newsource" } func (ns *NewSource) NeedsKey() bool { return false }
- Add to
initializeSources()inmain.go - Update
provider-config.yamlwith source configuration - Add tests in
tests/sources_test.go
This project is licensed under the MIT License - see the LICENSE file for details.
- Cobra - CLI framework
- Certificate Transparency - crt.sh data
- AlienVault OTX - Threat intelligence
- URLScan.io - URL scanning service
- HackerTarget - Security tools
- ThreatCrowd - Threat data
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- Add more data sources (VirusTotal, Censys, Shodan)
- Database output support (PostgreSQL, MongoDB)
- Web dashboard for visualization
- Continuous monitoring mode
- Diff detection between scans
- Integration with Nuclei/Nmap
- Docker container
- Distributed processing support
Made with β€οΈ for the security community