offensive-tools/recon/subfinder/SKILL.md
Auth/lab ref: Passive subdomain enumeration tool using 40+ OSINT sources.
Fast passive subdomain enumeration — part of the ProjectDiscovery toolkit.
```bash
# Enumerate subdomains for a domain
subfinder -d example.com

# Output to file
subfinder -d example.com -o subs.txt

# Silent mode (subdomains only, no banner)
subfinder -d example.com -silent
```

| Flag | Description |
|------|-------------|
| -d <domain> | Target domain |
| -dL <file> | List of domains from file |
| -o <file> | Output file |
| -oJ | JSON output |
| -silent | Print subdomains only |
| -t <n> | Threads (default 10) |
| -timeout <n> | Timeout per source (seconds) |
| -all | Use all sources (slower, more results) |
| -recursive | Enumerate recursively |
| -active | Active DNS verification of results |
| -v | Verbose output |
Configure API keys in ~/.config/subfinder/provider-config.yaml:

```yaml
shodan:
  - YOUR_SHODAN_KEY
virustotal:
  - YOUR_VT_KEY
censys:
  - YOUR_CENSYS_ID:YOUR_SECRET
binaryedge:
  - YOUR_KEY
```

Without API keys, subfinder still uses free sources (crt.sh, hackertarget, etc.).
```bash
# Enumerate + pipe to httpx for live host check
subfinder -d example.com -silent | httpx -silent

# Recursive enumeration
subfinder -d example.com -recursive -silent -o all_subs.txt

# Multiple domains from file
subfinder -dL domains.txt -silent -o subs.txt

# Use all sources for maximum coverage
subfinder -d example.com -all -silent

# JSON output for automation
subfinder -d example.com -oJ -o subs.json
```

```bash
# Subdomain → live hosts → web fingerprint → screenshot
subfinder -d target.com -silent -all | \
  dnsx -silent -a -resp | \
  awk '{print $1}' | \
  httpx -silent -status-code -title -tech-detect | \
  tee web_services.txt

# Find admin/login panels in results
grep -iE "admin|login|portal|dashboard|manage" web_services.txt
```

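The `-silent` and `-oJ` modes above produce the output that automation consumes. The following is an added example written for this page (it is not subfinder's own code nor part of the original skill) showing the post-processing step a defender running continuous attack-surface monitoring wants: pull the `host` field out of `-oJ` lines without a jq dependency, normalise hostnames (case, trailing dot, duplicates), and diff the run against a known asset inventory so newly discovered or forgotten subdomains surface for review. The baseline list and JSON lines are constructed sample data; the only assumption is that each `-oJ` line is a flat JSON object carrying a `"host"` field.

```bash
#!/bin/sh
# Added example (not from the subfinder project): diff a subfinder run against
# an asset inventory so unknown subdomains stand out for review.
# Assumption: each line of `subfinder -oJ` output is a flat JSON object with a
# "host" field, e.g. {"host":"www.example.com","input":"example.com","source":"crtsh"}.

# Read subfinder JSON lines on stdin and print only the host values.
# The objects are flat, so a sed capture is enough and jq is not required.
sf_hosts_from_json() {
  sed -n 's/.*"host":"\([^"]*\)".*/\1/p'
}

# Normalise a host list on stdin: lowercase, strip a trailing dot, drop blank
# lines, and dedupe. Inventories and scanner output rarely agree on these.
sf_normalise() {
  tr 'A-Z' 'a-z' | sed 's/\.$//' | grep -v '^$' | sort -u
}

# Print hosts present in $2 (current run) but absent from $1 (baseline).
# Both files are normalised first; awk keys on FILENAME so an empty baseline
# file is handled correctly (the NR==FNR idiom would misfire there).
sf_new_hosts() {
  b=$(mktemp); c=$(mktemp)
  sf_normalise < "$1" > "$b"
  sf_normalise < "$2" > "$c"
  awk -v base="$b" 'FILENAME == base { seen[$0] = 1; next } !($0 in seen)' "$b" "$c"
  rm -f "$b" "$c"
}

# Constructed demo data (not real scan output) so the script runs offline.
# Prints the subdomains that are in the run but missing from the inventory.
sf_demo() {
  d=$(mktemp -d)
  # Inventory as an asset owner might keep it: mixed case, trailing dot.
  printf '%s\n' 'www.example.com' 'api.example.com' 'Mail.example.com.' > "$d/baseline.txt"
  # Constructed stand-in for `subfinder -d example.com -oJ` output.
  printf '%s\n' \
    '{"host":"www.example.com","input":"example.com","source":"crtsh"}' \
    '{"host":"api.example.com","input":"example.com","source":"hackertarget"}' \
    '{"host":"mail.example.com","input":"example.com","source":"crtsh"}' \
    '{"host":"staging-old.example.com","input":"example.com","source":"crtsh"}' \
    '{"host":"dev.example.com","input":"example.com","source":"virustotal"}' \
    > "$d/current.json"
  sf_hosts_from_json < "$d/current.json" > "$d/current.txt"
  sf_new_hosts "$d/baseline.txt" "$d/current.txt"
  rm -rf "$d"
}

sf_demo
```

Against real output, replace the constructed files with your inventory and `subs.json` from `subfinder -d example.com -oJ -o subs.json`, and feed the printed list to whoever owns the domain: a host that subfinder finds but the inventory lacks is either an asset nobody is patching or stale DNS pointing at something that can be claimed, and both deserve a ticket.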
| File | When to load |
|------|--------------|
| references/providers.md | Full passive source list, API key setup for all 40+ providers |