Findomain – The fastest and cross-platform subdomain enumerator

Findomain

The fastest and cross-platform subdomain enumerator, do not waste your time.


Findomain Monitoring Service

If you don’t want to deal with servers and complex configurations for doing recon but also have more features in an integrated solution, Findomain offers a subdomains monitoring service that provides: directory fuzzing/ports scan/vulnerabilities discovery (with Nuclei) – and more that allow you to monitor your target domains with multiple top tools (OWASP Amass, Sublist3r, Assetfinder and Subfinder) and send alerts to Discord, Slack, Telegram, Email or Push Notifications (Android/iOS/Smart Watch/Desktop) when new subdomains are found. The only you need to do is configure a file with your email address (if applicable) or/and webhooks/Telegram chat information and put your domains in another file, once you have done that you have a full automated subdomains monitoring service that keep you up to date with new subdomains discovered, Host IP, HTTP Status, Screenshots of the HTTP websites, Open Ports, Subdomains CNAME and more. All your data is securely saved in a relational database and you can request a dump of your data whenever you want.

When you finish your payment, you will receive an email with the server credentials and documentation about how to fill the configuration file and other details.

Note: Our private version is superior to the public version and you can’t achieve the same results using the last one, plus if you use our service you help us to keep the project alive and we will release plus features to this repo every X time.

Pricing

See available plans here.

The fastest and cross-platform subdomain enumerator.

The next table offers you the comparison about what is in Plus version that is not in free version (current repo).

What Findomain can do?

It table gives you a idea why you should use findomain and what it can do for you. The domain used for the test was aol.com in the following BlackArch virtual machine:

Host: KVM/QEMU (Standard PC (i440FX + PIIX, 1996) pc-i440fx-3.1)
Kernel: 5.2.6-arch1-1-ARCH
CPU: Intel (Skylake, IBRS) (4) @ 2.904GHz
Memory: 139MiB / 3943MiB

The tool used to calculate the time, is the time command in Linux.

Enumeration ToolSearch TimeTotal Subdomains FoundCPU UsageRAM Usage
Findomainreal 0m5.515s84110Very LowVery Low

Summary: 84110 subdomains in 5.5 seconds.

Features

  • Subdomains monitoring: put data to Discord, Slack or Telegram webhooks. See Subdomains Monitoring for more information.
  • Multi-thread support for API querying, it makes that the maximun time that Findomain will take to search subdomains for any target is 15 seconds (in case of API’s timeout).
  • Parallel support for subdomains resolution, in good network conditions can resolv about 3.5k of subdomains per minute.
  • DNS over TLS support.
  • Specific IPv4 or IPv6 query support.
  • Discover subdomains without brute-force, it tool uses Certificate Transparency Logs and APIs.
  • Discover only resolved subdomains.
  • Discover subdomains IP for data analysis.
  • Read target from user argument (-t) or file (-f).
  • Write to one unique output file specified by the user all or only resolved subdomains.
  • Write results to automatically named TXT output file(s).
  • Hability to query directly the Findomain database created with Subdomains Monitoring for previous discovered subdomains.
  • Hability to import and work data discovered by other tools.
  • Quiet mode to run it silently.
  • Cross platform support: Any platform, it’s written in Rust and Rust is multiplatform. See the documentation for instructions.
  • Multiple API support.
  • Possibility to use as subdomain resolver.
  • Subdomain wildcard detection for accurate results.
  • Support for subdomain discover using bruteforce method.
  • Support for configuration file in TOML, JSON, HJSON, INI or YAML format.
  • Custom DNS IP addresses for fast subdomains resolving (more than 60 per second by default, adjustable using the --threads option.

Findomain in depth

See Subdomains Enumeration: what is, how to do it, monitoring automation using webhooks and centralizing your findings for a detailed guide including real world examples of how you get the most out of the tool.

How it works?

It tool doesn’t use the common methods for sub(domains) discover, the tool uses Certificate Transparency logs and specific well tested APIs to find subdomains. It method make it tool the most faster and reliable. The tool make use of multiple public available APIs to perform the search. If you want to know more about Certificate Transparency logs, read https://www.certificate-transparency.org/

APIs that we are using at the moment:

  • Certspotter
  • Crt.sh Database (favorite) or Crt.sh HTTP API
  • Virustotal
  • Sublist3r
  • Facebook **
  • Spyse (CertDB) *
  • Bufferover
  • Threatcrowd
  • Virustotal with apikey **
  • AnubisDB
  • Urlscan.io
  • SecurityTrails **
  • Threatminer
  • C99 **
  • Archive.org
  • CTSearch

Notes

APIs marked with **require an access token to work. Search in the Findomain documentation how to configure and use it.

APIs marked with * can optionally be used with an access token, create one if you start experiencing problems with that APIs. Search in the Findomain documentation how to configure and use it.

More APIs?

If you know other APIs that should be added, comment here.

Installation

We offer binarys ready to use for the following platforms (all are for 64 bits only):

  • Linux
  • Windows
  • MacOS
  • Aarch64 (Raspberry Pi)
  • NixOS
  • Docker

If you need to run Findomain in another platform, continue reading the documentation.

Issues and requests

If you have a problem or a feature request, open an issue.

Stargazers over time

overtime

Contributors

This project exists thanks to all the people who contribute. See the contributors list.