See: https://securitytrails.com/blog/subdomain-finder
And: https://github.com/secops4thewin/securitytrails-python/blob/master/securitytrails.py

• Example
  https://api.securitytrails.com/v1/domain/github.com/subdomains?apikey=YOUR.API.KEY.HERE

I've just updated findomain to 3.0 and noticed the output txt file is no more one subdomain per line, the output is continuous now.

This is happening when using file as input, single target domain and for both output methods, -o and -u.

Look like the new line code is missing.

Hi,

I got error when try cargo build --release

error: enum variants on type aliases are experimental
   --> /home/wayc0de/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-rustls-0.10.2/src/lib.rs:260:9
    |
260 |         Self::Client(s)
    |         ^^^^^^^^^^^^

error: enum variants on type aliases are experimental
   --> /home/wayc0de/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-rustls-0.10.2/src/lib.rs:266:9
    |
266 |         Self::Server(s)
    |         ^^^^^^^^^^^^

error: aborting due to 2 previous errors

error: Could not compile `tokio-rustls`.
warning: build failed, waiting for other jobs to finish...
error: build failed

Hope you can help me

Thank you

I get a lot of An error occurred while parsing the JSON obtained from the {} API. Error description: {}. errors and I'd love to see the "JSON" (I suspect findomain is receiving some sort of rate-limiting error page...) that caused the error.

Thanks for the great tool!

Hi,
Findomain is a very verbose tool. It outputs a lot of things to stdout that make automation/piping hard. For example, I can't do something like findomain -t example.com -r | httprobe.

It would be really nice if you can add a quiet mode with a --quiet/-q flag that will make the tool output subdomains only without any of the extra text such as Searching in the * API and A total of * subdomains were found etc. Just subdomains!

Estaria bueno agregar un status response y tecnologia usada (un fingerprint rapido), como lo hace la herramienta knockpy, esta herramienta te brinda codigos de estado (400,200,etc) tipo (host,alias) ip, dominio y servidor (apache, iis, etc).
Gracias por tu herramienta, se convirtio en mi favorita, saludos desde Argentina

Hello,

Would it be possible to save new domains found in a text file also when using the monitor mode?
So just the new ones, after the first iteration. That would be helpful when automating the flow between multiple tools.
Many thanks!

Some users only want to see IPv4 or IPv6 addresses in the results.
So I suggest that the normal IP switch shows all IPs and two additional switches show only IPv6 or IPv4 addresses in the results.

Hi @Edu4rdSHL,
Thanks for the last update, it looks good, but unfortunately there is an error.

git clone https://github.com/Edu4rdSHL/findomain.git -b develop # Only the develop branch is needed
cd '/home/user/findomain'
git pull
cargo build --release
sudo cp target/release/findomain /usr/bin/
cd

1. $ findomain -f "/URLsToScan.txt" -u '/URLsToScanDONE.txt'

2. Error: Target is invalid, please try again.

ExampleURLs in the file:

0769.it
1337pool.net
1dig.pro
1isolution.com
1stminingpool.com

When the error occurs, the program stops working.

See:

https://urlscan.io/api/v1/search/?q=domain:example.com

I just looked at the WaybackMachine API, that should work with the following URLs...
http://web.archive.org/cdx/search/cdx?url=example.com*&output=txt
http://web.archive.org/cdx/search/cdx?url=example.com*&output=json
http://web.archive.org/cdx/search/cdx?url=example.com*&output=txt&limit=999999
https://github.com/internetarchive/wayback/tree/master/wayback-cdx-server#filtering
http://web.archive.org/cdx/search/cdx?url=*.google.com&output=json&collapse=urlkey

You're currently using clap directly, in case you aren't aware of it you can give structopt a try, it makes it easier to access the parsed arguments. Real life example can be found here.

If you're interested I can prepare a PR for this.

hello , i already try a lot but i have a lot of issue on monitoring , can someone give the process
some probleme i got :
1* i already export but i got this message
1- You need to set at least one webhook variable. For Discord set the findomain_discord_webhook system variable and for Slack set the findomain_slack_webhook variable. Exiting.

2- psql: FATAL: Peer authentication failed for user "postgres"

I prefer the easy way like CURL
Example:
curl --doh-url https://dns.nextdns.io/[Your_ID] domain.url.com/download.example
With DNS over TLS, searching for subdomains is safer.

Thanks for the big update to allow monitoring using the tool.

When trying to monitor single domain or a file using -f and publish the result to slack, getting the below error:

An error occurred when Findomain tried to publish the data to the following webhook https://hooks.slack.com/services/XXXXXXXXXX.
Error description: 400 Bad Request

The same webhook is working with other message or manually pushing a test message.

I downloaded the binary, but how do I dock the api?

Hi, findomain is really awesome tool. But I didn't any options to specify the filename of the output. Can you add an option for it?

It's default append _<number> to the target and that makes a little bit inconvenience for some automation workflow. Currently, I'm grepping >> from the stdout for that purpose :).

Best regards.

Hi

First of all awesome tool but I think it lacks one of the main purposes of the subdomain tools of alerting the user if some asset is pushed in the wild and instead user have to run the tool in some time and manually review which domain had been in the past and which one is new. Quite a hectic task but it would be cool if you integrate it in your new releases.

Cheers!

Hi.

Thanks for your work.

I have some problem on Windows Server, Windows 7, Kali Linux.

Pic related.

White IP, no firewall, stable connection, admin rights.

Thanks.

Hi! This tools is really handy but right now it is hard to consume the output in some programmatic way. It would be really cool if we could specify some sort of output file that would be created with results, it could be a JSON or CSV file, probably a txt file with list of subdomain would be also useful.

What do you think?

Hi,

Would be great to have the option of storing the output in a single file, for better handling in automation. Currently when scanning a massive list of domains it outputs hundreds/thousands .txt files.

Thanks!

A configuration file would be very useful to store tokens and other settings (E.g. DNS settings).

Dear users, please put in comments APIs that you think should be added to findomain, it will help me a lot to improve the tool.

Note: what make findomain unique is that it only use APIs and doesn't do searchs in Google, etc. that's the secret why it's so faster. I haven't plans to add that to findomain then put only APIs (post or get) here still if they're not directly relationed with Certificate Transparency logs but can be used to discover subdomains.

Please, the following APIs are already implemented, make sure that the API that you want is not in that list:

• Certspotter
• Crt.sh
• Virustotal
• Sublit3r
• Facebook
• Spyce

Pull requests are more than welcome

I get this error when running the tool

An error occurred while parsing the JSON obtained from the Facebook API. Error description: JSON error.

CRT API will timeout when attempting to return very large results, a solution could be to use the CRT DB like what was done here https://github.com/yassineaboukir/sublert/blob/master/sublert.py#L158
official announcement of the CRT DB was done here https://groups.google.com/d/msg/crtsh/sUmV0mBz8bQ/K-6Vymd_AAAJ

Good job men !

I don't know the language which it used to build it to help you but can you add a column with the timestamp of the execution, could be like the date with hours like YYYY-MM-DD-hh-mm.

It could be useful.

Thanks !

Can you add support for ARM devices? Will be good to have the tool running there.

If you cannot use a specific source, it is very useful to exclude these sources directly to save time when scanning for subdomains.

• Example:
  findomain --threads 100 -ex facebook virustotal -q -f "/URLsToScan.txt" -u '/URLsToScanDONE.txt'

• Note: -ex for excluding sources.

Really appreciate your work @Edu4rdSHL , Many thanks for your works. Please find below as the optional request for findomain

Can we please have -i as the optional feature as it has been removed/ replaced by -r since 0.3.0 .

Sometimes it is very useful to identify the content behind the ip patterns , example : by observing one ip we can guess all the similar ips will have the firewall enables or etc etc. which really saves a lots of time.

Thanks Again @Edu4rdSHL , this is a great tool :) 👍

Hello!

I have so many subdomains that discord gets flooded with no new subdomains found for ...

Also, would be cool if we could add the IP addresses that they resolve to!

Hi,

Would be great to have the option to save a list of subdomains which are live (resolved).
That would be useful in automation, as the output can be fed into other tools without cutting/grepping first.

Thanks!

Could we get an option to add what a discovered subdomain is resolving to in the notification that is send to discord?

Actually we don't have a option to query directly the Findomain database and search subdomains for a target that have already been monitored.

The emoticons can not be displayed correctly in many consoles even if the correct font is installed. So I recommend to remove the emoticons.

Screenshot:

why I'm getting this error? I use mac.

MBP:Security xxp$ ./findomain-osx -h
findomain 0.8.0
Eduard Tolosa [email protected]
The fastest and cross-platform subdomain enumerator, don't waste your time.

MBP:Security xxp$ findomain_spyse_token="TsKL5..." findomain-osx -(options)
-bash: syntax error near unexpected token ('
MBP:Security xxp$
MBP:Security xxp$
MBP:Security xxp$ findomain_spyse_token="TsKL5..." findomain -(options)
-bash: syntax error near unexpected token ('
MBP:Security xxp$

• Example:
  https://api.threatminer.org/v2/domain.php?q=github.com&api=True&rt=5

Hi,

In order to speed the DNS resolving, you can look into using using public resolvers (massdns like).
However the resolvers list must be kept fresh, possibly by using something like this https://github.com/Abss0x7tbh/bass

Thanks!

Now that Findomain allows monitoring and fetching subdomains from the postgresql database, it'll be great to have a feature to import subdomains enumerated from other tools.

The feature inclusion will allow users to use findomain to manage subdomains collated from various tools (since no-one uses a single tool for recon).

A quick check after the 0.4.1 update, there is no option/message to check if the domain is already monitored. A tag -ml (monitored list) or just -l (list) to get the list of monitored domains would be really handy in the long run.

Additionally, how frequently does findomain check for new domains and passes to the webhook?

An error occurred while parsing the JSON obtained from the Sublist3r API. Error description: JSON error.

Currently Findomain is using synchronous HTTP request method that means, every request wait for the previous request to end. But as Findomain is growing, more API's need to be added and synchronous requests aren't the way to go if Findomain want to continue being the most faster subdomain enumerator.

I'm working on a asynchronous HTTP request implementation (means that all requests can be done at the same time), that will make Findomain at least 5x more faster than actual. Until I finished it I will not add more API's. When it implementation is finished then I will add many API's (commented in #7) to sources as I want at the same price in terms of time.

exec format error: findomain

Hi! Thanks for creating this tool. I was reading your article in Medium, as you suggested I am opening an issue to request a new webhook if possible: Telegram.

Thanks Again!

Hi, I noticed that using the precompiled binary I am able to specify a filename to put the results in like, ./findomain --output subdomains.txt --target example.com but I cant if I install it using the source code. I did make a hacky way of this on the code locally but I guess it would be nice if you could add this functionality.

1. In src/cli.yml
   output:
   [...]
   takes_value: true

2. In src/main.rs
   if matches.is_present("target") && matches.is_present("output") {
   let target = matches.value_of("target").unwrap().to_string();
   let output = matches.value_of("output").unwrap().to_string();
   let with_output = "y";
   let file_name = [&output, ""].concat();

So, I am using the output variable to specify the filename.

Thanks!

Hi,

Wanted to test your tool and got these errors:

root@2d9bdeceecc7:/opt# ./findomain-linux -V
findomain 0.2.1
root@2d9bdeceecc7:/opt# ./findomain-linux -a -t microsoft.com

Target ==> microsoft.com

Searching in the CertSpotter API... 🔍
An error ❌ as occured while procesing the request in the CertSpotter API. Error description: error trying to connect

Searching in the Crtsh API... 🔍
An error ❌ as occured while procesing the request in the Crtsh API. Error description: error trying to connect

Searching in the Virustotal API... 🔍
An error ❌ as occured while procesing the request in the Virustotal API. Error description: error trying to connect

Searching in the Sublist3r API... 🔍
An error ❌ as occured while procesing the request in the Sublist3r API. Error description: error trying to connect

Searching in the Facebook API... 🔍
An error ❌ as occured while procesing the request in the Facebook API. Error description: error trying to connect

Actually you can't choose what DNS resolver use, Findomain uses system configuration by default, if it fails to read the configuration then try to use Cloudflare, if it fails then Quad9 and finally Google.

The implementation will make possible a user's choice to select what DNS to use. The option will be --dns cloudflare/quad9/google and if not option is specified then use system's configuration. It will also works for #37.

A total of 113 subdomains were found for ==> xxx.target.com 👽

thread 'main' panicked at 'Failed to create file.: Os { code: 13, kind: PermissionDenied, message: "Permission denied" }', src/libcore/result.rs:999:5
note: Run with RUST_BACKTRACE=1 environment variable to display a backtrace.

Hi,
I've recently noticed quite a bit of timeout for the slack webhook. This is both when using high number of threads like 200 and also while running it in default mode.

• Example:
  https://www.entrust.com/ct-search/?domain=github.com&includeExpired=true&exactMatch=false