Packages and Binaries:

findomain

Findomain is fastest and most complete solution for domain recognition. It supports screenshoting, port scanning, HTTP checks, data imports from other tools, subdomain monitoring, alerts via Discord, Slack & Telegram, multiple API Keys for sourcing and much more.

Installed size: 18.61 MB
How to install: sudo apt install findomain

findomain

root@kali:~# findomain -h
The fastest and cross-platform subdomain enumerator, do not waste your time.

Usage: findomain [OPTIONS]

Options:
  -t, --target <TARGET>
          Target host
  -r, --resolved
          Show/write only resolved subdomains
  -i, --ip
          Show/write the ip address of resolved subdomains
  -f, --file <FILES>
          Use a list of subdomains writen in a file as input
  -o, --output
          Write to an automatically generated output file. The name of the output file is generated using the format: target.txt. If you want a custom output file name, use the -u/--unique-output option
  -u, --unique-output <UNIQUE_OUTPUT>
          Write all the results for a target or a list of targets to a specified filename
  -m, --monitoring-flag
          Activate Findomain monitoring mode
      --postgres-user <POSTGRES_USER>
          Postgresql username
      --postgres-password <POSTGRES_PASSWORD>
          Postgresql password
      --postgres-host <POSTGRES_HOST>
          Postgresql host
      --postgres-port <POSTGRES_PORT>
          Postgresql port
      --postgres-database <POSTGRES_DATABASE>
          Postgresql database
  -q, --quiet
          Remove informative messages but show fatal errors or subdomains not found message
      --query-database
          Query the findomain database to search subdomains that have already been discovered
      --import-subdomains <IMPORT_SUBDOMAINS>
          Import subdomains from one or multiple files. Subdomains need to be one per line in the file to import
      --enable-dot
          Enable DNS over TLS for resolving subdomains IPs
      --ipv6-only
          Perform a IPv6 lookup only
      --threads <THREADS>
          Number of threads to use for lightweight tasks such as IP discovery and HTTP checks. Deprecated option, use --lighweight-threads instead. This would be removed in the future
      --lightweight-threads <LIGHTWEIGHT_THREADS>
          Number of threads to use for lightweight tasks such as IP discovery and HTTP checks. Default is 50
      --screenshots-threads <SCREENSHOTS_THREADS>
          Number of threads to use to use for taking screenshots. Default is 10
      --parallel-ip-ports-scan <PARALLEL_IP_PORTS_SCAN>
          Number of IPs that will be port-scanned at the same time. Default is 10
      --tcp-connect-threads <TCP_CONNECT_THREADS>
          Number of threads to use for TCP connections - It's the equivalent of Nmap's --min-rate. Default is 500
      --resolvers <CUSTOM_RESOLVERS>
          Path to a file (or files) containing a list of DNS IP address. If no specified then Google, Cloudflare and Quad9 DNS servers are used
      --aempty
          Send alert to webhooks still when no new subdomains have been found
  -x, --as-resolver
          Use Findomain as resolver for a list of domains in a file
  -w, --wordlist <WORDLISTS>
          Wordlist file to use in the bruteforce process. Using it option automatically enables bruteforce mode
      --no-wildcards
          Disable wilcard detection when resolving subdomains
      --filter <STRING_FILTER>
          Filter subdomains containing specifics strings
      --exclude <STRING_EXCLUDE>
          Exclude subdomains containing specifics strings
      --exclude-sources <EXCLUDE_SOURCES>
          Exclude sources from searching subdomains in [possible values: certspotter, crtsh, sublist3r, facebook, spyse, threatcrowd, virustotalapikey, anubis, urlscan, securitytrails, threatminer, c99, bufferover_free, bufferover_paid]
      --http-status
          Check the HTTP status of subdomains
  -c, --config <CONFIG_FILE>
          Use a configuration file. The default configuration file is findomain and the format can be toml, json, hjson, ini or yml
      --rate-limit <RATE_LIMIT>
          Set the rate limit in seconds for each target during enumeration
      --pscan
          Enable port scanner
      --iport <INITIAL_PORT>
          Initial port to scan. Default 0
      --lport <LAST_PORT>
          Last port to scan. Default 1000
  -v, --verbose
          Enable verbose mode (useful to debug problems)
      --mtimeout
          Allow Findomain to insert data in the database when the webhook returns a timeout error
      --no-monitor
          Disable monitoring mode while saving data to database
  -s, --screenshots <SCREENSHOTS_PATH>
          Path to save the screenshots of the HTTP(S) website for subdomains with active ones
      --sandbox
          Enable Chrome/Chromium sandbox. It is disabled by default because a big number of users run the tool using the root user by default. Make sure you are not running the program as root user before using this option
  -j, --jobname <JOBNAME>
          Use an database identifier for jobs. It is useful when you want to relate different targets into a same job name. To extract the data by job name identifier, use the query-jobname option
      --query-jobname
          Extract all the subdomains from the database where the job name is the specified using the jobname option
      --http-timeout <HTTP_TIMEOUT>
          Value in seconds for the HTTP Status check of subdomains. Default 5
      --tcp-connect-timeout <TCP_CONNECT_TIMEOUT>
          Value in milliseconds to wait for the TCP connection (ip:port) in the ports scanning function. Default 2000
      --stdin
          Read from stdin instead of files or aguments
      --ua <USER_AGENTS_FILE>
          Path to file containing user agents strings
      --randomize
          Enable randomization when reading targets from files
      --no-resolve
          Disable pre-screenshotting jobs (http check and ip discover) when used as resolver to take screenshots
      --external-subdomains
          Get external subdomains with amass and subfinder
      --validate
          Validate all the subdomains from the specified file
      --resolver-timeout <RESOLVER_TIMEOUT>
          Timeout in seconds for the resolver. Default 1
      --http-retries <HTTP_RETRIES>
          Number of retries for the HTTP Status check of subdomains. Default 1
      --double-dns-check
          Enable double DNS check. This means that the subdomains that report an IP address are checked again using a list of trustable resolvers to avoid false-positives. Only applies when using custom resolvers
  -n, --no-discover
          Prevent findomain from searching subdomains itself. Useful when you are importing subdomains from other tools
      --max-http-redirects <MAX_HTTP_REDIRECTS>
          Maximum number of HTTP redirects to follow. Default 0
      --reset-database
          Reset the database. It will delete all the data from the database
  -h, --help
          Print help
  -V, --version
          Print version