FINDOMAIN(1) User Commands FINDOMAIN(1) NAME Findomain - manual page for Findomain 9.0.1 DESCRIPTION Findomain 9.0.1 Eduard Tolosa The fastest and cross-platform subdomain enumerator, do not waste your time. USAGE: findomain [FLAGS] [OPTIONS] FLAGS: -x, --as-resolver Use Findomain as resolver for a list of domains in a file. --mtimeout Allow Findomain to insert data in the database when the webhook returns a timeout error. --enable-dot Enable DNS over TLS for resolving subdomains IPs. --aempty Send alert to webhooks still when no new subdomains have been found. --external-subdomains Get external subdomains with amass and subfinder. -h, --help Prints help information --http-status Check the HTTP status of subdomains. -i, --ip Show/write the ip address of resolved subdomains. --ipv6-only Perform a IPv6 lookup only. -m, --monitoring-flag Activate Findomain monitoring mode. -n, --no-discover Prevent findomain from searching subdomains itself. Useful when you are importing subdomains from other tools. --no-double-dns-check Disable double DNS check. Currently the subdomains that report an IP address are checked again using a list of trustable resolvers to avoid false-positives. Only applies when using custom resolvers. --no-monitor Disable monitoring mode while saving data to database. --no-resolve Disable pre-screenshotting jobs (http check and ip discover) when used as resolver to take screenshots. --no-wildcards Disable wilcard detection when resolving subdomains. -o, --output Write to an automatically generated output file. The name of the output file is generated using the format: target.txt. If you want a custom output file name, use the -u/--unique-output option. --pscan Enable port scanner. --query-database Query the findomain database to search subdomains that have already been discovered. --query-jobname Extract all the subdomains from the database where the job name is the specified using the jobname option. -q, --quiet Remove informative messages but show fatal errors or subdomains not found message. --randomize Enable randomization when reading targets from files. --reset-database Reset the database. It will delete all the data from the database. -r, --resolved Show/write only resolved subdomains. --sandbox Enable Chrome/Chromium sandbox. It is disabled by default because a big number of users run the tool using the root user by default. Make sure you are not running the program as root user before using this option. --stdin Read from stdin instead of files or aguments. --validate Validate all the subdomains from the specified file. -V, --version Prints version information -v, --verbose Enable verbose mode (useful to debug problems). OPTIONS: -c, --config Use a configuration file. The default configuration file is findomain and the format can be toml, json, hjson, ini or yml. --resolvers ... Path to a file (or files) containing a list of DNS IP address. If no specified then Google, Cloudflare and Quad9 DNS servers are used. --exclude-sources ... Exclude sources from searching subdomains in. [possible values: certspotter, crtsh, sublist3r, facebook, spyse, threatcrowd, virustotalapikey, anubis, urlscan, securitytrails, threatminer, archiveorg, c99, bufferover_free, bufferover_paid] -f, --file ... Use a list of subdomains writen in a file as input. --http-retries Number of retries for the HTTP Status check of subdomains. Default 1. --http-timeout Value in seconds for the HTTP Status check of subdomains. Default 5. --import-subdomains ... Import subdomains from one or multiple files. Subdomains need to be one per line in the file to import. --iport Initial port to scan. Default 0. -j, --jobname Use an database identifier for jobs. It is useful when you want to relate different targets into a same job name. To extract the data by job name identifier, use the query-jobname option. --lport Last port to scan. Default 1000. --lightweight-threads Number of threads to use for lightweight tasks such as IP discovery and HTTP checks. Default is 50. --max-http-redirects Maximum number of HTTP redirects to follow. Default 0. --parallel-ip-ports-scan Number of IPs that will be port-scanned at the same time. Default is 10. --postgres-database Postgresql database. --postgres-host Postgresql host. --postgres-password Postgresql password. --postgres-port Postgresql port. --postgres-user Postgresql username. --rate-limit Set the rate limit in seconds for each target during enumeration. --resolver-timeout Timeout in seconds for the resolver. Default 1. -s, --screenshots Path to save the screenshots of the HTTP(S) website for subdomains with active ones. --screenshots-threads Number of threads to use to use for taking screenshots. Default is 10. --exclude ... Exclude subdomains containing specifics strings. --filter ... Filter subdomains containing specifics strings. -t, --target Target host. --tcp-connect-threads Number of threads to use for TCP connections - It's the equivalent of Nmap's --min-rate. Default is 500. --tcp-connect-timeout Value in milliseconds to wait for the TCP connection (ip:port) in the ports scanning function. Default 2000. --threads Number of threads to use for lightweight tasks such as IP discovery and HTTP checks. Deprecated option, use --lighweight-threads instead. This would be removed in the future. -u, --unique-output Write all the results for a target or a list of targets to a specified filename. --ua Path to file containing user agents strings. -w, --wordlist Wordlist file to use in the bruteforce process. Using it option automatically enables bruteforce mode. SEE ALSO The full documentation for Findomain is maintained as a Texinfo manual. If the info and Findomain programs are properly installed at your site, the command info Findomain should give you access to the complete manual. Findomain 9.0.1 September 2023 FINDOMAIN(1)