Search Tools
EASM Tools
Data Access
Compare: Netlas and ...
Security Analysis
Security Research
Featured Reads
Learn
Misc
Connect

Newest CVE, Featured Searches, Updates & Announcements

1-2 posts per week

Important Updates, Sales & Promos

Email newsletter

Once a month
Please, sign in to manage newsletter subscription

  1. Home
  2. Blog

Using Subfinder with Netlas Module

February 7, 2025

3 min read

Instructions for using the Netlas module integrated into Subfinder from ProjectDiscovery.
Jump to comments
LinkedIn
Telegram
Reddit

Subfinder is a utility from ProjectDiscovery designed for passively list subdomains. It is distinguished by its speed, abundance of available sources, ease of setup, and its popularity. Moreover, relatively recently, the ProjectDiscovery team integrated Netlas into their tool, adding a new search module.

This article will tell you exactly how to connect Netlas when using Subfinder, what settings you need to make in the configuration file, and what restrictions you may encounter.

Installing

Installing the utility is quite simple. There are three options in total:

  1. Build from sources using the go command. This method will be described in more detail.

  2. Download the archive of the required release and unpack it.

  3. Clone the repository from GitHub and use the build command.

Let’s focus on the first method. First, you need to check if the Go language is installed on your device and if its version meets the requirements of the tool. To do this, enter the following command in the terminal:

go version

The result should be something like this:

Go Version Go Version

If you do not have the language or the required version (min. 1.21), you can install it via snap using the following command:

snap install go

Once you download the language pack, you can proceed directly to installing Subfinder. To do this, ProjectDiscovery recommends the command:

go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest

Installing complete!

Configuration

In general, you can already use Subfinder. However, the purpose of this article is to connect the Netlas module to it. Therefore, the next step will be setting up the configuration file.

Here we need to make changes to two files at once: config.yaml and provider-config.yaml. Go to the subfinder directory and check for their presence.

  • on the Debian-based systems
    $HOME/.config/subfinder
  • on the MacOS
    /Users/user/Library/Application Support/subfinder

If the directory is empty or missing, run Subfinder using the command:

subfinder -h

This will give you a short list of settings and options for the utility. It should look like the following image:

Subfinder Settings Subfinder Settings

After this, return to the $HOME/.config/subfinder directory.

So what do we need to configure? Let’s start by entering the API key. Open provider-config.yaml, find the line dedicated to Netlas, and add your API key in square brackets. It is simple.

Insert API Key Insert API Key

The next step is to configure the frequency of calls to the API. The fact is that Netlas does not return results more than once per second. The developers at ProjectDiscovery considered this by setting a wait in the code, but in my testing, it turned out that this limitation does not always work. Therefore, it is better to configure the delay separately in the configuration file.

To do this, open config.yaml. There you need to find the rate-limits line, uncomment it, and add the line “netlas=1/s” in square brackets. It will look like this:

Netlas API Rate Netlas API Rate

This completes the basic setup required to use the Netlas module inside Subfinder. You can also read the configuration files yourself in case you need to connect other tools, such as Shodan or Censys. I will move on to examples of use.

Usage

Let’s start with Subfinder flags.

The -d or -dL flags are used to specify the target domain. The first implies that you are looking for subdomains for only one domain name (I will use this one in the examples), and the second is for a number of names.

Next, you need to specify the data source. The flags used here are -s (one source, will be used in the examples), -recursive (only sources that support recursive search of subdomains are launched), -all (all sources, slowest mode), and -es (excluding some sources from the list).

Thus, to search for subdomains using the Netlas module, we can use the following command:

subfinder -d target.com -s netlas

This command should return all subdomains of the target.com site. Let’s launch it.

target.com exploration target.com exploration

A total of 1982 subdomains were found. By opening netlas.io, you can verify that this is exactly how much is stored in the Netlas database.

Subdomains in Netlas Subdomains in Netlas

Conclusion

Many information security professionals prefer a powerful tool such as Subfinder. In turn, Netlas is one of the best IoT search engines. Their combination can give you truly high-quality reconnaissance, and the connection of some other sources, such as Shodan and Censys, will leave no chance for the surface being explored to hide something.

LinkedIn
Telegram
Reddit

Related Posts

All posts →
Let’s stay in touch.