sublist3r

Enumerate subdomains

$ sublist3r -d [example.com]

$ sublist3r -d [example.com] -o [subdomains.txt]

$ sublist3r -d [example.com] -e [google,bing,virustotal]

$ sublist3r -d [example.com] -t [10]

$ sublist3r -d [example.com] -b

$ sublist3r -d [example.com] -v

$ sublist3r -d [example.com] -p [80,443]

sublist3r [-d domain] [-o file] [-e engines] [options]

sublist3r is an OSINT reconnaissance tool that discovers subdomains of a target domain by querying multiple search engines and data sources. It aggregates results from Google, Bing, Yahoo, Baidu, Ask, Netcraft, VirusTotal, and other sources to build a comprehensive list of subdomains.
Beyond passive search engine enumeration, sublist3r can perform active DNS bruteforce using common subdomain wordlists. It also includes port scanning capabilities to identify which discovered subdomains have live services running on specified ports, helping prioritize targets during security assessments.
The tool is designed for authorized penetration testing and bug bounty reconnaissance. Multi-threading support allows faster enumeration, and results can be saved to files for further processing by other security tools.

-d, --domain DOMAIN

Target domain.

Output file.

Search engines.

Enable bruteforce.

Thread count.

Scan ports.

Verbose output.

For authorized testing only. Rate limiting may apply. Some engines require API keys.

Sublist3r was created by Ahmed Aboul-Ela for subdomain enumeration. It's widely used in penetration testing and bug bounty hunting.

amass(1), subfinder(1), dnsrecon(1)