LinuxCommandLibrary

sublist3r

Discover subdomains for a given domain

TLDR

Find subdomains for a domain

$ sublist3r --domain [domain_name]

Find subdomains for a domain, also enabling brute force search
$ sublist3r --domain [domain_name] --bruteforce

Save the found subdomains to a text file
$ sublist3r --domain [domain_name] --output [path/to/output_file]

Display help
$ sublist3r --help

SYNOPSIS

sublist3r [-d domain] [-b] [-v] [-t threads] [-o outputfile] [-e engines] [-p ports]

PARAMETERS

-d domain
    The target domain you want to enumerate subdomains for.

-b
    Enable brute force mode to try to guess subdomains using a wordlist.

-v
    Enable verbose mode to show more detailed output.

-t threads
    Set the number of threads to use for brute-forcing subdomains. Higher thread counts can improve speed but also increase resource usage.

-o outputfile
    Specify the file to save the results to.

-e engines
    Specify a comma-separated list of search engines and services to use (e.g., Google,Bing,Virustotal).

-p ports
    Test specified ports on discovered subdomains.

DESCRIPTION

Sublist3r is a Python tool designed to enumerate subdomains of websites using various open-source intelligence (OSINT) sources. It helps penetration testers and security researchers identify potential attack surfaces by discovering subdomains that may not be immediately obvious. It utilizes search engines, DNS records, certificate transparency logs, and other sources to comprehensively map a target domain's infrastructure.

Sublist3r is valuable for asset discovery, reconnaissance, and identifying potential vulnerabilities in subdomains. Its ability to gather information from multiple sources makes it a powerful tool for uncovering hidden or forgotten subdomains that could be exploited by attackers. The tool also provides options to brute-force subdomains, further expanding the potential attack surface discovery.

It is capable of using different search engines and external sources like Netcraft, DNSdumpster, Virustotal, ThreatCrowd, PassiveTotal, SecurityTrails, CRT.sh, and more, to gather subdomain information. The accuracy and completeness of the results depend on the availability and accessibility of these external services.

CAVEATS

The accuracy and completeness of Sublist3r's results depend heavily on the availability and accuracy of the external sources it utilizes. Some sources might require API keys or have rate limits, which can impact performance. Using brute-force mode can be resource-intensive and may be less effective against domains with strong subdomain naming conventions.

INSTALLATION

Sublist3r is typically installed using pip, the Python package installer. You might need to install Python and pip first. The basic installation command is:

$ pip install sublist3r

Consider using a virtual environment to manage dependencies.

USAGE EXAMPLES

  • Basic subdomain enumeration: sublist3r -d example.com
  • Saving results to a file: sublist3r -d example.com -o output.txt
  • Using specific search engines: sublist3r -d example.com -e Google,Bing
  • Brute-forcing subdomains: sublist3r -d example.com -b
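
For the asset-discovery use described above, the saved results are most useful when compared with what you already track. The script below is an added example, not part of the original page or of the Sublist3r project: it lists names from a results file that fall inside your domain but are missing from your inventory. It assumes the file written with -o holds one hostname per line; the function names, file names and sample data are hypothetical.

```shell
#!/bin/sh
# Added example: triage a Sublist3r results file against an asset inventory.
# Assumption: the file saved with -o contains one hostname per line.

# normalize FILE: lowercase, strip CRs, surrounding whitespace and a trailing
# dot, drop blank and comment lines, then sort and de-duplicate.
normalize() {
    tr -d '\r' < "$1" | tr '[:upper:]' '[:lower:]' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/\.$//' \
        | grep -v -e '^$' -e '^#' | sort -u
}

# unknown_subdomains DOMAIN RESULTS INVENTORY
# Prints hostnames from RESULTS that belong to DOMAIN but are not in INVENTORY.
# Runs in a subshell so its variables and locale setting do not leak out.
unknown_subdomains() (
    LC_ALL=C; export LC_ALL      # sort and comm must agree on ordering
    domain=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    tmp=$(mktemp -d) || exit 1
    # Keep only the domain itself or names ending in ".DOMAIN"; this drops
    # out-of-scope results such as look-alike or third-party hostnames.
    normalize "$2" \
        | awk -v d="$domain" \
            '$0 == d || substr($0, length($0) - length(d)) == "." d' \
        > "$tmp/found"
    normalize "$3" > "$tmp/known"
    comm -23 "$tmp/found" "$tmp/known"   # lines only in the results file
    rm -rf "$tmp"
)

# demo: runs the comparison on constructed sample data (not real scan output).
demo() (
    dir=$(mktemp -d) || exit 1
    printf '%s\n' 'www.example.com' 'VPN.example.com.' \
        'old-staging.example.com' 'www.example.com' 'cdn.example.net' \
        'notexample.com' > "$dir/found.txt"
    printf '%s\n' '# known hosts' 'www.example.com' 'vpn.example.com' \
        > "$dir/inventory.txt"
    unknown_subdomains example.com "$dir/found.txt" "$dir/inventory.txt"
    rm -rf "$dir"
)

# With three arguments, run the comparison on real files.
if [ "$#" -eq 3 ]; then unknown_subdomains "$@"; fi
```

Each name it prints is a host to assign an owner to or decommission.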

SEE ALSO

dig(1), host(1), nmap(1)
