LinuxCommandLibrary

sublist3r

Discover subdomains for a given domain

TLDR

Find subdomains for a domain
$ sublist3r --domain [domain_name]

Find subdomains for a domain, also enabling brute force search
$ sublist3r --domain [domain_name] --bruteforce

Save the found subdomains to a text file
$ sublist3r --domain [domain_name] --output [path/to/output_file]

Display help
$ sublist3r --help

SYNOPSIS

sublist3r -d <domain> [-b] [-p <ports>] [-v] [-t <threads>] [-e <engines>] [-o <file>] [-n]

PARAMETERS

-d, --domain <domain>
    Domain name whose subdomains are enumerated. Mandatory.

-b, --bruteforce
    Enable the bundled subbrute brute-force module. It uses subbrute's own wordlist (the names.txt shipped with the tool); there is no command-line option for a custom list. Every candidate name is queried against DNS, so this phase is active, not passive.

-p, --ports <ports>
    After enumeration, scan each discovered subdomain against the given comma-separated TCP ports (for example 80,443) and report which are open. No port scan runs unless this option is given; there is no default port list.

-v, --verbose
    Enable verbosity and print results as they are found instead of only at the end.

-t, --threads <n>
    Number of threads for the subbrute brute-force module (default 30). It does not affect the passive search-engine modules.

-e, --engines <list>
    Comma-separated list of sources to query instead of all of them. Recognised names: baidu, yahoo, google, bing, ask, netcraft, dnsdumpster, virustotal, threatcrowd, ssl, passivedns.

-o, --output <file>
    Save the discovered subdomains to a text file, one per line.

-n, --no-color
    Print output without ANSI color codes (useful when piping or logging).

-h, --help
    Display the help message and available options.

DESCRIPTION

sublist3r is a Python tool that enumerates subdomains of a target domain by querying public search engines and passive data sources, with an optional brute-force module. It is widely used by penetration testers, bug bounty hunters and security researchers to map a target's externally visible attack surface.

The passive sources are Google, Yahoo, Bing, Baidu, Ask, Netcraft, DNSdumpster, VirusTotal, ThreatCrowd, certificate transparency logs (crt.sh) and PassiveDNS. Those queries go to third parties, not to the target's DNS servers, so this phase leaves no trace on the target. The optional subbrute module is active: it brute-forces candidate names against DNS using a bundled wordlist and a configurable thread count (-t), and can find names that were never indexed. Results are printed as they are found with -v, or collected and printed at the end, and can be written to a file with -o.

CAVEATS

sublist3r's reliance on public search engines means it can be subject to rate limiting, CAPTCHAs or IP blocking by those services, especially during intensive or repeated use. The search-engine modules scrape HTML, so when a provider changes its page layout or starts serving CAPTCHAs a module can silently contribute nothing; cross-check against other tools (see SEE ALSO) rather than treating an empty result as proof of absence. Passive results are not validated: they routinely include names that no longer resolve, so resolve them (or use -p) before acting on the list. Brute-forcing and the -p port checks send traffic directly to the target's DNS and hosts, are visible to defenders, and can be slow; brute-force success depends entirely on subbrute's bundled wordlist. Users should follow ethical hacking guidelines and obtain proper authorization before scanning any domain.

INSTALLATION

sublist3r is a Python-based tool and can typically be installed by cloning its repository and installing dependencies:

`git clone https://github.com/aboul3la/Sublist3r.git`
`cd Sublist3r`
`pip install -r requirements.txt`
`python sublist3r.py -d example.com`

Some distributions package it as well; Kali Linux ships it as the sublist3r package (apt install sublist3r).

OUTPUT FORMAT

By default, sublist3r prints a banner and progress lines followed by the discovered subdomains on standard output, one per line, with ANSI colors; use -n to drop the colors when piping. With -p, each name is followed by the open ports that were found. The file written with -o contains only the subdomain names, newline-separated, which makes it the cleanest input for follow-on tools.
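The -o file (or the list returned by the sublist3r.main() entry point that the project README documents for use as a module) is raw: it can contain duplicates that differ only in case, wildcard names from certificate logs, and names that no longer resolve. The following script is an added example, not part of the Sublist3r project. It normalises such a list, keeps only names actually under the target, and checks which still resolve. SAMPLE_OUTPUT is a constructed stand-in for an -o file, the hypothetical file name clean_subs.py is an assumption, and the resolver is injectable so the logic can be exercised offline.

```python
"""
Added example (not part of the Sublist3r project): clean up the newline-separated
subdomain list Sublist3r writes with -o (or returns from sublist3r.main()), keep
only names actually under the target, and check which ones still resolve.
"""
import re
import socket
import sys
from typing import Callable, Dict, Iterable, List, Optional

# RFC 1123 hostname: labels of 1-63 chars, no leading/trailing hyphen, 253 max total.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(?:\.(?!-)[a-z0-9-]{1,63}(?<!-))*$"
)

# Constructed sample in the one-name-per-line format of an -o file; not real output.
SAMPLE_OUTPUT = """\
www.example.com
WWW.example.com
*.dev.example.com
mail.example.com.
api.example.com
notexample.com
example.com
bad_host.example.com
cdn.example.com
""".splitlines()

Resolver = Callable[[str], Optional[str]]


def normalize(lines: Iterable[str], domain: str) -> List[str]:
    """Lowercase, strip wildcards and trailing dots, drop duplicates, drop
    out-of-scope or malformed names, and return a sorted list."""
    domain = domain.strip().lower().rstrip(".")
    keep = set()
    for raw in lines:
        name = raw.strip().lower().rstrip(".")
        if not name:
            continue
        if name.startswith("*."):            # certificate-transparency wildcard entries
            name = name[2:]
        if name == domain or not name.endswith("." + domain):
            continue                          # the apex itself, or a look-alike such as notexample.com
        if not HOSTNAME_RE.match(name):
            continue                          # e.g. underscores are not valid in hostnames
        keep.add(name)
    return sorted(keep)


def resolve_all(names: Iterable[str], resolver: Optional[Resolver] = None) -> Dict[str, Optional[str]]:
    """Map each name to an IPv4 string or None. `resolver` is injectable so the
    logic can be tested offline; the default asks the system resolver."""
    if resolver is None:
        def resolver(host: str) -> Optional[str]:
            try:
                return socket.gethostbyname(host)
            except socket.gaierror:
                return None
    return {name: resolver(name) for name in names}


def live_only(names: Iterable[str], resolver: Optional[Resolver] = None) -> List[str]:
    """Subset of names that currently resolve; passive sources return stale entries."""
    return [n for n, ip in resolve_all(names, resolver).items() if ip]


def enumerate_with_module(domain: str, threads: int = 30, bruteforce: bool = False) -> List[str]:
    """Run Sublist3r in-process through the entry point its README documents
    (sublist3r.main). Imported lazily so the rest of this file works without it."""
    import sublist3r  # needs the cloned repo on sys.path or an installed package
    return sublist3r.main(domain, threads, None, ports=None, silent=True, verbose=False,
                          enable_bruteforce=bruteforce, engines=None)


if __name__ == "__main__":
    # usage: python clean_subs.py example.com sublist3r_output.txt
    target, path = sys.argv[1], sys.argv[2]
    with open(path) as fh:
        names = normalize(fh, target)
    for name, ip in resolve_all(names).items():
        print(f"{name}\t{ip or 'NXDOMAIN'}")
```

The scope check uses "." + domain rather than a substring match so that a look-alike registered domain (notexample.com) found by a search engine is never treated as in scope; the wildcard strip recovers dev.example.com from a *.dev.example.com certificate entry, which is a real host even though the wildcard itself is not.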

HISTORY

sublist3r was developed by Ahmed Aboul-Ela as a fast and simple tool to enumerate subdomains. It gained popularity in the security community due to its efficiency and ability to combine various passive reconnaissance techniques with an optional active brute-force approach. Its open-source nature and Python implementation made it easy to integrate into broader security workflows and contribute to its ongoing development and maintenance by the community.

SEE ALSO

fierce(1), dnsenum(1), theharvester(1), amass(1), assetfinder(1)
