LinuxCommandLibrary

sublist3r

Discover subdomains for a given domain

TLDR

Find subdomains for a domain

$ sublist3r --domain [domain_name]
copy

Find subdomains for a domain, also enabling brute force search
$ sublist3r --domain [domain_name] --bruteforce
copy

Save the found subdomains to a text file
$ sublist3r --domain [domain_name] --output [path/to/output_file]
copy

Display help
$ sublist3r --help
copy

SYNOPSIS

sublist3r -d DOMAIN [options]

PARAMETERS

-d DOMAIN, --domain DOMAIN
    Target domain name to enumerate subdomains for

-b, --bing
    Use Bing search engine

-g, --google
    Use Google search engine

-B, --baidu
    Use Baidu search engine

-D, --dnsdumpster
    Use DNSdumpster for enumeration

-Y, --yahoo
    Use Yahoo search engine

-A, --all
    Use all available search engines

-V, --virustotal
    Use VirusTotal for subdomain data

-o SUBDOMAINS, --output SUBDOMAINS
    Save results to specified output file

-t THREADS, --threads THREADS
    Set number of threads (default: 10)

-e ENGINES, --engines ENGINES
    Comma-separated list of search engines

-v, --verbose
    Enable verbose output

-p PORTS, --ports PORTS
    Comma-separated ports to scan on subdomains

-n, --no-bruteforce
    Disable bruteforce subdomain enumeration

-i INPUT, --input INPUT
    Input file with list of domains to enumerate

DESCRIPTION

Sublist3r is a fast and powerful open-source Python tool designed for subdomain enumeration during reconnaissance phases of penetration testing and bug bounty hunting.

It leverages various search engines such as Google, Bing, Yahoo, Baidu, and others, along with sources like VirusTotal and DNSdumpster, to discover subdomains associated with a target domain. By querying these engines with specialized search operators (dorks), Sublist3r extracts and deduplicates subdomains efficiently.

Key features include multi-threaded operation for speed, optional port scanning on discovered subdomains, bruteforce enumeration (which can be disabled), and output to files. It supports verbose mode for detailed logging and custom engine selection.

Installation typically involves cloning the GitHub repository and installing Python dependencies like requests and dnspython. While effective for passive reconnaissance, results depend on search engine indexing and may require proxies to avoid rate limits. Sublist3r is widely used in cybersecurity for mapping attack surfaces without direct interaction with the target.

CAVEATS

Not a standard Linux command; requires Python installation via GitHub clone and pip install -r requirements.txt. Search engines may block or rate-limit requests; use proxies/VPNs. Bruteforce can be noisy and slow. No API keys needed but results vary by engine availability and indexing.

INSTALLATION

git clone https://github.com/aboul3la/Sublist3r.git
cd Sublist3r/
pip3 install -r requirements.txt
python3 sublist3r.py -h

EXAMPLE USAGE

sublist3r -d example.com -o results.txt -v -A
Enumerates subdomains using all engines, verbose, saves to file.

HISTORY

Developed by Ahmed Aboul-Ela and first released on GitHub in 2014. It gained popularity in the infosec community for its simplicity and effectiveness in OSINT-based subdomain discovery. Regular updates added engines like VirusTotal and improved threading/port scanning. Over 10k stars on GitHub, actively forked for modern Python versions.

SEE ALSO

amass(1), dnsrecon(1), fierce(1)

Copied to clipboard