Sublist3r

Sublist3r is a Python tool for enumerating subdomains using multiple online sources (Google, Yahoo, Bing, Baidu, Ask.com, Netcraft, etc.) and DNS brute-force. Combines passive and active reconnaissance techniques.

Installation

From GitHub

git clone https://github.com/aboul3la/Sublist3r.git
cd Sublist3r
pip install -r requirements.txt

# Make executable
chmod +x sublist3r.py

Via pip

pip install sublist3r

# Verify
sublist3r -h

Docker

docker pull aboul3la/sublist3r
docker run -it aboul3la/sublist3r -d example.com

Basic Usage

Command	Description
python sublist3r.py -d example.com	Enumerate subdomains
sublist3r -d example.com -o results.txt	Save to file
sublist3r -d example.com -b	Brute-force subdomains
sublist3r -d example.com -p 80,443	Scan specific ports
sublist3r -d example.com -t 10	Use 10 threads
sublist3r -l domains.txt	Multiple domains
sublist3r -d example.com -v	Verbose output

Subdomain Enumeration

Basic Enumeration

# Simple enumeration
python sublist3r.py -d example.com

# With output file
python sublist3r.py -d example.com -o subdomains.txt

# Verbose output
python sublist3r.py -d example.com -v

# Save as JSON
python sublist3r.py -d example.com -o results.json -e json

Brute Force DNS

# Enable brute force
python sublist3r.py -d example.com -b

# Brute force with custom wordlist
python sublist3r.py -d example.com -b -w /path/to/wordlist.txt

# Brute force specific threads
python sublist3r.py -d example.com -b -t 30

# Combine passive + brute force
python sublist3r.py -d example.com -b -t 50

Port Scanning

# Scan common ports
python sublist3r.py -d example.com -p 80,443

# Scan extended port range
python sublist3r.py -d example.com -p 20,21,22,23,25,53,80,443,445,3306,3389

# Don't scan ports
python sublist3r.py -d example.com -p 0

Search Engine Control

# Use specific search engines
python sublist3r.py -d example.com -e google,bing,yahoo

# List all engines
python sublist3r.py -h | grep -A 50 "search engines"

# All engines (default)
python sublist3r.py -d example.com

Multiple Domains

# Enumerate from file (one domain per line)
python sublist3r.py -l domains.txt

# With output files
python sublist3r.py -l domains.txt -o results

# Batch processing
while read domain; do
  echo "[*] Enumerating $domain..."
  python sublist3r.py -d $domain -o $domain.txt
done < domains.txt

Advanced Techniques

OSINT & Reconnaissance

Comprehensive Subdomain Enumeration

#!/bin/bash
# Complete enumeration workflow

TARGET="example.com"
OUTPUT_DIR="sublist3r_recon"
mkdir -p "$OUTPUT_DIR"

echo "[*] Running passive enumeration..."
python sublist3r.py -d $TARGET -o "$OUTPUT_DIR/passive.txt" -v

echo "[*] Running brute force DNS..."
python sublist3r.py -d $TARGET -b -t 50 -o "$OUTPUT_DIR/bruteforce.txt" -v

# Combine results
echo "[*] Combining results..."
cat "$OUTPUT_DIR/passive.txt" "$OUTPUT_DIR/bruteforce.txt" | \
  sed 's/ :\s[0-9]*$//' | \
  sort -u > "$OUTPUT_DIR/all_subdomains.txt"

# Analyze results
echo ""
echo "=== Results Summary ==="
echo "Passive only: $(wc -l < $OUTPUT_DIR/passive.txt)"
echo "Brute force only: $(wc -l < $OUTPUT_DIR/bruteforce.txt)"
echo "Combined unique: $(wc -l < $OUTPUT_DIR/all_subdomains.txt)"

# Find new subdomains (brute force discovered)
echo ""
echo "=== New from Brute Force ==="
comm -23 "$OUTPUT_DIR/bruteforce.txt" "$OUTPUT_DIR/passive.txt" | sort -u

Port Scanning Integration

#!/bin/bash
# Enumerate and scan for open ports

TARGET="example.com"

echo "[*] Enumerating subdomains..."
python sublist3r.py -d $TARGET -p 80,443,22,3306,5432 -o results.txt

# Parse and analyze
echo ""
echo "=== Subdomains with Open Ports ==="
grep -E ":\s(80|443|22|3306|5432)" results.txt

# Group by port
echo ""
for port in 80 443 22 3306; do
  echo "Port $port:"
  grep ": $port$" results.txt | sed "s/\s:.*$//"
done

Subdomain Categorization

#!/bin/bash
# Classify discovered subdomains

python sublist3r.py -d example.com -o subdomains.txt

# Extract subdomain patterns
echo "=== API/Service Subdomains ==="
grep -iE "(api|service|gateway|backend)" subdomains.txt

echo ""
echo "=== Development/Test ==="
grep -iE "(dev|test|staging|qa|sandbox)" subdomains.txt

echo ""
echo "=== User-related ==="
grep -iE "(account|user|profile|member)" subdomains.txt

echo ""
echo "=== Infrastructure ==="
grep -iE "(cdn|mail|smtp|dns|ns)" subdomains.txt

echo ""
echo "=== Web Properties ==="
grep -iE "(blog|www|web|site)" subdomains.txt

Brute Force with Custom Wordlist

#!/bin/bash
# Custom wordlist brute force

TARGET="example.com"

# Create common subdomains list
cat > common_subs.txt << 'EOF'
admin
api
app
backup
blog
cdn
dashboard
db
dev
docs
ftp
git
internal
mail
master
media
ns1
ns2
old
payment
portal
prod
production
proxy
qa
secure
server
staging
static
test
tmp
upload
vpn
web
www
EOF

echo "[*] Brute forcing with custom wordlist..."
python sublist3r.py -d $TARGET -b -w common_subs.txt -o custom_bruteforce.txt

echo "[+] Found: $(wc -l < custom_bruteforce.txt) subdomains"

Large-Scale Enumeration

#!/bin/bash
# Enumerate many domains

DOMAINS_FILE="target_companies.txt"
OUTPUT_DIR="all_subdomains"
mkdir -p "$OUTPUT_DIR"

total_subs=0

while IFS= read -r domain; do
  echo "[*] Processing $domain..."

  # Enumerate with timeout
  timeout 60 python sublist3r.py -d $domain -t 30 \
    -o "$OUTPUT_DIR/$domain.txt" 2>/dev/null

  count=$(wc -l < "$OUTPUT_DIR/$domain.txt" 2>/dev/null || echo 0)
  echo "  Found: $count subdomains"
  total_subs=$((total_subs + count))

done < "$DOMAINS_FILE"

echo ""
echo "[+] Total subdomains discovered: $total_subs"

Integration with Other Tools

Chain with DNS Resolution

#!/bin/bash
# Enumerate and resolve subdomains

TARGET="example.com"

echo "[*] Enumerating subdomains..."
python sublist3r.py -d $TARGET -o subs.txt

echo "[*] Resolving DNS..."
while IFS= read -r sub; do
  # Extract hostname (remove port)
  host=$(echo "$sub" | sed 's/:\s[0-9]*$//')

  # Resolve
  ip=$(dig +short $host @8.8.8.8 A | head -1)

  if [ ! -z "$ip" ]; then
    echo "$host -> $ip"
  fi
done < subs.txt | tee resolved_subs.txt

echo ""
echo "[+] Resolved: $(wc -l < resolved_subs.txt)"

Chain with Port Scanning

#!/bin/bash
# Advanced port enumeration

TARGET="example.com"

echo "[*] Enumerating with port scan..."
python sublist3r.py -d $TARGET -p 80,443,22,8080,8443 -o ports.txt

# Extract and analyze
echo ""
echo "=== Hosts by Port ==="
for port in 80 443 22 8080 8443; do
  echo -n "Port $port: "
  grep -c ": $port$" ports.txt
done

# Get high-value targets (multiple open ports)
echo ""
echo "=== Multi-port Hosts ==="
cut -d: -f1 ports.txt | sort | uniq -c | awk '$1 > 1 {print $3}'

Screenshot Web Services

#!/bin/bash
# Enumerate and screenshot (requires aquatone/similar)

TARGET="example.com"

echo "[*] Enumerating subdomains..."
python sublist3r.py -d $TARGET -p 80,443 -o urls.txt

# Extract just hostnames
cut -d: -f1 urls.txt | sort -u > hostnames.txt

# Take screenshots with aquatone (if installed)
if command -v aquatone &> /dev/null; then
  echo "[*] Taking screenshots..."
  cat hostnames.txt | aquatone -out screenshots
fi

Filtering & Analysis

Parse Output

#!/bin/bash
# Extract and analyze subdomain data

RESULTS="subdomains.txt"

# Extract hostnames (remove port info)
sed 's/\s:\s[0-9]*$//' $RESULTS | sort -u > hostnames.txt

# Filter by pattern
echo "=== Contains 'api' ==="
grep -i "api" hostnames.txt

# Count by TLD
echo ""
echo "=== By TLD ==="
sed 's/.*\.\([a-z]*\)$/\1/' hostnames.txt | sort | uniq -c | sort -rn

# Find outliers (different patterns)
echo ""
echo "=== Potential parent domains ==="
sed 's/^[^.]*\.//' hostnames.txt | sort -u

Comparison & Deduplication

#!/bin/bash
# Find differences between runs

PREVIOUS="old_results.txt"
CURRENT="new_results.txt"

# Find new subdomains
echo "=== NEW SUBDOMAINS ==="
comm -23 <(sort $CURRENT) <(sort $PREVIOUS)

# Find removed subdomains
echo ""
echo "=== REMOVED SUBDOMAINS ==="
comm -13 <(sort $CURRENT) <(sort $PREVIOUS)

# Find common
echo ""
echo "=== UNCHANGED ==="
comm -12 <(sort $CURRENT) <(sort $PREVIOUS) | wc -l

Customization

Custom Wordlist

# Use your own subdomain wordlist
python sublist3r.py -d example.com -b -w /path/to/wordlist.txt

# Create effective wordlist
cat > my_wordlist.txt << 'EOF'
admin
api
app
auth
backup
blog
cache
cdn
config
data
db
debug
dev
devops
docs
download
email
export
ftp
git
gitlab
grafana
health
images
import
jenkins
kibana
lab
logs
mail
manage
master
media
metrics
mobile
monitor
ns1
office
old
panel
payment
proxy
qa
redis
registry
repo
report
rest
s3
secure
server
service
site
sitemap
source
sql
ssh
staging
static
storage
studio
support
sync
system
test
tools
track
training
upload
v1
v2
vault
web
webmail
wiki
EOF

python sublist3r.py -d example.com -b -w my_wordlist.txt

Reporting

Generate Report

#!/bin/bash
# Create summary report

DOMAIN="example.com"
REPORT="sublist3r_report_${DOMAIN}.txt"

cat > $REPORT << EOF
=== SUBLIST3R ENUMERATION REPORT ===
Domain: $DOMAIN
Date: $(date)

=== RESULTS ===
EOF

python sublist3r.py -d $DOMAIN | tail -n +2 >> $REPORT

echo "[+] Report saved to $REPORT"
cat $REPORT

Best Practices

• Combine passive and brute-force for comprehensive coverage
• Use multiple threads to speed up brute force
• Run regularly to catch newly registered subdomains
• Analyze port data for service identification
• Cross-reference with other tools (Findomain, Assetfinder)
• Filter results by organizational relevance
• Document all findings with timestamps

Troubleshooting

Slow Performance

# Increase threads for brute force
python sublist3r.py -d example.com -b -t 100

# Disable port scanning (slow)
python sublist3r.py -d example.com -p 0

# Use passive only
python sublist3r.py -d example.com

No Results from Brute Force

# Verify DNS resolvers working
nslookup test.example.com

# Check wordlist
wc -l wordlist.txt

# Try with built-in wordlist
python sublist3r.py -d example.com -b

Resources

• Sublist3r GitHub
• Subdomain Enumeration

---

Last updated: 2026-03-30