Linux Commands

Sublist3r for Enumerate Subdomains

Sublist3r is a tool to search and list subdomains easily. Sublist3r uses search engines and databases like Google, Bing, Yahoo, Ask, Baidu, Virustotal, Netcraft. ThreatCrowd, DNSdumpster, and ReverseDNS. Brute force ability was added with the integration of subbrute to Sublist3r.

This tutorial explains:

  • How to search for subdomains using Sublist3r.
  • How to scan ports of found subdomains.
  • Specifying what search engines Sublist3r must use.
  • How to implement brute force to discover subdomains.
  • Saving Sublist3r output in a file.

How to install Sublist3r

To start, use git to download Sublist3r as shown in the example below:

git clone https://github.com/aboul3la/Sublist3r.git

To install Sublist3r and dependencies, enter into Sublist3r directory using cd (Change Directory) and run the following pip as shown below:

cd Sublist3r/
sudo pip install -r requirements.txt

IMPORTANT: Currently, there is a bug preventing Sublist3r from gathering information from Virus Total. Official support channels explain users need a key provided by Virustotal you can get at https://www.virustotal.com/gui/. I tried to set the key and document all steps to add them to this tutorial, but adding the key didn’t work. That’s why you probably will see the error “Error: Virustotal probably now is blocking our requests.” Sublist3r will continue the task using the rest of the resources.
A conversation on this bug can be followed at https://github.com/aboul3la/Sublist3r/issues/288.

In case you still want to try, you can register for free at https://www.virustotal.com/gui/ to get the key and then export it:

export VT_APIKEY=457c21dbef3d11e25b8c38838a408b59727b115ef70d554002700facfc9315e2

Getting started with Sublist3r

To start, you can display the help menu with the -h argument by running the following command:

python sublist3r.py -h

OPTIONS:

-d <DOMAIN>, –domain <Domain>: Domain name to enumerate its subdomains
-b <BRUTEFORCE>, –bruteforce <BRUTEFORCE>: Enable subbrute bruteforce module
-p <PORTS>, –ports <PORTS>:
Scan the found subdomains against specified tcp ports
-v <VERBOSE>, –verbose <VERBOSE>:
Enable Verbosity and display results in real-time  -t <THREADS>, –threads <THREADS>: Number of threads to use for subbrute Bruteforce
-e <ENGINES>, –engines <ENGINES>: Specify a comma-separated list of search engines
-o <OutputFIle>, –output <OutputFIle>: save the results to text file
-n, –no-color:  Output without color

The first example shows how to search subdomains of the website Godaddy by specifying it with the -d argument:

python sublist3r.py -d godaddy.com

Sublist3r found 4192 Godaddy subdomains.

The following example shows how to implement the -p parameter instructing Sublist3r to scan all ports 80 (http) for all found subdomains on Smartlation:

python sublist3r.py -d smartlation.com -p 80

As you can see, 17 unique subdomains were found, all of them with port 80 open.

You can specify several (TCP) ports to be scanned by using comma as shown in the following example in which ports 80 (http), 443 (https), and 22 (ssh) are scanned:

python sublist3r.py -d smartlation.com -p 80,443,22

The following example shows how to execute a new search, but this time implementing brute force too by adding the argument -b with 100 threads (-t 100). The subdomain dictionary is called names.txt and contains 101,010 subdomains. Implementing brute force takes time; for descriptive purposes, I edited the names.txt file (located under the subbrute subdirectory), leaving only a dozen words.

python sublist3r.py -d godaddy.com -b -t 20

As described in the help menu, you can define specific search engines using the argument -e. The following example shows a search for subdomains including brute force and limiting search engines to Google and Bing:

python sublist3r.py -e google,bing  -b -d smartlation.com

As you can see, only 4 subdomains were found because only Google and Bing search engines were included.
The next example shows a new search, including NetCraft, DnsDumpster, and Bing. The command also includes a port scan (-p) against port 22 for each found subdomain and brute force (-b) implementation. The argument -o instructs Sublist3r to save the results in the file Sublist3r-Tutorial.

python sublist3r.py -e netcraft,dnsdumpster,bing -p 22 -b -d smartlation.com -o Sublist3r-Tutorial

You can check the output by reading Sublist3r-Tutorial:

less Sublist3r-Tutorial

This time only 16 subdomains were found because we kept search engines limited to a few.

Conclusion

Sublist3r is a great option for searching subdomains. The program is accessible to all user levels, easy to run and implement its options. The brute force integration added interesting features comparable to DNS Brute and similar Nmap NSE scripts.
Some of the Sublist3r alternatives include Subfinder or AltDNS.
Alternatively, you can use web applications such as SHODAN or Spyse.

I hope this Sublist3r tutorial was useful; keep following LinuxHint for more Linux tips and tutorials.

About the author

David Adams

David Adams is a System Admin and writer that is focused on open source technologies, security software, and computer systems.