
Sublist3r Tool Usage

What is Sublist3r?

Sublist3r is an open-source Python tool designed for subdomain enumeration. It helps in discovering subdomains of a given domain, which is essential for reconnaissance during penetration testing and security assessments.

Key Features:

  • Subdomain enumeration using search engines (Google, Yahoo, Bing, etc.), DNS, and other data sources.
  • Multithreaded to speed up the enumeration process.
  • Integration with services such as VirusTotal, passive DNS sources, and certificate transparency logs.

Sample Install:

In Kali Linux, it is already installed. To install Sublist3r on other systems, you need Python and the following dependencies:

  1. Clone the repository from GitHub:

    git clone https://github.com/aboul3la/Sublist3r.git
    cd Sublist3r

  2. Install the required Python packages:

    pip install -r requirements.txt

Alternatively, you can install Sublist3r using pip:

    pip install sublist3r

Sample Usage of Sublist3r

1. Basic Subdomain Enumeration

To discover subdomains of a domain:

sublist3r -d example.com
  • `-d`: Specifies the domain for which you want to enumerate subdomains.

2. Using Multiple Domains from a File

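Sublist3r's `-d` option takes one domain per run, and its help output lists no option for reading domains from a file. To enumerate subdomains for multiple domains, loop over the file in the shell:

while read -r domain; do sublist3r -d "$domain" -o "$domain.txt"; done < domains.txt
  • `domains.txt`: A file containing a list of domains (one per line); the results for each domain are saved to a file named after it.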

3. Saving Results to a File

To save the subdomains to a file for later analysis:

sublist3r -d example.com -o output.txt
  • `-o`: Specifies the output file to save the results.

4. Using the `-t` Option for Threading (Speed Up Enumeration)

To use more threads and speed up the enumeration:

sublist3r -d example.com -t 20
  • `-t`: Defines the number of threads to use. More threads lead to faster enumeration but can be more resource-intensive.

5. Using a Specific Search Engine

You can restrict the search to one search engine using the `-e` option:

sublist3r -d example.com -e google
  • `-e`: Specifies the search engine (google, yahoo, or bing).

6. Using API Keys for Enhanced Enumeration

Sublist3r integrates with VirusTotal and other services for enhanced subdomain enumeration. For example, to use VirusTotal:

export VIRUSTOTAL_API_KEY="your_api_key"
sublist3r -d example.com

This will integrate VirusTotal into the enumeration process.

7. Verbose Output

If you want more detailed output, you can use the `-v` flag:

sublist3r -d example.com -v
  • `-v`: Enables verbose output, showing more details about what Sublist3r is doing behind the scenes.

8. Brute Forcing Subdomains

Sublist3r can brute-force subdomains with its bundled subbrute module. Use the `-b` flag to enable brute-forcing:

sublist3r -d example.com -b
  • `-b`: Enables brute-forcing with the subbrute module, which uses the wordlist bundled with Sublist3r; the option list has no `-w` flag for supplying a different one.

Summary of Key Options for Sublist3r:

  • `-d`: Domain to search for subdomains.
  • `-o`: Output file to save results.
  • `-t`: Number of threads for faster enumeration.
  • `-e`: Specifies a search engine (google, bing, yahoo).
  • `-v`: Enable verbose output.
  • `-b`: Enables brute-forcing mode.

Example of Full Command:

Here is an example of a full command combining multiple options to perform enhanced subdomain enumeration:

sublist3r -d example.com -o subdomains.txt -t 20 -e google -v
  • This will enumerate subdomains of example.com using 20 threads, query Google as the search engine, and save the results to subdomains.txt, while providing verbose output for more detailed information.
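
For the later analysis of a saved results file such as subdomains.txt, here is an added example (not part of the original post or of Sublist3r) that compares the results with an asset inventory and lists hostnames the inventory does not know about. It assumes the file holds one hostname per line; the sample lines, the inventory and the function names are constructed for illustration.

```python
import re

# One DNS hostname label: letters, digits, hyphens, no leading/trailing hyphen.
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

def normalise(line):
    """Lower-case, strip whitespace and a trailing dot, drop a leading wildcard label."""
    host = line.strip().lower().rstrip(".")
    return host[2:] if host.startswith("*.") else host

def in_scope(host, domain):
    """True for the domain itself or a name ending in it on a label boundary."""
    return host == domain or host.endswith("." + domain)

def triage(lines, domain, inventory):
    """Return (unknown, unseen, rejected): hosts missing from the inventory,
    inventory hosts the enumeration did not report, and discarded lines."""
    domain = normalise(domain)
    known = {normalise(h) for h in inventory}
    found, rejected = set(), []
    for raw in lines:
        host = normalise(raw)
        if not host:
            continue  # blank line
        valid = len(host) <= 253 and all(LABEL.fullmatch(p) for p in host.split("."))
        if valid and in_scope(host, domain):
            found.add(host)
        else:
            rejected.append(raw.strip())  # keep for manual review
    return sorted(found - known), sorted(known - found), rejected

# Constructed sample standing in for the contents of subdomains.txt.
SAMPLE_OUTPUT = """\
www.example.com
WWW.example.com
mail.example.com.
*.dev.example.com
staging.example.com
notexample.com
www.example.com.attacker.test
error: request blocked
"""
# Constructed inventory of hosts the organisation already tracks.
INVENTORY = ["www.example.com", "mail.example.com", "vpn.example.com"]

if __name__ == "__main__":
    unknown, unseen, rejected = triage(SAMPLE_OUTPUT.splitlines(), "example.com", INVENTORY)
    print("not in inventory:", unknown)
    print("in inventory, not reported:", unseen)
    print("rejected lines:", rejected)
```

The scope check matches on a label boundary, so look-alike names such as notexample.com are rejected instead of being counted as subdomains.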
