Category: Information Gathering
Tags: subdomain, enumeration, osint, bruteforce, search-engines

Sublist3r

Fast subdomains enumeration tool for penetration testers using OSINT. Enumerates subdomains via multiple search engines and additional sources.

Description

Sublist3r is a Python security tool designed to enumerate subdomains of websites using OSINT techniques. It helps penetration testers and bug hunters collect subdomains for the targeted domain. The tool supports enumeration using search engines such as Google, Yahoo, Bing, Baidu, and Ask, as well as sources like Netcraft, VirusTotal, ThreatCrowd, DNSdumpster, and ReverseDNS.

Subbrute has been integrated with Sublist3r to increase the possibility of finding more subdomains through bruteforce with an improved wordlist. This makes it particularly useful for comprehensive reconnaissance in penetration testing workflows.

It is intended for use by security professionals to map out attack surfaces by discovering hidden subdomains that may not be immediately obvious.

How It Works

Sublist3r enumerates subdomains by querying multiple search engines including Google, Yahoo, Bing, Baidu, and Ask. It also leverages OSINT sources such as Netcraft, VirusTotal, ThreatCrowd, DNSdumpster, and ReverseDNS. The integrated Subbrute module performs bruteforce subdomain discovery using an improved wordlist to enhance results.

Installation

sudo apt install sublist3r

Flags

-d, --domain DOMAIN               Domain name to enumerate its subdomains
-b, --bruteforce [BRUTEFORCE]     Enable the subbrute bruteforce module
-p, --ports PORTS                 Scan the found subdomains against specified TCP ports
-v, --verbose [VERBOSE]           Enable verbosity and display results in real time
-t, --threads THREADS             Set number of threads
-e ENGINES                        Specify search engine(s) to use
-o OUTPUT                         Output file for results
-n                                No DNS resolution

Examples

Search for subdomains of kali.org using the Bing search engine with 3 threads
sublist3r -d kali.org -t 3 -e bing
Show help message and usage options
sublist3r -h
Enumerate subdomains for google.com using default settings
sublist3r -d google.com
Enumerate subdomains for example.com with bruteforce module enabled
sublist3r -d example.com -b
Enumerate subdomains for test.com with verbose output and 5 threads
sublist3r -d test.com -v -t 5
Enumerate subdomains for domain.com and scan them against ports 80 and 443
sublist3r -d domain.com -p 80,443
Enumerate subdomains for site.com using Google and save output to results.txt
sublist3r -d site.com -e google -o results.txt
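
For the attack-surface mapping use described above, the file written with -o can be compared against an asset inventory to surface hosts nobody is tracking. The following is an added example, not part of Sublist3r or of the original page; it assumes the output file holds one hostname per line, and the function names, sample results and inventory are constructed for illustration.

```python
"""Triage a Sublist3r -o results file against an asset inventory (added example)."""
import re

# Hostname label check; rejects blank lines, wildcards and other stray text.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalise(line):
    """Return a lowercase hostname without trailing dot, or None if invalid."""
    host = line.strip().lower().rstrip(".")
    if not host or len(host) > 253:
        return None
    labels = host.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return None
    return host


def in_scope(host, apex):
    """True only for the apex itself or names strictly beneath it."""
    # The leading dot matters: "notexample.com" must not match "example.com".
    return host == apex or host.endswith("." + apex)


def triage(result_lines, inventory, apex):
    """Split discovered names into unknown / known / out-of-scope / not-seen."""
    apex = apex.lower().rstrip(".")
    known_assets = {h for h in map(normalise, inventory) if h}
    found = {h for h in map(normalise, result_lines) if h}
    scoped = {h for h in found if in_scope(h, apex)}
    return {
        "unknown": sorted(scoped - known_assets),   # exposed but not inventoried
        "known": sorted(scoped & known_assets),
        "out_of_scope": sorted(found - scoped),     # results outside the apex
        "not_seen": sorted(h for h in known_assets - scoped if in_scope(h, apex)),
    }


# Constructed sample data standing in for results.txt and an internal inventory.
SAMPLE_RESULTS = ["www.example.com", "VPN.example.com.", "", "dev.example.com",
                  "www.example.com", "notexample.com", "*.example.com"]
SAMPLE_INVENTORY = ["www.example.com", "mail.example.com"]

if __name__ == "__main__":
    report = triage(SAMPLE_RESULTS, SAMPLE_INVENTORY, "example.com")
    for bucket, hosts in report.items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Names in the "unknown" bucket are the ones to chase down with their owners; "not_seen" only means the public sources did not return the host, not that it is unreachable.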
Updated 2026-04-16. Source: kali.org