What is Sublist3r?
Sublist3r is a fast and open-source subdomain enumeration tool written in Python. It's commonly used in the reconnaissance phase of ethical hacking to discover subdomains of a target domain using OSINT (Open Source Intelligence).
🚀 Key Features
- Enumerates subdomains using multiple search engines (Google, Bing, Yahoo, Baidu, etc.)
- Integrates with
subbrutefor bruteforce enumeration - Fast, lightweight, and easy to use
- Supports saving results to a file
💻 Installation Guide
# Clone the repository
git clone https://github.com/aboul3la/Sublist3r.git
# Navigate into the directory
cd Sublist3r
# Install the required packages
pip install -r requirements.txtNote: Ensure you have Python 2.7 or Python 3+ and pip installed.
🛠️ How to Use Sublist3r
Basic syntax:
python sublist3r.py -d example.comExamples:
python sublist3r.py -d target.com -o subdomains.txt→ Saves the results to a filepython sublist3r.py -d example.com -p 80,443→ Launches port scan on discovered subdomainspython sublist3r.py -d example.com -v→ Enables verbose mode to see real-time progress
📡 Advanced Usage
Sublist3r can be combined with other tools like Amass, Assetfinder, or DNS resolvers to verify and expand subdomain results.
Example chaining with DNS resolution:
python sublist3r.py -d example.com -o domains.txt
cat domains.txt | dnsx -silent -a -resp💡 Practical Tips & Insights
- Use multiple subdomain tools for broader coverage
- Run Sublist3r regularly during engagement as DNS records may change
- Check discovered subdomains for exposed services like admin panels or dev environments
- Use
-oflag to store results and process them with automation scripts
🌐 Real-World Use Case
During a bug bounty assessment, a researcher used Sublist3r to discover dev.target.com — a forgotten development server running outdated software with default credentials, resulting in critical RCE vulnerability. Subdomain enumeration often reveals the weakest entry point.