This fork differs from the original Sublist3r project in the following ways:
- Allows multiple domains to be searched at once (comma separated list)
- Outputs to plain text or json format
- Some bugfixes provided by the community that were added to this version:
Sublist3r is a Python tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect subdomains for the domain they are targeting. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu, and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster, and ReverseDNS.
subbrute was integrated with Sublist3r to increase the possibility of finding more subdomains using bruteforce with an improved wordlist. The credit goes to TheRook who is the author of subbrute.
git clone https://github.com/zatarra/Sublist3r.git
Sublist3r currently supports Python 2 and Python 3.
- The recommended version for Python 2 is 2.7.x
- The recommended version for Python 3 is 3.4.x
Sublist3r depends on the requests, dnspython, and argparse Python modules.
These dependencies can be installed using the requirements file:
- Installation on Windows:
c:\python27\python.exe -m pip install -r requirements.txt
- Installation on Linux
sudo pip install -r requirements.txt
Alternatively, each module can be installed independently as shown below.
Requests Module (http://docs.python-requests.org/en/latest/)
- Install for Windows:
c:\python27\python.exe -m pip install requests
- Install for Ubuntu/Debian:
sudo apt-get install python-requests
- Install for Centos/Redhat:
sudo yum install python-requests
- Install using pip on Linux:
sudo pip install requests
dnspython Module (http://www.dnspython.org/)
- Install for Windows:
c:\python27\python.exe -m pip install dnspython
- Install for Ubuntu/Debian:
sudo apt-get install python-dnspython
- Install using pip:
sudo pip install dnspython
argparse Module
- Install for Ubuntu/Debian:
sudo apt-get install python-argparse
- Install for Centos/Redhat:
sudo yum install python-argparse
- Install using pip:
sudo pip install argparse
For coloring on Windows, install the following libraries:
c:\python27\python.exe -m pip install win_unicode_console colorama
Short Form | Long Form | Description |
---|---|---|
-d | --domain | Domain name to enumerate subdomains of (comma separated list of domains works too) |
-b | --bruteforce | Enable the subbrute bruteforce module |
-p | --ports | Scan the found subdomains against specific tcp ports |
-v | --verbose | Enable the verbose mode and display results in realtime |
-t | --threads | Number of threads to use for subbrute bruteforce |
-e | --engines | Specify a comma-separated list of search engines |
-o | --output | Save the results to a text file |
-f | --format | File format to save the results ("text" or "json") |
-h | --help | Show the help message and exit |
-i | --findip | Find IP address of each subdomain |
-l | --plugin | Pass the results to a plugin for further processing |
- To list all the basic options and switches, use the -h switch:
python sublist3r.py -h
- To enumerate subdomains of a specific domain:
python sublist3r.py -d example.com
- To enumerate subdomains of a specific domain and check for ports 80 and 443:
python sublist3r.py -d example.com -p 80,443
- To enumerate subdomains and enable IP address resolution:
python sublist3r.py -v -i -d example.com
- To enumerate subdomains of a specific domain and show the results in realtime:
python sublist3r.py -v -d example.com
- To enumerate subdomains and enable the bruteforce module:
python sublist3r.py -b -d example.com
- To enumerate subdomains and use specific engines such as Google, Yahoo and Virustotal:
python sublist3r.py -e google,yahoo,virustotal -d example.com
- To enumerate multiple domains at once:
python sublist3r.py -d foo.com,bar.com
- To pass the results to the demo plugin for further processing:
python sublist3r.py -d foo.com,bar.com -l demo
Example
```python
import sublist3r
subdomains = sublist3r.main(domain, threads, savefile, ports, silent, verbose, enable_bruteforce, engines, find_ip, fileformat, json_subdomains)
```
The main function will return a set of unique subdomains found by Sublist3r.
Function Usage:
- domain: The domain you want to enumerate subdomains of.
- savefile: save the output into a text file.
- ports: specify a comma-separated list of the TCP ports to scan.
- silent: set sublist3r to work in silent mode during the execution (helpful when you don't need a lot of noise).
- verbose: display the found subdomains in real time.
- enable_bruteforce: enable the bruteforce module.
- engines: (Optional) to choose specific engines.
Example to enumerate subdomains of Yahoo.com:
```python
import sublist3r
subdomains = sublist3r.main('yahoo.com', 40, 'yahoo_subdomains.txt', ports=None, silent=False, verbose=False, enable_bruteforce=False, engines=None)
```
Very basic support for plugins is now enabled. This is the structure for a plugin:
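```python
import json
import requests


class SubPlugin():
    def __init__(self, subdomains_list):
        # Results collected by Sublist3r, handed to the plugin
        self.subdomains = subdomains_list

    def run(self):
        ''' Do stuff here '''
        # Return the (possibly modified) results
        return self.subdomains
```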
Plugins can be useful for targeted actions (e.g. banner grabbing, specific security tests, etc). The example provided with this repo retrieves the HTTP response and attaches it to the results.
Currently there are a few plugins that can be invoked:
- s3 - Search for potential S3 Buckets
- networkid - Get ASN information regarding the IP
- shodan - Grab information regarding open ports straight from shodan.io
- demo - store the http contents for a given request to each IP
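A plugin following the structure described above, as an added example (not code from this repository): it normalizes the results, drops entries that are not valid hostnames, and keeps only names under an authorized apex domain, matching on label boundaries. It assumes `subdomains_list` is an iterable of hostname strings; the `scope` argument, the `rejected` attribute and the sample data are hypothetical.

```python
import re

# One DNS hostname label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)\Z")


def normalize(name):
    """Lowercase and strip the trailing root dot; None if not a valid hostname."""
    host = str(name).strip().lower().rstrip(".")
    labels = host.split(".")
    if len(host) > 253 or len(labels) < 2:
        return None
    return host if all(_LABEL.match(label) for label in labels) else None


def in_scope(host, apexes):
    """Match on a label boundary so 'evil-example.com' is not under 'example.com'."""
    return any(host == apex or host.endswith("." + apex) for apex in apexes)


class SubPlugin():
    def __init__(self, subdomains_list, scope=("example.com",)):
        # Assumption: subdomains_list is an iterable of hostname strings.
        # `scope` is a hypothetical optional argument, not part of the fork's interface.
        self.subdomains = subdomains_list
        self.scope = tuple(a for a in map(normalize, scope) if a)
        self.rejected = {}  # raw value -> reason, kept for review

    def run(self):
        kept = set()
        for raw in self.subdomains:
            host = normalize(raw)
            if host is None:
                self.rejected[raw] = "invalid hostname"
            elif not in_scope(host, self.scope):
                self.rejected[raw] = "out of scope"
            else:
                kept.add(host)
        self.subdomains = sorted(kept)
        return self.subdomains


# Constructed sample input, not real Sublist3r output.
SAMPLE = [
    "www.example.com", "WWW.Example.com.", "api.dev.example.com",
    "evil-example.com", "example.com.cdn-host.net",
    "*.example.com", "mail.example.com<br>",
]
```

Filtering before any follow-up plugin runs keeps port checks and HTTP requests limited to hosts that belong to the authorized domains.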
Sublist3r is licensed under the GNU GPL license. Take a look at the LICENSE file for more information.
- TheRook - The bruteforce module was based on his script subbrute.
- Bitquark - The subbrute wordlist was based on his research, dnspop.
- Special Thanks to Ibrahim Mosaad for his great contributions that helped in improving the tool and to Ahmed Aboul-Ela for the original codebase.
Current version is 1.0