How To Enumerate Subdomains Quickly Using Sublist3r

by Sunny Hoi

Subdomain enumeration refers to the process of locating the subdomains of one or more domains. It is an essential element of the reconnaissance stage.

What Is Sublist3r?

Sublist3r is a Python tool geared towards locating subdomains of websites utilizing open-source intelligence (OSINT) resources like search engines (Google, Yahoo, Bing, Baidu) and databases (Netcraft, VirusTotal, ThreatCrowd, DNSdumpster).

Notably, Sublist3r is a useful tool that grants professional penetration testers the ability to find numerous subdomains related to a single target site without generating a discernible attack fingerprint.

If you are a professional penetration tester who would like to enumerate domains quickly to find potential attack vectors, Sublist3r can serve as an advantageous tool in your reconnaissance toolkit.

Why Is Subdomain Enumeration Important?

Subdomain enumeration may disclose important information about related domains and subdomains that are in scope of a vulnerability assessment, which in turn increases the odds of successfully locating vulnerabilities.

Since a subdomain shares the primary domain name, it is possible to locate applications installed on concealed or forgotten subdomains, which may ultimately lead to the discovery of critical security vulnerabilities.

Installing Sublist3r

To avoid conflicts with an older packaged version, any obsolete version of Sublist3r that may already be installed on your Linux system should first be uninstalled with the following command:

apt-get autoremove sublist3r

Next, run the following command to clone the Sublist3r GitHub repository:

git clone https://github.com/aboul3la/Sublist3r.git

This command downloads the latest version of Sublist3r.

Note that if you are using Kali Linux, you may still want to install Sublist3r from the original repository since this would guarantee that the most current version is downloaded and installed. This is important since the latest version would provide the most recent features and updates.

Install Dependencies

Once inside the Sublist3r directory, install the dependencies:

root@1337pwn:~# python3 -m pip install -r requirements.txt

The -r parameter directs pip to install the Python dependencies listed in the 'requirements.txt' file.

If you see an error stating "No module named pip", install pip first with the following command:

root@1337pwn:~# sudo apt-get install python3-pip

Change Directory To Sublist3r’s Directory

Next, change into the Sublist3r directory:

root@1337pwn:~# cd Sublist3r

Check To See If Sublist3r Is Functioning Correctly

Running Sublist3r with the --help (or -h) parameter both checks that Sublist3r is functioning correctly and lists the available options.

root@1337pwn:~# python sublist3r.py --help

Enumerate Subdomains Of A Target Domain

To begin enumerating subdomains of a particular domain, employ the following command:

root@1337pwn:~# python sublist3r.py -d 1337pwn.com

The -d (or --domain) parameter specifies the target site for which Sublist3r will try to find subdomains.

To enumerate subdomains of a particular domain and display only those subdomains that have ports 80 and 443 open, enter the following command:

root@1337pwn:~# python sublist3r.py -v -d 1337pwn.com -p 80,443

The -v (--verbose) parameter makes Sublist3r display additional information about discovered subdomains while the command is running.

Ports 80 and 443 (specified with -p or --ports) are the TCP ports used by websites for HTTP and HTTPS.
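The -p filter above is easy to misread as an HTTP check. What it actually does is keep only those subdomains on which a plain TCP connection to each listed port completes. The following stand-alone script is an added example written for this page, not Sublist3r's own code: it parses a comma-separated port list in the same shape as the -p argument, de-duplicates the subdomain list (the same host is often returned by several engines), and reports which of the listed ports accepted a connection. The subdomain list is constructed for illustration, and the connect function is injectable so the logic can be exercised without touching the network.

```python
"""Added example (not Sublist3r's code): reproduce what `-p 80,443` does.

"Open" here means a completed TCP handshake within a timeout, not a
successful HTTP request. The subdomain list below is constructed.
"""
import socket
from typing import Callable, Dict, Iterable, List

# Constructed sample: the kind of list an enumeration run might produce.
SAMPLE_SUBDOMAINS = [
    "www.example.com",
    "mail.example.com",
    "old-staging.example.com",   # a forgotten host is exactly what recon turns up
    "www.example.com",           # duplicate, as returned by a second engine
]


def parse_ports(spec: str) -> List[int]:
    """Parse a comma-separated port list such as '80,443' into ints.

    Blank or non-numeric entries and out-of-range values raise instead of
    being skipped silently, so a typo in the list is noticed.
    """
    ports: List[int] = []
    for item in spec.split(","):
        item = item.strip()
        if not item.isdigit():
            raise ValueError(f"bad port entry: {item!r}")
        port = int(item)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        if port not in ports:
            ports.append(port)
    return ports


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def open_ports(subdomains: Iterable[str], ports: List[int],
               connect: Callable[[str, int], bool] = tcp_connect) -> Dict[str, List[int]]:
    """Map each unique subdomain to the subset of `ports` that accepted a connection.

    Hosts with no open port are omitted, matching the filtering behaviour of -p.
    `connect` is injectable so the function can be tested with a fake.
    """
    result: Dict[str, List[int]] = {}
    for host in dict.fromkeys(subdomains):   # de-duplicate while keeping order
        live = [p for p in ports if connect(host, p)]
        if live:
            result[host] = live
    return result


if __name__ == "__main__":
    for host, live in open_ports(SAMPLE_SUBDOMAINS, parse_ports("80,443")).items():
        print(f"{host}: open on {live}")
```

When run against real hosts the script needs outbound TCP access and a couple of seconds per unreachable port; lower the timeout if you are checking a long list. The same comma-separated parsing applies to the --engines argument described in the next section, with engine names in place of port numbers.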

Using Specific Search Engines With Sublist3r

It is possible to use only one or two search engines with Sublist3r by passing the --engines (or -e) parameter.

The engine names must be separated by commas (,), as shown in the following command:

root@1337pwn:~# python sublist3r.py -d 1337pwn.com --engines dnsdumpster,bing -p 80,443

As you can see, we enumerated 1337pwn subdomains using only the DNSdumpster and Bing engines.

Conclusion

As we have illustrated, the reconnaissance stage is particularly important for professional penetration testers, since gathering information is essential before proceeding further in a security assessment.

Other useful OSINT tools like Maltego can be deployed alongside Sublist3r, ultimately enhancing the reconnaissance stage.
