How To Use Sublist3r

Hey! Welcome to leetngo, the new InfoSec blog, it’s great to have you 🙂
In this series we will be covering some useful tools any InfoSec guy should at least know about.

Hi InfoSec enthusiasts! As you all know, information gathering is essential to get to know your target and its activities… This step will save you a lot of time while doing your penetration testing, vulnerability assessment or even just spying :p ( Don’t do that 😀 ). In this little guide, we are going to explore a tool that I found very useful in my first pentesting mission; it’s called Sublist3r.

So, as we already said, knowing the target is very important. By knowing the target we mean collecting as much information as possible.

Sublist3r will help you enumerate subdomains for a given domain:
– using many search engines such as Google, Bing, Netcraft, ThreatCrowd, DNSdumpster, and many others.
– using a brute-force technique, by integrating the well-known subdomain brute-forcer subbrute.

Let’s start our tutorial from installation to usage.
PS: For this tutorial we will be using Kali Linux.

First, we need to download our tool from this GitHub repo. Thank you for this amazing tool, Ahmed Aboul-Ela. You can do this either by downloading the zip version and decompressing it or, ‘my preferred way’, by cloning it directly from GitHub:

# git clone https://github.com/aboul3la/Sublist3r
# cd Sublist3r

PS: As you can see, Sublist3r is written in Python, so of course you will need a Python installation.

After the download completes, install all the required Python packages. You can do it either by opening requirements.txt and installing every package separately with this command:

# pip install <Package-Name>

Or by installing all the dependencies with a single command:

# pip install -r requirements.txt

Now that our tool’s dependencies are satisfied, we can start using it.
First let’s explore our tool’s options ( knowing your tool is a very good reflex ). Here are some flags we’ll be using:

Flag            Description
-d/--domain     Domain name
-v/--verbose    Enable the verbose mode and display results in realtime
-h/--help       Show the help message and exit

You can always type:

# python sublist3r.py -h

and get the full help containing all possible options.

For the purpose of our tutorial ( which is fully educational, huh! yes we mean that we are not responsible for any misuse ) we will be using the scanme.nmap.org domain ( We love nmap :’D and will be covering it for you in a very cool tutorial :p )

Afterwards, we type the command below in our terminal:

# python sublist3r.py -d scanme.nmap.org

… and we got 3 subdomains:

  • ascanme.nmap.org
  • nmap-v-ascanme.nmap.org
  • www.ascanme.nmap.org

It will be very helpful if we enable the verbose option:

# python sublist3r.py -v -d nmap.org

It will show you the engines being queried.

Now that we have covered the first method, we will talk about the second method ( subdomain brute force ) in a separate tutorial because it uses a very good tool, subbrute.

But here is the command to bruteforce subdomains:

# python sublist3r.py -b -d nmap.org

PS: The name list used for brute force is located in the subbrute directory of your tool. Sublist3r points to it directly, so there is no need to specify it explicitly.
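
Whichever method produced the list, the next step on an assessment of your own domain is usually to clean it up and compare it with the hosts you already know about. The script below is an added example, not part of Sublist3r or of the original tutorial. It assumes a results file with one hostname per line (as saved with Sublist3r's -o/--output option) and a hypothetical asset inventory; the sample names are constructed.

```python
# Added example: triage a Sublist3r results file (one hostname per line)
# against an asset inventory to spot hosts nobody is tracking.

def normalize(name):
    """Lowercase, trim whitespace, drop a trailing dot and a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def in_scope(name, domain):
    """True only for the domain itself or a real subdomain of it.

    A plain endswith(domain) would also accept look-alikes such as
    'notexample.org', so the match is anchored on a label boundary.
    """
    return name == domain or name.endswith("." + domain)


def triage(result_lines, domain, inventory):
    """Return (known, unknown, out_of_scope) as sorted lists of unique names."""
    domain = normalize(domain)
    inventory = {normalize(h) for h in inventory}
    known, unknown, out_of_scope = set(), set(), set()
    for line in result_lines:
        name = normalize(line)
        if not name:
            continue  # skip blank lines
        if not in_scope(name, domain):
            out_of_scope.add(name)
        elif name in inventory:
            known.add(name)
        else:
            unknown.add(name)
    return sorted(known), sorted(unknown), sorted(out_of_scope)


# Constructed sample data, not real Sublist3r output.
SAMPLE_RESULTS = [
    "www.example.org", "WWW.example.org.", "mail.example.org",
    "*.dev.example.org", "old-staging.example.org", "notexample.org", "",
]
SAMPLE_INVENTORY = ["www.example.org", "mail.example.org"]  # hypothetical asset list

if __name__ == "__main__":
    known, unknown, oos = triage(SAMPLE_RESULTS, "example.org", SAMPLE_INVENTORY)
    print("known:", known)
    print("not in inventory:", unknown)
    print("out of scope:", oos)
```

The "not in inventory" names are the ones worth a closer look: forgotten staging hosts and similar leftovers tend to show up there first.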

Meet you in the next tutorial 😀

Links:

  • https://github.com/aboul3la/Sublist3r
  • https://github.com/aboul3la/Sublist3r/tree/master/subbrute