Convert Figma logo to code with AI

aboul3la logoSublist3r

Fast subdomains enumeration tool for penetration testers

9,778
2,105
9,778
222
View on GitHub

Top Related Projects

projectdiscovery's avatar

subfinder

10,098

Fast passive subdomain enumeration tool.

tomnomnom's avatar

assetfinder

3,001

Find domains and subdomains related to a given domain

owasp-amass's avatar

amass

11,936

In-depth attack surface mapping and asset discovery

shmilylty's avatar

OneForAll

8,263

OneForAll是一款功能强大的子域收集工具

infosec-au's avatar

altdns

2,314

Generates permutations, alterations and mutations of subdomains and then resolves them

Findomain's avatar

Findomain

3,295

The fastest and complete solution for domain recognition. Supports screenshoting, port scan, HTTP check, data import from other tools, subdomain monitoring, alerts via Discord, Slack and Telegram, multiple API Keys for sources and much more.

Quick Overview

Sublist3r is a Python-based tool designed for enumerating subdomains of websites using OSINT (Open Source Intelligence). It utilizes search engines, DNS records, and other sources to discover and list subdomains of a given domain, making it a valuable asset for security researchers and penetration testers.

Pros

  • Utilizes multiple search engines and sources for comprehensive subdomain discovery
  • Fast and efficient, capable of enumerating subdomains quickly
  • Supports both passive and active enumeration techniques
  • Offers output in multiple formats for easy integration with other tools

Cons

  • May trigger rate limiting or blocking from search engines during intensive scans
  • Requires Python 2, which is no longer actively maintained
  • Limited customization options for advanced users
  • Might miss some subdomains that are not publicly listed or indexed

Code Examples

  1. Basic usage to enumerate subdomains:
import sublist3r

domain = "example.com"
subdomains = sublist3r.main(domain, 40, savefile=None, ports=None, silent=False, verbose=False, enable_bruteforce=False, engines=None)
print(subdomains)
  1. Enumerating subdomains with specific search engines:
import sublist3r

domain = "example.com"
engines = ["google", "yahoo", "bing"]
subdomains = sublist3r.main(domain, 40, savefile=None, ports=None, silent=False, verbose=False, enable_bruteforce=False, engines=engines)
print(subdomains)
  1. Saving results to a file:
import sublist3r

domain = "example.com"
output_file = "subdomains.txt"
sublist3r.main(domain, 40, savefile=output_file, ports=None, silent=False, verbose=False, enable_bruteforce=False, engines=None)

Getting Started

  1. Install Sublist3r:

    git clone https://github.com/aboul3la/Sublist3r.git
cd Sublist3r
pip install -r requirements.txt

  2. Run Sublist3r:

    python sublist3r.py -d example.com

  3. For more options, use the help command:

    python sublist3r.py -h

Competitor Comparisons

projectdiscovery logo

subfinder

10,098

Fast passive subdomain enumeration tool.

Pros of subfinder

  • Faster performance due to Go implementation and concurrent processing
  • More extensive subdomain enumeration sources, including APIs and DNS resolvers
  • Active development with frequent updates and new features

Cons of subfinder

  • Requires Go installation, which may be less convenient for some users
  • More complex configuration and usage compared to Sublist3r's simplicity
  • Potentially higher resource consumption due to concurrent processing

Code comparison

Sublist3r (Python):

def main(domain, threads, savefile, ports, silent, verbose, enable_bruteforce, engines):
    bruteforce_list = []
    subdomains = []
    search_list = []
    
    # ... (rest of the code)

subfinder (Go):

func (r *Runner) Run() error {
    var err error
    if r.options.Stdin {
        r.options.Domains, err = r.readStdin()
    }
    // ... (rest of the code)

The code snippets show the main entry points for both tools. Sublist3r uses a Python function with multiple parameters, while subfinder employs a Go method with a Runner struct. This reflects the different language paradigms and overall architecture of each tool.

tomnomnom logo

assetfinder

3,001

Find domains and subdomains related to a given domain

Pros of assetfinder

  • Written in Go, offering faster execution and easier cross-platform compatibility
  • Simpler to use with minimal dependencies
  • Provides a more focused approach to subdomain enumeration

Cons of assetfinder

  • Limited features compared to Sublist3r's comprehensive toolset
  • Lacks built-in multi-threading capabilities
  • Does not include a graphical user interface option

Code Comparison

Sublist3r (Python):

def main(domain, threads, savefile, ports, silent, verbose, enable_bruteforce, engines):
    bruteforce_list = []
    search_list = set()

    if is_windows():
        subdomains_queue = list()
    else:
        subdomains_queue = multiprocessing.Manager().list()

assetfinder (Go):

func main() {
    var domain string
    flag.StringVar(&domain, "d", "", "The domain to find assets for")
    flag.Parse()

    if domain == "" {
        fmt.Println("Please provide a domain to find assets for")
        os.Exit(1)
    }

Both tools aim to perform subdomain enumeration, but assetfinder focuses on simplicity and speed, while Sublist3r offers a more comprehensive feature set. assetfinder's Go implementation provides better performance, while Sublist3r's Python codebase offers more flexibility and easier customization for users familiar with Python.

owasp-amass logo

amass

11,936

In-depth attack surface mapping and asset discovery

Pros of Amass

  • More comprehensive subdomain enumeration with multiple data sources and techniques
  • Active scanning capabilities for network mapping and infrastructure analysis
  • Regularly updated and maintained with a larger community

Cons of Amass

  • Steeper learning curve due to more complex features and options
  • Higher resource consumption, especially for large-scale scans
  • Potentially slower for quick, basic subdomain enumeration tasks

Code Comparison

Sublist3r (Python):

def main():
    # Parse command line arguments
    parser = argparse.ArgumentParser()
    parser.add_argument('-d', '--domain', help='Domain name to enumerate subdomains of')
    args = parser.parse_args()
    domain = args.domain
    # ... (rest of the code)

Amass (Go):

func main() {
    // Parse the command-line flags
    flag.Parse()
    // ... (rest of the code)
    e := enum.NewEnumeration()
    if err := e.Start(); err != nil {
        r.Fprintf(color.Error, "%v\n", err)
        os.Exit(1)
    }
}

Both tools focus on subdomain enumeration, but Amass offers a more feature-rich and extensible approach, while Sublist3r provides a simpler, more straightforward solution for basic enumeration tasks.

shmilylty logo

OneForAll

8,263

OneForAll是一款功能强大的子域收集工具

Pros of OneForAll

  • More comprehensive subdomain enumeration with a wider range of sources and techniques
  • Actively maintained with regular updates and improvements
  • Supports multiple output formats for better integration with other tools

Cons of OneForAll

  • More complex setup and configuration compared to Sublist3r
  • Requires additional dependencies and API keys for full functionality
  • May be slower due to its extensive enumeration process

Code Comparison

Sublist3r:

def main():
    # Parse command line arguments
    parser = argparse.ArgumentParser()
    parser.add_argument('-d', '--domain', help='Domain name to enumerate subdomains of')
    args = parser.parse_args()
    domain = args.domain
    subdomains = sublist3r.main(domain, 40, savefile=None, ports=None, silent=False, verbose=False, enable_bruteforce=False, engines=None)

OneForAll:

def main():
    # Parse command line arguments
    parser = argparse.ArgumentParser(description='OneForAll is a powerful subdomain integration tool')
    parser.add_argument('-t', '--target', help='Target domain', required=True)
    args = parser.parse_args()
    domain = args.target
    run.run_all(domain)

Both tools use argparse for command-line argument parsing, but OneForAll offers more customization options and a modular approach to subdomain enumeration.

infosec-au logo

altdns

2,314

Generates permutations, alterations and mutations of subdomains and then resolves them

Pros of altdns

  • Generates permutations and alterations of subdomains, potentially discovering hidden or non-obvious subdomains
  • Supports custom word lists for more targeted subdomain discovery
  • Can be easily integrated into existing workflows and scripts

Cons of altdns

  • May generate a large number of false positives, requiring additional verification
  • Limited built-in enumeration capabilities compared to Sublist3r
  • Requires more manual configuration and input to achieve optimal results

Code Comparison

Sublist3r:

def main(domain, threads, savefile, ports, silent, verbose, enable_bruteforce, engines):
    bruteforce_list = []
    subdomains = []
    search_list = []

altdns:

def generate_altered_domains(domain):
    with open(args.input, "r") as fp:
        for line in fp:
            subdomain = line.strip()

Both tools are written in Python and focus on subdomain discovery, but their approaches differ. Sublist3r uses multiple search engines and techniques for enumeration, while altdns focuses on generating alterations of known subdomains. Sublist3r's code snippet shows its main function with various options, whereas altdns' snippet demonstrates its core functionality of generating altered domains from an input file.

Findomain logo

Findomain

3,295

The fastest and complete solution for domain recognition. Supports screenshoting, port scan, HTTP check, data import from other tools, subdomain monitoring, alerts via Discord, Slack and Telegram, multiple API Keys for sources and much more.

Pros of Findomain

  • Faster subdomain enumeration due to its Rust implementation
  • Supports more data sources for subdomain discovery
  • Actively maintained with regular updates

Cons of Findomain

  • Requires Rust installation, which may be less familiar to some users
  • More complex setup process compared to Sublist3r's Python-based approach

Code Comparison

Sublist3r (Python):

def main(domain, threads, savefile, ports, silent, verbose, enable_bruteforce, engines):
    bruteforce_list = []
    subdomains = []
    search_list = []
    
    # ... (rest of the code)

Findomain (Rust):

fn main() -> Result<(), Box<dyn std::error::Error>> {
    let args = Cli::parse();
    let config = Config::new(&args)?;
    let mut subdomains = HashSet::new();
    
    // ... (rest of the code)

Both tools aim to discover subdomains, but Findomain's Rust implementation offers potential performance benefits. Sublist3r's Python code may be more accessible to beginners, while Findomain's Rust code could provide better speed and memory efficiency for larger-scale enumeration tasks.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

About Sublist3r

Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster and ReverseDNS.

subbrute was integrated with Sublist3r to increase the possibility of finding more subdomains using bruteforce with an improved wordlist. The credit goes to TheRook who is the author of subbrute.

Screenshots

Sublist3r

Installation

git clone https://github.com/aboul3la/Sublist3r.git

Recommended Python Version:

Sublist3r currently supports Python 2 and Python 3.

  • The recommended version for Python 2 is 2.7.x
  • The recommended version for Python 3 is 3.4.x

Dependencies:

Sublist3r depends on the requests, dnspython and argparse python modules.

These dependencies can be installed using the requirements file:

  • Installation on Windows:
c:\python27\python.exe -m pip install -r requirements.txt
  • Installation on Linux
sudo pip install -r requirements.txt

Alternatively, each module can be installed independently as shown below.

Requests Module (http://docs.python-requests.org/en/latest/)

  • Install for Windows:
c:\python27\python.exe -m pip install requests
  • Install for Ubuntu/Debian:
sudo apt-get install python-requests
  • Install for Centos/Redhat:
sudo yum install python-requests
  • Install using pip on Linux:
sudo pip install requests

dnspython Module (http://www.dnspython.org/)

  • Install for Windows:
c:\python27\python.exe -m pip install dnspython
  • Install for Ubuntu/Debian:
sudo apt-get install python-dnspython
  • Install using pip:
sudo pip install dnspython

argparse Module

  • Install for Ubuntu/Debian:
sudo apt-get install python-argparse
  • Install for Centos/Redhat:
sudo yum install python-argparse
  • Install using pip:
sudo pip install argparse

for coloring in windows install the following libraries

c:\python27\python.exe -m pip install win_unicode_console colorama

Usage

Short FormLong FormDescription
-d--domainDomain name to enumerate subdomains of
-b--bruteforceEnable the subbrute bruteforce module
-p--portsScan the found subdomains against specific tcp ports
-v--verboseEnable the verbose mode and display results in realtime
-t--threadsNumber of threads to use for subbrute bruteforce
-e--enginesSpecify a comma-separated list of search engines
-o--outputSave the results to text file
-h--helpshow the help message and exit

Examples

  • To list all the basic options and switches use -h switch:

python sublist3r.py -h

  • To enumerate subdomains of specific domain:

python sublist3r.py -d example.com

  • To enumerate subdomains of specific domain and show only subdomains which have open ports 80 and 443 :

python sublist3r.py -d example.com -p 80,443

  • To enumerate subdomains of specific domain and show the results in realtime:

python sublist3r.py -v -d example.com

  • To enumerate subdomains and enable the bruteforce module:

python sublist3r.py -b -d example.com

  • To enumerate subdomains and use specific engines such Google, Yahoo and Virustotal engines

python sublist3r.py -e google,yahoo,virustotal -d example.com

Using Sublist3r as a module in your python scripts

Example

import sublist3r 
subdomains = sublist3r.main(domain, no_threads, savefile, ports, silent, verbose, enable_bruteforce, engines)

The main function will return a set of unique subdomains found by Sublist3r

Function Usage:

  • domain: The domain you want to enumerate subdomains of.
  • savefile: save the output into text file.
  • ports: specify a comma-sperated list of the tcp ports to scan.
  • silent: set sublist3r to work in silent mode during the execution (helpful when you don't need a lot of noise).
  • verbose: display the found subdomains in real time.
  • enable_bruteforce: enable the bruteforce module.
  • engines: (Optional) to choose specific engines.

Example to enumerate subdomains of Yahoo.com:

import sublist3r 
subdomains = sublist3r.main('yahoo.com', 40, 'yahoo_subdomains.txt', ports= None, silent=False, verbose= False, enable_bruteforce= False, engines=None)

License

Sublist3r is licensed under the GNU GPL license. take a look at the LICENSE for more information.

Credits

  • TheRook - The bruteforce module was based on his script subbrute.
  • Bitquark - The Subbrute's wordlist was based on his research dnspop.

Thanks

  • Special Thanks to Ibrahim Mosaad for his great contributions that helped in improving the tool.

Version

Current version is 1.0