06. Subdomain Enumeration with Sublist3r and Subfinder

Overview

Sublist3r is a Python-based tool used to enumerate subdomains by querying various search engines and other sources. It is commonly used for reconnaissance during penetration testing or security assessments.

Key Features of Sublist3r

  1. Uses multiple search engines and sources (Google, Bing, Yahoo, Baidu, etc.).
  2. Supports saving results to a file.
  3. Simple command-line interface.

Basic Commands

1. Enumerate Subdomains

sublist3r -d <domainname>
  • Enumerates all subdomains of the target domain.

2. Specify Search Engines

sublist3r -d <domainname> -e <engine1,engine2>
  • Focuses on specified search engines (e.g., Google, Bing).

3. Save Results

sublist3r -d <domainname> -o <filename>
  • Saves the results to a file.

Subfinder Overview

Subfinder is a fast and reliable subdomain discovery tool written in Go. It uses passive enumeration techniques, leveraging APIs and online sources to find subdomains.

Key Features of Subfinder

  1. Leverages APIs from sources like VirusTotal, Shodan, Censys, etc., for passive enumeration.
  2. Supports configuration files for API keys.
  3. Outputs results in various formats (JSON, text, etc.).
  4. Considerably faster and more efficient than Sublist3r.

Basic Commands

1. Enumerate Subdomains

subfinder -d <domainname>
  • Retrieves subdomains of the target domain.

2. Save Results

subfinder -d <domainname> -o <filename>
  • Saves results to a specified file.

3. Increase Verbosity

subfinder -d <domainname> -v
  • Displays detailed output during execution.

4. Use Passive Sources

subfinder -d <domainname> -nW
  • Strictly uses passive enumeration (no wildcard filtering).

Example Workflows

Using Sublist3r

sublist3r -d example.com

Output:

[+] Enumerating subdomains for example.com
[+] Discovered Subdomains:
    - www.example.com
    - mail.example.com
    - api.example.com
[+] Total Subdomains Found: 3

Using Subfinder

subfinder -d example.com

Output:

[INF] Enumerating subdomains for example.com
[INF] Found subdomain: www.example.com
[INF] Found subdomain: dev.example.com
[INF] Found subdomain: mail.example.com

Comparison of Sublist3r and Subfinder

Feature     | Sublist3r                                  | Subfinder
------------|--------------------------------------------|---------------------------------------------
Speed       | Slower due to reliance on search engines.  | Faster with API-based passive enumeration.
Sources     | Search engines like Google, Bing, Yahoo.   | APIs like VirusTotal, Shodan, Censys, etc.
Ease of Use | Simple CLI but less configurable.          | More customizable and robust configuration.
Output      | Basic text output.                         | Multiple formats (JSON, text, etc.).

Notes Summary

Command: sublist3r -d <domainname>
  Tool: Sublist3r
  Description: Enumerates subdomains using search engines.
  Output Example: "Discovered Subdomains: www.example.com, mail.example.com"

Command: sublist3r -d <domainname> -e google,bing
  Tool: Sublist3r
  Description: Focuses on specific search engines.
  Output Example: "Using Google and Bing: shop.example.com, dev.example.com"

Command: subfinder -d <domainname>
  Tool: Subfinder
  Description: Enumerates subdomains using passive sources.
  Output Example: "Found subdomain: api.example.com"

Command: subfinder -d <domainname> -o results.txt
  Tool: Subfinder
  Description: Saves results to a file.
  Output Example: Results saved to results.txt

Best Practices

  1. Combine Tools: Use Sublist3r and Subfinder together for comprehensive subdomain discovery.
  2. Authorization: Ensure you have permission to test the domain.
  3. Rate Limiting: Be cautious of rate limits imposed by search engines to avoid being blocked.
  4. Follow-Up Testing: Use discovered subdomains with tools like nmap or httpx for further analysis.
  5. Cross-Validation: Verify results against other tools such as dnsrecon or amass to confirm coverage.
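As an added example (not part of these notes and not code from either tool), the Python script below puts Best Practices 1 and 5 into practice: it parses the two console outputs shown under Example Workflows, normalises hostnames, drops anything outside the authorised root domain, and reports which hosts only one tool found. The sample outputs are constructed; since a real Subfinder run prints bare hostnames by default, plain one-per-line hosts are accepted as well.

```python
import re
# Constructed sample output modelled on the console output shown in these notes
# (not captured from a real run); a trailing dot, mixed case and an out-of-scope
# host are included to exercise the normalisation and the scope filter.
SUBLIST3R_OUTPUT = """\
[+] Enumerating subdomains for example.com
[+] Discovered Subdomains:
    - www.example.com
    - mail.example.com
    - API.example.com.
[+] Total Subdomains Found: 3
"""
SUBFINDER_OUTPUT = """\
[INF] Enumerating subdomains for example.com
[INF] Found subdomain: www.example.com
[INF] Found subdomain: dev.example.com
[INF] Found subdomain: mail.example.com
[INF] Found subdomain: cdn.notexample.com
"""
# Conservative hostname syntax: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
SUBFINDER_PREFIX = "[INF] Found subdomain: "

def normalize(name):
    # Lower-case and drop a trailing dot so the same host from both tools compares equal.
    return name.strip().rstrip(".").lower()

def parse_output(text, root):
    # Extract hostnames from either tool's console output (or bare one-per-line hosts);
    # status lines are skipped and only valid hosts at or below the root domain are kept.
    found = set()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("- "):                  # Sublist3r list entry
            line = line[2:]
        elif line.startswith(SUBFINDER_PREFIX):    # Subfinder log entry
            line = line[len(SUBFINDER_PREFIX):]
        elif line.startswith("["):                 # banner / counter lines
            continue
        name = normalize(line)
        if HOSTNAME_RE.match(name) and (name == root or name.endswith("." + root)):
            found.add(name)
    return found

def merge_results(root, sublist3r_text, subfinder_text):
    # Union both tools and report which hosts only one of them found (cross-validation).
    a = parse_output(sublist3r_text, root)
    b = parse_output(subfinder_text, root)
    return {"all": sorted(a | b), "both": sorted(a & b),
            "only_sublist3r": sorted(a - b), "only_subfinder": sorted(b - a)}
```

Hosts that appear in only one tool's list are the ones worth re-checking with dnsrecon or amass before they go into the asset inventory.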