Subdomain discovery is very essential for information gathering during penetration testing on web applications. There are lots of tools available for it. We need to use them and find our subdomains because it is possible to find subdomains with some valuable information or some bugs which may lead our penetration testing or bug hunting process.
In today's article we are going to discuss about how we can find subdomains using sublist3r on our Kali Linux system. Sublist3r is a Python tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug bounty hunters collect and gather subdomains for the domain they are targeting. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster and ReverseDNS.
Subbrute is integrated with Sublist3r to increase the possibility of finding more subdomains using bruteforce technology with an improved password list.
Install & Use Sublist3r on Kali Linux
Enough discussion, let's install Sublist3r on our Kali Linux system. Sublist3r comes with Kali Linux repository and we can easily install it by applying following command:
This command will install sublist3r on our system, as we can see in the following screenshot:
After the task is finished, we can use sublist3r on our system. First of all let's check it's help options by using following command:
In the following screenshot we can see the options of sublist3r tool.
Simply we can put a target domain to find it's subdomains by using -d flag. Lets check for subdomains of Google by using following command:
In the following screenshot we can see that sublist3r discovered subdomains of Google.com.
In the above screenshot we can see that we got almost 38k unique subdomains for google.com.
If we want to save all the subdomains in a text file then we can use -o flag. Then our command will be like following:
By using above command we can save the subdomains list on a txt file with any name.
We also can search for subdomains of specific domain and show only subdomains which have open ports. We can specify our required open ports by using -p flag.
For an example if we want to check subdomains on facebook.com domain which have port 80 and 443 is opened and save the output on a file named fbsubdomains.txt then we need to use following command:
We can see in the following screenshot that we have discovered the subdomains of facebook.com which have port 80 and port 443 opened and we saved the output on a text file.
This is how we can perform subdomain enumeration using Sublist3r on our Kali Linux system. This is very useful for cybersecurity experts, during the recon process.
Love our articles? Make sure to follow us on Twitter and GitHub, we post article updates there. To join our KaliLinuxIn family, join our Telegram Group. We are trying to build a community for Linux and Cybersecurity. For anything we always happy to help everyone on the comment section. As we know our comment section is always open to everyone. We read each and every comment and we always reply.