Traditional subdomain enumeration techniques create a lot of noise on the target server and may alert intrusion detection systems to an attacker's intentions. For a stealthier approach, there's a tool with the capability of finding hundreds of subdomains related to the target website without alarming the server administrators.
Subdomains, sometimes referred to as "third-level" domains, have many different purposes. They're often used to create niche websites for a specific subset of users. For example, Null Byte (null-byte.wonderhowto.com) is one of many subdomains in the WonderHowTo network of websites.
Subdomains are also commonly used to create separate mobile websites, such as m.facebook.com and mobile.twitter.com. Other examples of subdomains include shop.protonmail.com, support.hackerone.com, and developer.github.com.
These subdomains are interesting because, although a subdomain and its parent domain share the same domain name, the two websites may actually reside on completely different servers, in different parts of the world, and may not apply the same server-side security measures.
This exposes the website administrator(s) to a variety of attacks, such as subdomain takeover attacks like those that affected Donald Trump's fundraising website (which was defaced) and Uber's website (where a white hat was able to get at least $5,000 for reporting the bug) in 2017. There have also been incidents of banks falling victim to subdomain-related attacks.
Sublist3r, created by Ahmed Aboul-Ela, is a Python tool designed to find website subdomains using publicly available sources such as search engines and databases like Netcraft, VirusTotal, ThreatCrowd, DNSdumpster, Google, Bing, Baidu, and more. Sublist3r is a powerful tool capable of locating hundreds of subdomains belonging to a single target website without creating a noticeable attack fingerprint.
apt-get autoremove sublist3r
Next, clone the Sublist3r GitHub repository. This will ensure the latest version is downloaded and all of Sublist3r's newest features and engines are available.
git clone https://github.com/aboul3la/Sublist3r
Then, cd into the "Sublist3r" directory and use pip, a tool for installing and managing Python packages, to install the Sublist3r dependencies. This command is required to run Sublist3r. The -r argument instructs pip to install the dependencies found in the "requirements.txt" file.
pip install -r requirements.txt
The --help (or -h) argument can be used to verify Sublist3r is working properly and view the available options. As you'll see, each option has a long and short form argument available.
That's it for cloning Sublist3r and installing dependencies — there are no modifications or configurations required.
To start enumerating subdomains, use the below command.
./sublist3r.py --domain target_website.com --ports 80,443 --verbose --threads 50 --output /path/to/filename.txt
- The --domain (or -d) argument defines the target website, i.e., the domain for which Sublist3r will attempt to find subdomains.
- Ports 80 and 443 (defined using --ports or -p) are the standard TCP ports for HTTP and HTTPS. Sublist3r can attempt to enumerate subdomains on additional ports, but as these are by far the most common ports used by websites, it's safe to restrict the command to just these two.
- Sublist3r can print additional information related to discovered subdomains as the command is running. This is an optional setting and enabled using the --verbose (or -v) argument.
- Websites (e.g., Google) may blacklist or rate-limit requests originating from a user's IP address, which would cause Sublist3r to produce fewer results. By default, Sublist3r locates subdomains within seconds. The --threads (or -t) count is another optional argument; some readers may wish to increase (or decrease) the speed of the enumeration.
- Where the list of discovered subdomains is saved is defined by the --output (or -o) argument. If this argument is not included in the command, Sublist3r will simply print the subdomains in the terminal.
For example, I chose the following for my query, and as seen in the image below, Sublist3r will use every search engine and database at its disposal, then print the results it finds to the .txt file we indicated. If there is no path indicated before the filename you select, the file will be created and saved in the current directory.
./sublist3r.py --domain target_website.com --ports 80,443 --verbose --threads 50 --output filename.txt
If only one or two search engines are desired, the --engines (or -e) argument can be used. The engines should be separated by a single comma (,) as shown in the below command.
./sublist3r.py -d target_website.com --engines engine,engine,engine -p 80,443
Below is an example command where I enumerated WonderHowTo subdomains using only the DNSdumpster and Yahoo engines and omitted the --output argument.
./sublist3r.py -d wonderhowto.com --engines dnsdumpster,yahoo -p 80,443
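The commands above produce a list of hostnames (plain lines in the --output file, plus "host - Found open ports: ..." lines in the --verbose terminal output when -p is used). As an added example, not code from the original post or from the Sublist3r project, the script below shows the defender's side of that list: parse both line formats, normalise the hostnames, and diff them against an asset register so unknown ("shadow") subdomains stand out. The sample output and the register are constructed; the parent domain example.com and the helper names are assumptions.

```python
import re

# Constructed sample mixing --output file lines and --verbose console lines.
# The "Found open ports" form matches what sublist3r.py prints when -p is given.
SAMPLE_OUTPUT = """\
www.example.com
m.example.com - Found open ports: 80, 443
Shop.Example.com.
*.dev.example.com
support.example.com - Found open ports: 443
legacy-cdn.example.com
www.example.com
not-ours.example.org
example.com
"""

# Constructed asset register: hostnames the organisation knows it owns.
KNOWN_ASSETS = {"www.example.com", "m.example.com", "shop.example.com"}

_PORTS_RE = re.compile(r"\s+-\s+Found open ports:\s*(.*)$")


def parse_sublist3r(text, apex):
    """Return {hostname: set(open_ports)} for every in-scope host in the output.

    Handles duplicate lines, mixed case, trailing dots, wildcard entries and
    hosts that are not under the requested parent domain.
    """
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        ports = set()
        match = _PORTS_RE.search(line)
        if match:
            ports = {int(p) for p in match.group(1).split(",") if p.strip()}
            line = line[:match.start()]
        host = line.lower().rstrip(".")
        if host.startswith("*."):
            host = host[2:]  # wildcard record: track the base name it hangs off
        if host == apex or not host.endswith("." + apex):
            continue  # the apex itself, or a host outside the target domain
        found.setdefault(host, set()).update(ports)
    return found


def unknown_subdomains(found, known):
    """Hosts Sublist3r discovered that are missing from the asset register."""
    return sorted(host for host in found if host not in known)


if __name__ == "__main__":
    hosts = parse_sublist3r(SAMPLE_OUTPUT, "example.com")
    for host in unknown_subdomains(hosts, KNOWN_ASSETS):
        ports = ",".join(str(p) for p in sorted(hosts[host])) or "none seen"
        print(f"UNKNOWN {host} (open ports: {ports})")
```

Any host printed as UNKNOWN is a candidate for the dangling-DNS and ownership checks the subdomain takeover incidents above call for.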
That's it for downloading and using Sublist3r to enumerate subdomains via open-source intelligence gathering. Leave questions and comments below or message me on Twitter @tokyoneon_ if you have any further thoughts.