How To: Quickly Look Up the Valid Subdomains for Any Website

Quickly Look Up the Valid Subdomains for Any Website

Traditional subdomain enumeration techniques create a lot of noise on the target server and may alert intrusion detection systems to an attacker's intentions. For a stealthier approach, there's a tool with the capability of finding hundreds of subdomains related to the target website without alarming the server administrators.

What Are Subdomains?

Subdomains, sometimes referred to as "third-level" domains, have many different purposes. They're often used to create niche websites for a specific subset of users. For example, Null Byte ( is one of many subdomains in the WonderHowTo network of websites.

Subdomains are also commonly used to create separate mobile websites, such as and Other examples of subdomains include,, and

Why Subdomains Are Important to Hackers

These subdomains are interesting because while the subdomain and main domain share the main domain name, the two websites may actually reside on completely different servers, in different parts of the world, and may not exercise the same server-side security measures.

This exposes the website administrator(s) to a variety of attacks such as subdomain takeover attacks, like those that affected Donald Trump's fundraising website (which was defaced) and Uber's website (where a white hat was able to get at least $5,000 for reporting the bug) in 2017. There have also been incidents of banks falling victim to subdomain related attacks.

What Is Sublist3r?

Sublist3r, created by Ahmed Aboul-Ela, is a Python tool designed to find website subdomains using publicly available sources such as search engines and databases like Netcraft, VirusTotal, ThreatCrowd, DNSdumpster, Google, Bing, Baidu, and more. Sublist3r is a powerful tool capable of locating hundreds of subdomains belonging to a single target website without creating a noticeable attack fingerprint.

Step 1: Install Sublist3r

An older version of Sublist3r can be found in the Kali repositories. To avoid potential confusion, any version of Sublist3r which may already be installed should be removed using the below command.

apt-get autoremove sublist3r

Next, clone the Sublist3r GitHub repository. This will ensure the latest version is downloaded and all of Sublist3r's newest features and engines are available.

git clone

Step 2: Install Sublist3r's Dependencies

Then, cd into the "Sublist3r" directory and use pip, a tool for installing and managing Python packages, to install the Sublist3r dependencies. This command is required to run Sublist3r. The -r argument instructs pip to install the dependencies found in the "requirements.txt" file.

cd Sublist3r/
pip install -r requirements.txt

Step 3: Verify It's Working

The --help (or -h) argument can be used to verify Sublist3r is working properly and view the available options. As you'll see, each option has a long and short form argument available.

./ --help

That's it for cloning Sublist3r and installing dependencies — there are no modifications or configurations required.

Step 4: Find Subdomains with Sublist3r

To start enumerating subdomains, use the below command.

./ --domain --ports 80,443 --verbose --threads 50 --output /path/to/filename.txt

  • The --domain (or -d) argument defines the target website. This is the target website which Sublist3r will attempt to find subdomains for.
  • Ports 80 and 443 (defined using --ports or -p) are the official TCP ports reserved for websites. Sublist3r can attempt to enumerate subdomains on additional ports, but as these are the most common ports used by websites on the entire internet, it's safe to restrict the command to just these ports.
  • Sublist3r can print additional information related to discovered subdomains as the command is running. This is an optional setting and enabled using the --verbose (or -v) argument.
  • Websites (e.g., Google) may blacklist or rate-limit requests originating from a users IP address, which would cause Sublist3r to produce fewer results. By default, Sublist3r locates subdomains within seconds. Modifying the --thread (or -t) count is another optional argument, but some readers may wish to increase (or decrease) the speed of the enumeration.
  • Where the list of discovered subdomains are saved to is defined by the --output (or -o) argument. If this argument is not included in the command, Sublist3r will simply print the subdomains in the terminal.

For example, I chose the following for my query, and as seen in the image below, Sublist3r will use every search engine and database at its disposal, then print the results it finds to the .txt file we indicated. If there is no path indicated before the filename you select, the file will be created and saved in the current directory.

./ --domain --ports 80,443 --verbose --threads 50 --output filename.txt

If only one or two search engines are desired, the --engines (or -e) argument can be used. The engines should be separated by a single comma (,) as shown in the below command.

./ -d --engines engine,engine,engine -p 80,443

Below is an example command where I enumerated WonderHowTo subdomains using only the DNSdumpster and Yahoo engines and omitted the --output argument.

./ -d --engines dnsdumpster,yahoo -p 80,443

That's it for downloading and using Sublist3r to enumerate subdomains via open-source intelligence gathering. Leave questions and comments below or message me on Twitter @tokyoneon_ if you have any further thoughts.

Cover image by Soumil Kumar/PEXELS and Screenshots by tokyoneon/Null Byte

1 Comment

So please tell us how many subdomains for WonderHowTo do you have found with ALL engines enabled?

Share Your Thoughts

  • Hot
  • Latest