sublist3r – finding subdomains

What does it do?

sublist3r helps you finding subdomains for a given domain.

It uses a bunch of openly available sources to do that and is therefore a passive tool.

You can find it on github or if you are using Kali you can just install it through apt.

Why is that useful?

Generally it gives you an overview of what the company put out there. Maybe there is a webmail subdomain, somthing that seems like cloud storage and so forth.

Also more often than not there are servers that should not be out in the open.

Maybe this FTP Server that was ment as a workaround to exchange data with a content agency and that became a permanent solution over time.

Or a Webserver that was just used for this one presentation and then nobody shut it down after.

So – subdomains like or etc are always worth to look at,

Usually these servers are not well maintained and with a bit of luck expose information that should not be there.

How does it work?

Let’s have a look at the –help output;

Most of the time you will probably just use the  -d switch together with a domain name and go for it.

sublist3r -d


you can see what sources sublist3r uses to find subdomains. (Never mind the error message – it just means that one source didn’t work out)

At the end you can see what it found. so assets and docs for example are subdomains of

If you are only interested in subdomains that run a HTTP Server you can add the -p switch

sublist3r -p80,443 -d

or you can add the -o switch to write the results to a file

sublist3r -p80,443 -d -o tryhackme.txt 




Sublist3r is a easy-to-use tool that you will probably use quite early in the process. It is quick, does what it is supposed to and produces valuable information.

Leave a Reply

Your email address will not be published. Required fields are marked *