Sublist3r

Sublist3r is a Python tool that finds subdomains of a given website domain. A subdomain is a prefix attached to a domain name, like "mail.example.com" or "api.example.com". Organizations often run separate services or systems on different subdomains, and finding them all is a common first step in security testing and bug bounty research. Sublist3r is designed for penetration testers and bug hunters who need a fast, automated way to collect that list.

The tool queries multiple public sources at once: search engines including Google, Yahoo, Bing, Baidu, and Ask, plus dedicated security databases such as Netcraft, VirusTotal, ThreatCrowd, DNSdumpster, and ReverseDNS. It also bundles an optional bruteforce module called subbrute, which tries many possible subdomain names against the target using a wordlist to catch ones that do not appear in public indexes.

From the command line, you point it at a domain name and it returns a list of discovered subdomains. Optional flags let you filter that list to only show subdomains with specific open network ports (like 80 for web traffic or 443 for encrypted web traffic), display results as they come in rather than waiting for a full scan, and save results to a file. You can also import it directly into a Python script and call its main function if you want to incorporate subdomain enumeration into a larger automated workflow.

Installation requires cloning the repository and installing three Python libraries: requests, dnspython, and argparse. The tool supports both Python 2.7 and Python 3.4 or newer, and installation instructions for Windows, Ubuntu/Debian, and CentOS/Red Hat are all included in the README.

The project is licensed under the GNU GPL license and is at version 1.0. The bruteforce wordlist comes from separate research by another contributor, and several individuals are credited for improvements to the tool over time.