loading
loading
Recon
Enumerate subdomains using OSINT across many search engines.
overview
Sublist3r enumerates a domain's subdomains from open sources. It queries search engines including Google, Yahoo, Bing, Baidu, and Ask, plus services like Netcraft, VirusTotal, ThreatCrowd, and DNSdumpster, then merges everything they have indexed into one deduplicated list. For penetration testers and bug hunters it is a quick way to gather a target's known names without sending traffic to the target.
It also goes active on demand. Enable the bundled SubBrute module with -b and Sublist3r resolves a wordlist of candidate names against the domain, catching subdomains no search engine surfaced. Set -t to raise the brute-force thread count, -e to limit which engines it queries, and -p to scan the discovered hosts against specific TCP ports.
On Trickest, Sublist3r is a Recon node that takes a domain and writes a file and a folder of subdomains. Reach for it early: run a fast passive sweep to scope a target, then pass the names to httpx to learn which are live before deeper scanning.
use cases
Query Google, Bing, Yahoo, Baidu, and Ask at once with -d to collect the subdomains a target already has indexed across the public web.
Turn on the SubBrute module with -b to resolve a wordlist alongside the passive results and catch names the search engines never surfaced.
Run a fast passive sweep at the start of an engagement to build a working subdomain list before deeper recon.
Pass -p with a port list to scan the discovered subdomains and flag which expose services worth probing next.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| domain | STRING | -d | Domain name to enumerate subdomains of. |
| engines | STRING | -e | Comma-separated list of search engines to use. |
| bruteforce | BOOLEAN | -b | Enable the SubBrute brute-force module. |
| threads | STRING | -t | Number of threads to use for the SubBrute brute-force. |
| ports | STRING | -p | Scan the found subdomains against specific TCP ports. |
| verbose | BOOLEAN | -v | Enable verbose mode and display results in real time. |
Showing key inputs. sublist3r exposes 6 inputs in total.
example
# search-engine OSINT sweep plus SubBrute, save resultssublist3r -d example.com -e google,bing,yahoo -b -t 50 -o subdomains.txt[-] Enumerating subdomains now for example.com[-] Searching now in Google..[-] Searching now in Bing..[-] Searching now in Yahoo..[-] Total Unique Subdomains Found: 5www.example.comapi.example.commail.example.comdev.example.comstaging.example.comguidance
Use Sublist3r for a fast OSINT subdomain sweep across search engines, optionally with brute forcing bolted on. It finds names, not live hosts, so follow it with httpx. For broader passive sources and per-provider rate limits, subfinder is the more modern choice.
Modern passive enumerator with many sources and rate-limit controls. Sublist3r leans on search engines plus optional brute forcing.
Deeper OSINT and DNS mapping. Sublist3r is lighter and quicker for a first passive pass.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
A domain feeds Sublist3r, which enumerates subdomains via OSINT and passes them to httpx so only live names land as output.
Facts on this page come from the live Trickest tool library.