Sublist3r, a tool to find subdomains
Note: the Sublist3r tool can be used for illegal activities. Please keep in mind that all your actions are your own responsibility.
The first step of a complete and thorough penetration test is reconnaissance. During this phase, a penetration tester gathers as much information as possible. One important, and often missed, piece of information is the set of subdomains of a specific domain. The subdomains can reveal information about the staging environment, the mail service in use, or even an API of the company. An attacker who cannot get into the production system may instead work their way into one of the systems behind a subdomain. To find the subdomains yourself, you can use a tool named Sublist3r.
Installation
The installation is pretty straightforward. You have to clone the repository of Sublist3r.
git clone https://github.com/aboul3la/Sublist3r.git
cd Sublist3r
Dependencies:
The file requirements.txt contains all the Python library dependencies. For the tool to run, all of these modules must be installed.
sudo pip3 install -r requirements.txt
Usage:
python3 sublist3r.py -d example.com
The result should look somewhat similar to the following figure.

In the results, you can see multiple subdomains. The functionality of the systems found on these subdomains varies greatly; some examples are APIs, web servers and mail servers. By pinging all the subdomains, one can find the IP address of each system. Furthermore, you can perform a thorough port scan with tools like nmap to find out which services are running on the system behind a specific subdomain.
To prevent your legacy systems from being hacked, or to protect yourself from other malicious activity on your subdomains, you should also run the tool on your own domain name. Finding out which subdomains are publicly visible gives you a better overview of your exposed surface. I suggest you disable unused subdomains entirely. The fastest way to do so is to remove or change their DNS records, which you usually do in the settings of your hosting provider.
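As an added example (not part of Sublist3r or of this article), the script below takes the hostname list Sublist3r saves with its -o option, resolves each name, and sorts the results into subdomains you intended to expose, ones you did not, and names that appear in public sources but no longer resolve. The sample list and the inventory of known subdomains are constructed; the resolver is injectable so the audit can also be run offline.

```python
"""Audit a saved Sublist3r result list against the subdomains you intend to expose."""
import socket
from typing import Callable, Dict, Iterable, List, Set

# Constructed sample of what Sublist3r prints or saves with -o: one hostname per line.
SUBLIST3R_OUTPUT = """\
www.example.com
api.example.com
Staging.example.com
www.example.com
mail.example.com
old-cms.example.com
"""

# Constructed inventory: the subdomains the owner knows about and wants public.
KNOWN_PUBLIC: Set[str] = {"www.example.com", "api.example.com", "mail.example.com"}


def parse_sublist3r_output(text: str) -> List[str]:
    """Normalise the saved list: drop blanks, lowercase, strip trailing dots, dedupe in order."""
    seen, hosts = set(), []
    for line in text.splitlines():
        host = line.strip().lower().rstrip(".")
        if host and host not in seen:
            seen.add(host)
            hosts.append(host)
    return hosts


def audit_subdomains(hosts: Iterable[str], known: Set[str],
                     resolve: Callable[[str], str] = socket.gethostbyname) -> Dict[str, List[str]]:
    """Classify each discovered host.

    expected   : resolves and is on the inventory
    unexpected : resolves, but nobody listed it as intentionally public (candidate to disable in DNS)
    stale      : still shows up in public sources but no longer resolves
    """
    report: Dict[str, List[str]] = {"expected": [], "unexpected": [], "stale": []}
    for host in hosts:
        try:
            addr = resolve(host)
        except OSError:  # socket.gaierror is a subclass of OSError
            report["stale"].append(host)
            continue
        report["expected" if host in known else "unexpected"].append(f"{host} -> {addr}")
    return report


if __name__ == "__main__":
    for bucket, entries in audit_subdomains(parse_sublist3r_output(SUBLIST3R_OUTPUT), KNOWN_PUBLIC).items():
        print(bucket, entries)
```

Anything in the "unexpected" bucket is what the advice above is about: either add it to your inventory deliberately or remove its DNS record.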