As a user of the internet, you will have realized that multiple search engines such as MSN, Google, Yahoo, and Bing frequently learn and index new and existing websites to improve their search results. If you search for a company's website, you are most likely to discover the main domain name, such as company.com. A lot of organizations create subdomains for various reasons, however. As penetration testers, we would like to discover all the possible subdomains of a target organization as they can lead to login portals and sensitive corporate directories, which may contain confidential files and resources.
We can leverage the power of search engines for this task using the Sublist3r tool. Sublist3r is a Python-based tool that is used to enumerate (extract/obtain) the subdomains of a given website using OSINT, such as search engines and other internet indexing platforms.
The Sublist3r tool is not natively installed on Kali Linux, and so we will need to download it from its GitHub repository.
To get started, execute the following steps:
- Open the Terminal on your Kali Linux machine and execute the following command:
git clone https://github.com/aboul3la/Sublist3r.git
- Once the cloning process has been completed, change directory to the Sublist3r folder using the cd Sublist3r command.
- At this point, we can use the Sublist3r tool to search for the subdomains of a target domain (company) using the python sublist3r.py –d domain-name command. The screenshot to the left shows the successful invocation of the tool, while the right-hand screenshot shows the results being populated on the Terminal:
Using this tool can save us a lot of time that would otherwise have been spent manually searching the internet.
You have now learned how to efficiently discover subdomains for a target website using the Sublist3r tool on Kali Linux.