ZeroTrace OSINT
Sublist3r Builder
Build subdomain-enumeration command lines for Sublist3r, with source selection and output options.
Sublist3r is a popular subdomain-enumeration tool that aggregates results from many public sources. The builder configures source selection, output format, and the brute-force option, then assembles the command line.
For most subdomain work, the toolkit's own subdomain discovery is the right tool — it runs inside the application, pivots into the rest of your investigation, and pins to your profile. Sublist3r is the right tool when you specifically want Sublist3r's source aggregation or its output integrating with other shell-based pipelines.
What you configure
| Section | Options |
|---|---|
| Domain | The apex to enumerate |
| Sources | Select which engines to query: Baidu, Yahoo, Google, Bing, ASK, Netcraft, DNSdumpster, VirusTotal, ThreatCrowd, SSL Certificates, PassiveDNS |
| Brute-force | Enable optional brute-force pass with a wordlist |
| Wordlist | Path to wordlist (only when brute-force enabled) |
| Threads | Concurrency for brute-force |
| Output file | Where to save discovered subdomains |
| Verbose mode | Detailed source attribution per result |
Source selection guidance
Different sources have different strengths:
- Search-engine sources (Google, Bing, Yahoo, Baidu) — broad coverage but rate-limited; can return stale results.
- Certificate transparency (SSL Certificates source) — historical truth; catches every certificate-bearing subdomain ever.
- Passive DNS (PassiveDNS, ThreatCrowd) — community feeds; good for lateral / co-hosted infrastructure.
- DNS-resolver indexers (DNSdumpster, Netcraft) — useful for active-DNS view.
For a thorough enumeration, run all sources. For a quick look, certificate transparency alone often catches the majority.
Generated command
sublist3r -d example.com -e google,bing,yahoo,ssl,passivedns -t 30 -o subdomains.txt -v
Pivots
Sublist3r output feeds into:
- The toolkit's subdomain discovery — paste the discovered list into the live-probe pass to find which are alive.
- Site analysis — per discovered subdomain.
- TLS inspector — per discovered subdomain.
The toolkit's built-in subdomain discovery overlaps with Sublist3r and runs inside the application without leaving the workflow. Use Sublist3r when you specifically need its sources or its shell-pipeline integration; otherwise the in-app tool is faster.
Sources
- The flag-explanation catalog is bundled.
- No external sources are queried (the builder produces a command; running it queries Sublist3r's own configured sources).