Skip to content

Sublist3r Executor

Category: Network Reconnaissance Script: sublist3r.sh (Shell script) Integration: CLI (bash) Faraday Plugin: Raw JSON (no plugin — generates Faraday JSON via jq)

Description

Runs Sublist3r to enumerate subdomains of a target domain, resolves each discovered subdomain to its IP address using getent hosts, and outputs Faraday JSON with the discovered hosts.

This is the only shell-script executor in the official collection.

Prerequisites

  • Sublist3r installed (sublist3r.py available in $PATH or /usr/bin)
  • jq installed for JSON construction
  • getent available (standard on Linux)

Configuration

Environment Variables (Setup)

(none required)

Execution Arguments

Parameter Type Mandatory Description
DOMAIN string Yes Target domain for subdomain enumeration (e.g., example.com)

YAML Configuration Example

executors:
  subdomain_enum:
    repo_executor: sublist3r.sh
    max_size: 65536
    varenvs: {}
    params:
      DOMAIN:
        mandatory: true
        type: string
        base: string

How It Works

  1. Runs sublist3r.py -d <domain> -o <output_file>
  2. Reads each discovered subdomain from the output file
  3. For each subdomain, runs getent hosts <subdomain> to resolve the IP address
  4. Uses jq to construct Faraday JSON with host entries (IP + hostname)
  5. Outputs the combined JSON

Notes

  • Sublist3r uses passive sources (search engines, DNS databases) — no active scanning of targets
  • getent hosts may fail for subdomains that don't resolve; these are skipped
  • The jq dependency is essential for JSON output construction