home / skills / transilienceai / communitytools / subdomain_enumeration

subdomain_enumeration skill

needs review

/projects/techstack_identification/.claude/skills/subdomain_enumeration

This skill enumerates subdomains for a domain using CT logs, passive DNS, and dorks to map attack surface.

npx playbooks add skill transilienceai/communitytools --skill subdomain_enumeration

Review the files below or copy the command above to add this skill to your agents.

Files (1)

SKILL.md

4.3 KB

---
name: subdomain-enumeration
description: Enumerates subdomains using CT logs, passive DNS, and search engine dorks
tools: Bash, WebFetch
model: inherit
hooks:
  PreToolUse:
    - matcher: "Bash"
      hooks:
        - type: command
          command: "../../../hooks/skills/pre_network_skill_hook.sh"
        - type: command
          command: "../../../hooks/skills/pre_rate_limit_hook.sh"
  PostToolUse:
    - matcher: "Bash"
      hooks:
        - type: command
          command: "../../../hooks/skills/post_skill_logging_hook.sh"
---

# Subdomain Enumeration Skill

## Purpose

Enumerate all discoverable subdomains for a given domain using passive reconnaissance techniques including Certificate Transparency logs, passive DNS, and search engine dorks.

## Operations

### 1. query_crt_sh

Query Certificate Transparency logs via crt.sh API.

**Endpoint:**
```
GET https://crt.sh/?q=%25.{domain}&output=json
```

**Process:**
1. URL encode the wildcard query
2. Make HTTP GET request
3. Parse JSON response
4. Extract unique subdomains from name_value field
5. Deduplicate and sort results

**Example Response:**
```json
[
  {
    "issuer_ca_id": 183267,
    "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
    "common_name": "*.example.com",
    "name_value": "api.example.com\nwww.example.com"
  }
]
```

### 2. search_engine_dorks

Use search engine dorks to discover subdomains.

**Dork Queries:**
```
site:*.{domain} -www
site:{domain} inurl:subdomain
site:*.*.{domain}
```

**Process:**
1. Execute each dork query
2. Extract unique subdomains from results
3. Validate each subdomain resolves
4. Merge with CT log results

### 3. check_common_subdomains

Test a wordlist of common subdomains.

**Common Subdomain Wordlist:**
```
api, app, dev, staging, test, beta, www, mail, webmail,
admin, portal, dashboard, docs, status, support, help,
blog, news, cdn, static, assets, media, img, images,
auth, login, sso, id, account, my, secure, vpn,
git, gitlab, github, jenkins, ci, build, deploy,
k8s, kubernetes, docker, registry, grafana, prometheus,
shop, store, checkout, cart, payments, billing,
crm, erp, hr, internal, intranet, wiki, confluence,
slack, jira, trello, asana, notion, airtable,
aws, azure, gcp, cloud, s3, storage, backup,
mobile, ios, android, m, wap,
v1, v2, v3, api-v1, api-v2, rest, graphql, gql
```

**Process:**
1. For each subdomain in wordlist:
   - Construct FQDN: {subdomain}.{domain}
   - Attempt DNS resolution
   - Record if resolves
2. Return list of valid subdomains

### 4. passive_dns_lookup

Query passive DNS databases (if available).

**Data Sources:**
- VirusTotal (requires API key)
- SecurityTrails (requires API key)
- DNSDumpster (free, limited)

**Note:** This operation is optional and depends on available API access.

## Output

```json
{
  "skill": "subdomain_enumeration",
  "domain": "string",
  "results": {
    "total_subdomains": "number",
    "subdomains": [
      {
        "fqdn": "api.example.com",
        "source": "crt.sh",
        "resolves": true,
        "ip_addresses": ["array"]
      }
    ],
    "sources_queried": ["crt.sh", "search_dorks", "wordlist"],
    "naming_patterns_detected": [
      {
        "pattern": "{env}-{service}",
        "examples": ["prod-api", "staging-api", "dev-api"]
      }
    ]
  },
  "evidence": [
    {
      "type": "ct_log",
      "source": "crt.sh",
      "count": "number",
      "timestamp": "ISO-8601"
    }
  ]
}
```

## Naming Pattern Detection

Analyze discovered subdomains to detect naming conventions:

```
Pattern: {environment}-{service}
  Examples: prod-api, staging-web, dev-backend

Pattern: {service}.{environment}
  Examples: api.prod, web.staging, backend.dev

Pattern: {service}{number}
  Examples: api1, api2, web01, web02

Pattern: {geo}-{service}
  Examples: us-east-api, eu-west-cdn, apac-app
```

## Rate Limiting

| Source | Rate Limit |
|--------|------------|
| crt.sh | 10 requests/minute |
| Search engines | 10 requests/minute |
| DNS resolution | 30 requests/minute |

## Error Handling

- If crt.sh times out, retry with backoff
- If search engine blocks, wait and retry
- Continue with partial results if some sources fail
- Log all errors for debugging

## Security Considerations

- Only use passive techniques
- No active subdomain brute-forcing
- Respect rate limits to avoid blocking
- Log all queries for audit trail

Overview

This skill enumerates discoverable subdomains for a target domain using passive reconnaissance: Certificate Transparency logs, passive DNS sources, search-engine dorks, and common subdomain wordlists. It focuses on non-intrusive data collection and returns validated FQDNs, resolution status, IP addresses, source attribution, and detected naming patterns. Results are suitable for penetration testing, bug bounty triage, and security research.

How this skill works

The skill queries crt.sh to pull certificate entries for the target domain, normalizes and deduplicates name_value entries, and extracts candidate subdomains. It runs search-engine dorks to gather indexed hosts and parses results for additional FQDNs. A common-subdomain wordlist is applied and each candidate is DNS-resolved; optional passive-DNS APIs (VirusTotal, SecurityTrails, DNSDumpster) are queried when API keys are available. Final output merges sources, validates resolution, annotates IPs, and analyzes naming patterns.

When to use it

Initial external reconnaissance during a pentest or bug bounty engagement
Triage of a newly reported domain or asset scope validation
Discovery prior to vulnerability scanning or web application testing
Security research and monitoring of external asset exposure
Inventorying subdomains for attack surface reduction initiatives

Best practices

Use only passive sources and respect rate limits to avoid blocking
Supply API keys for passive DNS services to increase coverage when permitted
Validate every candidate by DNS resolution and record IP addresses and TTLs
Deduplicate and sort results; annotate each subdomain with its source(s) and evidence timestamps
Implement exponential backoff and logging for crt.sh and search engine queries to handle rate limiting and blocks

Example use cases

Enumerate subdomains of a client domain before scoped penetration testing to build a safe target list
Augment bug bounty reports with crt.sh and passive-DNS evidence for newly discovered hosts
Run periodic checks to detect leaked or forgotten subdomains exposed in CT logs
Combine wordlist checks with naming-pattern detection to find environment-specific hosts like staging-api or dev-backend
Validate third-party or partner domains for unexpected subdomain exposure prior to onboarding

FAQ

Does this perform active brute-force subdomain enumeration?

No. The skill uses passive techniques (CT logs, search dorks, passive DNS, and a common-wordlist DNS check) and avoids intrusive brute-force scanning.

What if a passive DNS provider requires an API key?

The skill supports optional passive-DNS integrations; provide API keys to enable VirusTotal or SecurityTrails lookups. Without keys, the skill continues with crt.sh, search dorks, and the wordlist.