transilienceai/communitytools
Overview
This skill enumerates discoverable subdomains for a target domain using passive reconnaissance: Certificate Transparency logs, passive DNS sources, search-engine dorks, and common subdomain wordlists. It focuses on non-intrusive data collection and returns validated FQDNs, resolution status, IP addresses, source attribution, and detected naming patterns. Results are suitable for penetration testing, bug bounty triage, and security research.
How this skill works
The skill queries crt.sh to pull certificate entries for the target domain, normalizes and deduplicates name_value entries, and extracts candidate subdomains. It runs search-engine dorks to gather indexed hosts and parses results for additional FQDNs. A common-subdomain wordlist is applied and each candidate is DNS-resolved; optional passive-DNS APIs (VirusTotal, SecurityTrails, DNSDumpster) are queried when API keys are available. Final output merges sources, validates resolution, annotates IPs, and analyzes naming patterns.
When to use it
- Initial external reconnaissance during a pentest or bug bounty engagement
- Triage of a newly reported domain or asset scope validation
- Discovery prior to vulnerability scanning or web application testing
- Security research and monitoring of external asset exposure
- Inventorying subdomains for attack surface reduction initiatives
Best practices
- Use only passive sources and respect rate limits to avoid blocking
- Supply API keys for passive DNS services to increase coverage when permitted
- Validate every candidate by DNS resolution and record IP addresses and TTLs
- Deduplicate and sort results; annotate each subdomain with its source(s) and evidence timestamps
- Implement exponential backoff and logging for crt.sh and search engine queries to handle rate limiting and blocks
Example use cases
- Enumerate subdomains of a client domain before scoped penetration testing to build a safe target list
- Augment bug bounty reports with crt.sh and passive-DNS evidence for newly discovered hosts
- Run periodic checks to detect leaked or forgotten subdomains exposed in CT logs
- Combine wordlist checks with naming-pattern detection to find environment-specific hosts like staging-api or dev-backend
- Validate third-party or partner domains for unexpected subdomain exposure prior to onboarding
FAQ
No. The skill uses passive techniques (CT logs, search dorks, passive DNS, and a common-wordlist DNS check) and avoids intrusive brute-force scanning.
What if a passive DNS provider requires an API key?
The skill supports optional passive-DNS integrations; provide API keys to enable VirusTotal or SecurityTrails lookups. Without keys, the skill continues with crt.sh, search dorks, and the wordlist.
16 skills
This skill enumerates subdomains for a domain using CT logs, passive DNS, and dorks to map attack surface.
This skill analyzes HTML to extract technology signals from meta tags, comments, script patterns, and structured data for security research.
This skill analyzes an organization's security posture by evaluating headers, CSP, HSTS, security.txt, and email security signals to identify gaps.
This skill coordinates pentest activities, deploying specialized agents, aggregating findings, and generating comprehensive reports to streamline engagement
This skill queries Certificate Transparency logs to discover SANs, infer subdomain patterns, and surface potential internal naming conventions for security
This skill infers frontend technologies by analyzing signals from JavaScript, HTML, and CSS to identify frameworks and UI patterns.
This skill analyzes Wayback snapshots to detect technology migrations over time, revealing historical stack changes and migration patterns for a domain.
This skill detects cloud providers, PaaS, and serverless platforms from signals such as IP, DNS, headers, and TLS to identify infrastructure.
This skill discovers public API portals, OpenAPI/Swagger endpoints, and developer docs to map exposure and assist security research.
This skill identifies third-party services such as payments, analytics, auth, CRM, and support from signals across a target.
This skill coordinates specialized agents to identify and validate XSS, injection, CSRF, and other web vulnerabilities across modern apps.
This skill finds and validates a company's official domain using web search, WHOIS lookups, and common TLD checks.
This skill detects frontend frameworks by analyzing global variables, DOM attributes, bundle patterns, and source maps to reveal technologies.
This skill identifies CDNs and WAFs from HTTP, DNS, and TLS signals to reveal protection layers and potential exposure.
This skill automates HackerOne workflows by parsing scope CSVs, deploying parallel pentest agents, validating PoCs, and generating ready-to-submit reports.
This skill extracts technology requirements from job postings and career pages to reveal a company's tech stack for targeted talent insights.