subdomain_enumeration_skill

This skill enumerates subdomains for a domain using CT logs, passive DNS, and dorks to map attack surface.
  • Python

42

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill transilienceai/communitytools --skill subdomain_enumeration

  • SKILL.md4.3 KB

Overview

This skill enumerates discoverable subdomains for a target domain using passive reconnaissance: Certificate Transparency logs, passive DNS sources, search-engine dorks, and common subdomain wordlists. It focuses on non-intrusive data collection and returns validated FQDNs, resolution status, IP addresses, source attribution, and detected naming patterns. Results are suitable for penetration testing, bug bounty triage, and security research.

How this skill works

The skill queries crt.sh to pull certificate entries for the target domain, normalizes and deduplicates name_value entries, and extracts candidate subdomains. It runs search-engine dorks to gather indexed hosts and parses results for additional FQDNs. A common-subdomain wordlist is applied and each candidate is DNS-resolved; optional passive-DNS APIs (VirusTotal, SecurityTrails, DNSDumpster) are queried when API keys are available. Final output merges sources, validates resolution, annotates IPs, and analyzes naming patterns.

When to use it

  • Initial external reconnaissance during a pentest or bug bounty engagement
  • Triage of a newly reported domain or asset scope validation
  • Discovery prior to vulnerability scanning or web application testing
  • Security research and monitoring of external asset exposure
  • Inventorying subdomains for attack surface reduction initiatives

Best practices

  • Use only passive sources and respect rate limits to avoid blocking
  • Supply API keys for passive DNS services to increase coverage when permitted
  • Validate every candidate by DNS resolution and record IP addresses and TTLs
  • Deduplicate and sort results; annotate each subdomain with its source(s) and evidence timestamps
  • Implement exponential backoff and logging for crt.sh and search engine queries to handle rate limiting and blocks

Example use cases

  • Enumerate subdomains of a client domain before scoped penetration testing to build a safe target list
  • Augment bug bounty reports with crt.sh and passive-DNS evidence for newly discovered hosts
  • Run periodic checks to detect leaked or forgotten subdomains exposed in CT logs
  • Combine wordlist checks with naming-pattern detection to find environment-specific hosts like staging-api or dev-backend
  • Validate third-party or partner domains for unexpected subdomain exposure prior to onboarding

FAQ

No. The skill uses passive techniques (CT logs, search dorks, passive DNS, and a common-wordlist DNS check) and avoids intrusive brute-force scanning.

What if a passive DNS provider requires an API key?

The skill supports optional passive-DNS integrations; provide API keys to enable VirusTotal or SecurityTrails lookups. Without keys, the skill continues with crt.sh, search dorks, and the wordlist.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
subdomain_enumeration skill by transilienceai/communitytools | VeilStrat