🧪 Skills

Subdomain Enum

Enumerate subdomains for any domain using DNS brute-force and certificate transparency logs (crt.sh). Use when a user needs to discover subdomains, perform r...

v1.0.0
❤️ 0
⬇️ 48
👁 1
Save📁 Collect
Share

Description

name: subdomain-enum description: Enumerate subdomains for any domain using DNS brute-force and certificate transparency logs (crt.sh). Use when a user needs to discover subdomains, perform reconnaissance, audit attack surface, find forgotten or exposed services, or map the infrastructure of a domain. No API keys required. Supports custom wordlists, concurrent threads, and JSON output.

Subdomain Enumerator

Discover subdomains for any domain using two complementary techniques: DNS brute-force resolution and certificate transparency log mining via crt.sh.

Quick Start

python3 scripts/subenum.py example.com

Commands

# Basic enumeration (built-in wordlist + crt.sh)
python3 scripts/subenum.py example.com

# Custom wordlist
python3 scripts/subenum.py example.com --wordlist /path/to/wordlist.txt

# Faster with more threads
python3 scripts/subenum.py example.com --threads 20

# DNS only (skip crt.sh)
python3 scripts/subenum.py example.com --no-crtsh

# JSON output
python3 scripts/subenum.py example.com --json

# Save results to file
python3 scripts/subenum.py example.com --output subdomains.txt

# Verbose progress
python3 scripts/subenum.py example.com -v

Options

Flag Default Description
--wordlist, -w built-in (~120 words) Custom wordlist file
--threads, -t 10 Concurrent DNS resolution threads
--timeout 15 HTTP timeout for crt.sh query
--no-crtsh off Skip certificate transparency lookup
--json off Output as JSON
--output, -o Write results to file
--verbose, -v off Show progress during scan

Techniques

  1. DNS Brute-force — Resolves {word}.{domain} against DNS for each word in the wordlist. Returns IP addresses for live subdomains.
  2. Certificate Transparency (crt.sh) — Queries public CT logs for certificates issued to *.domain, revealing subdomains that may not respond to DNS but have had TLS certificates.

Dependencies

pip install requests

Notes

  • Built-in wordlist covers common subdomains (www, api, mail, staging, etc.)
  • For comprehensive scans, use a larger wordlist (e.g., SecLists DNS wordlists)
  • Results are deduplicated across sources
  • Use responsibly — only scan domains you own or have authorization to test

Reviews (0)

Sign in to write a review.

No reviews yet. Be the first to review!

Comments (0)

Sign in to join the discussion.

No comments yet. Be the first to share your thoughts!

Compatible Platforms

Links

📂 Source Code

Pricing

Free

Related Configs

🧪 Skill

self-improving-agent

Free

Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...

❤️ 2.0k ⬇️ 218k
🧪 Skill

Self Improving Agent

Free

Captures learnings, errors, and corrections to enable continuous improvement. And also 50+ models for image generation, video generation, text-to-speech, spe...

❤️ 2.0k ⬇️ 206k
🧪 Skill

Find Skills

Free

Search, discover, and install skills from the open agent skills ecosystem to extend agent capabilities for specific tasks or domains.

❤️ 814 ⬇️ 199k
🧪 Skill

Summarize

Free

--- name: summarize description: Summarize URLs or files with the summarize CLI (web, PDFs, images, audio, YouTube). homepage: https://summarize.sh metadata: {"clawdbot":{"emoji":"🧾","requires":{"b

❤️ 609 ⬇️ 160k