Subdomain Enumeration Skill
Purpose
Enumerate all discoverable subdomains for a given domain using passive reconnaissance techniques including Certificate Transparency logs, passive DNS, and search engine dorks.
Operations
- query_crt_sh
Query Certificate Transparency logs via the crt.sh API.
Endpoint:
GET https://crt.sh/?q=%25.{domain}&output=json
Process:
- URL encode the wildcard query
- Make HTTP GET request
- Parse JSON response
- Extract unique subdomains from the newline-separated name_value field
- Deduplicate and sort results
Example Response:
[
  {
    "issuer_ca_id": 183267,
    "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
    "common_name": "*.example.com",
    "name_value": "api.example.com\nwww.example.com"
  }
]
- search_engine_dorks
Use search engine dorks to discover subdomains.
Dork Queries:
site:.{domain} -www
site:{domain} inurl:subdomain
site:.*.{domain}
Process:
- Execute each dork query
- Extract unique subdomains from results
- Validate each subdomain resolves
- Merge with CT log results
- check_common_subdomains
Test a wordlist of common subdomains.
Common Subdomain Wordlist:
api, app, dev, staging, test, beta, www, mail, webmail, admin, portal, dashboard, docs, status, support, help, blog, news, cdn, static, assets, media, img, images, auth, login, sso, id, account, my, secure, vpn, git, gitlab, github, jenkins, ci, build, deploy, k8s, kubernetes, docker, registry, grafana, prometheus, shop, store, checkout, cart, payments, billing, crm, erp, hr, internal, intranet, wiki, confluence, slack, jira, trello, asana, notion, airtable, aws, azure, gcp, cloud, s3, storage, backup, mobile, ios, android, m, wap, v1, v2, v3, api-v1, api-v2, rest, graphql, gql
Process:
- For each subdomain in wordlist:
  - Construct FQDN: {subdomain}.{domain}
  - Attempt DNS resolution
  - Record if resolves
- Return list of valid subdomains
- passive_dns_lookup
Query passive DNS databases (if available).
Data Sources:
- VirusTotal (requires API key)
- SecurityTrails (requires API key)
- DNSDumpster (free, limited)
Note: This operation is optional and depends on available API access.
Output
{
  "skill": "subdomain_enumeration",
  "domain": "string",
  "results": {
    "total_subdomains": "number",
    "subdomains": [
      {
        "fqdn": "api.example.com",
        "source": "crt.sh",
        "resolves": true,
        "ip_addresses": ["array"]
      }
    ],
    "sources_queried": ["crt.sh", "search_dorks", "wordlist"],
    "naming_patterns_detected": [
      {
        "pattern": "{env}-{service}",
        "examples": ["prod-api", "staging-api", "dev-api"]
      }
    ]
  },
  "evidence": [
    {
      "type": "ct_log",
      "source": "crt.sh",
      "count": "number",
      "timestamp": "ISO-8601"
    }
  ]
}
Naming Pattern Detection
Analyze discovered subdomains to detect naming conventions:
- Pattern: {environment}-{service}. Examples: prod-api, staging-web, dev-backend
- Pattern: {service}.{environment}. Examples: api.prod, web.staging, backend.dev
- Pattern: {service}{number}. Examples: api1, api2, web01, web02
- Pattern: {geo}-{service}. Examples: us-east-api, eu-west-cdn, apac-app
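Added example (not code from this skill) covering the query_crt_sh parsing steps and the {environment}-{service} detection above. The crt.sh-style JSON body, the shared-certificate entry for example.net and the ENV_LABELS set are constructed assumptions; the suffix filter is there because a certificate's name_value lists every SAN, including names for unrelated domains that merely share the certificate and must not land in the asset inventory.

```python
from __future__ import annotations
import json
from typing import Iterable

# Constructed crt.sh-style JSON body for the example (not a real query result).
SAMPLE_CRT_SH_RESPONSE = json.dumps([
    {"issuer_ca_id": 183267, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.example.com",
     "name_value": "api.example.com\nwww.example.com"},
    {"issuer_ca_id": 183267, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "prod-api.example.com",
     "name_value": "*.staging.example.com\nPROD-API.example.com\nexample.com"},
    {"issuer_ca_id": 1, "issuer_name": "CN=Constructed Other CA",
     "common_name": "shared.example.net",
     "name_value": "shared.example.net\ndev-api.example.com."},
])

ENV_LABELS = {"prod", "staging", "dev", "test", "beta"}  # assumed environment names


def extract_subdomains(raw_json: str, domain: str) -> list[str]:
    """Return sorted, unique in-scope hostnames from a crt.sh JSON body.

    name_value is newline separated and may contain wildcard SANs, mixed
    case, trailing dots, the apex itself and names for unrelated domains
    that merely share a certificate; each case is normalised or dropped.
    """
    domain = domain.lower().rstrip(".")
    suffix = "." + domain
    found: set[str] = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]  # wildcard SAN: keep its base name
            if name and name != domain and name.endswith(suffix):
                found.add(name)  # apex and out-of-scope SANs are skipped
    return sorted(found)


def detect_env_service(hostnames: Iterable[str], domain: str) -> list[str]:
    """Return leftmost labels shaped {environment}-{service}, e.g. prod-api."""
    suffix = "." + domain.lower()
    hits = []
    for host in hostnames:
        label = host[: -len(suffix)].split(".")[0] if host.endswith(suffix) else ""
        env, sep, service = label.partition("-")
        if sep and env in ENV_LABELS and service:
            hits.append(label)
    return sorted(set(hits))
```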
Rate Limiting
| Source          | Rate Limit          |
|-----------------|---------------------|
| crt.sh          | 10 requests/minute  |
| Search engines  | 10 requests/minute  |
| DNS resolution  | 30 requests/minute  |
Error Handling
- If crt.sh times out, retry with backoff
- If search engine blocks, wait and retry
- Continue with partial results if some sources fail
- Log all errors for debugging
Security Considerations
- Only use passive techniques
- No active subdomain brute-forcing
- Respect rate limits to avoid blocking
- Log all queries for audit trail