Claude
Skills
Sign in
Back

performing-subdomain-enumeration-with-subfinder

Included with Lifetime
$97 forever

Enumerate subdomains of target domains using ProjectDiscovery's Subfinder passive reconnaissance tool to map the attack surface during security assessments.

Securitysubdomain-enumerationreconnaissancebug-bountyattack-surfacesubfinderpassive-reconosintscriptsassets

What this skill does


# Performing Subdomain Enumeration with Subfinder

## When to Use
- During the reconnaissance phase of penetration testing or bug bounty hunting
- When mapping the external attack surface of a target organization
- Before performing vulnerability scanning on discovered subdomains
- When building an asset inventory for continuous security monitoring
- During red team engagements requiring passive information gathering

## Prerequisites
- Go 1.21+ installed for building from source
- Subfinder v2 installed (`go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest`)
- API keys configured for passive sources (Shodan, Censys, VirusTotal, SecurityTrails, Chaos)
- Provider configuration file at `$HOME/.config/subfinder/provider-config.yaml`
- Network access to passive DNS and certificate transparency sources
- httpx or httprobe for validating discovered subdomains

## Workflow

### Step 1 — Install and Configure Subfinder
```bash
# Install subfinder
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest

# Verify installation
subfinder -version

# Configure API keys for enhanced results
mkdir -p $HOME/.config/subfinder
cat > $HOME/.config/subfinder/provider-config.yaml << 'EOF'
shodan:
  - YOUR_SHODAN_API_KEY
censys:
  - YOUR_CENSYS_API_ID:YOUR_CENSYS_API_SECRET
virustotal:
  - YOUR_VT_API_KEY
securitytrails:
  - YOUR_ST_API_KEY
chaos:
  - YOUR_CHAOS_API_KEY
EOF
```

### Step 2 — Run Basic Subdomain Enumeration
```bash
# Single domain enumeration
subfinder -d example.com -o subdomains.txt

# Multiple domains from a file
subfinder -dL domains.txt -o all_subdomains.txt

# Use all passive sources (slower but more thorough)
subfinder -d example.com -all -o subdomains_all.txt

# Silent mode for piping to other tools
subfinder -d example.com -silent | httpx -silent -status-code
```

### Step 3 — Filter and Customize Source Selection
```bash
# Use specific sources only
subfinder -d example.com -s crtsh,virustotal,shodan -o filtered.txt

# Exclude specific sources
subfinder -d example.com -es github -o results.txt

# Enable recursive subdomain enumeration
subfinder -d example.com -recursive -o recursive_subs.txt

# Match specific patterns
subfinder -d example.com -m "api,dev,staging" -o matched.txt
```

### Step 4 — Control Rate Limiting and Output Format
```bash
# Rate limit to avoid API throttling
subfinder -d example.com -rate-limit 10 -t 5 -o rate_limited.txt

# JSON output for programmatic processing
subfinder -d example.com -oJ -o subdomains.json

# Output with source information
subfinder -d example.com -cs -o subdomains_with_sources.txt

# Collect results in a directory per domain
subfinder -dL domains.txt -oD ./results/
```

### Step 5 — Validate Discovered Subdomains with httpx
```bash
# Pipe subfinder output to httpx for live validation
subfinder -d example.com -silent | httpx -silent -status-code -title -tech-detect -o live_hosts.txt

# Check for specific ports
subfinder -d example.com -silent | httpx -ports 80,443,8080,8443 -o web_services.txt

# Resolve IP addresses
subfinder -d example.com -silent | dnsx -a -resp -o resolved.txt
```

### Step 6 — Integrate with Broader Recon Pipeline
```bash
# Chain with nuclei for vulnerability scanning
subfinder -d example.com -silent | httpx -silent | nuclei -t cves/ -o vulns.txt

# Combine with amass for comprehensive enumeration
subfinder -d example.com -o subfinder_results.txt
amass enum -passive -d example.com -o amass_results.txt
cat subfinder_results.txt amass_results.txt | sort -u > combined_subdomains.txt

# Screenshot discovered hosts
subfinder -d example.com -silent | httpx -silent | gowitness file -f - -P screenshots/
```

## Key Concepts

| Concept | Description |
|---------|-------------|
| Passive Enumeration | Discovering subdomains without directly querying target DNS servers |
| Certificate Transparency | Public logs of SSL/TLS certificates revealing subdomain names |
| DNS Aggregation | Collecting subdomain data from multiple passive DNS databases |
| Recursive Enumeration | Discovering subdomains of subdomains for deeper coverage |
| Source Providers | External APIs and databases queried for subdomain intelligence |
| CNAME Records | Canonical name records that may reveal additional infrastructure |
| Wildcard DNS | DNS configuration returning results for any subdomain query |

## Tools & Systems

| Tool | Purpose |
|------|---------|
| Subfinder | Primary passive subdomain enumeration engine |
| httpx | HTTP probe tool for validating live subdomains |
| dnsx | DNS resolution and validation toolkit |
| Nuclei | Template-based vulnerability scanner for discovered hosts |
| Amass | Complementary subdomain enumeration with active/passive modes |
| gowitness | Web screenshot utility for visual reconnaissance |
| Shodan | Internet-wide scanning database for subdomain intelligence |
| crt.sh | Certificate transparency log search engine |

## Common Scenarios

1. **Bug Bounty Reconnaissance** — Enumerate all subdomains of a target program scope to identify forgotten or misconfigured assets that may contain vulnerabilities
2. **Attack Surface Mapping** — Build a comprehensive inventory of externally accessible subdomains for ongoing security monitoring and risk assessment
3. **Cloud Asset Discovery** — Identify subdomains pointing to cloud services (AWS, Azure, GCP) that may be vulnerable to subdomain takeover
4. **CI/CD Integration** — Automate subdomain monitoring in pipelines to detect new subdomains and alert on changes to the attack surface
5. **Merger & Acquisition Due Diligence** — Map the complete external footprint of an acquisition target during security assessment

## Output Format

```
## Subdomain Enumeration Report
- **Target Domain**: example.com
- **Total Subdomains Found**: 247
- **Live Hosts**: 183
- **Unique IP Addresses**: 42
- **Sources Used**: crt.sh, VirusTotal, Shodan, SecurityTrails, Censys

### Discovered Subdomains
| Subdomain | IP Address | Status Code | Technology |
|-----------|-----------|-------------|------------|
| api.example.com | 10.0.1.5 | 200 | Nginx, Node.js |
| staging.example.com | 10.0.2.10 | 403 | Apache |
| dev.example.com | 10.0.3.15 | 200 | Express |

### Recommendations
- Remove DNS records for decommissioned subdomains
- Investigate subdomains with CNAME pointing to unclaimed services
- Restrict access to development and staging environments
```
Files: 8
Size: 36.5 KB
Complexity: 78/100
Category: Security
Source: https://github.com/mukul975/anthropic-cybersecurity-skills/tree/main/skills/performing-subdomain-enumeration-with-subfinder

Related in Security

mac-ops

Included

Comprehensive macOS workstation operations — diagnose kernel panics, identify failing drives, audit launchd startup items, decode wake reasons, triage TCC permission denials, manage APFS snapshots, recover from no-boot. Use for: Mac is slow, slow bootup, won't boot, kernel panic, kernel_task hot, mds_stores CPU, photoanalysisd, cloudd, login loop, gray screen, sleep wake failure, drive failing, IO errors, APFS snapshots eating space, Time Machine local snapshots, Spotlight indexing, launchd, LaunchAgent, LaunchDaemon, login items, TCC permissions, Full Disk Access, Screen Recording denied, Gatekeeper, quarantine, com.apple.quarantine, app is damaged, helper tool, /Library/PrivilegedHelperTools, pmset, wake reasons, dark wake, sysdiagnose, panic.ips, DiagnosticReports, configuration profile, MDM profile, remote diagnostics over SSH.

Securityscripts

a11y-audit

Included

Run accessibility audits on web projects combining automated scanning (axe-core, Lighthouse) with WCAG 2.1 AA compliance mapping, manual check guidance, and structured reporting. Output is configurable: markdown report only, markdown plus machine-readable JSON, or markdown plus issue tracker integration. Use this skill whenever the user mentions "accessibility audit", "a11y audit", "WCAG audit", "accessibility check", "compliance scan", or asks to check a web project for accessibility issues. Also trigger when the user wants to verify WCAG conformance or map findings to a specific standard (CAN-ASC-6.2, EN 301 549, ADA/AODA).

Securityscripts

erpclaw

Included

AI-native ERP system with self-extending OS. Full accounting, invoicing, inventory, purchasing, tax, billing, HR, payroll, advanced accounting (ASC 606/842, intercompany, consolidation), and financial reporting. 413 actions across 14 domains, 43 expansion modules. Constitutional guardrails, adversarial audit, schema migration. Double-entry GL, immutable audit trail, US GAAP.

Securityscripts

assess

Included

Assesses and rates quality 0-10 across multiple dimensions (correctness, maintainability, security, performance, testability, simplicity) with pros/cons analysis. Compares against project conventions and prior decisions from memory. Produces structured evaluation reports with actionable improvement suggestions. Use when evaluating code, designs, architectures, or comparing alternative approaches.

Securityscripts

spring-boot-security-jwt

Included

Provides JWT authentication and authorization patterns for Spring Boot 3.5.x covering token generation with JJWT, Bearer/cookie authentication, database/OAuth2 integration, and RBAC/permission-based access control using Spring Security 6.x. Use when implementing authentication or authorization in Spring Boot applications.

Securityscripts

code-hardcode-audit

Included

Detect hardcoded values, magic numbers, and leaked secrets. TRIGGERS - hardcode audit, magic numbers, PLR2004, secret scanning.

Securityscripts
Sign up & unlock — $97