Agent Skills: Performing Subdomain Enumeration with Subfinder

Enumerate subdomains of target domains using ProjectDiscovery's Subfinder passive reconnaissance tool to map the attack surface during security assessments.

Category: Uncategorized
ID: plurigrid/asi/performing-subdomain-enumeration-with-subfinder

Install this agent skill to your local

pnpm dlx add-skill https://github.com/plurigrid/asi/tree/HEAD/plugins/asi/skills/performing-subdomain-enumeration-with-subfinder

Skill Files


plugins/asi/skills/performing-subdomain-enumeration-with-subfinder/SKILL.md

Skill Metadata

Name
performing-subdomain-enumeration-with-subfinder
Description
Enumerate subdomains of target domains using ProjectDiscovery's Subfinder passive reconnaissance tool to map the attack surface during security assessments.

Performing Subdomain Enumeration with Subfinder

When to Use

  • During the reconnaissance phase of penetration testing or bug bounty hunting
  • When mapping the external attack surface of a target organization
  • Before performing vulnerability scanning on discovered subdomains
  • When building an asset inventory for continuous security monitoring
  • During red team engagements requiring passive information gathering

Prerequisites

  • Go 1.21+ installed for building from source
  • Subfinder v2 installed (go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest)
  • API keys configured for passive sources (Shodan, Censys, VirusTotal, SecurityTrails, Chaos)
  • Provider configuration file at $HOME/.config/subfinder/provider-config.yaml
  • Network access to passive DNS and certificate transparency sources
  • httpx or httprobe for validating discovered subdomains

Workflow

Step 1 — Install and Configure Subfinder

# Install subfinder
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest

# Verify installation
subfinder -version

# Configure API keys for enhanced results
mkdir -p $HOME/.config/subfinder
cat > $HOME/.config/subfinder/provider-config.yaml << 'EOF'
shodan:
  - YOUR_SHODAN_API_KEY
censys:
  - YOUR_CENSYS_API_ID:YOUR_CENSYS_API_SECRET
virustotal:
  - YOUR_VT_API_KEY
securitytrails:
  - YOUR_ST_API_KEY
chaos:
  - YOUR_CHAOS_API_KEY
EOF

Step 2 — Run Basic Subdomain Enumeration

# Single domain enumeration
subfinder -d example.com -o subdomains.txt

# Multiple domains from a file
subfinder -dL domains.txt -o all_subdomains.txt

# Use all passive sources (slower but more thorough)
subfinder -d example.com -all -o subdomains_all.txt

# Silent mode for piping to other tools
subfinder -d example.com -silent | httpx -silent -status-code

Step 3 — Filter and Customize Source Selection

# Use specific sources only
subfinder -d example.com -s crtsh,virustotal,shodan -o filtered.txt

# Exclude specific sources
subfinder -d example.com -es github -o results.txt

# Enable recursive subdomain enumeration
subfinder -d example.com -recursive -o recursive_subs.txt

# Match specific patterns
subfinder -d example.com -m "api,dev,staging" -o matched.txt

Step 4 — Control Rate Limiting and Output Format

# Rate limit to avoid API throttling
subfinder -d example.com -rate-limit 10 -t 5 -o rate_limited.txt

# JSON output for programmatic processing
subfinder -d example.com -oJ -o subdomains.json

# Output with source information
subfinder -d example.com -cs -o subdomains_with_sources.txt

# Collect results in a directory per domain
subfinder -dL domains.txt -oD ./results/

Step 5 — Validate Discovered Subdomains with httpx

# Pipe subfinder output to httpx for live validation
subfinder -d example.com -silent | httpx -silent -status-code -title -tech-detect -o live_hosts.txt

# Check for specific ports
subfinder -d example.com -silent | httpx -ports 80,443,8080,8443 -o web_services.txt

# Resolve IP addresses
subfinder -d example.com -silent | dnsx -a -resp -o resolved.txt

Step 6 — Integrate with Broader Recon Pipeline

# Chain with nuclei for vulnerability scanning
subfinder -d example.com -silent | httpx -silent | nuclei -t cves/ -o vulns.txt

# Combine with amass for comprehensive enumeration
subfinder -d example.com -o subfinder_results.txt
amass enum -passive -d example.com -o amass_results.txt
cat subfinder_results.txt amass_results.txt | sort -u > combined_subdomains.txt

# Screenshot discovered hosts
subfinder -d example.com -silent | httpx -silent | gowitness file -f - -P screenshots/
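As an added example (not part of this skill or of Subfinder itself), the POSIX shell helper below post-processes the JSON output from Step 4 for the CI/CD monitoring scenario: it keeps only hosts inside the target domain (passive sources occasionally return out-of-scope names), normalises case and trailing dots, and reports hosts that were absent from a previous run. It assumes subfinder's -oJ lines carry a "host" field, and the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Hypothetical helper (added example): post-process subfinder -oJ output and
# report subdomains that are new relative to a baseline from an earlier run.

# Extract the "host" field from subfinder JSON lines, lowercase it, strip a
# trailing dot, and keep only the apex or names ending in ".<domain>".
in_scope_hosts() {            # usage: in_scope_hosts <domain> < subfinder.json
  domain=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  sed -n 's/.*"host":"\([^"]*\)".*/\1/p' |
    tr 'A-Z' 'a-z' | sed 's/\.$//' |
    awk -v d=".$domain" '$0 == substr(d, 2) ||
                         substr($0, length($0) - length(d) + 1) == d' |
    sort -u
}

# Print hosts present in the (sorted) current list but absent from the baseline.
new_since_baseline() {        # usage: new_since_baseline <baseline> <current>
  sort -u "$1" | comm -13 - "$2"
}

# Constructed sample of subfinder -oJ output (not real data): duplicate host
# with different case and a trailing dot, plus one out-of-scope lookalike.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/run.json" <<'EOF'
{"host":"api.example.com","input":"example.com","source":"crtsh"}
{"host":"API.example.com.","input":"example.com","source":"virustotal"}
{"host":"dev.example.com","input":"example.com","source":"shodan"}
{"host":"example.com.unrelated.net","input":"example.com","source":"crtsh"}
{"host":"staging.example.com","input":"example.com","source":"securitytrails"}
EOF
printf 'api.example.com\ndev.example.com\n' > "$tmp/baseline.txt"

in_scope_hosts example.com < "$tmp/run.json" > "$tmp/current.txt"
new_since_baseline "$tmp/baseline.txt" "$tmp/current.txt"   # prints staging.example.com
```

In a pipeline, replace the constructed run.json with `subfinder -d example.com -oJ -silent` output and commit current.txt as the next baseline so only genuinely new names trigger an alert.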

Key Concepts

| Concept | Description |
|---------|-------------|
| Passive Enumeration | Discovering subdomains without directly querying target DNS servers |
| Certificate Transparency | Public logs of SSL/TLS certificates revealing subdomain names |
| DNS Aggregation | Collecting subdomain data from multiple passive DNS databases |
| Recursive Enumeration | Discovering subdomains of subdomains for deeper coverage |
| Source Providers | External APIs and databases queried for subdomain intelligence |
| CNAME Records | Canonical name records that may reveal additional infrastructure |
| Wildcard DNS | DNS configuration returning results for any subdomain query |

Tools & Systems

| Tool | Purpose |
|------|---------|
| Subfinder | Primary passive subdomain enumeration engine |
| httpx | HTTP probe tool for validating live subdomains |
| dnsx | DNS resolution and validation toolkit |
| Nuclei | Template-based vulnerability scanner for discovered hosts |
| Amass | Complementary subdomain enumeration with active/passive modes |
| gowitness | Web screenshot utility for visual reconnaissance |
| Shodan | Internet-wide scanning database for subdomain intelligence |
| crt.sh | Certificate transparency log search engine |

Common Scenarios

  1. Bug Bounty Reconnaissance — Enumerate all subdomains of a target program scope to identify forgotten or misconfigured assets that may contain vulnerabilities
  2. Attack Surface Mapping — Build a comprehensive inventory of externally accessible subdomains for ongoing security monitoring and risk assessment
  3. Cloud Asset Discovery — Identify subdomains pointing to cloud services (AWS, Azure, GCP) that may be vulnerable to subdomain takeover
  4. CI/CD Integration — Automate subdomain monitoring in pipelines to detect new subdomains and alert on changes to the attack surface
  5. Merger & Acquisition Due Diligence — Map the complete external footprint of an acquisition target during security assessment

Output Format

## Subdomain Enumeration Report
- **Target Domain**: example.com
- **Total Subdomains Found**: 247
- **Live Hosts**: 183
- **Unique IP Addresses**: 42
- **Sources Used**: crt.sh, VirusTotal, Shodan, SecurityTrails, Censys

### Discovered Subdomains
| Subdomain | IP Address | Status Code | Technology |
|-----------|-----------|-------------|------------|
| api.example.com | 10.0.1.5 | 200 | Nginx, Node.js |
| staging.example.com | 10.0.2.10 | 403 | Apache |
| dev.example.com | 10.0.3.15 | 200 | Express |

### Recommendations
- Remove DNS records for decommissioned subdomains
- Investigate subdomains with CNAME pointing to unclaimed services
- Restrict access to development and staging environments