MCP HubMCP Hub
返回技能列表

Automated Subdomain Enumeration

macaugh
更新于 Today
1 次查看
2
2
在 GitHub 上查看
其他aiautomation

关于

This skill automates subdomain discovery using both passive reconnaissance and active techniques like DNS queries and brute-forcing. It's designed for initial reconnaissance to map attack surfaces and identify potentially vulnerable subdomains. The implementation supports multiple languages including bash, python, and go for comprehensive enumeration.

技能文档

Automated Subdomain Enumeration

Overview

Subdomain discovery is a critical first step in reconnaissance. Forgotten subdomains often contain vulnerabilities, outdated software, or misconfigurations that attackers can exploit. A systematic approach combines multiple data sources and techniques to build a comprehensive subdomain list.

Core principle: Combine passive reconnaissance (non-intrusive) with active enumeration (DNS queries, brute-forcing) to maximize coverage while respecting scope and legal boundaries.

When to Use

Use this skill when:

  • Starting reconnaissance on a new target domain
  • Building an inventory of an organization's attack surface
  • Hunting for forgotten or shadow IT assets
  • Looking for development, staging, or test environments
  • Preparing for comprehensive vulnerability assessment

Don't use when:

  • Outside authorized scope (get written permission first)
  • Rate limiting or WAF might trigger alerts prematurely
  • Target has strict testing windows you must respect

The Multi-Phase Approach

Phase 1: Passive Reconnaissance

Goal: Gather subdomains without directly touching target infrastructure.

Techniques:

  1. Certificate Transparency Logs

    # Use crt.sh or similar CT log search
curl -s "https://crt.sh/?q=%25.target.com&output=json" | \
  jq -r '.[].name_value' | \
  sed 's/\*\.//g' | \
  sort -u > ct_subdomains.txt

  2. Search Engine Dorking

    # Google dorks for subdomains
# site:target.com -www
# Use tools like subfinder, amass with passive sources
subfinder -d target.com -silent -all -o passive_subdomains.txt

  3. DNS Aggregators

    • SecurityTrails
    • VirusTotal
    • DNSdumpster
    • Shodan

  4. GitHub/GitLab Code Search

    # Search for domain mentions in code
# "target.com" site:github.com
# Look for: config files, API endpoints, documentation

  5. Web Archives

    # Wayback Machine API
curl -s "http://web.archive.org/cdx/search/cdx?url=*.target.com/*&output=json&fl=original&collapse=urlkey" | \
  jq -r '.[] | .[0]' | \
  grep -oP '(?<=://)[^/]*' | \
  sort -u >> archive_subdomains.txt

Phase 2: Active Enumeration

Goal: Actively query DNS infrastructure to discover additional subdomains.

Techniques:

  1. Brute Force with Wordlists

    # Use tools like puredns, massdns, or dnsx
puredns bruteforce wordlist.txt target.com \
  --resolvers resolvers.txt \
  --write active_subdomains.txt

  2. DNS Zone Transfers (if misconfigured)

    # Test for zone transfer vulnerability
dig axfr @ns1.target.com target.com

  3. Reverse DNS Lookups

    # Get IP ranges, perform reverse lookups
# Useful for finding additional subdomains on same infrastructure

  4. Permutation Scanning

    # Generate permutations of found subdomains
# Example: dev.api.target.com, staging.api.target.com
altdns -i subdomains.txt -o permuted.txt -w words.txt
dnsx -l permuted.txt -o verified_permuted.txt

Phase 3: Validation and Enrichment

Goal: Verify discovered subdomains are live and gather additional context.

  1. Live Host Detection

    # Use httpx to probe for web services
cat all_subdomains.txt | httpx -silent -o live_hosts.txt

# Get status codes, titles, tech stack
httpx -l all_subdomains.txt -title -tech-detect -status-code -o enriched.txt

  2. Port Scanning

    # Identify services on discovered hosts
naabu -list live_hosts.txt -p 80,443,8080,8443 -o ports.txt

  3. Screenshot Capture

    # Visual reconnaissance of web interfaces
gowitness file -f live_hosts.txt -P screenshots/

  4. Technology Fingerprinting

    # Identify web technologies, frameworks, CMS
wappalyzer -l live_hosts.txt -o tech_stack.json

Phase 4: Organization and Analysis

Goal: Structure discovered data for efficient analysis and next steps.

  1. Categorize Subdomains

    • Production vs. development/staging/test
    • Internal-facing vs. external-facing
    • By technology stack or function
    • By sensitivity/criticality

  2. Prioritize Targets

    • High-value targets: admin, api, dev, staging, test, vpn, mail
    • Outdated software versions
    • Unusual ports or services
    • Error messages or debug pages

  3. Document Findings

    # Target: target.com

## Statistics
- Total subdomains discovered: X
- Live hosts: Y
- Unique IP addresses: Z
- Technologies identified: [list]

## High-Priority Targets
1. dev.api.target.com - Swagger UI exposed, no auth
2. old-admin.target.com - PHP 5.6, potential RCE
3. test-payment.target.com - Test environment with prod data?

## Next Steps
- Deep enumeration of api.target.com endpoints
- Vulnerability scan of outdated PHP instance
- Manual inspection of test environment

Tool Recommendations

All-in-one suites:

  • Amass (comprehensive, integrates many sources)
  • Subfinder (fast passive enumeration)
  • Assetfinder (simple, effective)

Specialized tools:

  • Puredns (DNS validation and brute-forcing)
  • DNSx (DNS toolkit with various features)
  • Httpx (HTTP probing and enrichment)
  • Naabu (fast port scanner)
  • Gowitness (screenshot capture)

Setup example:

# Install Go tools
go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install github.com/projectdiscovery/dnsx/cmd/dnsx@latest
go install github.com/projectdiscovery/httpx/cmd/httpx@latest
go install github.com/projectdiscovery/naabu/v2/cmd/naabu@latest

# Install other dependencies
pip install altdns

Automation Script Template

#!/bin/bash
# automated_subdomain_enum.sh

DOMAIN=$1
OUTPUT_DIR="${DOMAIN}_recon_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$OUTPUT_DIR"

echo "[*] Starting subdomain enumeration for $DOMAIN"

# Phase 1: Passive
echo "[*] Phase 1: Passive reconnaissance"
subfinder -d "$DOMAIN" -all -silent -o "$OUTPUT_DIR/subfinder.txt"
assetfinder --subs-only "$DOMAIN" > "$OUTPUT_DIR/assetfinder.txt"
curl -s "https://crt.sh/?q=%25.$DOMAIN&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u > "$OUTPUT_DIR/crtsh.txt"

# Combine and deduplicate
cat "$OUTPUT_DIR"/{subfinder,assetfinder,crtsh}.txt | sort -u > "$OUTPUT_DIR/passive_all.txt"
echo "[+] Found $(wc -l < "$OUTPUT_DIR/passive_all.txt") unique subdomains (passive)"

# Phase 2: Active (optional, comment out if too noisy)
# echo "[*] Phase 2: Active enumeration"
# puredns bruteforce /path/to/wordlist.txt "$DOMAIN" -r /path/to/resolvers.txt -w "$OUTPUT_DIR/bruteforce.txt"

# Phase 3: Validation
echo "[*] Phase 3: Validating and probing subdomains"
cat "$OUTPUT_DIR/passive_all.txt" | dnsx -silent -o "$OUTPUT_DIR/validated.txt"
httpx -l "$OUTPUT_DIR/validated.txt" -title -status-code -tech-detect -silent -o "$OUTPUT_DIR/live_hosts.txt"

echo "[+] Found $(wc -l < "$OUTPUT_DIR/live_hosts.txt") live hosts"
echo "[*] Results saved to $OUTPUT_DIR/"

Legal and Ethical Considerations

CRITICAL: Always follow these rules:

  1. Get Written Authorization

    • Never test targets without explicit permission
    • Scope must be clearly defined in writing
    • Understand what techniques are permitted

  2. Respect Rate Limits

    • Don't overwhelm target DNS servers
    • Use reasonable delays between requests
    • Consider impact on production systems

  3. Handle Data Responsibly

    • Discovered subdomains may reveal sensitive information
    • Don't publicly disclose findings without permission
    • Follow responsible disclosure practices

  4. Document Everything

    • Keep records of authorization
    • Log all activities with timestamps
    • Document findings systematically

Common Pitfalls

MistakeImpactSolution
Only using one data sourceMiss many subdomainsCombine multiple techniques
Skipping validationFalse positives waste timeAlways verify with DNS queries
Too aggressive active scanningDetection, blocking, legal issuesStart passive, escalate carefully
Not categorizing resultsInefficient analysisOrganize findings by priority
Ignoring out-of-scope domainsLegal/ethical violationsStrictly adhere to authorized scope

Integration with Other Skills

This skill works with:

  • skills/reconnaissance/web-app-recon - Next step after finding live web apps
  • skills/reconnaissance/service-fingerprinting - Identify services on discovered hosts
  • skills/automation/* - Automate the full recon pipeline
  • skills/documentation/* - Organize findings in knowledge base

Success Metrics

A successful subdomain enumeration should:

  • Discover both obvious and hidden subdomains
  • Identify live hosts and their technologies
  • Categorize findings by risk/priority
  • Provide actionable next steps
  • Complete within scope and authorization
  • Document findings for future reference

References and Further Reading

  • OWASP Testing Guide: Information Gathering
  • "Bug Bounty Bootcamp" by Vickie Li (Chapter on Reconnaissance)
  • ProjectDiscovery blog on subdomain enumeration
  • DNS RFC standards for understanding DNS behavior

快速安装

/plugin add https://github.com/macaugh/super-rouge-hunter-skills/tree/main/automated-subdomain-enum

在 Claude Code 中复制并粘贴此命令以安装该技能

GitHub 仓库

macaugh/super-rouge-hunter-skills
路径: skills/reconnaissance/automated-subdomain-enum

相关推荐技能

llamaguard

其他

LlamaGuard是Meta推出的7-8B参数内容审核模型,专门用于过滤LLM的输入和输出内容。它能检测六大安全风险类别(暴力/仇恨、性内容、武器、违禁品、自残、犯罪计划),准确率达94-95%。开发者可通过HuggingFace、vLLM或Sagemaker快速部署,并能与NeMo Guardrails集成实现自动化安全防护。

查看技能

sglang

SGLang是一个专为LLM设计的高性能推理框架,特别适用于需要结构化输出的场景。它通过RadixAttention前缀缓存技术,在处理JSON、正则表达式、工具调用等具有重复前缀的复杂工作流时,能实现极速生成。如果你正在构建智能体或多轮对话系统,并追求远超vLLM的推理性能,SGLang是理想选择。

查看技能

evaluating-llms-harness

测试

该Skill通过60+个学术基准测试(如MMLU、GSM8K等)评估大语言模型质量,适用于模型对比、学术研究及训练进度追踪。它支持HuggingFace、vLLM和API接口,被EleutherAI等行业领先机构广泛采用。开发者可通过简单命令行快速对模型进行多任务批量评估。

查看技能

langchain

LangChain是一个用于构建LLM应用程序的框架,支持智能体、链和RAG应用开发。它提供多模型提供商支持、500+工具集成、记忆管理和向量检索等核心功能。开发者可用它快速构建聊天机器人、问答系统和自主代理,适用于从原型验证到生产部署的全流程。

查看技能