Subdomain Enum
v1.0.0
Enumerate subdomains for any domain using DNS brute-force and certificate transparency logs (crt.sh). Use when a user needs to discover subdomains, perform r...
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name and description match the included script and SKILL.md: DNS brute-force and crt.sh lookups are exactly what the script implements; no unrelated binaries, env vars, or services are requested.
Instruction Scope
SKILL.md simply instructs running the included Python script and documents options. The script may read a user-supplied wordlist file and can write results to a file — both expected for this tool, but these capabilities mean it can access arbitrary paths you pass as arguments.
Install Mechanism
No install spec; the only runtime dependency is the widely used 'requests' package (pip). This is proportionate, but installing packages via pip requires network access and privileges in the environment where the agent runs.
Credentials
No environment variables, credentials, or config paths are required. The script only performs DNS lookups and HTTPS requests to crt.sh; requested capabilities are minimal and aligned with the purpose.
Persistence & Privilege
Skill is not always-enabled and does not modify other skills or system-wide settings. It does not persist credentials or enable itself.
Assessment
This skill is a straightforward subdomain enumerator. Before installing/running: only scan domains you own or are authorized to test; review any custom wordlist files you pass in (they may contain words that expand scan scope); be aware the script will write output to any file path you specify (avoid overwriting important files and don't run it as root). Installing the 'requests' package requires network access and appropriate permissions in the environment. If you plan to let an agent invoke this automatically, ensure network egress to crt.sh is acceptable and that the agent is not given broader file-system access than necessary.
Like a lobster shell, security has layers — review code before you run it.
latest
Subdomain Enumerator
Discover subdomains for any domain using two complementary techniques: DNS brute-force resolution and certificate transparency log mining via crt.sh.
Quick Start
```bash
python3 scripts/subenum.py example.com
```
Commands
```bash
# Basic enumeration (built-in wordlist + crt.sh)
python3 scripts/subenum.py example.com

# Custom wordlist
python3 scripts/subenum.py example.com --wordlist /path/to/wordlist.txt

# Faster with more threads
python3 scripts/subenum.py example.com --threads 20

# DNS only (skip crt.sh)
python3 scripts/subenum.py example.com --no-crtsh

# JSON output
python3 scripts/subenum.py example.com --json

# Save results to file
python3 scripts/subenum.py example.com --output subdomains.txt

# Verbose progress
python3 scripts/subenum.py example.com -v
```
Options
| Flag | Default | Description |
|---|---|---|
| `--wordlist`, `-w` | built-in (~120 words) | Custom wordlist file |
| `--threads`, `-t` | 10 | Concurrent DNS resolution threads |
| `--timeout` | 15 | HTTP timeout for crt.sh query |
| `--no-crtsh` | off | Skip certificate transparency lookup |
| `--json` | off | Output as JSON |
| `--output`, `-o` | — | Write results to file |
| `--verbose`, `-v` | off | Show progress during scan |
Techniques
- DNS Brute-force — Resolves `{word}.{domain}` against DNS for each word in the wordlist. Returns IP addresses for live subdomains.
- Certificate Transparency (crt.sh) — Queries public CT logs for certificates issued to `*.domain`, revealing subdomains that may not respond to DNS but have had TLS certificates.
Dependencies
```bash
pip install requests
```
Notes
- Built-in wordlist covers common subdomains (www, api, mail, staging, etc.)
- For comprehensive scans, use a larger wordlist (e.g., SecLists DNS wordlists)
- Results are deduplicated across sources
- Use responsibly — only scan domains you own or have authorization to test
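The sketch below shows how results from the two techniques can be normalized, scoped and deduplicated for an asset inventory. It is an added example, not code from `scripts/subenum.py`. It assumes crt.sh JSON records carry a newline-separated `name_value` field; the sample data and all function names are constructed for illustration.

```python
import json

# Constructed sample shaped like crt.sh JSON output (assumption: each record
# has a newline-separated "name_value" field). Not real CT data.
SAMPLE_CRTSH = json.dumps([
    {"name_value": "*.example.com\nexample.com"},
    {"name_value": "API.example.com"},
    {"name_value": "staging.example.com\nwww.example.com."},
    {"name_value": "mail.example.com.evil.test"},  # look-alike, out of scope
    {"name_value": "notexample.com"},              # shares a string suffix only
    {"name_value": "admin@example.com"},           # e-mail SAN, not a hostname
])
# Constructed DNS brute-force hits: name -> addresses (documentation IPs).
SAMPLE_DNS = {"www.example.com": ["192.0.2.10"], "api.example.com": ["192.0.2.11"]}

def normalize(name, domain):
    """Return a canonical in-scope hostname, or None if it must be dropped."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]  # a wildcard certificate only proves the parent name
    if not name or "@" in name or " " in name:
        return None
    # Match on a label boundary so "notexample.com" is not treated as in scope.
    if name == domain or name.endswith("." + domain):
        return name
    return None

def ct_names(crtsh_json, domain):
    """Collect the unique in-scope hostnames from crt.sh-style records."""
    names = set()
    for record in json.loads(crtsh_json):
        for raw in record.get("name_value", "").split("\n"):
            host = normalize(raw, domain)
            if host:
                names.add(host)
    return names

def merge(dns_hits, ct):
    """Deduplicate across sources and record which source saw each name."""
    merged = {}
    for host in sorted(set(dns_hits) | ct):
        sources = [s for s, seen in (("dns", host in dns_hits),
                                     ("crtsh", host in ct)) if seen]
        merged[host] = {"sources": sources, "ips": dns_hits.get(host, [])}
    return merged

def ct_only(merged):
    """Names with a certificate but no DNS answer: review against inventory."""
    return [h for h, v in merged.items() if v["sources"] == ["crtsh"]]
```

Names returned by `ct_only` have had certificates issued but were not found by the DNS pass, which makes them worth checking against the asset inventory for forgotten or decommissioned hosts.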
