Subdomain Hunter

Skill Name: subdomain-hunter
Version: 1.0.0
Category: Security / Reconnaissance
Price: Lifetime: $39 / Optional Monthly: $7/mo (all Pro features permanently)
Author: EdgeIQ Labs
OpenClaw Compatible: Yes — Python 3, pure stdlib + socket, WSL + Linux

---

What It Does

Passive subdomain enumeration using Certificate Transparency logs, DNS zone transfer checks, and takeover detection. Reconnaissance-grade discovery without sending active probes.

⚠️ Legal Notice: Only enumerate domains you own or have explicit written permission to audit. Unauthorized recon is illegal.

---

Features

• Certificate Transparency enumeration — scrape crt.sh for subdomain history
• DNS zone transfer check — attempt AXFR with common NS records
• Takeover detection — identify subdomains pointing to unclaimed/inactive services (CNAME to dead endpoints)
• Common subdomain bruteforce — lightweight wordlist scan for common subdomains
• Subdomain resolution — verify discovered subdomains resolve
• JSON export — structured output for integration

---

Tier Comparison

Feature	Free	Pro ($19/mo)	Bundle ($39/mo)
CT log enumeration	✅ (50 results)	✅ (unlimited)	✅ (unlimited)
Zone transfer check	✅	✅	✅
Takeover detection	—	✅	✅
Bruteforce wordlist	✅ (2000 names)	✅ (2000 names)	✅ (2000 names)
JSON export	✅	✅	✅
Concurrent resolution	✅ (50 threads)	✅ (50 threads)	✅ (50 threads)

---

Installation

cp -r /home/guy/.openclaw/workspace/apps/subdomain-hunter ~/.openclaw/skills/subdomain-hunter

---

Usage

Basic scan (free tier — 50 results)

python3 subdomain_hunter.py --domain example.com

Pro scan (unlimited + takeover detection)

EDGEIQ_EMAIL=your_email@gmail.com python3 subdomain_hunter.py --domain example.com --pro

Full bundle scan (bruteforce + concurrent threads)

EDGEIQ_EMAIL=your_email@gmail.com python3 subdomain_hunter.py --domain example.com --bundle --bruteforce

Export to JSON

python3 subdomain_hunter.py --domain example.com --output results.json

Check for takeovers only

python3 subdomain_hunter.py --domain example.com --takeover-only

As OpenClaw Discord Command

In #edgeiq-support channel:

!subdomain example.com
!subdomain example.com --takeover
!subdomain example.com --bruteforce

---

Parameters

Flag	Type	Default	Description
--domain	string	—	Target domain
--pro	flag	False	Enable Pro features
--bundle	flag	False	Enable Bundle features
--bruteforce	flag	False	Run common subdomain wordlist
--takeover	flag	False	Run takeover detection
--takeover-only	flag	False	Only run takeover detection
--output	string	—	Write JSON report to file
--threads	int	20/50	Concurrent threads (Pro/Bundle)

---

Output Example

=== Subdomain Hunter ===
example.com
  CT Entries:    47
  Resolved:      31
  Dead:          5
  Takeovers:     2 🔴

  Discovered subdomains:
    api.example.com         ✅ resolves → 1.2.3.4
    staging.example.com    ✅ resolves → 1.2.3.5
    dev.example.com         ❌ DEAD (CNAME to Heroku)
    old.example.com         🔴 TAKEOVER (no CNAME, 404)
    blog.example.com        ✅ resolves → 1.2.3.6

  Zone Transfer:  BLOCKED
  Threat Level:  MEDIUM

---

Pricing

Lifetime License: $39 — your tool forever, all features included permanently.

Optional Monthly: $7/mo — for those who prefer recurring billing (cancel anytime). 👉 Buy Lifetime — $39 👉 Subscribe Monthly — $7/mo 👉 Subscribe Monthly — $7/mo

Pro Upgrade (deprecated)

All features now included in Lifetime purchase.

---

Support

Open a ticket in #edgeiq-support or email gpalmieri21@gmail.com

---

🔗 More from EdgeIQ Labs

edgeiqlabs.com — Security tools, OSINT utilities, and micro-SaaS products for developers and security professionals.

• 🛠️ Subdomain Hunter — Passive subdomain enumeration via Certificate Transparency
• 📸 Screenshot API — URL-to-screenshot API for developers
• 🔔 uptime.check — URL uptime monitoring with alerts
• 🛡️ headers.check — HTTP security headers analyzer

👉 Visit edgeiqlabs.com →