Multi-source subdomain enumeration using CT logs, DNS bruteforce, web scraping, and Shodan certificate search
From greyhatcc

npx claudepluginhub overtimepog/greyhatcc --plugin greyhatcc

This skill uses the workspace's default tool permissions.
/greyhatcc:subdomains <domain>
{{ARGUMENTS}} is parsed automatically — just provide a target in any format:
No format specification needed from user — detect and proceed.
Before executing this skill:
- .greyhatcc/scope.json — verify target domain is in scope, note exclusions
- .greyhatcc/hunt-state.json — check active phase, resume context
- findings_log.md, tested.json, gadgets.json — avoid duplicating work
- recon/subdomains.txt — if prior enumeration exists, merge results

WebFetch: https://crt.sh/?q=%25.<domain>&output=json
Parse JSON, extract unique name_value fields. Split multi-domain entries on newlines.
Use MCP tool greyhatcc_s__shodan_ssl_cert to find certificates mentioning the domain.
Also try: greyhatcc_s__shodan_search with query ssl.cert.subject.CN:<domain>
Use MCP tool greyhatcc_sec__dns_records to validate discovered subdomains.
Also use greyhatcc_s__shodan_dns_domain for Shodan's DNS dataset.
subfinder -d <domain> -all -silent
Uses 40+ passive sources (VirusTotal, SecurityTrails, Censys, etc.)
Use greyhatcc_s__shodan_dns_reverse on discovered IPs to find additional hostnames.
WebFetch: https://web.archive.org/cdx/search/cdx?url=*.<domain>&output=text&fl=original&collapse=urlkey&limit=500
Extract unique hostnames from archived URLs.
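The crt.sh parsing step and the Wayback CDX step both reduce to the same job: pull hostnames out of a tool's raw output, normalise them, and keep only names under the target domain. The script below is an added example (not part of the greyhatcc skill) that does both against constructed sample data; the sample JSON, the CDX lines and the hostnames in them are made up, and `normalize_host`, `hosts_from_crtsh`, `hosts_from_urls` and `merge_sources` are names chosen here. It strips the `*.` prefix from wildcard certificate names, lower-cases everything, and drops lookalike names that merely contain the target string (a common source of out-of-scope noise from crt.sh substring queries).

```python
import json
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample of crt.sh output for ?q=%25.<domain>&output=json (shape only; hostnames invented).
CRT_SH_SAMPLE = json.dumps([
    {"name_value": "www.example.com\nexample.com", "issuer_name": "C=US, O=Let's Encrypt, CN=R3"},
    {"name_value": "*.staging.example.com", "issuer_name": "C=US, O=Let's Encrypt, CN=R3"},
    {"name_value": "API.Example.com", "issuer_name": "C=US, O=Let's Encrypt, CN=R3"},
    {"name_value": "example.com.lookalike-domain.net", "issuer_name": "C=US, O=Let's Encrypt, CN=R3"},
    {"name_value": "mail.example.com", "issuer_name": "C=US, O=Let's Encrypt, CN=R3"},
])

# Constructed sample of Wayback CDX output with fl=original (one archived URL per line).
CDX_SAMPLE = """\
http://www.example.com/
https://portal.example.com:8443/login
http://vpn.example.com/
https://cdn.example.com/assets/app.js
http://notexample.com/
"""


def normalize_host(raw: str, domain: str) -> Optional[str]:
    """Lower-case, strip a leading wildcard label, and keep only names at or under `domain`."""
    host = raw.strip().lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    if host == domain or host.endswith("." + domain):
        return host
    return None  # out of scope: e.g. a lookalike domain that only contains the string


def hosts_from_crtsh(json_text: str, domain: str) -> List[str]:
    """Parse crt.sh JSON; a single name_value may hold several names separated by newlines."""
    found = set()
    for entry in json.loads(json_text):
        for name in entry.get("name_value", "").split("\n"):
            host = normalize_host(name, domain)
            if host:
                found.add(host)
    return sorted(found)


def hosts_from_urls(cdx_text: str, domain: str) -> List[str]:
    """Extract unique in-scope hostnames from archived URLs (scheme, port and path dropped)."""
    found = set()
    for line in cdx_text.splitlines():
        if not line.strip():
            continue
        host = normalize_host(urlsplit(line.strip()).hostname or "", domain)
        if host:
            found.add(host)
    return sorted(found)


def merge_sources(*lists: List[str]) -> List[str]:
    """Union of every source, sorted and deduplicated, the form recon/subdomains.txt expects."""
    return sorted(set().union(*lists))


if __name__ == "__main__":
    ct = hosts_from_crtsh(CRT_SH_SAMPLE, "example.com")
    wb = hosts_from_urls(CDX_SAMPLE, "example.com")
    print("\n".join(merge_sources(ct, wb)))
```

To use it against real data, feed the body of the crt.sh response to `hosts_from_crtsh` and the CDX text to `hosts_from_urls`; the same `normalize_host` filter can be reused on subfinder and Shodan output before merging into recon/subdomains.txt.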
WebSearch: site:<domain> -www
WebSearch: site:*.<domain>
If the target has known ASN ranges:
WebSearch: "<org_name>" ASN bgp.he.net
Map ASN → IP ranges → reverse DNS → additional subdomains.
After initial enumeration, generate permutations to find undiscovered subdomains:
Mutation patterns:
- api-<word>.<domain> → api-v2, api-staging, api-internal
- <word>-api.<domain> → dev-api, test-api, admin-api
- <env>.<domain> → dev, staging, uat, preprod, qa, sandbox
- <env>-<service>.<domain> → dev-app, staging-api, qa-admin
- <service>.<domain> → mail, vpn, portal, dashboard, admin, cms
- <geo>.<domain> → us, eu, ap, au, uk, sg
- <geo>-<service>.<domain> → us-api, eu-app, ap-admin
Validate mutations via DNS resolution (batch with dig or dnsx if available).
For each discovered subdomain:
# Resolve A record
dig +short A <subdomain>
# Check for CNAME (takeover potential)
dig +short CNAME <subdomain>
# Check for wildcard DNS
dig +short A randomnonexistent.<domain>
# If this returns an IP, the domain has wildcard DNS — filter accordingly
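The mutation patterns above and the wildcard-DNS check are tied together: a permutation list is useless against a wildcard zone unless every answer that matches the wildcard is discarded. The following added example (not code from the greyhatcc skill) expands the listed patterns into candidates, establishes a wildcard baseline by resolving random non-existent labels, and keeps only candidates whose answers differ from that baseline. The word lists, the `FAKE_ZONE` stand-in resolver and all IPs (TEST-NET-3 addresses) are constructed so the script runs offline; `generate_mutations`, `wildcard_baseline` and `validate` are names chosen here.

```python
import random
import string
from typing import Callable, Dict, List, Set

# Word lists mirroring the mutation patterns listed above (constructed; extend per target).
API_WORDS = ["v2", "staging", "internal"]          # api-<word>
PREFIX_API = ["dev", "test", "admin"]              # <word>-api
ENVS = ["dev", "staging", "uat", "preprod", "qa", "sandbox"]
SERVICES = ["mail", "vpn", "portal", "dashboard", "admin", "cms", "app", "api"]
GEOS = ["us", "eu", "ap", "au", "uk", "sg"]


def generate_mutations(domain: str) -> List[str]:
    """Expand every pattern from the list above into candidate hostnames (deduplicated)."""
    cands: Set[str] = set()
    cands.update(f"api-{w}.{domain}" for w in API_WORDS)
    cands.update(f"{w}-api.{domain}" for w in PREFIX_API)
    cands.update(f"{e}.{domain}" for e in ENVS)
    cands.update(f"{e}-{s}.{domain}" for e in ENVS for s in SERVICES)
    cands.update(f"{s}.{domain}" for s in SERVICES)
    cands.update(f"{g}.{domain}" for g in GEOS)
    cands.update(f"{g}-{s}.{domain}" for g in GEOS for s in SERVICES)
    return sorted(cands)


# A resolver maps a name to its A records; an empty list means NXDOMAIN / no answer.
Resolver = Callable[[str], List[str]]


def wildcard_baseline(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve a few random labels that cannot exist; any IPs returned are wildcard answers."""
    ips: Set[str] = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=16))
        ips.update(resolve(f"{label}.{domain}"))
    return ips


def validate(cands: List[str], resolve: Resolver, wildcard_ips: Set[str]) -> Dict[str, List[str]]:
    """Keep candidates that resolve to at least one address outside the wildcard answer set."""
    live: Dict[str, List[str]] = {}
    for name in cands:
        ips = resolve(name)
        if ips and not set(ips) <= wildcard_ips:
            live[name] = ips
    return live


# Constructed offline stand-in for dig/dnsx: a zone with four real names and a wildcard record.
FAKE_ZONE = {
    "dev.example.com": ["203.0.113.10"],
    "staging-api.example.com": ["203.0.113.11"],
    "vpn.example.com": ["203.0.113.12"],
    "eu-app.example.com": ["203.0.113.13"],
}
WILDCARD_IP = "203.0.113.99"


def fake_resolve(name: str) -> List[str]:
    """Answer from FAKE_ZONE, otherwise return the wildcard address for anything under the zone."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    return [WILDCARD_IP] if name.endswith(".example.com") else []


def run(domain: str, resolve: Resolver = fake_resolve) -> Dict[str, List[str]]:
    """Full pass: candidates -> wildcard baseline -> filtered live set."""
    return validate(generate_mutations(domain), resolve, wildcard_baseline(domain, resolve))


if __name__ == "__main__":
    for host, ips in run("example.com").items():
        print(host, ",".join(ips))
```

Swap `fake_resolve` for a function that shells out to `dig +short A` (or feeds the candidate list to dnsx) to use this for real. One caveat the filter cannot fix: a genuine record that happens to point at the same address as the wildcard is indistinguishable from a wildcard answer at the DNS layer, so such hosts only surface during the HTTP check that follows.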
For all resolved subdomains, check HTTP/HTTPS availability:
# Quick check with curl
curl -sk -o /dev/null -w "%{http_code} %{redirect_url}" "https://<subdomain>/" --connect-timeout 5
# Or use httpx if available
cat subdomains.txt | httpx -silent -status-code -title -tech-detect
/greyhatcc:takeover)

Outputs:
- recon/subdomains.txt - One subdomain per line (sorted, deduplicated)
- recon/subdomains.md - Formatted with live/dead status, IP addresses, CNAME targets, HTTP status codes

After completing this skill:
- tested.json — record what was tested (asset + vuln class)
- gadgets.json — add any informational findings with provides/requires tags for chaining (e.g., dangling CNAMEs provide trusted_origin)
- findings_log.md — log any confirmed findings with severity
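The dig and curl commands in the resolution and HTTP-check steps produce plain-text output that has to be parsed before it can be written into recon/subdomains.txt and recon/subdomains.md. The script below is an added example (not part of the greyhatcc skill) that parses those outputs and renders both files in memory, against constructed sample output for four invented hosts. One parsing detail it handles that is easy to miss: `dig +short A` on a CNAME'd name prints the CNAME target before the addresses, so only tokens that are valid IPs are treated as A records, and a name with a CNAME but no resulting address is reported as a dangling-CNAME candidate for the takeover check. `HostRecord`, `build_record`, `render_markdown`, `render_txt` and `dangling_cname_candidates` are names chosen here.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class HostRecord:
    name: str
    a: List[str] = field(default_factory=list)
    cname: Optional[str] = None
    http_code: Optional[int] = None
    redirect: str = ""

    @property
    def status(self) -> str:
        # curl reports 000 when no connection could be made at all
        return "live" if self.http_code not in (None, 0) else "dead"


def parse_dig_short(output: str) -> List[str]:
    """`dig +short` prints one answer per line; empty output means no record."""
    return [line.strip().rstrip(".") for line in output.splitlines() if line.strip()]


def parse_a_records(output: str) -> List[str]:
    """`dig +short A` includes the CNAME chain before the addresses; keep only IPs."""
    ips = []
    for token in parse_dig_short(output):
        try:
            ipaddress.ip_address(token)
            ips.append(token)
        except ValueError:
            continue
    return ips


def parse_curl_status(output: str) -> Tuple[int, str]:
    """Parse curl's `%{http_code} %{redirect_url}` write-out (redirect_url may be empty)."""
    code, _, redirect = output.strip().partition(" ")
    return int(code), redirect.strip()


def build_record(name: str, a_out: str, cname_out: str, curl_out: str) -> HostRecord:
    code, redirect = parse_curl_status(curl_out)
    cnames = parse_dig_short(cname_out)
    return HostRecord(name, parse_a_records(a_out), cnames[0] if cnames else None, code, redirect)


def render_txt(records: List[HostRecord]) -> str:
    """recon/subdomains.txt: one subdomain per line, sorted, deduplicated."""
    return "\n".join(sorted({r.name for r in records})) + "\n"


def render_markdown(records: List[HostRecord]) -> str:
    """recon/subdomains.md: status, addresses, CNAME target and HTTP status per host."""
    lines = ["| Subdomain | Status | A | CNAME | HTTP | Redirect |", "|---|---|---|---|---|---|"]
    for r in sorted(records, key=lambda r: r.name):
        code = "-" if r.http_code is None else str(r.http_code)
        lines.append(f"| {r.name} | {r.status} | {', '.join(r.a) or '-'} | {r.cname or '-'} | {code} | {r.redirect or '-'} |")
    return "\n".join(lines) + "\n"


def dangling_cname_candidates(records: List[HostRecord]) -> List[str]:
    """Names with a CNAME whose chain yields no address: input for /greyhatcc:takeover."""
    return sorted(r.name for r in records if r.cname and not r.a)


def run_sample() -> List[HostRecord]:
    """Constructed dig/curl output for four invented hosts (TEST-NET-3 addresses)."""
    return [
        build_record("www.example.com", "203.0.113.10\n", "", "200 "),
        build_record("portal.example.com", "203.0.113.11\n", "", "301 https://portal.example.com/login"),
        build_record("docs.example.com", "docs-site.pages.example.net.\n", "docs-site.pages.example.net.\n", "000 "),
        build_record("old.example.com", "", "", "000 "),
    ]


if __name__ == "__main__":
    recs = run_sample()
    print(render_txt(recs))
    print(render_markdown(recs))
    print("dangling CNAME candidates:", dangling_cname_candidates(recs))
```

In practice the three tool outputs per host come from the dig and curl commands shown earlier; running them through `build_record` and then the two renderers gives the two output files, and the dangling-CNAME list is what gets recorded in gadgets.json with a `provides` tag.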