Enumerate subdomains of target domains using ProjectDiscovery's Subfinder passive reconnaissance tool to map the attack surface during security assessments.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionperforming-subdomain-enumeration-with-subfinderExecute the skills CLI command in your project's root directory to begin installation:
Fetches performing-subdomain-enumeration-with-subfinder from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate performing-subdomain-enumeration-with-subfinder. Access via /performing-subdomain-enumeration-with-subfinder in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
1
total installs
1
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
1
installs
1
this week
8.6K
stars
| name | performing-subdomain-enumeration-with-subfinder |
| description | Enumerate subdomains of target domains using ProjectDiscovery's Subfinder passive reconnaissance tool to map the attack surface during security assessments. |
| domain | cybersecurity |
| subdomain | web-application-security |
| tags | - subdomain-enumeration - reconnaissance - bug-bounty - attack-surface - subfinder - passive-recon - osint |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - PR.PS-01 - ID.RA-01 - PR.DS-10 - DE.CM-01 |
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest)$HOME/.config/subfinder/provider-config.yaml# Install subfinder
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
# Verify installation
subfinder -version
# Configure API keys for enhanced results
mkdir -p $HOME/.config/subfinder
cat > $HOME/.config/subfinder/provider-config.yaml << 'EOF'
shodan:
- YOUR_SHODAN_API_KEY
censys:
- YOUR_CENSYS_API_ID:YOUR_CENSYS_API_SECRET
virustotal:
- YOUR_VT_API_KEY
securitytrails:
- YOUR_ST_API_KEY
chaos:
- YOUR_CHAOS_API_KEY
EOF
# Single domain enumeration
subfinder -d example.com -o subdomains.txt
# Multiple domains from a file
subfinder -dL domains.txt -o all_subdomains.txt
# Use all passive sources (slower but more thorough)
subfinder -d example.com -all -o subdomains_all.txt
# Silent mode for piping to other tools
subfinder -d example.com -silent | httpx -silent -status-code
# Use specific sources only
subfinder -d example.com -s crtsh,virustotal,shodan -o filtered.txt
# Exclude specific sources
subfinder -d example.com -es github -o results.txt
# Enable recursive subdomain enumeration
subfinder -d example.com -recursive -o recursive_subs.txt
# Match specific patterns
subfinder -d example.com -m "api,dev,staging" -o matched.txt
# Rate limit to avoid API throttling
subfinder -d example.com -rate-limit 10 -t 5 -o rate_limited.txt
# JSON output for programmatic processing
subfinder -d example.com -oJ -o subdomains.json
# Output with source information
subfinder -d example.com -cs -o subdomains_with_sources.txt
# Collect results in a directory per domain
subfinder -dL domains.txt -oD ./results/
# Pipe subfinder output to httpx for live validation
subfinder -d example.com -silent | httpx -silent -status-code -title -tech-detect -o live_hosts.txt
# Check for specific ports
subfinder -d example.com -silent | httpx -ports 80,443,8080,8443 -o web_services.txt
# Resolve IP addresses
subfinder -d example.com -silent | dnsx -a -resp -o resolved.txt
# Chain with nuclei for vulnerability scanning
subfinder -d example.com -silent | httpx -silent | nuclei -t cves/ -o vulns.txt
# Combine with amass for comprehensive enumeration
subfinder -d example.com -o subfinder_results.txt
amass enum -passive -d example.com -o amass_results.txt
cat subfinder_results.txt amass_results.txt | sort -u > combined_subdomains.txt
# Screenshot discovered hosts
subfinder -d example.com -silent | httpx -silent | gowitness file -f - -P screenshots/
| Concept | Description |
|---|---|
| Passive Enumeration | Discovering subdomains without directly querying target DNS servers |
| Certificate Transparency | Public logs of SSL/TLS certificates revealing subdomain names |
| DNS Aggregation | Collecting subdomain data from multiple passive DNS databases |
| Recursive Enumeration | Discovering subdomains of subdomains for deeper coverage |
| Source Providers | External APIs and databases queried for subdomain intelligence |
| CNAME Records | Canonical name records that may reveal additional infrastructure |
| Wildcard DNS | DNS configuration returning results for any subdomain query |
| Tool | Purpose |
|---|---|
| Subfinder | Primary passive subdomain enumeration engine |
| httpx | HTTP probe tool for validating live subdomains |
| dnsx | DNS resolution and validation toolkit |
| Nuclei | Template-based vulnerability scanner for discovered hosts |
| Amass | Complementary subdomain enumeration with active/passive modes |
| gowitness | Web screenshot utility for visual reconnaissance |
| Shodan | Internet-wide scanning database for subdomain intelligence |
| crt.sh | Certificate transparency log search engine |
## Subdomain Enumeration Report
- **Target Domain**: example.com
- **Total Subdomains Found**: 247
- **Live Hosts**: 183
- **Unique IP Addresses**: 42
- **Sources Used**: crt.sh, VirusTotal, Shodan, SecurityTrails, Censys
### Discovered Subdomains
| Subdomain | IP Address | Status Code | Technology |
|-----------|-----------|-------------|------------|
| api.example.com | 10.0.1.5 | 200 | Nginx, Node.js |
| staging.example.com | 10.0.2.10 | 403 | Apache |
| dev.example.com | 10.0.3.15 | 200 | Express |
### Recommendations
- Remove DNS records for decommissioned subdomains
- Investigate subdomains with CNAME pointing to unclaimed services
- Restrict access to development and staging environments
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
We added performing-subdomain-enumeration-with-subfinder from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
performing-subdomain-enumeration-with-subfinder fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
performing-subdomain-enumeration-with-subfinder reduced setup friction for our internal harness; good balance of opinion and flexibility.
Keeps context tight: performing-subdomain-enumeration-with-subfinder is the kind of skill you can hand to a new teammate without a long onboarding doc.
performing-subdomain-enumeration-with-subfinder is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
I recommend performing-subdomain-enumeration-with-subfinder for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
performing-subdomain-enumeration-with-subfinder has been reliable in day-to-day use. Documentation quality is above average for community skills.
Keeps context tight: performing-subdomain-enumeration-with-subfinder is the kind of skill you can hand to a new teammate without a long onboarding doc.
Useful defaults in performing-subdomain-enumeration-with-subfinder — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
Solid pick for teams standardizing on skills: performing-subdomain-enumeration-with-subfinder is focused, and the summary matches what you get after install.
showing 1-10 of 42