{/* 此页面由 website/scripts/generate-skill-docs.py 从技能的 SKILL.md 自动生成。请编辑源文件 SKILL.md,而非此页面。 */}
Domain Intel
Passive domain reconnaissance using Python stdlib. Subdomain discovery, SSL certificate inspection, WHOIS lookups, DNS records, domain availability checks, and bulk multi-domain analysis. No API keys required.
技能元数据
| 来源 | 可选 — 通过 hermes skills install official/research/domain-intel |
| 路径 | optional-skills/research/domain-intel |
| 平台 | linux, macos, windows |
参考:完整 SKILL.md
:::info 以下是 Hermes 在触发此技能时加载的完整技能定义。这是技能激活时代理所看到的指令。 :::
Domain Intelligence — Passive OSINT
Passive domain reconnaissance using only Python stdlib. Zero dependencies. Zero API keys. Works on Linux, macOS, and Windows.
Helper script
This skill includes scripts/domain_intel.py — a complete CLI tool for all domain intelligence operations.
# Subdomain discovery via Certificate Transparency logs
python3 SKILL_DIR/scripts/domain_intel.py subdomains example.com
# SSL certificate inspection (expiry, cipher, SANs, issuer)
python3 SKILL_DIR/scripts/domain_intel.py ssl example.com
# WHOIS lookup (registrar, dates, name servers — 100+ TLDs)
python3 SKILL_DIR/scripts/domain_intel.py whois example.com
# DNS records (A, AAAA, MX, NS, TXT, CNAME)
python3 SKILL_DIR/scripts/domain_intel.py dns example.com
# Domain availability check (passive: DNS + WHOIS + SSL signals)
python3 SKILL_DIR/scripts/domain_intel.py available coolstartup.io
# Bulk analysis — multiple domains, multiple checks in parallel
python3 SKILL_DIR/scripts/domain_intel.py bulk example.com github.com google.com
python3 SKILL_DIR/scripts/domain_intel.py bulk example.com github.com --checks ssl,dnsSKILL_DIR is the directory containing this SKILL.md file. All output is structured JSON.
Available commands
| Command | What it does | Data source |
|---|---|---|
subdomains | Find subdomains from certificate logs | crt.sh (HTTPS) |
ssl | Inspect TLS certificate details | Direct TCP:443 to target |
whois | Registration info, registrar, dates | WHOIS servers (TCP:43) |
dns | A, AAAA, MX, NS, TXT, CNAME records | System DNS + Google DoH |
available | Check if domain is registered | DNS + WHOIS + SSL signals |
bulk | Run multiple checks on multiple domains | All of the above |
何时使用 this vs built-in tools
- Use this skill for infrastructure questions: subdomains, SSL certs, WHOIS, DNS records, availability
- Use
web_searchfor general research about what a domain/company does - Use
web_extractto get the actual content of a webpage - Use
terminalwithcurl -Ifor a simple “is this URL reachable” check
| Task | Better tool | Why |
|---|---|---|
| ”What does example.com do?” | web_extract | Gets page content, not DNS/WHOIS data |
| ”Find info about a company” | web_search | General research, not domain-specific |
| ”Is this website safe?” | web_search | Reputation checks need web context |
| ”Check if a URL is reachable” | terminal with curl -I | Simple HTTP check |
| ”Find subdomains of X” | This skill | Only passive source for this |
| ”When does the SSL cert expire?” | This skill | Built-in tools can’t inspect TLS |
| ”Who registered this domain?” | This skill | WHOIS data not in web search |
| ”Is coolstartup.io available?” | This skill | Passive availability via DNS+WHOIS+SSL |
Platform compatibility
Pure Python stdlib (socket, ssl, urllib, json, concurrent.futures).
Works identically on Linux, macOS, and Windows with no dependencies.
- crt.sh queries use HTTPS (port 443) — works behind most firewalls
- WHOIS queries use TCP port 43 — may be blocked on restrictive networks
- DNS queries use Google DoH (HTTPS) for MX/NS/TXT — firewall-friendly
- SSL checks connect to the target on port 443 — the only “active” operation
Data sources
All queries are passive — no port scanning, no vulnerability testing:
- crt.sh — Certificate Transparency logs (subdomain discovery, HTTPS only)
- WHOIS servers — Direct TCP to 100+ authoritative TLD registrars
- Google DNS-over-HTTPS — MX, NS, TXT, CNAME resolution (firewall-friendly)
- System DNS — A/AAAA record resolution
- SSL check is the only “active” operation (TCP connection to target:443)
说明
- WHOIS queries use TCP port 43 — may be blocked on restrictive networks
- Some WHOIS servers redact registrant info (GDPR) — mention this to the user
- crt.sh can be slow for very popular domains (thousands of certs) — set reasonable expectations
- The availability check is heuristic-based (3 passive signals) — not authoritative like a registrar API
Contributed by @FurkanL0