Domain Name Enumeration Tool
Gist: Some terrible continually updated python code leveraging some awesome tools that I use for bug bounty reconnaissance.
The tools contained in domained requires Kali Linux (preferred) or Debian 7+ and Recon-ng
Domained uses several subdomain enumeration tools and wordlists to create a unique list of subdmains that are passed to EyeWitness for reporting with categorized screenshots, server response headers and signature based default credential checking. (resources are saved to ./bin and output is saved to ./output)
Initial Install: python domained.py --install
NOTE: This is an active recon – only perform on applications that you have permission to test against.
- Sublist3r by Ahmed Aboul-Ela
- enumall by Jason Haddix
- Knock by Gianni Amato
- Subbrute by TheRook
- massdns by B. Blechschmidt
- Recon-ng by Tim Tomes (LaNMaSteR53)
- EyeWitness by ChrisTruncer
- SecList (DNS Recon List) by Daniel Miessler
- LevelUp All.txt Subdomain List by Jason Haddix
First Step:
Install Required Python Modules: sudo pip install -r ./ext/requirements.txt
Install Tools: sudo python domained.py --install
Example 1: python domained.py -d example.com
Uses subdomain example.com (Sublist3r enumall, Knock)
Example 2: python domained.py -d example.com -b -p --vpn
Uses subdomain example.com with seclist subdomain list bruteforcing (massdns, subbrute, Sublist3r and enumall), adds ports 8443/8080 and checks if on VPN
Example 3: python domained.py -d example.com -b --bruteall
Uses subdomain example.com with large-all.txt bruteforcing (massdns, subbrute, Sublist3r and enumall)
Example 4: python domained.py -d example.com --quick
Uses subdomain example.com and only Sublist3r (+subbrute)
Example 5: python domained.py -d example.com --quick --notify
Uses subdomain example.com, only Sublist3r (+subbrute) and notification
Note: --bruteall must be used with the -b flag
| Option | Description |
|---|---|
| --install/--upgrade | Both do the same function – install all prerequisite tools (Kali is a prerequisite AFAIK) |
| --vpn | Check if you are on VPN (update with your provider) |
| --quick | Use ONLY Sublis3r's subdomain methods (+ subbrute) |
| --bruteall | Bruteforce with JHaddix All.txt List instead of SecList |
| --fresh | Delete old data from output folder |
| --notify | Send Pushover or Gmail Notifications |
| --active | EyeWitness Active Scan |
| -d | The domain you want to preform recon on |
| -b | Bruteforce with subbrute/massdns and SecList wordlist |
| -s n | Only HTTPs domains |
| -p | Add port 8080 for HTTP and 8443 for HTTPS |
- Complete the ext/notifycfg.ini for Pushover or Gmail notifications. (Enable must be set to True)
- Please see the Pushover API info here and instructions on how to allow less secure apps on your gmail account here
- ccsplit - Multiple code improvements including the ability to run domained from any directory
- Chan9390 - Updates to the requirements.txt
- 07-15-2017: Updated to include error handling and updated reconnaissance techniques from Bugcrowd's LevelUp Conference (including subbrute/masscan and subdomain lists) - influenced by Jason Haddix's talk Bug Hunter's Methodology 2.0
- 08-09-2017: Various fixes (+ phantomjs error), added --fresh option, removed redundant PyBrute folder from output and added pip requirements.txt
- 08-15-2017: Added notification (--notify) option with Pushover or Gmail support
- 08-18-2017: Moved repo from https://github.com/OrOneEqualsOne/reconned
- 09-28-2017: Updated for Recon-ng dependency + Python3 changes