DarkWebInformer/TLDSweep

TLDSweep

TLDSweep is a TLD recon & domain intelligence OSINT tool that sweeps a domain name across 800+ TLDs to discover what's registered, who owns it, and what's running on it. It identifies newly registered domains, flags suspicious TLDs, and alerts users via Telegram and Discord.

Want Cyber Threat Intelligence updates? Visit DarkWebInformer.com for real-time insights on data breaches, data leaks, ransomware and more dark web threats.

Features

  • TLD Sweep – Scans a base domain across 800+ priority and secondary TLDs to find all registered variants.
  • DNS Resolution – Fast batch DNS sweep via raw UDP queries to Cloudflare and Quad9 resolvers, with full A, AAAA, CNAME, MX, NS, SOA, TXT, SPF, and DMARC record resolution during recon.
  • WHOIS Lookup – Raw socket WHOIS queries with registrar referral chasing, creation/expiry date parsing, registrant info, and DNSSEC status.
  • Newly Registered Detection – Flags domains registered within a configurable threshold (default: 90 days) for brand protection and phishing detection.
  • TLS Certificate Grabbing – Extracts subject, issuer, SAN, serial number, and validity dates from SSL/TLS certificates.
  • HTTP/HTTPS Probing – Detects live web servers, captures status codes, server headers, page titles, redirect chains, and body hashes.
  • Technology Fingerprinting – Identifies web technologies (Nginx, Apache, Cloudflare, PHP, Express.js, Next.js, Django, etc.) from response headers.
  • Favicon Hashing – Computes MMH3/MD5 hashes of favicons for Shodan-compatible fingerprinting.
  • ASN Lookup – Team Cymru DNS-based ASN resolution for IP geolocation and network attribution.
  • Bogon IP Detection – Flags RFC 1918 and reserved IPs that shouldn't appear in public DNS.
  • Risk Indicators – Automatically flags suspicious TLDs, newly registered domains, bogon IPs, and missing security records.
  • Telegram & Discord Alerts – Sends rich notifications with scan summaries, total scan time, newly registered domains, and diff reports between scans. Confirms delivery success in the terminal.
  • Watch Mode – Continuous monitoring with configurable re-scan intervals for ongoing brand surveillance.
  • Interactive HTML Reports – Auto-generates self-contained HTML reports with sortable tables and scan metadata.
  • Multiple Export Formats – JSON (with scan history tracking), CSV, and HTML report outputs.
  • Scan Diffing – Compares current results against previous scans to highlight NEW and GONE domains.
  • Interactive Mode – Run with no arguments for a guided menu-driven scan configuration.
  • Rich CLI Output – Color-coded terminal output with clickable hyperlinks, progress bars, and ETA estimates.
  • Zero External Dependencies – Pure Python 3 with raw sockets for DNS, WHOIS, HTTP, and TLS. No pip packages required.
  • Graceful Shutdown – Ctrl+C finishes in-flight requests cleanly before exiting.
  • Cross-Platform – Works on Windows, Linux, and macOS.
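
To illustrate the Newly Registered Detection, Bogon IP Detection and Risk Indicators features above, here is an added example (not TLDSweep's own code) that derives flags for one swept domain. The suspicious-TLD set, the function and flag names, and the reading of "missing security records" as SPF and DMARC are assumptions; the sample record is constructed.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample list; TLDSweep's real suspicious-TLD list is not shown on the page.
SUSPICIOUS_TLDS = {"top", "xyz", "zip"}
# Creation-date keys vary by registry, so several spellings are accepted.
CREATED_RE = re.compile(
    r"^\s*(?:Creation Date|created|Registered on)\s*:\s*(.+?)\s*$", re.I | re.M)
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d-%b-%Y")

def parse_creation_date(whois_text):
    """Return the WHOIS creation date as an aware UTC datetime, or None."""
    match = CREATED_RE.search(whois_text)
    if not match:
        return None
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(match.group(1), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None

def is_bogon(ip):
    """True for private, loopback, CGNAT and other non-global addresses."""
    return not ipaddress.ip_address(ip).is_global

def risk_flags(domain, ips, whois_text, spf_txt, dmarc_txt, now, threshold_days=90):
    """Collect risk indicators for one swept domain (field names are hypothetical)."""
    flags = []
    if domain.rsplit(".", 1)[-1].lower() in SUSPICIOUS_TLDS:
        flags.append("suspicious_tld")
    created = parse_creation_date(whois_text)
    if created is None:
        flags.append("creation_date_unknown")  # do not treat "unknown" as "old"
    elif (now - created).days <= threshold_days:
        flags.append("newly_registered")
    if any(is_bogon(ip) for ip in ips):
        flags.append("bogon_ip")
    if not any(t.lower().startswith("v=spf1") for t in spf_txt):
        flags.append("no_spf")
    if not any(t.lower().startswith("v=dmarc1") for t in dmarc_txt):
        flags.append("no_dmarc")
    return flags

# Constructed sample record, not real scan output.
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)
SAMPLE = risk_flags("example.top", ["10.0.0.5"],
                    "Domain Name: EXAMPLE.TOP\nCreation Date: 2025-02-10T08:30:00Z\n",
                    ["v=spf1 -all"], [], NOW)
print(SAMPLE)
```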

Known Issues / Bugs

  • WHOIS Rate Limiting – Some WHOIS servers may temporarily block queries if scanned too aggressively. TLDSweep throttles queries per server, but large sweeps may still trigger limits.
  • DNS Query Failures – Some TLDs may not return results due to NXDOMAIN errors or unresponsive authoritative servers.
  • IDN/Punycode TLDs – Internationalized TLDs (xn--*) have limited WHOIS server coverage.
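
The DNS Query Failures item above matters for interpreting a sweep: a resolver failure is not evidence that a domain is unregistered. The following added example (not TLDSweep's own code) builds a raw RFC 1035 query and classifies replies by header flags. The function names, verdict strings and the choice of an A query are assumptions, and the replies are constructed in place of live resolver traffic.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1, txid=0x1234):
    """Build a raw DNS query (RFC 1035): header, QNAME labels, QTYPE, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.encode("idna").split(b".")  # IDN labels become xn-- punycode
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def classify(response, txid):
    """Turn a raw reply into a sweep verdict; only NXDOMAIN means 'no such name'."""
    if len(response) < 12:
        return "error:short"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid or not flags & 0x8000:
        return "error:mismatch"      # wrong transaction ID or QR bit not set
    if flags & 0x0200:
        return "retry:truncated"     # TC bit: answer did not fit in one datagram
    rcode = flags & 0x000F
    if rcode == 3:
        return "not_found"
    if rcode != 0:
        return "retry:" + RCODES.get(rcode, "RCODE%d" % rcode)
    return "exists" if ancount else "exists:nodata"

def sample_response(query, flags, answer=b""):
    """Constructed reply for offline use: echo the question, set flags and ANCOUNT."""
    (txid,) = struct.unpack("!H", query[:2])
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if answer else 0, 0, 0)
    return header + query[12:] + answer

# Constructed A record: name pointer to offset 12, TTL 300, address 192.0.2.10.
A_RECORD = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])

if __name__ == "__main__":
    q = build_query("example.com")
    for label, flags, answer in (("NXDOMAIN", 0x8183, b""), ("SERVFAIL", 0x8182, b""),
                                 ("NOERROR", 0x8180, A_RECORD)):
        print(label, "->", classify(sample_response(q, flags, answer), 0x1234))
```

Treating SERVFAIL, REFUSED and truncated replies as "retry" rather than "not registered" keeps a flaky resolver from hiding a lookalike domain.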

System Requirements

  • Python 3.8+ (Latest version preferred)
  • No external packages required – Runs entirely on the Python standard library

Optional Python Packages

These are optional and enhance functionality if installed:

  • mmh3 – improved favicon hashing compatible with Shodan

Project Structure

| File | Description |
|---|---|
| tldsweep.py | Main script — scanner, CLI, exporters, notifications |
| tldsweep_data.py | TLD lists (800+ priority and secondary TLDs) and WHOIS server mappings. Required by the main script. |

Both files must be in the same directory.


Installation Guide

Follow these steps to install and set up TLDSweep on your system.


1. Clone the Repository

git clone https://github.com/DarkWebInformer/TLDSweep.git
cd TLDSweep

2. Run the Script

Interactive mode (guided menu):

python tldsweep.py

CLI mode (direct scan):

python tldsweep.py example

That's it. No pip install required.


3. Setup Notifications (Optional)

Create a .env file in your root directory to enable Telegram and/or Discord alerts:

TLDSWEEP_DISCORD_WEBHOOK=<your_discord_webhook>
TLDSWEEP_TELEGRAM_TOKEN=<your_telegram_bot_token>
TLDSWEEP_TELEGRAM_CHAT_ID=<your_telegram_chat_id>

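Replace the placeholder values with your actual credentials. The webhook URL and bot token are secrets: keep the .env file out of version control and restrict its file permissions.

Or pass them as CLI flags. Values given on the command line end up in shell history and are visible in process listings, so prefer the .env file on shared hosts: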

python tldsweep.py example --discord-webhook "https://discord.com/api/webhooks/..."
python tldsweep.py example --telegram "BOT_TOKEN:CHAT_ID"

Usage Examples

Basic Scan (Full Mode)

python tldsweep.py example

Quick DNS-Only Scan

python tldsweep.py example --quick

New Registrations Only (Brand Protection)

python tldsweep.py example --new-only --newly-registered 30

Custom Threads & Timeout

python tldsweep.py example --threads 50 --dns-threads 200 --timeout 3

Export Results

python tldsweep.py example --output results.json --csv results.csv --html-report report.html

Watch Mode (Continuous Monitoring)

python tldsweep.py example --watch 60

Custom TLD List

python tldsweep.py example --tld-file custom_tlds.txt

Scan Config File

python tldsweep.py example --config scan_profile.json

CLI Reference

| Flag | Description | Default |
|---|---|---|
| domain | Base domain name to scan | required |
| -t, --threads | Recon threads (WHOIS/HTTP/TLS) | 30 |
| --dns-threads | DNS resolution threads | 100 |
| --whois-threads | WHOIS lookup threads | 20 |
| --timeout | Socket timeout (seconds) | 5.0 |
| --connect-timeout | Connection timeout (seconds) | 2.0 |
| -o, --output | Standalone JSON export path | |
| --csv | CSV export path | |
| --html-report | Interactive HTML report path | |
| --output-dir | Directory for auto-saved files | . |
| --no-auto-json | Disable automatic JSON/HTML export | false |
| --tld-file | Custom TLD list file (one per line) | built-in |
| --newly-registered | Flag domains ≤ N days old | 90 |
| --config | JSON or key:value config file | |
| --new-only | DNS + WHOIS creation-date only | false |
| --quick | DNS-only scan (fastest) | false |
| --no-whois | Skip WHOIS lookups | false |
| --no-http | Skip HTTP probing | false |
| --no-tls | Skip TLS certificate grabbing | false |
| --no-color | Disable colored output | false |
| -v, --verbose | Verbose output | false |
| --registered-only | Only show registered domains | false |
| --resolvers | Custom DNS resolvers (comma-separated) | Cloudflare, Quad9 |
| --watch | Re-scan every N minutes (0=off) | 0 |
| --discord-webhook | Discord webhook URL for alerts | env var |
| --telegram | Telegram TOKEN:CHAT_ID for alerts | env var |
| -V, --version | Show version and exit | |

Output Files

TLDSweep automatically generates the following files after each scan:

| File | Description |
|---|---|
| <domain>_scans.json | Cumulative scan history with diff tracking across runs |
| <domain>_report_<timestamp>.html | Self-contained interactive HTML report |

Additional exports are available via --output, --csv, and --html-report flags.

Support TLDSweep & Dark Web Informer

TLDSweep is an open-source project dedicated to domain intelligence, brand protection, and cyber threat detection. Your support helps keep this project running!

You can also get access to premium cyber threat intelligence on Dark Web Informer.

Subscription Options:

Stay ahead of the latest cyber threats with real-time intelligence.

Donate to Support Dark Web Informer's Work

If you find Dark Web Informer and/or TLDSweep valuable, consider making a donation to help future development, research, and cyber threat intelligence. Donate here

Advertise With Dark Web Informer

Looking to promote your cybersecurity services or reach the right audience? Check out the advertising options here: Advertising Rates

Your support helps keep TLDSweep and Dark Web Informer independent and continuously improving. Thank you!


License

This project is licensed under the MIT License – see the LICENSE file for details.
