Subdomain Enumeration
Switch branches/tags
Nothing to show
Clone or download
cakinney Update ToDo / Contributor List
Added dainok to Contributor List and added SubFinder/SubOver to To-Do List
Latest commit 2aaf952 Aug 18, 2018

README.md

domained

A domain name enumeration tool

Gist: Some terrible continually updated python code leveraging some awesome tools that I use for bug bounty reconnaissance.

The tools contained in domained requires Kali Linux (preferred) or Debian 7+ and Recon-ng

Domained uses several subdomain enumeration tools and wordlists to create a unique list of subdmains that are passed to EyeWitness for reporting with categorized screenshots, server response headers and signature based default credential checking. (resources are saved to ./bin and output is saved to ./output)

Initial Install:
  • domained tools: python domained.py --install
  • Python required modules: sudo pip install -r ./ext/requirements.txt
Other Dependencies:
  • ldns library for DNS programming: sudo apt-get install libldns-dev -y
  • Go Programming Language: sudo apt-get install golang

NOTE: This is an active recon – only perform on applications that you have permission to test against.

Tools leveraged:
Subdomain Enumeraton Tools:
  1. Sublist3r by Ahmed Aboul-Ela
  2. enumall by Jason Haddix
  3. Knock by Gianni Amato
  4. Subbrute by TheRook
  5. massdns by B. Blechschmidt
  6. Recon-ng by Tim Tomes (LaNMaSteR53)
  7. Amass by Jeff Foley (caffix)
Reporting + Wordlists:
Usage
First Step:
Install Required Python Modules: sudo pip install -r ./ext/requirements.txt
Install Tools: sudo python domained.py --install

Example 1: python domained.py -d example.com
Uses subdomain example.com (Sublist3r enumall, Knock, Amass)

Example 2: python domained.py -d example.com -b -p --vpn
Uses subdomain example.com with seclist subdomain list bruteforcing (massdns, subbrute, Sublist3r, Amass and enumall), adds ports 8443/8080 and checks if on VPN

Example 3: python domained.py -d example.com -b --bruteall
Uses subdomain example.com with large-all.txt bruteforcing (massdns, subbrute, Sublist3r, Amass and enumall)

Example 4: python domained.py -d example.com --quick
Uses subdomain example.com and only Sublist3r (+subbrute)

Example 5: python domained.py -d example.com --quick --notify
Uses subdomain example.com, only Sublist3r (+subbrute) and notification

Example 6: python domained.py -d example.com --noeyewitness
Uses subdomain example.com with no EyeWitness

Note: --bruteall must be used with the -b flag
Option Description
--install/--upgrade Both do the same function – install all prerequisite tools (Kali is a prerequisite AFAIK)
--vpn Check if you are on VPN (update with your provider)
--quick Use ONLY Sublis3r's subdomain methods (+ subbrute)
--bruteall Bruteforce with JHaddix All.txt List instead of SecList
--fresh Delete old data from output folder
--notify Send Pushover or Gmail Notifications
--active EyeWitness Active Scan
--noeyewitness No Eyewitness
-d The domain you want to preform recon on
-b Bruteforce with subbrute/massdns and SecList wordlist
-s n Only HTTPs domains
-p Add port 8080 for HTTP and 8443 for HTTPS
Notifications
  • Complete the ext/notifycfg.ini for Pushover or Gmail notifications. (Enable must be set to True)
  • Please see the Pushover API info here and instructions on how to allow less secure apps on your gmail account here
To-Do List
  • Multiple Domains
  • Notifications
  • Subdomains from censys
  • Subdomains from Shodan
  • Web Frontend/Dashbord
  • Add SubFinder/SubOver
Thank You to Contributors
  • ccsplit - Multiple code improvements including the ability to run domained from any directory
  • jafoca - Massdns fix
  • mortymorty - SecList brute file fix
  • Chan9390 - Updates to the requirements.txt
  • dainok - Python 3.6+ fixes
Major Updates
  • 07-15-2017: Updated to include error handling and updated reconnaissance techniques from Bugcrowd's LevelUp Conference (including subbrute/masscan and subdomain lists) - influenced by Jason Haddix's talk Bug Hunter's Methodology 2.0
  • 08-09-2017: Various fixes (+ phantomjs error), added --fresh option, removed redundant PyBrute folder from output and added pip requirements.txt
  • 08-15-2017: Added notification (--notify) option with Pushover or Gmail support
  • 08-18-2017: Moved repo from OrOneEqualsOne/reconned
  • 09-28-2017: Updated for Recon-ng dependency + Python3 changes
  • 06-20-2018: Added Amass and option for no EyeWitness