Dome - Subdomain Enumeration Tool. Fast and reliable python script that makes active and/or passive scan to obtain subdomains and search for open ports.

Overview

DOME - A subdomain enumeration tool

Version Build Build Contributions Welcome

Alt Text

Check the Spanish Version

Dome is a fast and reliable python script that makes active and/or passive scan to obtain subdomains and search for open ports. This tool is recommended for bug bounty hunters and pentester in their reconnaissance phase.

the more surface area exposed the faster a rock with break down

If you want to use more OSINT engines, fill the config.api file with the needed API tokens

Passive Mode:

Use OSINT techniques to obtain subdomains from the target. This mode will not make any connection to the target so it is undetectable. The basic use of this mode is:

python dome.py -m passive -d domain

Active Mode:

Perform bruteforce attacks to obtain alive subdomains. There are 2 types of bruteforce:

  • Pure Bruteforce: Check subdomains from a.domain.com to zzz.domain.com (26 + 26^2 + 26^3 = 18278 subdomains) this bruteforce can be disabled with -nb, --no-bruteforce
  • Wordlist based: Use a custom wordlist provided by the user using the flag -w, --wordlist. If no wordlists is specified, this mode won't be executed

This mode will also make passive mode attack but in this case, the connection is tested to ensure the subdomain is still alive. To disable passive scan in active scan mode, use --no-passive flag

The basic use of this mode is:

python dome.py -m active -d domain -w wordlist.txt

Add -p option or a built-it port option (see usage menu) to perform port scanning

python dome.py -m active -d domain -w wordlist.txt -p 80,443,8080

Installation

You can run Dome with Python 2 or 3. Python3 is recommended

Install the dependencies and run the program

git clone https://github.com/v4d1/Dome.git
cd Dome
pip install -r requirements.txt
python dome.py --help

Top Features

  • Easy to use. Just install the requirements.txt and run
  • Active and Passive scan (read above)
  • Faster than other subdomain enumeration tools
  • 7 different resolvers/nameservers including google, cloudfare (fastest), Quad9 and cisco DNS (use --resolvers filename.txt to use a custom list of resolvers, one per line)
  • Up to 21 different OSINT sources
  • Subdomains obtained via OSINT are tested to know if they are alive (only in active mode)
  • Support for webs that requires API token
  • Detects when api key is no longer working (Other tools just throw an error and stops working)
  • Wildcard detection and bypass
  • Custom Port scaning and built-in params for Top100,Top1000 and Top Web ports
  • Colored and uncolored output for easy read
  • Windows and Python 2/3 support (Python 3 is recommended)
  • Highly customizable through arguments
  • Scan more than one domain simultaneously
  • Possibility to use threads for faster bruteforce scans
  • Export output in different formats such as txt, json, html

Buy me a Coffee

"Buy Me A Coffee"

Screenshots

tool_in_action

Passive mode:

tool_in_action

Active mode + port scan:

tool_in_action

OSINT Search Engines

Dome uses these web pages to obtain subdomains

Without API:

  • AlienVault
  • HackerTarget
  • RapidDNS
  • ThreatMiner
  • urlscan.io
  • threatcrowd.org
  • web.archive.org
  • crt.sh
  • bufferover.run
  • CertSpotter
  • Anubis-DB
  • Hunt.io
  • Sonar
  • SiteDossier
  • DNSrepo

With API:

  • VirusTotal
  • Shodan
  • Spyse
  • SecurityTrails
  • PassiveTotal
  • BinaryEdge

TODO List

Feel free to implement this features

  • Add arguments
  • Add DNS wildcard detection and bypass
  • Add port scan and port argument
  • Add colored screen output (also option for no-colour)
  • Add -i option to show the subdomains' IP address
  • Add --silent argument to show nothing on screen
  • Create a dicc structure like {"ip": "domain"} to avoid duplicate port scans
  • Generate output in html and json format, also a txt for subdomains found during scan
  • Add timestamps
  • Recursive scan
  • Autoupdate Script
  • Add more OSINT engines with API token (create config file)
  • Add compatibility with Windows
  • Add compatibility with Python 2.7
  • Add Shodan for passive open ports? (Check requests limit with api key)
  • Add support for domains like .gov.uk (at this moment, the program only works with one level domain like domain.com) (https://publicsuffix.org/list/public_suffix_list.dat)
  • Add precompiled files for Linux and Windows (Mac OS?)
  • Add Spyse as osint engine
  • Added DNS resolvers
  • Implement spyse offset in request to get more subdomains (https://spyse-dev.readme.io/reference/domain_search)
  • Add common prefix to valid subdomains like -testing, -staging, etc
  • Delete wordlists words <= 3 letters if pure bruteforce was made (avoid duplicate connections)
  • Add exclusion file so bug bounty hunters can specify OOS subdomains in order to not print/output them

Usage

Arguments Description Arg example
-m, --mode Scan mode. Valid options: active or passive active
-d, --domain Domains name to enumerate subdomains (Separated by commas) hackerone.com,facebook.com
-w, --wordlist Wordlist containing subdomain prefix to bruteforce subdomains-5000.txt
-i, --ip When a subdomain is found, show its ip
--no-passive Do not use OSINT techniques to obtain valid subdomains
-nb, --no-bruteforce Dont make pure bruteforce up to 3 letters
-p, --ports Scan the subdomains found against specific tcp ports 80,443,8080
--top-100-ports Scan the top 100 ports of the subdomain (Not compatible with -p option)
--top-1000-ports Scan the top 1000 ports of the subdomain (Not compatible with -p option)
--top-web-ports Scan the top web ports of the subdomain (Not compatible with -p option)
-s, --silent Silent mode. No output in terminal
--no-color Dont print colored output
-t, --threads Number of threads to use (Default: 25) 20
-o, --output Save the results to txt, json and html files
--max-response-size Maximun length for HTTP response (Default:5000000 (5MB)) 1000000
--r, --resolvers Textfile with DNS resolvers to use. One per line resolvers.txt
-h, --help Help command
--version Show dome version and exit
-v, --verbose Show more information during execution

Examples

Perform active and passive scan, show the ip adress of each subdomain and make a port scan using top-web-ports. Data will also be written in /results folder:

python dome.py -m active -d domain -w wordlist.txt -i --top-web-ports -o

Perform passive scan in silent mode and write output to files.

python dome.py -m passive -d domain --silent --output

Perform active scan without passive and port scan

python dome.py -m active -d domain -w wordlist.txt --no-passive

Only bruteforce with wordlist

python dome.py -m active -d domain -w wordlist.txt --no-bruteforce

Scan active and passive and perform port scan ONLY in ports 22,80,3306

python dome.py -m active -d domain -w wordlist.txt -p 22,80,3306

Contact

You can contact me at [email protected]

License: for commercial use, contact me at email above

You might also like...
log4j2 passive burp rce scanning tool get post cookie full parameter recognition
log4j2 passive burp rce scanning tool get post cookie full parameter recognition

log4j2_burp_scan 自用脚本log4j2 被动 burp rce扫描工具 get post cookie 全参数识别,在ceye.io api速率限制下,最大线程扫描每一个参数,记录过滤已检测地址,重复地址 token替换为你自己的http://ceye.io/ token 和域名地址

A Tool to find subdomains from hackerone reports.
A Tool to find subdomains from hackerone reports.

Hactivity A Tool to find subdomains from Hackerone reports of a given company or a search term (xss, ssrf, etc). It can also print out URL and Title o

ShoLister - a tool that collects all available subdomains for specific hostname or organization from Shodan
ShoLister - a tool that collects all available subdomains for specific hostname or organization from Shodan

ShoLister is a tool that collects all available subdomains for specific hostname or organization from Shodan. The tool is designed to be used from Penetration Tester and Bug Bounty Hunters.

MayorSec DNS Enumeration Tool
MayorSec DNS Enumeration Tool

MayorSecDNSScan MSDNSScan is used to identify DNS records for target domains and check for zone transfers. There really isn't much special about it, a

A fast tool to scan prototype pollution vulnerability
A fast tool to scan prototype pollution vulnerability

proto A fast tool to scan prototype pollution vulnerability Syntax python3 proto.py -l alive.txt Requirements Selenium Google Chrome Webdriver Note :

the swiss army knife in the hash field. fast, reliable and easy to use
the swiss army knife in the hash field. fast, reliable and easy to use

hexxus Hexxus is a fast hash cracking tool which checks more than 30 thousand passwords in under 4 seconds and can crack the following types bcrypt sh

A simple subdomain scanner in python

Subdomain-Scanner A simple subdomain scanner in python ✨ Features scans subdomains of a domain thats it! 💁‍♀️ How to use first download the scanner.p

a cool, easily usable and customisable subdomains scanner
a cool, easily usable and customisable subdomains scanner

Subdah 🔎 another subdomains scanner. Installation ⚠️ Python 3.10 required ⚠️ $ git clone https://github.com/traumatism/subdah $ cd subdah $ pip3 inst

DomainMonitor is a web project that has a RESTful API to get a domain's subdomains and whois data.
DomainMonitor is a web project that has a RESTful API to get a domain's subdomains and whois data.

DomainMonitor is a web project that has a RESTful API to get a domain's subdomains and whois data.

Comments
  • output not running

    output not running

    when i try with argument -o / --output it's not working.

    command? just like that python3 dome.py -o out.txt -m passive -d site1,site2

    so i get this message Error: unrecognized arguments: out.txt

    opened by hnvdie 2
  • API not working

    API not working

    I have added api for all services but they are not working because these services are not receiving requests.

    python version: 3.6.9 config.api -> VIRUSTOTAL, SHODAN, SECURITYTRAILS, PASSIVETOTAL, BINARYEDGE.

    opened by byposeidon 1
Owner
Vadi
My code is shit but it works. Sometimes. [email protected]
Vadi
Subdomain enumeration,Web scraping and finding usernames automation script written in python

Subdomain enumeration,Web scraping and finding usernames automation script written in python

Syam 12 Nov 22, 2022
Advanced subdomain scanner, any domain hidden subdomains

little advanced subdomain scanner made in python, works very quick and has options to change the port u want it to connect for

Nano 5 Nov 23, 2021
A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration)

MassDNS A high-performance DNS stub resolver MassDNS is a simple high-performance DNS stub resolver targeting those who seek to resolve a massive amou

B. Blechschmidt 2.5k Jan 7, 2023
A Tool for subdomain scan with other tools

ReconTracer A Tool for subdomain scan with other tools ReconTracer Find subdomains by using another amazing sources!. Obs: In a close future recontrac

null 15 Dec 18, 2021
A Burp extension adding a passive scan check to flag parameters whose name or value may indicate a possible insertion point for SSRF or LFI.

BurpParamFlagger A Burp extension adding a passive scan check to flag parameters whose name or value may indicate a possible insertion point for SSRF

Allyson O'Malley 118 Nov 7, 2022
A small Python Script To get all levels of subdomains from a list

getlevels A small Python Script To get all levels of subdomains Easily get 1st level, 2nd level, 3rd level, 4th level .... nth level subdomains Usag

null 9 Feb 15, 2022
A script to search, scrape and scan for Apache Log4j CVE-2021-44228 affected files using Google dorks

Log4j dork scanner This is an auto script to search, scrape and scan for Apache Log4j CVE-2021-44228 affected files using Google dorks. Installation:

Jagar 5 Dec 27, 2022
CamRaptor is a tool that exploits several vulnerabilities in popular DVR cameras to obtain device credentials.

CamRaptor is a tool that exploits several vulnerabilities in popular DVR cameras to obtain device credentials.

EntySec 118 Dec 24, 2022
A passive-recon tool that parses through found assets and interacts with the Hackerone API

Hackerone Passive Recon Tool A passive-recon tool that parses through found assets and interacts with the Hackerone API. Setup Simply run setup.sh to

elbee 4 Jan 13, 2022