Dome – Fast And Reliable Python Script That Makes Active And/Or Passive Scan To Obtain Subdomains And Search For Open Ports
Passive mode:
Active mode + port scan:
OSINT Search Engines
Dome uses these web pages to obtain subdomains
Without API:
- AlienVault
- HackerTarget
- RapidDNS
- ThreatMiner
- urlscan.io
- threatcrowd.org
- web.archive.org
- crt.sh
- bufferover.run
- CertSpotter
- Anubis-DB
- Hunt.io
- Sonar
- SiteDossier
- DNSrepo
With API:
- VirusTotal
- Shodan
- Spyse
- SecurityTrails
- PassiveTotal
- BinaryEdge
TODO List
Feel free to implement these features
- Add arguments
- Add DNS wildcard detection and bypass
- Add port scan and port argument
- Add colored screen output (also option for no-colour)
- Add -i option to show the subdomains' IP address
- Add --silent argument to show nothing on screen
- Create a dict structure like {"ip": "domain"} to avoid duplicate port scans
- Generate output in html and json format, also a txt for subdomains found during scan
- Add timestamps
- Recursive scan
- Autoupdate Script
- Add more OSINT engines with API token (create config file)
- Add compatibility with Windows
- Add compatibility with Python 2.7
- Add Shodan for passive open ports? (Check requests limit with api key)
- Add support for domains like .gov.uk (at this moment, the program only works with one level domain like domain.com) (https://publicsuffix.org/list/public_suffix_list.dat)
- Add precompiled files for Linux and Windows (Mac OS?)
- Add Spyse as osint engine
- Added DNS resolvers
- Implement spyse offset in request to get more subdomains (https://spyse-dev.readme.io/reference/domain_search)
- Add common prefix to valid subdomains like -testing, -staging, etc
- Delete wordlists words <= 3 letters if pure bruteforce was made (avoid duplicate connections)
- Add exclusion file so bug bounty hunters can specify OOS subdomains in order to not print/output them
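One way to combine the `{"ip": "domain"}` grouping and the exclusion-file items from the TODO list above, as an added example that is not Dome's own code. The exclusion-file format (one hostname or glob per line, `#` comments), the function names and the sample data are assumptions made for illustration.

```python
# Added example, not Dome's code: scope filtering plus one scan target per IP.
from collections import defaultdict
from fnmatch import fnmatchcase

def load_exclusions(lines):
    """Assumed file format: one hostname or glob per line, '#' starts a comment."""
    entries = (line.split("#", 1)[0].strip().lower().rstrip(".") for line in lines)
    return [entry for entry in entries if entry]

def in_scope(hostname, patterns):
    """True unless the normalised hostname matches an exclusion pattern."""
    host = hostname.strip().lower().rstrip(".")
    return not any(fnmatchcase(host, pattern) for pattern in patterns)

def plan_scans(resolved, patterns):
    """Return ({ip: in-scope hostnames}, IPs that also serve an excluded hostname)."""
    by_ip, excluded_ips = defaultdict(set), set()
    for hostname, ips in resolved.items():
        if in_scope(hostname, patterns):
            for ip in ips:
                by_ip[ip].add(hostname.strip().lower().rstrip("."))
        else:
            excluded_ips.update(ips)
    targets = {ip: sorted(hosts) for ip, hosts in by_ip.items()}
    # A shared IP means a port scan of an in-scope host also touches an excluded one.
    return targets, sorted(excluded_ips.intersection(targets))

# Constructed sample data: reserved example domain and documentation IP ranges.
EXCLUSION_FILE = """\
# out-of-scope assets
blog.example.com
*.corp.example.com   # internal hosts
"""
RESOLVED = {
    "www.example.com": ["192.0.2.10"],
    "api.example.com": ["192.0.2.10", "192.0.2.11"],
    "blog.example.com": ["198.51.100.5"],
    "vpn.corp.example.com": ["192.0.2.11"],
    "Shop.Example.com.": ["192.0.2.10"],
}

if __name__ == "__main__":
    targets, shared = plan_scans(RESOLVED, load_exclusions(EXCLUSION_FILE.splitlines()))
    for ip, hosts in sorted(targets.items()):
        note = "  [also serves an excluded host: review before scanning]" if ip in shared else ""
        print(f"{ip} -> {', '.join(hosts)}{note}")
```

Three in-scope names collapse to a single scan of 192.0.2.10, and 192.0.2.11 is flagged because an excluded hostname resolves to the same address.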
Usage
Arguments | Description | Arg example |
---|---|---|
-m, --mode | Scan mode. Valid options: active or passive | active |
-d, --domain | Domain names to enumerate subdomains for (separated by commas) | hackerone.com,facebook.com |
-w, --wordlist | Wordlist containing subdomain prefixes to bruteforce | subdomains-5000.txt |
-i, --ip | When a subdomain is found, show its IP | |
--no-passive | Do not use OSINT techniques to obtain valid subdomains | |
-nb, --no-bruteforce | Don't make pure bruteforce up to 3 letters | |
-p, --ports | Scan the subdomains found against specific TCP ports | 80,443,8080 |
--top-100-ports | Scan the top 100 ports of the subdomain (Not compatible with -p option) | |
--top-1000-ports | Scan the top 1000 ports of the subdomain (Not compatible with -p option) | |
--top-web-ports | Scan the top web ports of the subdomain (Not compatible with -p option) | |
-s, --silent | Silent mode. No output in terminal | |
--no-color | Don't print colored output | |
-t, --threads | Number of threads to use (Default: 25) | 20 |
-o, --output | Save the results to txt, json and html files | |
--max-response-size | Maximum length for HTTP response (Default: 5000000 (5MB)) | 1000000 |
-r, --resolvers | Text file with DNS resolvers to use. One per line | resolvers.txt |
-h, --help | Help command | |
--version | Show dome version and exit | |
-v, --verbose | Show more information during execution | |
Examples
Perform active and passive scan, show the IP address of each subdomain and make a port scan using top-web-ports. Data will also be written to the /results folder:
python dome.py -m active -d domain -w wordlist.txt -i --top-web-ports -o
Perform passive scan in silent mode and write output to files.
python dome.py -m passive -d domain --silent --output
Perform active scan without passive and port scan
python dome.py -m active -d domain -w wordlist.txt --no-passive
Only bruteforce with wordlist
python dome.py -m active -d domain -w wordlist.txt --no-bruteforce
Scan active and passive and perform port scan ONLY on ports 22,80,3306
python dome.py -m active -d domain -w wordlist.txt -p 22,80,3306
Contact
You can contact me at [email protected]
License: for commercial use, contact me at email above