Domained is a domain name enumeration tool. The tools contained in it requires Kali Linux (preferred) or Debian 7+ and Recon-ng.
It uses several subdomain enumeration tools and wordlists to create a unique list of subdomains that are passed to EyeWitness for reporting with categorized screenshots, server response headers and signature based default credential checking. (resources are saved to ./bin and output is saved to ./output).
Initial Install
- Domained tools
python3 domained.py –install
- Python required modules
sudo pip install -r ./ext/requirements.txt
Other Dependencies
- ldns library for DNS programming:
sudo apt-get install libldns-dev -y
- Go Programming Language:
sudo apt-get install golang
NOTE: This is an active recon – only perform on applications that you have permission to test against.
Also Read – Chromepass : Hacking Chrome Saved Passwords
Tools Leveraged
- Subdomain Enumeraton Tools
- Reporting + Wordlists:
- EyeWitness by ChrisTruncer
- SecList (DNS Recon List) by Daniel Miessler
- LevelUp All.txt Subdomain List by Jason Haddix
Usage
First Step:
Install Required Python Modules: sudo pip install -r ./ext/requirements.txt
Install Tools: sudo python3 domained.py –install
Example 1: python3 domained.py -d example.com
Uses subdomain example.com (Sublist3r (+subbrute), enumall, Knock, Amass, and SubFinder)
Example 2: python3 domained.py -d example.com -b -p –vpn
Uses subdomain example.com with seclist subdomain list bruteforcing (massdns, subbrute, Sublist3r, Amass, enumall, and SubFinder), adds ports 8443/8080 and checks if on VPN
Example 3: python3 domained.py -d example.com -b –bruteall
Uses subdomain example.com with large-all.txt bruteforcing (massdns, subbrute, Sublist3r, Amass, enumall and SubFinder)
Example 4: python3 domained.py -d example.com –quick
Uses subdomain example.com and only Amass and SubFinder
Example 5: python3 domained.py -d example.com –quick –notify
Uses subdomain example.com, only Amass and SubFinder and notification
Example 6: python3 domained.py -d example.com –noeyewitness
Uses subdomain example.com with no EyeWitness
Note: –bruteall must be used with the -b flag
| Option | Description |
|---|---|
| –install/–upgrade | Both do the same function – install all prerequisite tools |
| –vpn | Check if you are on VPN (update with your provider) |
| –quick | Use ONLY Amass and SubFinder |
| –bruteall | Bruteforce with JHaddix All.txt List instead of SecList |
| –fresh | Delete old data from output folder |
| –notify | Send Pushover or Gmail Notifications |
| –active | EyeWitness Active Scan |
| –noeyewitness | No Eyewitness |
| -d | The domain you want to preform recon on |
| -b | Bruteforce with subbrute/massdns and SecList wordlist |
| -s n | Only HTTPs domains |
| -p | Add port 8080 for HTTP and 8443 for HTTPS |
Notifications
- Complete the ext/notifycfg.ini for Pushover or Gmail notifications. (Enable must be set to True)
- Please see the Pushover API info here and instructions on how to allow less secure apps on your gmail account here
Credit: ccsplit, jafoca, mortymorty, Chan9390, dainok & Apoorv Raj Saxena
 or Debian 7+ and Recon-ng.){kind=link}