Surely some of you thought I had stopped publishing articles on the web, but no. For a month now I have been developing a new tool for subdomain enumeration. Because of work and other commitments I have not been able to do both at the same time, so I have dedicated myself 100% to building the tool. But let's get to the point.
I present Dome, a tool written in Python that enumerates subdomains both passively and actively and also shows the ports each one has open.
It is a perfect tool for Bug Bounty Hunters and Pentesters during the enumeration phase.
Through its two modes we can perform active scans, or passive scans if what we want is to stay undetectable.
Passive mode
This mode uses OSINT techniques to obtain subdomains. It makes no requests to the target domain, so it is undetectable.
To use 100% of the search engines, fill in the config.api file with the corresponding API keys.
The basic use of this mode is:
python dome.py -m passive -d domain
Active mode
This mode performs brute force using two techniques to obtain valid subdomains.
- Pure brute force: this scan enumerates subdomains from a.domain.com to zzz.domain.com (26¹ + 26² + 26³ = 18278 different subdomains). This mode can be disabled with -nb, --no-bruteforce.
- Using a dictionary: this mode uses a wordlist provided by the user with the argument -w, --wordlist. If this argument is not specified when you run the program, this mode will not run.
The active mode also runs the passive mode, but in this case the subdomains found are tested to see if they are still active. To disable passive scanning you must use the argument --no-passive.
The basic use of this mode is:
python dome.py -m active -d domain -w wordlist.txt
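As an added illustration (not Dome's own code), here is the pure brute-force label generation described above combined with the wildcard DNS detection and bypass listed among the features. The resolver is a hypothetical injected function and the zone data is constructed, so the example runs offline.

```python
import itertools
import random
import string
from typing import Callable, Dict, Iterable, Set

# Hypothetical resolver injected as a parameter so the example runs offline:
# hostname -> set of IPs (empty set when the name does not exist).
Resolver = Callable[[str], Set[str]]

def pure_bruteforce_labels(max_len: int = 3) -> Iterable[str]:
    """Yield every label from 'a' to 'zzz' (26 + 26**2 + 26**3 = 18278)."""
    for n in range(1, max_len + 1):
        for chars in itertools.product(string.ascii_lowercase, repeat=n):
            yield "".join(chars)

def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve random labels that should not exist. If they all answer with the
    same IPs, the zone has a wildcard record; return those IPs (empty if none)."""
    answers = []
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase, k=20))
        answers.append(frozenset(resolve(f"{label}.{domain}")))
    if answers[0] and all(a == answers[0] for a in answers):
        return set(answers[0])
    return set()

def enumerate_subdomains(domain: str, labels: Iterable[str], resolve: Resolver) -> Dict[str, Set[str]]:
    """Return {host: ips} for labels that resolve, dropping wildcard answers."""
    wildcard_ips = detect_wildcard(domain, resolve)
    found: Dict[str, Set[str]] = {}
    for label in labels:
        host = f"{label}.{domain}"
        ips = set(resolve(host))
        # Skip NXDOMAIN and any answer identical to what the wildcard returns.
        if not ips or (wildcard_ips and ips == wildcard_ips):
            continue
        found[host] = ips
    return found

# Constructed offline stand-in for DNS: two real hosts under example.test,
# plus a wildcard record that answers 192.0.2.1 for every other name.
FAKE_ZONE = {"www.example.test": {"192.0.2.10"}, "dev.example.test": {"192.0.2.20"}}
WILDCARD_IPS = {"192.0.2.1"}

def fake_resolve(host: str) -> Set[str]:
    if host in FAKE_ZONE:
        return set(FAKE_ZONE[host])
    return set(WILDCARD_IPS) if host.endswith(".example.test") else set()

if __name__ == "__main__":
    print(enumerate_subdomains("example.test", pure_bruteforce_labels(), fake_resolve))
```

A real host that happens to share the wildcard's address is dropped by this check as well, which is the usual trade-off of IP-based wildcard filtering.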
If you also want to perform a port scan, you can use the -p option or one of the arguments that select a set of "top ports" (see the Arguments section).
Installation
You can run Dome on Linux or Windows with Python 2 or 3, although we recommend using Python 3.
Install the dependencies and run the program:
git clone https://github.com/v4d1/Dome.git
cd Dome
pip install -r requirements.txt
python dome.py --help
Main features of Dome
- Easy to use, just install the requirements and run it
- Active and passive scanning (read above)
- 7 different resolvers including Google, Cloudflare (the fastest), Quad9 and Cisco DNS (use --resolvers filename.txt to use a custom list of resolvers, one per line)
- 20+ different OSINT sources
- Passively obtained subdomains are tested to see if they are still available (active mode only)
- Support for websites that require API tokens
- Detects when an API key no longer works (other tools throw an error and stop working)
- Wildcard DNS detection and bypass
- Custom port scanning or using the Top100, Top1000 or TopWeb arguments
- Output with colors for easier reading
- Support for Windows and Linux as well as Python 2 and 3 (Python 3 recommended)
- Highly customizable through arguments
- Ability to scan more than one domain simultaneously
- Ability to use threads for faster scans
- Export the results in different formats such as txt, json or html
OSINT search engines
Dome uses the following websites to get subdomains in passive mode.
No API:
- AlienVault
- HackerTarget
- RapidDNS
- ThreatMiner
- urlscan.io
- threatcrowd.org
- web.archive.org
- crt.sh
- bufferover.run
- CertSpotter
- Anubis-DB
- Hunt.io
- Sonar
- SiteDossier
- DNSrepo
With API:
- VirusTotal
- Shodan
- Spyse
- SecurityTrails
- PassiveTotal
- BinaryEdge
Arguments
| Argument | Description | Example |
|---|---|---|
| -m, --mode | Scan mode: active or passive | active |
| -d, --domain | Domains to analyze (if there are several, separate them by comma) | hackerone.com,facebook.com |
| -w, --wordlist | File with the subdomains to test | subdomains-5000.txt |
| -i, --ip | When a subdomain is found, display the IP on which it is hosted | |
| --no-passive | Do not use OSINT techniques to obtain subdomains | |
| -nb, --no-bruteforce | Do not do pure brute force | |
| -p, --ports | Scan the TCP ports of the found subdomains | 80,443,8080 |
| --top-100-ports | Scan the Top 100 ports (not compatible with the -p option) | |
| --top-1000-ports | Scan the Top 1000 ports (not compatible with the -p option) | |
| --top-web-ports | Scan the Top Web ports (not compatible with the -p option) | |
| -s, --silent | Silent mode. Shows nothing on screen | |
| --non-color | Display output without color | |
| -t, --threads | Number of threads to use (default: 25) | 20 |
| -o, --output | Save the results in txt, json and html files | |
| --max-response-size | Maximum size for HTTP responses (default: 5000000 (5MB)) | 1000000 |
| -r, --resolvers | Text file with the resolvers to use, one per row | resolve.txt |
| -h, --help | Help command | |
| --version | Display the version of Dome and exit | |
| -v, --verbose | Display additional information during execution | |
Examples
Perform active and passive scanning, display the associated IP and perform a port scan using the top web ports. In addition, save the results in /results:
python dome.py -m active -d domain -w wordlist.txt -i --top-web-ports -o --verbose
Perform a passive scan in silent mode and write the results to the /results folder:
python dome.py -m passive -d domain --silent -o
Perform active scanning and port scanning but NOT passive scanning:
python dome.py -m active -d domain -w wordlist.txt --no-passive
Perform brute force based on the dictionary only:
python dome.py -m active -d domain -w wordlist.txt --no-bruteforce
Perform active and passive scanning and scan only ports 22, 80 and 3306:
python dome.py -m active -d domain -w wordlist.txt -p 22,80,3306