Domained – Multi Tool Subdomain Enumeration

A domain name enumeration tool
The tools contained in domained requires Kali Linux (preferred) or Debian 7+ and Recon-ng
domained uses several subdomain enumeration tools and wordlists to create a unique list of subdomains that are passed to EyeWitness for reporting with categorized screenshots, server response headers and signature based default credential checking. (resources are saved to ./bin and output is saved to ./output)

Initial Install:

• domained tools: python3 domained.py --install
• Python required modules: sudo pip install -r ./ext/requirements.txt

Other Dependencies:

• ldns library for DNS programming:
  • sudo apt-get install libldns-dev -y
• Go Programming Language:
  • sudo apt-get install golang

NOTE: This is an active recon – only perform on applications that you have permission to test against.

Tools leveraged:

Subdomain Enumeraton Tools:

1. Sublist3r by Ahmed Aboul-Ela
2. enumall by Jason Haddix
3. Knock by Gianni Amato
4. Subbrute by TheRook
5. massdns by B. Blechschmidt
6. Recon-ng by Tim Tomes (LaNMaSteR53)
7. Amass by Jeff Foley (caffix)
8. SubFinder by by Ice3man543

Reporting + Wordlists:

• EyeWitness by ChrisTruncer
• SecList (DNS Recon List) by Daniel Miessler
• LevelUp All.txt Subdomain List by Jason Haddix

Usage

First Step:
Install Required Python Modules: sudo pip install -r ./ext/requirements.txt
Install Tools: sudo python3 domained.py --install

Example 1: python3 domained.py -d example.com
Uses subdomain example.com (Sublist3r (+subbrute), enumall, Knock, Amass, and SubFinder)

Example 2: python3 domained.py -d example.com -b -p --vpn
Uses subdomain example.com with seclist subdomain list bruteforcing (massdns, subbrute, Sublist3r, Amass, enumall, and SubFinder), adds ports 8443/8080 and checks if on VPN

Example 3: python3 domained.py -d example.com -b --bruteall
Uses subdomain example.com with large-all.txt bruteforcing (massdns, subbrute, Sublist3r, Amass, enumall and SubFinder)

Example 4: python3 domained.py -d example.com --quick
Uses subdomain example.com and only Amass and SubFinder

Example 5: python3 dom   ained.py -d example.com --quick --notify
Uses subdomain example.com, only Amass and SubFinder and notification

Example 6: python3 domained.py -d example.com --noeyewitness
Uses subdomain example.com with no EyeWitness

Note: --bruteall must be used with the -b flag

Notifications

• Complete the ext/notifycfg.ini for Pushover or Gmail notifications. (Enable must be set to True)
• Please see the Pushover API info here and instructions on how to allow less secure apps on your gmail account here

To-Do List

• Multiple Domains
• Notifications
• Subdomains from censys
• Subdomains from Shodan
• Web Frontend/Dashboard
• Add SubFinder

Thank You to Contributors

• ccsplit – Multiple code improvements including the ability to run domained from any directory
• jafoca – Massdns fix
• mortymorty – SecList brute file fix
• Chan9390 – Updates to the requirements.txt
• dainok – Python 3.6+ fixes
• Apoorv Raj Saxena – Added SubFinder

Major Updates

• 07-15-2017: Updated to include error handling and updated reconnaissance techniques from Bugcrowd’s LevelUp Conference (including subbrute/masscan and subdomain lists) – influenced by Jason Haddix’s talk Bug Hunter’s Methodology 2.0
• 08-09-2017: Various fixes (+ phantomjs error), added –fresh option, removed redundant PyBrute folder from output and added pip requirements.txt
• 08-15-2017: Added notification (–notify) option with Pushover or Gmail support
• 08-18-2017: Moved repo from OrOneEqualsOne/reconned
• 09-28-2017: Updated for Recon-ng dependency + Python3 changes
• 06-20-2018: Added Amass and option for no EyeWitness
• 10-12-2018: Added SubFinder