Passive mode:

Active mode + port scan:

OSINT Search Engines

Dome uses these web pages to obtain subdomains

Without API:

  • AlienVault
  • HackerTarget
  • RapidDNS
  • ThreatMiner
  • CertSpotter
  • Anubis-DB
  • Sonar
  • SiteDossier
  • DNSrepo

With API:

  • VirusTotal
  • Shodan
  • Spyse
  • SecurityTrails
  • PassiveTotal
  • BinaryEdge


Feel free to implement this features

  • Add arguments
  • Add DNS wildcard detection and bypass
  • Add port scan and port argument
  • Add colored screen output (also option for no-colour)
  • Add -i option to show the subdomains’ IP address
  • Add –silent argument to show nothing on screen
  • Create a dicc structure like {“ip”: “domain”} to avoid duplicate port scans
  • Generate output in html and json format, also a txt for subdomains found during scan
  • Add timestamps
  • Recursive scan
  • Autoupdate Script
  • Add more OSINT engines with API token (create config file)
  • Add compatibility with Windows
  • Add compatibility with Python 2.7
  • Add Shodan for passive open ports? (Check requests limit with api key)
  • Add support for domains like (at this moment, the program only works with one level domain like (
  • Add precompiled files for Linux and Windows (Mac OS?)
  • Add Spyse as osint engine
  • Added DNS resolvers
  • Implement spyse offset in request to get more subdomains (
  • Add common prefix to valid subdomains like -testing, -staging, etc
  • Delete wordlists words <= 3 letters if pure bruteforce was made (avoid duplicate connections)
  • Add exclusion file so bug bounty hunters can specify OOS subdomains in order to not print/output them


Arguments Description Arg example
-m, –mode Scan mode. Valid options: active or passive active
-d, –domain Domains name to enumerate subdomains (Separated by commas),
-w, –wordlist Wordlist containing subdomain prefix to bruteforce subdomains-5000.txt
-i, –ip When a subdomain is found, show its ip
–no-passive Do not use OSINT techniques to obtain valid subdomains
-nb, –no-bruteforce Dont make pure bruteforce up to 3 letters
-p, –ports Scan the subdomains found against specific tcp ports 80,443,8080
–top-100-ports Scan the top 100 ports of the subdomain (Not compatible with -p option)
–top-1000-ports Scan the top 1000 ports of the subdomain (Not compatible with -p option)
–top-web-ports Scan the top web ports of the subdomain (Not compatible with -p option)
-s, –silent Silent mode. No output in terminal
–no-color Dont print colored output
-t, –threads Number of threads to use (Default: 25) 20
-o, –output Save the results to txt, json and html files
–max-response-size Maximun length for HTTP response (Default:5000000 (5MB)) 1000000
–r, –resolvers Textfile with DNS resolvers to use. One per line resolvers.txt
-h, –help Help command
–version Show dome version and exit
-v, –verbose Show more information during execution


Perform active and passive scan, show the ip adress of each subdomain and make a port scan using top-web-ports. Data will also be written in /results folder:

python -m active -d domain -w wordlist.txt -i --top-web-ports -o

Perform passive scan in silent mode and write output to files.

python -m passive -d domain --silent --output

Perform active scan without passive and port scan

python -m active -d domain -w wordlist.txt --no-passive

Only bruteforce with wordlist

python -m active -d domain -w wordlist.txt --no-bruteforce

Scan active and passive and perform port scan ONLY in ports 22,80,3306

python -m active -d domain -w wordlist.txt -p 22,80,3306


You can contact me at [email protected]

License: for commercial use, contact me at email above

Download Dome

If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.


Original Source