Web Information Gathering / WebApp PenTest

domained: Subdomain Enumeration

by do son · Published March 10, 2018 · Updated April 2, 2023

domained

The tools contained in domained requires Kali Linux (preferred) or Debian 7+ and Recon-ng

Domained uses several subdomain enumeration tools and wordlists to create a unique list of subdomains that are passed to EyeWitness for reporting with categorized screenshots, server response headers and signature-based default credential checking. (resources are saved to ./bin and output is saved to ./output)

Major Updates

06-20-2018: Added Amass and option for no EyeWitness

Installation

git clone https://github.com/reconned/domained.git
python domained.py –install

NOTE: This is an active recon – only perform on applications that you have permission to test against.

Tools leveraged:

Subdomain Enumeration Tools:

Sublist3r by Ahmed Aboul-Ela
enumall by Jason Haddix
Knock by Gianni Amato
Subbrute by TheRook
massdns by B. Blechschmidt
Recon-ng by Tim Tomes (LaNMaSteR53)

Reporting + Wordlists:

EyeWitness by ChrisTruncer
SecList (DNS Recon List) by Daniel Miessler
LevelUp All.txt Subdomain List by Jason Haddix

Usage

First Step:

Install Required Python Modules: sudo pip install -r ./ext/requirements.txt

Install Tools: sudo python domained.py --install



Example 1: python domained.py -d example.com

Uses subdomain example.com (Sublist3r enumall, Knock)



Example 2: python domained.py -d example.com -b -p --vpn

Uses subdomain example.com with seclist subdomain list bruteforcing (massdns, subbrute, Sublist3r and enumall), adds ports 8443/8080 and checks if on VPN



Example 3: python domained.py -d example.com -b --bruteall

Uses subdomain example.com with large-all.txt bruteforcing (massdns, subbrute, Sublist3r and enumall)



Example 4: python domained.py -d example.com --quick

Uses subdomain example.com and only Sublist3r (+subbrute)



Example 5: python domained.py -d example.com --quick --notify

Uses subdomain example.com, only Sublist3r (+subbrute) and notification



Note: --bruteall must be used with the -b flag

Option	Description
–install/–upgrade	Both do the same function – install all prerequisite tools (Kali is a prerequisite AFAIK)
–vpn	Check if you are on VPN (update with your provider)
–quick	Use ONLY Sublis3r’s subdomain methods (+ subbrute)
–bruteall	Bruteforce with JHaddix All.txt List instead of SecList
–fresh	Delete old data from output folder
–notify	Send Pushover or Gmail Notifications
–active	EyeWitness Active Scan
-d	The domain you want to perform recon on
-b	Bruteforce with subbrute/massdns and SecList wordlist
-s n	Only HTTPs domains
-p	Add port 8080 for HTTP and 8443 for HTTPS

Notifications

Complete the ext/notifycfg.ini for Pushover or Gmail notifications. (Enable must be set to True)
Please see the Pushover API info here and instructions on how to allow less secure apps on your Gmail account here

Source: https://github.com/reconned/

Tags: Domained

domained: Subdomain Enumeration

Search

Brilliantly

Content & Links