Domained – Multi Tool Subdomain Enumeration

 Domained is a multi tool subdomain enumeration tool that uses several subdomain enumeration tools and wordlists to create a unique list of subdomains that are passed to EyeWitness for reporting.

This produces categorized screenshots, server response headers and signature based default credential checking. It is written in Python heavily leveraging Recon-ng.

Domains Subdomain Enumeration Tools Leveraged

Subdomain Enumeraton Tools:

• Sublist3r
• enumall
• Knock
• Subbrute
• massdns
• Recon-ng
• Amass
• SubFinder

Reporting + Wordlists:

• EyeWitness
• SecList (DNS Recon List)
• LevelUp All.txt Subdomain List

Domained Subdomain Enumeration Tool Usage

1 2 3 4 5 6 7 8 9 10 11 12

--install/--upgrade Both do the same function – install all prerequisite tools --vpn Check if you are on VPN (update with your provider) --quick Use ONLY Amass and SubFinder --bruteall Bruteforce with JHaddix All.txt List instead of SecList --fresh Delete old data from output folder --notify Send Pushover or Gmail Notifications --active EyeWitness Active Scan --noeyewitness No Eyewitness -d The domain you want to preform recon on -b Bruteforce with subbrute/massdns and SecList wordlist -s n Only HTTPs domains -p Add port 8080 for HTTP and 8443 for HTTPS

Subdomain Enumeration Examples

First Steps are to install required Python modules and tools:

1 2	sudo pip install -r ./ext/requirements.txt sudo python domained.py --install

Example 1 – Uses subdomain example.com (Sublist3r (+subbrute), enumall, Knock, Amass, and SubFinder)

1	python domained.py -d example.com

Example 2: – Uses subdomain example.com with seclist subdomain list bruteforcing (massdns, subbrute, Sublist3r, Amass, enumall, and SubFinder), adds ports 8443/8080 and checks if on VPN

1	python domained.py -d example.com -b -p --vpn

Example 3: – Uses subdomain example.com with large-all.txt bruteforcing (massdns, subbrute, Sublist3r, Amass, enumall and SubFinder)

1	python domained.py -d example.com -b --bruteall

Example 4: – Uses subdomain example.com and only Amass and SubFinder

1	python domained.py -d example.com --quick

Example 5: – Uses subdomain example.com, only Amass and SubFinder and notification

1	python domained.py -d example.com --quick --notify

Example 6: – Uses subdomain example.com with no EyeWitness

1	python domained.py -d example.com --noeyewitness

Note: --bruteall must be used with the -b flag

You can download Domained here:

domained-master.zip

Or read more here.