Home

Awesome

DOME - A subdomain enumeration tool

Version Build Build Contributions Welcome

Alt Text

Check the Spanish Version

Dome is a fast and reliable python script that makes active and/or passive scan to obtain subdomains and search for open ports. This tool is recommended for bug bounty hunters and pentester in their reconnaissance phase.

the more surface area exposed the faster a rock with break down

If you want to use more OSINT engines, fill the config.api file with the needed API tokens

Passive Mode:

Use OSINT techniques to obtain subdomains from the target. This mode will not make any connection to the target so it is undetectable. The basic use of this mode is:

python dome.py -m passive -d domain

Active Mode:

Perform bruteforce attacks to obtain alive subdomains. There are 2 types of bruteforce:

This mode will also make passive mode attack but in this case, the connection is tested to ensure the subdomain is still alive. To disable passive scan in active scan mode, use --no-passive flag

The basic use of this mode is:

python dome.py -m active -d domain -w wordlist.txt

Add -p option or a built-it port option (see usage menu) to perform port scanning

python dome.py -m active -d domain -w wordlist.txt -p 80,443,8080

Installation

You can run Dome with Python 2 or 3. Python3 is recommended

Install the dependencies and run the program

git clone https://github.com/v4d1/Dome.git
cd Dome
pip install -r requirements.txt
python dome.py --help

Top Features

Buy me a Coffee

"Buy Me A Coffee"

Screenshots

tool_in_action

Passive mode:

tool_in_action

Active mode + port scan:

tool_in_action

OSINT Search Engines

Dome uses these web pages to obtain subdomains

Without API:

With API:

TODO List

Feel free to implement this features

Usage

ArgumentsDescriptionArg example
-m, --modeScan mode. Valid options: active or passiveactive
-d, --domainDomains name to enumerate subdomains (Separated by commas)hackerone.com,facebook.com
-w, --wordlistWordlist containing subdomain prefix to bruteforcesubdomains-5000.txt
-i, --ipWhen a subdomain is found, show its ip
--no-passiveDo not use OSINT techniques to obtain valid subdomains
-nb, --no-bruteforceDont make pure bruteforce up to 3 letters
-p, --portsScan the subdomains found against specific tcp ports80,443,8080
--top-100-portsScan the top 100 ports of the subdomain (Not compatible with -p option)
--top-1000-portsScan the top 1000 ports of the subdomain (Not compatible with -p option)
--top-web-portsScan the top web ports of the subdomain (Not compatible with -p option)
-s, --silentSilent mode. No output in terminal
--no-colorDont print colored output
-t, --threadsNumber of threads to use (Default: 25)20
-o, --outputSave the results to txt, json and html files
--max-response-sizeMaximun length for HTTP response (Default:5000000 (5MB))1000000
--r, --resolversTextfile with DNS resolvers to use. One per lineresolvers.txt
-h, --helpHelp command
--versionShow dome version and exit
-v, --verboseShow more information during execution

Examples

Perform active and passive scan, show the ip adress of each subdomain and make a port scan using top-web-ports. Data will also be written in /results folder:

python dome.py -m active -d domain -w wordlist.txt -i --top-web-ports -o

Perform passive scan in silent mode and write output to files.

python dome.py -m passive -d domain --silent --output

Perform active scan without passive and port scan

python dome.py -m active -d domain -w wordlist.txt --no-passive

Only bruteforce with wordlist

python dome.py -m active -d domain -w wordlist.txt --no-bruteforce

Scan active and passive and perform port scan ONLY in ports 22,80,3306

python dome.py -m active -d domain -w wordlist.txt -p 22,80,3306

Contact

You can contact me at vadi@securihub.com

License: for commercial use, contact me at email above