This is an automated reconnaissance script for initial bug bounty or penetration testing. Subdomain Enumeration - Filtering Sensitive Subdomains - Content Discovery - Domains Screenshotting.

AzerSD/DomainHound

DomainHound

This is an automated reconnaissance script for initial bug bounty or penetration testing. Subdomain Enumeration - Filtering Sensitive Subdomains - Content Discovery - Domains Screenshotting

Features

  • Subdomain Enumeration: Uses subfinder to find subdomains of a specified domain.
  • Sensitive Root Domain Identification: Filters subdomains based on keywords (like api, dev, prod, etc.).
  • Domain Resolution: Checks if domains are live with httprobe.
  • Content Discovery: Uses meg to locate and retrieve various endpoints.
  • Screenshotting: Captures screenshots of root domains using a specified command (like Aquatone or Eyewitness).

Prerequisites

Make sure the following tools are installed:

Use the following commands to install these tools:

    # Install Subfinder
    go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest

    # Install Meg
    go install -v github.com/tomnomnom/meg@latest

    # Install Httprobe
    go install -v github.com/tomnomnom/httprobe@latest

Usage

  1. Clone the Repository

    git clone https://github.com/AzerSD/DomainHound.git
    cd DomainHound
  2. Run the Script

    python3 DomainHound.py -d <domain> -a <screenshot_command> -w <endpoints_file>

    Arguments:

    • -d, --domain: Target domain for reconnaissance.
    • -a, --aquatone: Command to use for screenshotting (e.g., aquatone or eyewitness).
    • -w, --paths: Path to a list of endpoints to be checked during content discovery (e.g., from SecLists, under Discovery/Web-Content: /api/api-endpoints.txt, /common.txt, /config-files.txt, information-disclosure/php-info.txt).

    Example:

    python3 DomainHound.py -d example.com -a "aquatone" -w endpoints.txt

Output Structure

The script creates a directory under data/ for each target domain, with the following structure:

data/
└── <domain>/
    ├── subdomains.txt       # All enumerated subdomains
    ├── hosts                # Sensitive root domains
    ├── hosts-resolved       # Resolved domains (live hosts)
    └── out/                 # Content discovered by meg

Script Breakdown

1. fetch_domains(domain)

  • Runs subfinder to gather subdomains and stores them in subdomains.txt.

2. get_roots(domain)

  • Identifies sensitive subdomains (e.g., api, prod, dev) and saves them to hosts.

3. resolve(domain)

  • Uses httprobe to probe the domains in hosts for responding HTTP/HTTPS servers and stores the live ones in hosts-resolved.

4. content_discovery(domain, paths)

  • Uses meg to find available endpoints, based on the input paths list, and saves them in the out/ directory.

5. screenshot_domains(domain, command)

  • Runs the screenshot command on the root domains for easy visualization.
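
An added example, not DomainHound's own code: one way to implement the keyword filtering described for get_roots, with a scope check so that names outside the authorized target never reach the later probing steps. The function names, the token-matching rule and the sample host list are assumptions; only the keywords api, dev and prod come from the README.

```python
"""Added example: scope-checked keyword filter in the spirit of get_roots()."""
import re

# Keywords named in the README; extend for your own naming conventions.
SENSITIVE_KEYWORDS = frozenset({"api", "dev", "prod"})
# RFC 1123 hostname label: letters, digits, hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def normalize(line):
    """Lower-case a raw enumeration line; return None if it is not a hostname."""
    host = line.strip().lower().rstrip(".")
    if not host or len(host) > 253:
        return None
    labels = host.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return None  # drops wildcards, URLs, blank lines and tool noise
    return host

def in_scope(host, root):
    """True only for the root itself or a real subdomain of it."""
    return host == root or host.endswith("." + root)

def sensitive_hosts(lines, root, keywords=SENSITIVE_KEYWORDS):
    """Return sorted, de-duplicated in-scope hosts whose labels contain a keyword."""
    root = root.strip().lower().rstrip(".")
    selected = set()
    for line in lines:
        host = normalize(line)
        if host is None or not in_scope(host, root):
            continue
        # Only inspect labels left of the root, split on hyphens, so that
        # "dev-portal" matches "dev" but "devices" does not.
        prefix = host[: -len(root)].rstrip(".")
        tokens = {tok for label in prefix.split(".") for tok in label.split("-")}
        if tokens & set(keywords):
            selected.add(host)
    return sorted(selected)

# Constructed sample standing in for subdomains.txt (not real enumeration output).
SAMPLE = ["api.example.com", "DEV-portal.example.com.", "devices.example.com",
          "www.example.com", "prod.example.com.evil.test", "*.example.com",
          "api.notexample.com", "v2.api.example.com", "api.example.com"]

if __name__ == "__main__":
    print("\n".join(sensitive_hosts(SAMPLE, "example.com")))
```

The suffix check compares against "." plus the root, which is what keeps look-alike names such as api.notexample.com and prod.example.com.evil.test out of the hosts file.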
