Domained – Multi Tool Subdomain Enumeration

Domained is a framework that uses several subdomain enumeration tools and wordlists to create a unique list of subdomains that are passed to EyeWitness for reporting with categorized screenshots, server response headers and signature based default credential checking.

Domained - Multi Tool Subdomain Enumeration
Domained – Multi Tool Subdomain Enumeration

There are several tools included with this program that may cover the enumeration , reporting and wordlists. This will allow penetration tester to verify the target against different programs.

Subdomain Enumeration Tools:

  1. Sublist3r by Ahmed Aboul-Ela
  2. enumall by Jason Haddix
  3. Knock by Gianni Amato
  4. Subbrute by TheRook
  5. massdns by B. Blechschmidt
  6. Recon-ng by Tim Tomes (LaNMaSteR53)
  7. Amass by Jeff Foley (caffix)
  8. SubFinder by by Ice3man543
Reporting + Wordlists:
  • EyeWitness by ChrisTruncer
  • SecList (DNS Recon List) by Daniel Miessler
  • LevelUp All.txt Subdomain List by Jason Haddix

Some usage examples:

Example 1: -d
Uses subdomain (Sublist3r (+subbrute), enumall, Knock, Amass, and SubFinder)

Example 2: -d -b -p –vpn
Uses subdomain with seclist subdomain list bruteforcing (massdns, subbrute, Sublist3r, Amass, enumall, and SubFinder), adds ports 8443/8080 and checks if on VPN

Example 3: -d -b –bruteall
Uses subdomain with large-all.txt bruteforcing (massdns, subbrute, Sublist3r, Amass, enumall and SubFinder)

Example 4: -d –quick
Uses subdomain and only Amass and SubFinder

Example 5: -d –quick –notify
Uses subdomain, only Amass and SubFinder and notification

Example 6: -d –noeyewitness
Uses subdomain with no EyeWitness

You can read more and download this framework over here:

Notify of
Inline Feedbacks
View all comments