https://github.com/azersd/domainhound
This is an automated reconnaissance script for initial bug bounty or penetration testing. Subdomain Enumeration - Filtering Sensitive Subdomains - Content Discovery - Domains Screenshotting.
Last synced: about 1 year ago
- Host: GitHub
- URL: https://github.com/azersd/domainhound
- Owner: AzerSD
- License: mit
- Created: 2024-11-02T13:11:17.000Z (over 1 year ago)
- Default Branch: master
- Last Pushed: 2024-11-02T14:21:48.000Z (over 1 year ago)
- Last Synced: 2025-02-15T19:52:48.324Z (over 1 year ago)
- Language: Python
- Size: 13.7 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# DomainHound
This is an automated reconnaissance script for initial bug bounty or penetration testing. Subdomain Enumeration - Filtering Sensitive Subdomains - Content Discovery - Domains Screenshotting
## Features
- **Subdomain Enumeration**: Uses `subfinder` to find subdomains of a specified domain.
- **Sensitive Root Domain Identification**: Filters subdomains based on keywords (like `api`, `dev`, `prod`, etc.).
- **Domain Resolution**: Checks if domains are live with `httprobe`.
- **Content Discovery**: Uses `meg` to locate and retrieve various endpoints.
- **Screenshotting**: Captures screenshots of root domains using a specified command (like Aquatone or Eyewitness).
---
## Prerequisites
Make sure the following tools are installed:
- [Subfinder](https://github.com/projectdiscovery/subfinder)
- [Meg](https://github.com/tomnomnom/meg)
- [Httprobe](https://github.com/tomnomnom/httprobe)
- Screenshotting tool (Aquatone, Eyewitness, or equivalent)
Use the following commands to install these tools:
```bash
# Install Subfinder
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
# Install Meg
go install -v github.com/tomnomnom/meg@latest
# Install Httprobe
go install -v github.com/tomnomnom/httprobe@latest
```
## Usage
1. **Clone the Repository**
```bash
git clone https://github.com/AzerSD/DomainHound.git
cd DomainHound
```
2. **Run the Script**
```bash
python3 DomainHound.py -d <domain> -a <screenshot_command> -w <paths_file>
```
**Arguments**:
- `-d, --domain`: Target domain for reconnaissance.
- `-a, --aquatone`: Command to use for screenshotting (e.g., `aquatone` or `eyewitness`).
- `-w, --paths`: Path to a list of endpoints to check during content discovery (e.g., from SecLists `Discovery/Web-Content`: `/api/api-endpoints.txt`, `/common.txt`, `/config-files.txt`, `information-disclosure/php-info.txt`).
**Example**:
```bash
python3 DomainHound.py -d example.com -a "aquatone" -w endpoints.txt
```
## Output Structure
The script creates a `data/` directory for each target domain with the following structure:
```
data/
└── <domain>/
    ├── subdomains.txt   # All enumerated subdomains
    ├── hosts            # Sensitive root domains
    ├── hosts-resolved   # Resolved domains (live hosts)
    └── out/             # Content discovered by meg
```
## Script Breakdown
### 1. `fetch_domains(domain)`
- Runs `subfinder` to gather subdomains and stores them in `subdomains.txt`.
### 2. `get_roots(domain)`
- Identifies sensitive subdomains (e.g., `api`, `prod`, `dev`) and saves them to `hosts`.
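
The keyword filter described above, as an added example that is not DomainHound's own code: it matches keywords against whole hostname tokens instead of substrings, so `product` does not count as `prod`, and it drops names outside the target zone. The function names, the digit-stripping rule and the sample list are assumptions; only the keywords `api`, `dev` and `prod` come from the README.

```python
import re

# Keywords named in the README; the project's full list is not on the page.
KEYWORDS = ("api", "dev", "prod")
_SEPARATORS = re.compile(r"[.\-_]")

def normalize(line):
    """Lower-case a hostname; drop whitespace, a trailing dot and a '*.' prefix."""
    host = line.strip().lower().rstrip(".")
    return host[2:] if host.startswith("*.") else host

def matched_keywords(host, apex, keywords=KEYWORDS):
    """Return the keywords that appear as whole tokens left of the apex domain."""
    if not host.endswith("." + apex):
        return []  # the apex itself, or a name outside the target's zone
    tokens = set(_SEPARATORS.split(host[: -len(apex) - 1]))
    # Also compare with trailing digits removed, so "api2" or "dev01" count.
    tokens |= {t.rstrip("0123456789") for t in tokens}
    return sorted(k for k in keywords if k in tokens)

def filter_sensitive(lines, apex, keywords=KEYWORDS):
    """Map each in-scope hostname that carries a keyword to the keywords it hit."""
    found = {}
    for line in lines:
        host = normalize(line)
        hits = matched_keywords(host, apex, keywords)
        if hits:
            found[host] = hits
    return found

# Constructed sample standing in for subdomains.txt (not real scan output).
SAMPLE = [
    "api.example.com",
    "API.example.com.",            # duplicate after normalization
    "dev-portal.example.com",
    "product.example.com",         # substring "prod" only: not a match
    "developer.example.com",       # substring "dev" only: not a match
    "*.prod.example.com",          # wildcard entry
    "api2.dev.example.com",
    "www.example.com",
    "api.example.com.other.test",  # keyword present, but outside the zone
    "example.com",
]

if __name__ == "__main__":
    for host, hits in filter_sensitive(SAMPLE, "example.com").items():
        print(f"{host}\t{','.join(hits)}")
```
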
### 3. `resolve(domain)`
- Uses `httprobe` to resolve domains from `hosts` and stores live domains in `hosts-resolved`.
### 4. `content_discovery(domain, paths)`
- Uses `meg` to find available endpoints, based on the input `paths` list, and saves them in the `out/` directory.
### 5. `screenshot_domains(domain, command)`
- Runs the screenshot command on the root domains for easy visualization.