DomLink — Automating domain discovery

Last updated 6 years ago

TLDR: Give DomLink a domain and it will find the organization and e-mail registered for it, then use that information to perform reverse WHOIS. Simple. You then get an output of lots of other associated domains registered by the company.

Author: Vincent Yiu (@vysecurity)

DomLink

Not saying this is a new thing, but I needed a tool to do this without having to do it manually over and over again for larger businesses. It’s useful for Bug Bounty hunters who need to discover scope, penetration testers, and red teamers who need to map out the target’s digital attack surface.

DomLink roughly follows this process. It takes the user-supplied domain name and looks up the associated organization and e-mail records. It then takes the associated organization records and performs a Reverse WHOIS to discover additional domains, each with its own associated e-mail. The tool prompts you on whether or not to add each discovered e-mail to your list of organization e-mails (most of the time this requires human interaction to filter out junk). It then runs a further domain enumeration phase: it takes the total list of associated e-mails and runs Reverse WHOIS on them again to get a final list of associated organizations, e-mails and domains.

You might be thinking: why not run this in a recursive loop? Why even have manual prompting? I thought about this and tried it, but without manual filtering it ends up recursing outwards and picks up a whole load of junk domains that are no longer associated. So I stopped at a single iteration, and it works pretty well.
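The single-iteration linking process described above, written out as an added example (this is not DomLink’s own code). It runs against a constructed in-memory WHOIS dataset that stands in for the WHOXY API, and the manual prompt is replaced by an `accept_email` callback so the junk-filtering step can be shown both ways; all domains, organizations and e-mails in it are made up.

```python
from typing import Callable, Dict, List, Tuple

# Constructed sample registrations (stand-in for the WHOXY API):
# domain -> (registrant organization, registrant e-mail)
WHOIS: Dict[str, Tuple[str, str]] = {
    "target.com":        ("Target Example Ltd", "hostmaster@target.com"),
    "target-shop.net":   ("Target Example Ltd", "hostmaster@target.com"),
    "targetlabs.io":     ("Target Example Ltd", "it@targetlabs.io"),
    "target-cdn.com":    ("Target Example Ltd", "it@targetlabs.io"),
    # Stale registration by a former admin using a free-mail address:
    "target-legacy.org": ("Target Example Ltd", "oldadmin@freemail.example"),
    # Same free-mail address reused for an unrelated company's domain:
    "unrelated.com":     ("Other Corp", "oldadmin@freemail.example"),
}


def reverse_whois(field: str, value: str) -> List[str]:
    """Reverse WHOIS: domains whose registrant 'org' or 'email' equals value."""
    idx = 0 if field == "org" else 1
    return sorted(d for d, rec in WHOIS.items() if rec[idx] == value)


def link_domains(seed: str, accept_email: Callable[[str], bool]):
    """Seed domain -> org/e-mail -> reverse WHOIS by org -> vetted e-mails
    -> reverse WHOIS by e-mail. One iteration only, as DomLink does."""
    if seed not in WHOIS:
        raise ValueError(f"no WHOIS record for {seed}")
    org, email = WHOIS[seed]
    orgs, emails, domains = {org}, {email}, {seed}

    # Phase 1: reverse WHOIS on the organization; each hit contributes a
    # candidate e-mail that the user (here: the callback) must vet.
    for o in list(orgs):
        for d in reverse_whois("org", o):
            domains.add(d)
            candidate = WHOIS[d][1]
            if candidate not in emails and accept_email(candidate):
                emails.add(candidate)

    # Phase 2: reverse WHOIS on the vetted e-mails for the final lists.
    for e in list(emails):
        for d in reverse_whois("email", e):
            domains.add(d)
            orgs.add(WHOIS[d][0])
    return sorted(orgs), sorted(emails), sorted(domains)
```

Rejecting the free-mail address keeps `unrelated.com` out of the result; accepting everything pulls in the unrelated company, which is exactly the drift the manual prompt exists to stop.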

Example

Download Link

Usage

  1. Get an API key from WHOXY.com

  2. Set that API key in a file named domLink.cfg in the same directory.

    python domlink.py -d target.com -o target.out.txt

License:

DomLink - A tool to link a domain with registered organisation names and emails, to other domains.
MIT https://github.com/vysecurity/DomLink/blob/master/LICENSE.md