Vincent Yiu
linkedingithub@vysecurity
Search…
Red Team
About Vincent Yiu
Red Team Tips
Videos
Red Team
Attack Infrastructure
Backdooring PE Files
Cloud Security
Command and Control
General Exploitation
Hardware and Gadgets
Post Exploitation
Reconaissance
Reconnaissance using LinkedInt
DomLink — Automating domain discovery
OffensiveSplunk vs. Grep
Misc
Powered By GitBook
DomLink — Automating domain discovery
TLDR: Give DomLink a domain, it’ll go and find associated organization and e-mail registered then use this information to perform reverse WHOIS. Simple. You then get an output of lots of other associated domains registered by the company.
Author: Vincent Yiu (@vysecurity)
Not saying this is a new thing, but I needed a tool to do this without me having to manually do it over and over again for larger businesses. It’s useful for both Bug Bounty hunters who need to discover scope, penetration testers or even red teamers who need to map out the target’s digital attack surface.
DomLink roughly follows the following process. It takes the user-supplied domain name, looks for associated organization and e-mail records. It then takes the associated organization records and performs a Reverse WHOIS to discover additional domains which have associated e-mails attached to them. The tool prompts you with whether or not you want to add the discovered e-mail to your list of organization e-mails (most of the time requires human interaction to filter out junk). It then runs a further domain enumeration phase by taking the total list of associated e-mails and runs Reverse WHOIS on it again to get a final list of associated organizations, e-mails and domains.
You might be thinking, why not run this in a recursive loop? Why even have manual prompting? I thought about this, and tried it, but without manual filtering, it ends up recursing out and obtains a whole load of junk domains not associated anymore. Therefore I stopped with a simple iteration and it works pretty good.

Example

Usage

  1. 1.
    Get an API key from WHOXY.com
  2. 2.
    Set that API key in a file named domLink.cfg in the same directory.
    python domlink.py -d target.com -o target.out.txt
Previous
Reconnaissance using LinkedInt
Next
OffensiveSplunk vs. Grep
Last modified 3yr ago
Copy link
Outline
DomLink
Example
Download Link
Usage