Dome - Subdomain Enumeration Tool. Fast and reliable python script that makes active and/or passive scan to obtain subdomains and search for open ports.
Alternatives To Dome
Project NameStarsDownloadsRepos Using ThisPackages Using ThisMost Recent CommitTotal ReleasesLatest ReleaseOpen IssuesLicenseLanguage
Scanners Box7,483
2 months ago2
A powerful and open-source toolkit for hackers and security automation - 安全行业从业者自研开源扫描器合辑
4 hours ago21mitHTML
reconFTW is a tool designed to perform automated recon on a target domain by running the best set of tools to perform scanning and finding out vulnerabilities
7 hours ago140August 17, 202317gpl-3.0Python
OSINT automation for hackers.
Pentest Tools2,652
9 months ago1Python
A collection of custom security tools for quick needs.
7 months agoMarch 29, 201846apache-2.0Go
Subdomain Takeover tool written in Go
Dictionary Of Pentesting1,612
2 months agoShell
Dictionary collection project such as Pentesing, Fuzzing, Bruteforce and BugBounty. 渗透测试、SRC漏洞挖掘、爆破、Fuzzing等字典收集项目。
2 years ago18mitGo
5 days ago17July 08, 20234mitGo
OSINT tools and more but without API ke
4 years ago5mitPython
K8Ladon大型内网渗透自定义插件化扫描神器,包含信息收集、网络资产、漏洞扫描、密码爆破、漏洞利用,程序采用多线程批量扫描大型内网多个IP段C段主机,目前插件包含: C段旁注扫描、子域名扫描、Ftp密码爆破、Mysql密码爆破、Oracle密码爆破、MSSQL密码爆破、Windows/Linux系统密码爆破、存活主机扫描、端口扫描、Web信息探测、操作系统版本探测、Cisco思科设备扫描等,支持调用任意外部程序或脚本,支持Cobalt Strike联动
4 months ago14bsd-2-clauseGo
A Powerful Subdomain Takeover Tool
Alternatives To Dome
Select To Compare

Alternative Project Comparisons

DOME - A subdomain enumeration tool

Version Build Build Contributions Welcome

Alt Text

Check the Spanish Version

Dome is a fast and reliable python script that makes active and/or passive scan to obtain subdomains and search for open ports. This tool is recommended for bug bounty hunters and pentester in their reconnaissance phase.

the more surface area exposed the faster a rock with break down

If you want to use more OSINT engines, fill the config.api file with the needed API tokens

Passive Mode:

Use OSINT techniques to obtain subdomains from the target. This mode will not make any connection to the target so it is undetectable. The basic use of this mode is:

python -m passive -d domain

Active Mode:

Perform bruteforce attacks to obtain alive subdomains. There are 2 types of bruteforce:

  • Pure Bruteforce: Check subdomains from to (26 + 26^2 + 26^3 = 18278 subdomains) this bruteforce can be disabled with -nb, --no-bruteforce
  • Wordlist based: Use a custom wordlist provided by the user using the flag -w, --wordlist. If no wordlists is specified, this mode won't be executed

This mode will also make passive mode attack but in this case, the connection is tested to ensure the subdomain is still alive. To disable passive scan in active scan mode, use --no-passive flag

The basic use of this mode is:

python -m active -d domain -w wordlist.txt

Add -p option or a built-it port option (see usage menu) to perform port scanning

python -m active -d domain -w wordlist.txt -p 80,443,8080


You can run Dome with Python 2 or 3. Python3 is recommended

Install the dependencies and run the program

git clone
cd Dome
pip install -r requirements.txt
python --help

Top Features

  • Easy to use. Just install the requirements.txt and run
  • Active and Passive scan (read above)
  • Faster than other subdomain enumeration tools
  • 7 different resolvers/nameservers including google, cloudfare (fastest), Quad9 and cisco DNS (use --resolvers filename.txt to use a custom list of resolvers, one per line)
  • Up to 21 different OSINT sources
  • Subdomains obtained via OSINT are tested to know if they are alive (only in active mode)
  • Support for webs that requires API token
  • Detects when api key is no longer working (Other tools just throw an error and stops working)
  • Wildcard detection and bypass
  • Custom Port scaning and built-in params for Top100,Top1000 and Top Web ports
  • Colored and uncolored output for easy read
  • Windows and Python 2/3 support (Python 3 is recommended)
  • Highly customizable through arguments
  • Scan more than one domain simultaneously
  • Possibility to use threads for faster bruteforce scans
  • Export output in different formats such as txt, json, html

Buy me a Coffee

"Buy Me A Coffee"



Passive mode:


Active mode + port scan:


OSINT Search Engines

Dome uses these web pages to obtain subdomains

Without API:

  • AlienVault
  • HackerTarget
  • RapidDNS
  • ThreatMiner
  • CertSpotter
  • Anubis-DB
  • Sonar
  • SiteDossier
  • DNSrepo

With API:

  • VirusTotal
  • Shodan
  • Spyse
  • SecurityTrails
  • PassiveTotal
  • BinaryEdge


Feel free to implement this features

  • [x] Add arguments
  • [x] Add DNS wildcard detection and bypass
  • [x] Add port scan and port argument
  • [x] Add colored screen output (also option for no-colour)
  • [x] Add -i option to show the subdomains' IP address
  • [x] Add --silent argument to show nothing on screen
  • [x] Create a dicc structure like {"ip": "domain"} to avoid duplicate port scans
  • [x] Generate output in html and json format, also a txt for subdomains found during scan
  • [x] Add timestamps
  • [ ] Recursive scan
  • [ ] Autoupdate Script
  • [x] Add more OSINT engines with API token (create config file)
  • [x] Add compatibility with Windows
  • [x] Add compatibility with Python 2.7
  • [x] Add Shodan for passive open ports? (Check requests limit with api key)
  • [ ] Add support for domains like (at this moment, the program only works with one level domain like (
  • [ ] Add precompiled files for Linux and Windows (Mac OS?)
  • [x] Add Spyse as osint engine
  • [x] Added DNS resolvers
  • [ ] Implement spyse offset in request to get more subdomains (
  • [x] Add common prefix to valid subdomains like -testing, -staging, etc
  • [ ] Delete wordlists words <= 3 letters if pure bruteforce was made (avoid duplicate connections)
  • [ ] Add exclusion file so bug bounty hunters can specify OOS subdomains in order to not print/output them


Arguments Description Arg example
-m, --mode Scan mode. Valid options: active or passive active
-d, --domain Domains name to enumerate subdomains (Separated by commas),
-w, --wordlist Wordlist containing subdomain prefix to bruteforce subdomains-5000.txt
-i, --ip When a subdomain is found, show its ip
--no-passive Do not use OSINT techniques to obtain valid subdomains
-nb, --no-bruteforce Dont make pure bruteforce up to 3 letters
-p, --ports Scan the subdomains found against specific tcp ports 80,443,8080
--top-100-ports Scan the top 100 ports of the subdomain (Not compatible with -p option)
--top-1000-ports Scan the top 1000 ports of the subdomain (Not compatible with -p option)
--top-web-ports Scan the top web ports of the subdomain (Not compatible with -p option)
-s, --silent Silent mode. No output in terminal
--no-color Dont print colored output
-t, --threads Number of threads to use (Default: 25) 20
-o, --output Save the results to txt, json and html files
--max-response-size Maximun length for HTTP response (Default:5000000 (5MB)) 1000000
--r, --resolvers Textfile with DNS resolvers to use. One per line resolvers.txt
-h, --help Help command
--version Show dome version and exit
-v, --verbose Show more information during execution


Perform active and passive scan, show the ip adress of each subdomain and make a port scan using top-web-ports. Data will also be written in /results folder:

python -m active -d domain -w wordlist.txt -i --top-web-ports -o

Perform passive scan in silent mode and write output to files.

python -m passive -d domain --silent --output

Perform active scan without passive and port scan

python -m active -d domain -w wordlist.txt --no-passive

Only bruteforce with wordlist

python -m active -d domain -w wordlist.txt --no-bruteforce

Scan active and passive and perform port scan ONLY in ports 22,80,3306

python -m active -d domain -w wordlist.txt -p 22,80,3306


You can contact me at [email protected]

License: for commercial use, contact me at email above

Popular Subdomain Projects
Popular Penetration Testing Projects
Popular Networking Categories
Related Searches

Get A Weekly Email With Trending Projects For These Categories
No Spam. Unsubscribe easily at any time.
Hacking Tool