Recon Tool: Dome

Premium Content

Reading Time: 3 Minutes


Dome by v4d1, is a fast and reliable Subdomain Enumeration Tool that facilitates active and passive scanning to discover subdomains and identify open ports. This tool is recommended for bug bounty hunters and pentesters in their reconnaissance phase.

If you want to use more OSINT engines, fill the config.api file with the needed API tokens

See Also: So you want to be a hacker?
Offensive Security Courses

Passive Mode:

Use OSINT techniques to obtain subdomains from the target. This mode will not make any connection to the target so it is undetectable. The basic use of this mode is:

python -m passive -d domain


Active Mode:

Perform bruteforce attacks to obtain alive subdomains. There are 2 types of bruteforce:

Pure Bruteforce: Check subdomains from to (26 + 26^2 + 26^3 = 18278 subdomains) this bruteforce can be disabled with -nb, –no-bruteforce
Wordlist based: Use a custom wordlist provided by the user using the flag -w, –wordlist. If no wordlists is specified, this mode won’t be executed

This mode will also make passive mode attack but in this case, the connection is tested to ensure the subdomain is still alive. To disable passive scan in active scan mode, use –no-passive flag

The basic use of this mode is:

python -m active -d domain -w wordlist.txt

Add -p option or a built-it port option (see usage menu) to perform port scanning

python -m active -d domain -w wordlist.txt -p 80,443,8080

See Also: OSINT Tool: GooFuzz


You can run Dome with Python 2 or 3. Python3 is recommended

Install the dependencies and run the program

git clone

cd Dome

pip install -r requirements.txt

python –help



Top Features

Easy to use. Just install the requirements.txt and run
Active and Passive scan (read above)
Faster than other subdomain enumeration tools
7 different resolvers/nameservers including google, cloudfare (fastest), Quad9 and cisco DNS (use –resolvers filename.txt to use a custom list of resolvers, one per line)
Up to 21 different OSINT sources
Subdomains obtained via OSINT are tested to know if they are alive (only in active mode)
Support for webs that requires API token
Detects when api key is no longer working (Other tools just throw an error and stops working)
Wildcard detection and bypass
Custom Port scaning and built-in params for Top100,Top1000 and Top Web ports
Colored and uncolored output for easy read
Windows and Python 2/3 support (Python 3 is recommended)
Highly customizable through arguments
Scan more than one domain simultaneously
Possibility to use threads for faster bruteforce scans
Export output in different formats such as txt, json, html


Passive mode:

Active mode + port scan:


OSINT Search Engines

Dome uses these web pages to obtain subdomains

Without API:


With API:





Feel free to implement this features

 Add arguments
 Add DNS wildcard detection and bypass
 Add port scan and port argument
 Add colored screen output (also option for no-colour)
 Add -i option to show the subdomains’ IP address
 Add –silent argument to show nothing on screen
 Create a dicc structure like {“ip”: “domain”} to avoid duplicate port scans
 Generate output in html and json format, also a txt for subdomains found during scan
 Add timestamps
 Recursive scan
 Autoupdate Script
 Add more OSINT engines with API token (create config file)
 Add compatibility with Windows
 Add compatibility with Python 2.7
 Add Shodan for passive open ports? (Check requests limit with api key)
 Add support for domains like (at this moment, the program only works with one level domain like (
 Add precompiled files for Linux and Windows (Mac OS?)
 Add Spyse as osint engine
 Added DNS resolvers
 Implement spyse offset in request to get more subdomains (
 Add common prefix to valid subdomains like -testing, -staging, etc
 Delete wordlists words <= 3 letters if pure bruteforce was made (avoid duplicate connections)
 Add exclusion file so bug bounty hunters can specify OOS subdomains in order to not print/output them


Arg example

-m, –mode
Scan mode. Valid options: active or passive

-d, –domain
Domains name to enumerate subdomains (Separated by commas),

-w, –wordlist
Wordlist containing subdomain prefix to bruteforce

-i, –ip
When a subdomain is found, show its ip

Do not use OSINT techniques to obtain valid subdomains

-nb, –no-bruteforce
Dont make pure bruteforce up to 3 letters

-p, –ports
Scan the subdomains found against specific tcp ports

Scan the top 100 ports of the subdomain (Not compatible with -p option)

Scan the top 1000 ports of the subdomain (Not compatible with -p option)

Scan the top web ports of the subdomain (Not compatible with -p option)

-s, –silent
Silent mode. No output in terminal

Dont print colored output

-t, –threads
Number of threads to use (Default: 25)

-o, –output
Save the results to txt, json and html files

Maximun length for HTTP response (Default:5000000 (5MB))

–r, –resolvers
Textfile with DNS resolvers to use. One per line

-h, –help
Help command

Show dome version and exit

-v, –verbose
Show more information during execution




Perform active and passive scan, show the ip adress of each subdomain and make a port scan using top-web-ports. Data will also be written in /results folder:

python -m active -d domain -w wordlist.txt -i –top-web-ports -o 

Perform passive scan in silent mode and write output to files.

python -m passive -d domain –silent –output

Perform active scan without passive and port scan

python -m active -d domain -w wordlist.txt –no-passive

Only bruteforce with wordlist

python -m active -d domain -w wordlist.txt –no-bruteforce

Scan active and passive and perform port scan ONLY in ports 22,80,3306

python -m active -d domain -w wordlist.txt -p 22,80,3306



Clone the repo from here: GitHub Link

Recent Tools

OSINT Tool: GooFuzz

May 12, 2023

GooFuzz is a tool to perform fuzzing with an OSINT …

Recon Tool: Sniffer

May 5, 2023

Sniffer is a network troubleshooting tool that lets you analyze …

Malware Analysis Tool: retoolkit

April 29, 2023

Retoolkit is a Reverse Engineering and Malware Analysis collection of …

Offensive Security Tool: Go365

April 27, 2023

Go365 is an Office365 user attack tool and its designed …

Offensive Security & Ethical Hacking Course

Begin the learning curve of hacking now!

Information Security Solutions

Find out how Pentesting Services can help you.

The post Recon Tool: Dome first appeared on Black Hat Ethical Hacking.

About The Author