
bitsflip/domain-scanner


domain-scanner

A multi-stage recon toolkit written in Python: given a domain, it brute-forces subdomains, port-scans whatever it finds, grabs HTTPS headers, and brute-forces common web paths on each host.

Built as a learning project to understand how recon tools work under the hood — sockets, TLS/SNI, threading, and DNS resolution — rather than relying on existing tools like nmap, gobuster, or subfinder.

HTTPS path crawling is currently being worked on.

Pipeline

domain
  │
  ▼
subdomain_enum.py   →  brute-forces subdomain prefixes, resolves via DNS
  │
  ▼ (for each subdomain found)
port_scanner.py     →  TCP-scans top 100 ports, grabs HTTPS header on 443 (SNI-aware)
  │
  ▼ (if 443 is open)
path_crawler.py     →  brute-forces common paths/files, filters known false-positive response sizes
  │
  ▼
beautify_report.py  →  turns the raw output into a readable .txt report
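The "filters known false-positive response sizes" step in the diagram (and the content-length checker in the Todo list) is the part of the pipeline that decides whether a hit is real. The following is an added example, not the project's own code, of that check: one extra request per host to a random nonexistent path gives the catch-all page size, and any size that recurs across several unrelated paths is treated as a catch-all too. `fetch_len` is an assumed caller-supplied callable; the result tuples are constructed sample data.

```python
import random
import string
from collections import Counter
from typing import Callable

# Constructed sample of what a path crawler records per host:
# (path, status, body length). A catch-all host answers every unknown
# path with the same page, so unrelated paths collapse to one size (1432).
SAMPLE_RESULTS = [
    ("/", 200, 5120),
    ("/admin", 200, 1432),
    ("/login", 200, 1432),
    ("/backup.zip", 200, 1432),
    ("/robots.txt", 200, 88),
    ("/api", 200, 1432),
    ("/.git/HEAD", 200, 1432),
    ("/static", 403, 312),
]


def random_path(length: int = 16) -> str:
    """A path that is almost certainly not a real resource on the host."""
    alphabet = string.ascii_lowercase + string.digits
    return "/" + "".join(random.choice(alphabet) for _ in range(length))


def calibrate(fetch_len: Callable[[str], int]) -> int:
    """The one extra request per host: body size for a path that should not
    exist. fetch_len is assumed to be supplied by the caller, e.g. a wrapper
    around requests.get that returns len(resp.content)."""
    return fetch_len(random_path())


def recurring_sizes(results: list, min_count: int = 3) -> set:
    """Sizes shared by at least min_count different 200 responses; real
    pages (a login form, a directory listing) rarely have identical length."""
    counts = Counter(size for _, status, size in results if status == 200)
    return {size for size, n in counts.items() if n >= min_count}


def filter_false_positives(results: list, catch_all_size=None, min_count=3):
    """Drop 200 responses whose size matches the calibrated catch-all page or
    a size that recurs across min_count paths. Other statuses are kept."""
    baseline = recurring_sizes(results, min_count)
    if catch_all_size is not None:
        baseline.add(catch_all_size)
    return [r for r in results if not (r[1] == 200 and r[2] in baseline)]


if __name__ == "__main__":
    size = calibrate(lambda path: 1432)  # stand-in for a live probe
    for hit in filter_false_positives(SAMPLE_RESULTS, size):
        print(hit)
```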

Project structure

| File | Purpose |
| --- | --- |
| main.py | Entry point — runs the subdomain enumerator |
| subdomain_enum.py | Subdomain brute-forcer + DNS resolution |
| port_scanner.py | Threaded TCP port scanner + HTTPS header grabber |
| path_crawler.py | Web path/directory brute-forcer |
| beautify_report.py | Converts raw scan output into a readable report |
| sub_prefix_list.txt | Wordlist of subdomain prefixes (www, admin, mail, ...) |
| ports_100.txt | Top 100 TCP ports (by nmap's frequency data) |
| paths.txt | Wordlist of common web paths/files |

Requirements

  • Python 3.10+ (uses match statements)
  • requests

pip install requests

Usage

python main.py

You'll be prompted for:

  • A subdomain wordlist file (default: sub_prefix_list.txt)
  • An output file name (default: found_subdomains.txt)
  • The target domain
  • Whether to port-scan + crawl paths on each found subdomain (Y/N)

Limitations

This tool is more of a learning exercise than a practically useful scanner. In real-world testing, results varied:

  • Most production sites today sit behind a CDN/WAF (Cloudflare, CloudFront, Azure Front Door, etc.) that rate-limits or blocks automated, non-browser-like traffic almost immediately — often after just a handful of requests.
  • Many subdomains return generic 403/503 block pages regardless of what's actually behind them, which gives little real signal.
  • The path brute-forcer is especially affected — fast, threaded requests against a single host are exactly the pattern WAFs are built to detect and shut down.

In short: this works cleanly against test environments (local servers, deliberately vulnerable apps, infrastructure you control), but don't expect meaningful results against random real-world domains — that's by design on their end, not a bug on this end.

Disclaimer

This tool performs active scanning (port scanning, brute forcing) against the targets it's pointed at. Only run it against domains and infrastructure you own or have explicit permission to test. Unauthorized scanning of third-party systems may be illegal depending on your jurisdiction.

License

MIT

Todo

  • fix HTTPS path scanning (handle errors better).

  • add automatic content length checker to catch false positives in the path crawler ✅ (0 + only adds 1 request per subdomain)

  • add input parsing through the CLI directly (python ./main (domain) scan_ports=yes,...).

  • add the functionality to run specific tool(s).

  • give the user a choice of how many threads are allowed.

  • remove debug print statements.

  • actually structure the code and use main.py better.

  • check code for redundancy and just general bad practice (there are definitely a few).

  • use OOP?

  • learn C

About

not useful in practice: it sends a few MB a second, so you get rate-limited FAST (on a good website)
