TLDR: Give DomLink a domain, it’ll go and find associated organization and e-mail registered then use this information to perform reverse WHOIS. Simple. You then get an output of lots of other associated domains registered by the company.
Author: Vincent Yiu (@vysecurity)
Not saying this is a new thing, but I needed a tool to do this without me having to manually do it over and over again for larger businesses. It’s useful for both Bug Bounty hunters who need to discover scope, penetration testers or even red teamers who need to map out the target’s digital attack surface.
DomLink roughly follows the following process. It takes the user-supplied domain name, looks for associated organization and e-mail records. It then takes the associated organization records and performs a Reverse WHOIS to discover additional domains which have associated e-mails attached to them. The tool prompts you with whether or not you want to add the discovered e-mail to your list of organization e-mails (most of the time requires human interaction to filter out junk). It then runs a further domain enumeration phase by taking the total list of associated e-mails and runs Reverse WHOIS on it again to get a final list of associated organizations, e-mails and domains.
You might be thinking, why not run this in a recursive loop? Why even have manual prompting? I thought about this, and tried it, but without manual filtering, it ends up recursing out and obtains a whole load of junk domains not associated anymore. Therefore I stopped with a simple iteration and it works pretty good.
Get an API key from WHOXY.com
Set that API key in a file named domLink.cfg in the same directory.
python domlink.py -d target.com -o target.out.txt