README
¶
domainintel
A command-line reconnaissance tool for gathering comprehensive intelligence about domains.
Overview
domainintel automates the process of discovering subdomains through Certificate Transparency logs, checking their availability, resolving IP addresses, and validating TLS certificates — all from a single command.
Features
- Certificate Transparency Enumeration: Discovers subdomains through CT logs (crt.sh)
- HTTP/HTTPS Reachability Checks: Tests connectivity with status codes and response times
- IP Address Resolution: Resolves A and AAAA records
- TLS Certificate Validation: Checks certificate validity and expiration
- Extended DNS Queries: Full DNS reconnaissance (A, AAAA, MX, TXT, NS, CNAME, SOA)
- WHOIS Lookups: Domain registration information with caching
- Third-Party Reputation: Integration with VirusTotal and URLVoid, DNSBL, Spamhaus, and Google Safe Browsing (API keys required)
- Security Headers Analysis: Integration with SecurityHeaders.com (no API key required, uses privacy mode)
- SSL/TLS Analysis: Integration with SSL Labs for comprehensive SSL/TLS grading (no API key required)
- Multiple Output Formats: Text tables, JSON, and CSV
- Concurrent Processing: Configurable worker pool for faster scans
- Security Hardened: Input validation, path sanitization, and secure defaults
Installation
From Source
Requires Go 1.25.4 or later.
# Clone the repository
git clone https://github.com/commjoen/domainintel.git
cd domainintel
# Build the binary
make build
# Or build directly with Go
go build -o domainintel ./cmd/domainintel
Pre-built Binaries
Download pre-built binaries from the Releases page.
Usage
Basic Usage
# Basic subdomain enumeration
domainintel --domains example.com
# Multiple domains
domainintel --domains example.com,example.org
Output Formats
# Text output (default)
domainintel --domains example.com --format text
# JSON output (great for jq processing)
domainintel --domains example.com --format json
# CSV output
domainintel --domains example.com --format csv
# Save to file
domainintel --domains example.com --format csv --out results.csv
Advanced Options
# Increase timeout for slow networks
domainintel --domains example.com --timeout 30s
# Increase concurrency for faster scans
domainintel --domains example.com --concurrent 20
# Verbose output for debugging
domainintel --domains example.com --verbose
jq Examples
# Extract all discovered subdomains
domainintel --domains example.com --format json | jq -r '.domains[].subdomains[].hostname'
# Get subdomain and status pairs
domainintel --domains example.com --format json | jq '.domains[].subdomains[] | {hostname, status: .https.status}'
# List all unique IP addresses
domainintel --domains example.com --format json | jq -r '.domains[].subdomains[].ips[]' | sort -u
# Find subdomains with TLS issues
domainintel --domains example.com --format json | jq '.domains[].subdomains[] | select(.tls.valid == false)'
# Export reachable subdomains only
domainintel --domains example.com --format json | jq -r '.domains[].subdomains[] | select(.reachable == true) | .hostname'
CLI Flags
| Flag | Short | Type | Default | Description |
|---|---|---|---|---|
--domains |
-d |
string | (required) | Comma-separated list of target domains (max 100) |
--format |
-f |
string | text |
Output format: text, json, or csv |
--out |
-o |
string | stdout | Write output to file path |
--timeout |
-t |
duration | 10s |
HTTP request timeout |
--concurrent |
-c |
int | 10 |
Maximum concurrent requests |
--verbose |
-v |
bool | false |
Enable verbose logging |
--progress |
-p |
bool | false |
Show progress bar during scan |
--providers |
string | Comma-separated reputation providers |
Reputation Providers
domainintel integrates with several third-party reputation services:
| Provider | Flag Value | API Key Required | Description |
|---|---|---|---|
| VirusTotal | vt |
Yes (VT_API_KEY) |
Comprehensive threat intelligence |
| URLVoid | urlvoid |
Yes (URLVOID_API_KEY) |
Website reputation checking |
| DNSBL | dnsbl |
No | DNS-based Blackhole Lists (spam/malware) |
| Spamhaus | spamhaus |
No | Spamhaus DBL domain reputation |
| Safe Browsing | safebrowsing |
Yes (SAFEBROWSING_API_KEY) |
Google Safe Browsing API |
| SSL Labs | ssllabs |
No | SSL/TLS grading and analysis |
Usage Examples
# Use DNSBL and Spamhaus (no API keys required)
domainintel --domains example.com --providers dnsbl,spamhaus
# Use VirusTotal (requires API key)
export VT_API_KEY=your_virustotal_api_key
domainintel --domains example.com --providers vt
# Use Google Safe Browsing (requires API key)
export SAFEBROWSING_API_KEY=your_google_api_key
domainintel --domains example.com --providers safebrowsing
# Use SSL Labs (no API key required)
domainintel --domains example.com --providers ssllabs
# Use multiple providers
export VT_API_KEY=your_key
domainintel --domains example.com --providers vt,dnsbl,spamhaus,ssllabs
Security
This tool implements several security measures:
- Input Validation: All domain names are validated against RFC 1035
- Path Sanitization: Output file paths are sanitized to prevent directory traversal
- Domain Limit: Maximum 100 domains per scan to prevent abuse
- TLS 1.2+: All HTTPS connections require TLS 1.2 or higher
- Timeouts: Configurable timeouts for all network operations
- No Secrets in Logs: Sensitive information is never logged
Development
Prerequisites
- Go 1.25.4 or later
- golangci-lint (optional, for linting)
- gosec (optional, for security scanning)
Build Commands
# Build
make build
# Run tests
make test
# Run tests with coverage
make test-coverage
# Run linter
make lint
# Run security scan
make security
# Build for all platforms
make build-all
# Clean build artifacts
Project Structure
domainintel/
├── cmd/domainintel/ # CLI entry point
├── internal/
│ ├── crt/ # Certificate Transparency queries
│ ├── dns/ # Extended DNS queries
│ ├── whois/ # WHOIS lookups
│ ├── providers/ # Third-party reputation services
│ ├── reachability/ # HTTP checks and IP resolution
│ └── output/ # Output formatters
├── pkg/models/ # Shared data structures
├── tests/
│ ├── integration/ # Integration tests
│ └── fixtures/ # Test fixtures
├── Makefile # Build automation
└── README.md # This file
Test Coverage
The project maintains comprehensive test coverage:
- Unit tests for all modules
- Integration tests with mock servers
- Table-driven tests for edge cases
- Security scanning with gosec
License
This project is licensed under the MIT License - see the LICENSE file for details.
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
domainintel
command
domainintel is a command-line reconnaissance tool for gathering intelligence about domains
|
domainintel is a command-line reconnaissance tool for gathering intelligence about domains |
|
internal
|
|
|
crt
Package crt provides Certificate Transparency log query functionality
|
Package crt provides Certificate Transparency log query functionality |
|
dns
Package dns provides extended DNS record query functionality
|
Package dns provides extended DNS record query functionality |
|
output
Package output provides formatting options for scan results
|
Package output provides formatting options for scan results |
|
providers
Package providers provides third-party reputation service integrations
|
Package providers provides third-party reputation service integrations |
|
reachability
Package reachability provides HTTP/HTTPS connectivity checks and IP resolution
|
Package reachability provides HTTP/HTTPS connectivity checks and IP resolution |
|
whois
Package whois provides WHOIS lookup functionality
|
Package whois provides WHOIS lookup functionality |
|
pkg
|
|
|
models
Package models contains shared data structures used across the application
|
Package models contains shared data structures used across the application |
Click to show internal directories.
Click to hide internal directories.