Sce Domain Osint

• domain: Target domain name (e.g., example.com)
• depth: Optional (basic, standard, comprehensive)
• include_historical: Optional boolean to include historical records

Output

Domain intelligence report (JSON format):

{
  "investigation_id": "OSINT-DOMAIN-uuid",
  "timestamp": "ISO-8601",
  "target_domain": "example.com",
  "risk_score": "Low|Medium|High|Critical",
  "findings": {
    "whois": {
      "registrar": "Example Registrar",
      "registrant": "Company Name",
      "registration_date": "2020-01-01",
      "expiry_date": "2025-01-01",
      "name_servers": ["ns1.example.com", "ns2.example.com"],
      "status": ["clientTransferProhibited"]
    },
    "dns": {
      "a_records": ["1.2.3.4"],
      "mx_records": ["mail.example.com"],
      "txt_records": ["v=spf1 include:_spf.example.com ~all"],
      "ns_records": ["ns1.example.com"],
      "cname_records": {},
      "dnssec": true
    },
    "ssl_tls": {
      "valid": true,
      "issuer": "Let's Encrypt",
      "valid_from": "2025-01-01",
      "valid_until": "2025-04-01",
      "subject_alt_names": ["example.com", "www.example.com"],
      "certificate_transparency": true
    },
    "subdomains": [
      "www.example.com",
      "api.example.com",
      "mail.example.com"
    ],
    "historical": {
      "previous_owners": [],
      "ip_history": [],
      "wayback_snapshots": 150
    }
  },
  "recommendations": []
}

Intelligence Gathered

WHOIS Information

• Registrar details
• Registrant information
• Registration and expiry dates
• Name servers
• Domain status
• Contact information (if available)

DNS Records

• A records (IPv4)
• AAAA records (IPv6)
• MX records (mail)
• TXT records (SPF, DKIM, DMARC)
• NS records (name servers)
• CNAME records
• DNSSEC validation

SSL/TLS Certificates

• Certificate validity
• Issuer information
• Subject alternative names (SANs)
• Certificate chain
• Certificate transparency logs

Subdomains

• Active subdomain discovery
• Passive subdomain enumeration
• Certificate transparency subdomain extraction
• DNS zone transfers (if misconfigured)

Historical Records

• Previous WHOIS records
• IP address history
• Wayback Machine snapshots
• Historical DNS records

Usage Example

# Basic domain investigation
python scripts/domain_osint.py --domain example.com --output report.json

# Comprehensive investigation with history
python scripts/domain_osint.py --domain example.com --depth comprehensive --historical

# Quick DNS check
python scripts/domain_osint.py --domain example.com --depth basic

Helper Scripts

• domain_osint.py: Main domain intelligence gatherer
• whois_lookup.py: WHOIS data extraction
• dns_enum.py: DNS record enumeration
• ssl_analyzer.py: SSL/TLS certificate analysis
• subdomain_enum.py: Subdomain discovery

Risk Scoring

• Critical: Active malicious activity, C2 indicators, known phishing domain
• High: Suspicious registration patterns, privacy-protected WHOIS, short TTL
• Medium: Recently registered, no DNSSEC, expired SSL
• Low: Standard domain, normal patterns, good security posture

Safety Rules

1. Read-only: Never performs actions against target domains
2. Passive reconnaissance: Uses only public data sources
3. Legal compliance: Respects robots.txt and rate limits
4. Scope focus: Reports only on domain intelligence, not related entities