anushka edited this page 2026-03-13 10:51:03 -05:00

Pius Domain Plugins

Pius includes 14 domain discovery plugins that find domains owned by an organization using certificate transparency, passive DNS, WHOIS, corporate registries, and DNS enumeration techniques.

All domain plugins run in Phase 0 (independent, concurrent) unless otherwise noted.

Passive domain plugins

These plugins use only OSINT sources and run by default.

| Plugin | Data Source | Auth Required | Notes |
|---|---|---|---|
| crt-sh | Certificate Transparency logs | None | Deduplicates wildcard entries; requires --domain |
| apollo | Apollo.io enrichment API | APOLLO_API_KEY | Caches results 24h; 0.85 confidence for domain queries |
| github-org | GitHub organization search | GITHUB_TOKEN (optional) | Confidence-scored; 0.65 threshold to emit |
| gleif | GLEIF LEI corporate registry | None | Discovers parent/subsidiary domains via LEI records |
| passive-dns | SecurityTrails passive DNS | SECURITYTRAILS_API_KEY | Historical subdomain records |
| reverse-whois | ViewDNS reverse WHOIS | VIEWDNS_API_KEY | 0.75 confidence; registrant email matching |
| google-dorks | Google Knowledge Graph | None | Carousel scraping for subsidiary companies |
| reverse-ip | PTR records, HackerTarget, ViewDNS | VIEWDNS_API_KEY (optional) | Phase 3; consumes CIDRs from Phase 2 |
| wikidata | Wikidata SPARQL | None | P749/P355/P127 corporate relationships; 24h cache |

Active domain plugins

Active plugins send network probes and must be enabled with --mode active or --mode all.

| Plugin | Data Source | Auth Required | Notes |
|---|---|---|---|
| dns-brute | Local DNS resolver | None | 50 concurrent goroutines; embedded wordlist |
| dns-zone-transfer | DNS AXFR | None | Extracts A, AAAA, CNAME, MX, SRV records |
| doh-enum | DNS-over-HTTPS resolvers | AWS credentials (optional) | 50 concurrent workers; round-robin endpoint rotation; optional API Gateway for IP diversity |
| favicon-hash | Shodan + FOFA favicon search | SHODAN_API_KEY, FOFA_API_KEY (optional) | MurmurHash3 of favicon; discovers origin IPs behind CDNs |
| dns-permutation | Discovered subdomains | None | Phase 3; altdns-style permutations; wildcard filtering |
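
The favicon-hash entry above relies on a MurmurHash3 of the favicon. The Go code below is an added example, not Pius's own code: it computes the value in the form Shodan's http.favicon.hash filter takes, so you can check which hosts serve your own icon outside the CDN. That Pius uses the same base64-then-hash convention is an assumption, and the names Murmur3, mimeBase64 and FaviconHash are hypothetical.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"math/bits"
)

// mix scrambles one 32-bit block before it is folded into the state.
func mix(k uint32) uint32 {
	return bits.RotateLeft32(k*0xcc9e2d51, 15) * 0x1b873593
}

// Murmur3 is MurmurHash3 x86_32 over data with the given seed.
func Murmur3(data []byte, seed uint32) uint32 {
	h, n := seed, len(data)/4*4
	for i := 0; i < n; i += 4 { // whole 4-byte little-endian blocks
		h = bits.RotateLeft32(h^mix(binary.LittleEndian.Uint32(data[i:])), 13)*5 + 0xe6546b64
	}
	var k uint32
	for i := len(data) - 1; i >= n; i-- { // 0 to 3 trailing bytes
		k = k<<8 | uint32(data[i])
	}
	h ^= mix(k) ^ uint32(len(data))
	h = (h ^ h>>16) * 0x85ebca6b // final avalanche
	h = (h ^ h>>13) * 0xc2b2ae35
	return h ^ h>>16
}

// mimeBase64 matches Python's base64.encodebytes: a newline after every
// 76 characters and after the last line. The newlines are hashed too.
func mimeBase64(raw []byte) (out []byte) {
	enc := base64.StdEncoding.EncodeToString(raw)
	for ; len(enc) > 76; enc = enc[76:] {
		out = append(out, enc[:76]+"\n"...)
	}
	if enc != "" {
		out = append(out, enc+"\n"...)
	}
	return out
}

// FaviconHash is the signed value Shodan's http.favicon.hash filter uses
// (assumption: Pius follows the same convention).
func FaviconHash(icon []byte) int32 { return int32(Murmur3(mimeBase64(icon), 0)) }

func main() { // constructed bytes stand in for a favicon you own
	fmt.Println("http.favicon.hash:", FaviconHash([]byte("constructed sample bytes")))
}
```

Hashing the raw icon bytes, or base64 without the line breaks, gives a different number and the search finds nothing, so a mismatch against another tool's output usually points at the encoding step.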

How does DoH enumeration work?

The doh-enum plugin performs DNS-over-HTTPS subdomain enumeration using multiple public resolvers (Cloudflare, Google, AdGuard) with round-robin rotation. It supports:

  • An embedded default wordlist or a custom wordlist via --doh-wordlist
  • Custom DoH servers via --doh-servers
  • Optional AWS API Gateway deployment across 8 regions for IP rotation via --doh-deploy-gateways

```bash
# Basic DoH enumeration
pius run --domain acme.com --mode active --plugins doh-enum

# With API Gateway IP rotation (requires AWS credentials)
pius run --domain acme.com --mode active --plugins doh-enum --doh-deploy-gateways
```

What does confidence scoring mean for domain plugins?

Plugins like github-org, reverse-whois, and apollo use confidence scoring because they match organization names to domains, which can be ambiguous. Scores work as follows:

| Score Range | Behavior |
|---|---|
| Above 0.65 | Emitted as a finding |
| 0.35 - 0.65 | Emitted with needs-review flag |
| Below 0.35 | Dropped as noise |