Kristina for Evolve

DOMINI Suite: how I built two OSINT tools to analyze domains and IPs from scratch

When I was assigned an OSINT practice project, I knew from the start that I wanted to build something using free tools — no paid APIs, no services with rate limits, nothing that required signing up or paying for a subscription.

The result was the DOMINI Suite — two complementary tools that map the attack surface of domains and IPs using only public information, open source libraries and free-tier services: nmap, dnspython, python-whois, ip-api.com, AbuseIPDB and AlienVault OTX. The only exception is LeakRadar, which requires a paid subscription for API access, but the suite implements an automatic fallback using Google Dorks on Pastebin that works with no key at all.

The problem I wanted to solve

I wanted to automate the full infrastructure reconnaissance workflow into two tools that worked together naturally.

That workflow — which manually means opening mxtoolbox, whois.domaintools.com, abuseipdb.com and Google separately — should be executable with a single command and end with a visual report ready to deliver.

The two tools

DOMINUS — Domain Intelligence & Risk Scoring

Given a domain, DOMINUS runs six reconnaissance phases (all passive except the nmap port scan, which does contact the target):

  • WHOIS — registrar, registrant, expiration dates
  • DNS — A, MX, NS, SPF, DMARC, DKIM records
  • Subdomains — passive enumeration via Certificate Transparency logs (crt.sh)
  • Ports — open TCP services via nmap
  • HTTP Headers — audit of CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy
  • LeakRadar — credential leak search on Pastebin via Google Dorks

The most interesting finding during testing was the DMARC analysis. A domain with p=none can be freely spoofed for phishing: the policy is monitor-only, so receivers are asked to take no action and a forged email from ceo@company.com can still land in the inbox even though it fails authentication. DOMINUS detects it and explains it in the report.
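As an added illustration (not code from the DOMINI Suite), this is how the DMARC p=none and SPF soft-fail findings mentioned in this post can be derived from the raw TXT records. The records are constructed inline so it runs offline; DOMINUS itself resolves them with dnspython.

```python
from typing import Optional

def finding(check: str, severity: str, detail: str) -> dict:
    return {"check": check, "severity": severity, "detail": detail}

def parse_dmarc(txt: str) -> dict:
    """'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', 'rua': 'mailto:x'}"""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(txt: Optional[str]) -> dict:
    """Grade the _dmarc TXT record; None means no record was published."""
    if txt is None:
        return finding("DMARC", "high", "no record: spoofed mail is neither rejected nor reported")
    tags = parse_dmarc(txt)
    policy = tags.get("p", "").lower()
    if tags.get("v", "").upper() != "DMARC1" or not policy:
        return finding("DMARC", "high", "malformed record: receivers will ignore it")
    if policy == "none":
        return finding("DMARC", "high", "p=none (monitor mode): failures are reported, but receivers "
                       "are asked to take no action, so spoofed mail can still be delivered")
    if policy == "quarantine":
        return finding("DMARC", "medium", "p=quarantine: spoofed mail is junked rather than rejected")
    return finding("DMARC", "info", "p=reject: spoofed mail is rejected at the receiver")

def assess_spf(txt: Optional[str]) -> dict:
    """Grade the SPF record by its terminal 'all' mechanism (redirect= modifiers are not followed)."""
    if txt is None:
        return finding("SPF", "high", "no record: any host may send as this domain")
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return finding("SPF", "high", "malformed record: missing v=spf1 version tag")
    last = terms[-1].lower()
    if last == "-all":
        return finding("SPF", "info", "-all: unauthorized senders hard-fail")
    if last == "~all":
        return finding("SPF", "medium", "~all (soft-fail): unauthorized senders are only marked, "
                       "so delivery depends on each receiver's own filtering")
    if last in ("+all", "all", "?all"):
        return finding("SPF", "high", f"{last}: places no restriction on who may send")
    return finding("SPF", "medium", "no terminal 'all' mechanism (result defaults to neutral)")

# Constructed sample records, shaped like what dnspython returns for the two TXT lookups
SAMPLE = {"_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
          "example.com": "v=spf1 include:_spf.example.net ~all"}

def audit(records: dict, domain: str) -> list:
    return [assess_dmarc(records.get(f"_dmarc.{domain}")), assess_spf(records.get(domain))]
```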

SENTINEL — IP Threat Intelligence

DOMINUS extracts IPs from the target's DNS records. Those IPs go directly to SENTINEL, which runs six more phases:

  • Geolocation — country, city, ASN, ISP via ip-api.com (no key required)
  • Abuse — report history, confidence score and attack categories via AbuseIPDB
  • Threat feeds — presence in AlienVault OTX pulses
  • Ports — exposed TCP services
  • Cloud detection — identifies if the IP belongs to AWS, Azure, GCP or Cloudflare
  • Tor detection — real-time lookup against the live Tor exit node list

When we analyzed 185.220.101.1 as a test target, SENTINEL immediately detected it as an active Tor exit node with 143 abuse reports — and generated specific recommendations: block full Tor exit node ranges, not just that IP, and implement MFA because brute force via Tor is resistant to IP-based blocking.

The combined workflow

DOMINUS(domain.com) → DNS → target IPs
                              ↓
                    SENTINEL(IP 1) → provider · country · Score X/100
                    SENTINEL(IP 2) → provider · country · Score X/100

In tests against a real domain (with authorization), the combined analysis revealed that the infrastructure was clean and well-hosted in Europe — two servers at known European providers, no abuse history, only ports 80 and 443 open. The only real risk was in the DNS configuration: DMARC in monitor mode and SPF with soft-fail. The risk wasn't in the servers — it was in the email configuration.

That kind of nuanced conclusion is exactly what separates a professional analysis from a simple lookup.

Architecture: what mattered most to me

Both tools share the same design pattern. Every module exposes a single function run(target) -> dict. The engine orchestrates the phases, isolates failures per module, and feeds the scorer. The scorer calculates the score with declarative weights and explains every point in the report.

Target
  └── Module A → run(target) → dict
  └── Module B → run(target) → dict
  └── Engine → Scorer → Generator → standalone HTML
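The run(target) -> dict contract, the failure-isolating engine and the declaratively weighted scorer described above, as an added example rather than the suite's own code. The two modules are constructed stand-ins (a real DNS phase would resolve records with dnspython, and the subdomain phase would query crt.sh); the weights are assumed values.

```python
from typing import Callable, Dict, List, Tuple

# Declarative weights: points deducted per finding, keyed by severity (assumed values)
WEIGHTS = {"critical": 40, "high": 25, "medium": 10, "low": 3, "info": 0}

def dns_module(target: str) -> dict:
    txt = "v=DMARC1; p=none"  # constructed record; a real module resolves _dmarc.<target>
    findings = []
    if "p=none" in txt.replace(" ", ""):
        findings.append({"id": "dmarc-monitor-only", "severity": "high", "detail": "DMARC p=none"})
    return {"phase": "dns", "findings": findings}

def subdomains_module(target: str) -> dict:
    raise TimeoutError("crt.sh did not respond")  # simulates a phase that fails mid-run

def run_engine(target: str, modules: Dict[str, Callable[[str], dict]]) -> dict:
    """Run every phase; an exception in one module is recorded, never propagated."""
    results = {}
    for name, module in modules.items():
        try:
            results[name] = {"ok": True, "data": module(target)}
        except Exception as exc:  # isolate the failure so the remaining phases still run
            results[name] = {"ok": False, "error": f"{type(exc).__name__}: {exc}"}
    return results

def score(results: dict) -> Tuple[int, List[str]]:
    """Start at 100, deduct WEIGHTS[severity] per finding, and explain every deduction."""
    total, explanation = 100, []
    for name, res in results.items():
        if not res["ok"]:
            explanation.append(f"[{name}] phase skipped: {res['error']}")
            continue
        for f in res["data"].get("findings", []):
            penalty = WEIGHTS.get(f["severity"], 0)
            total -= penalty
            explanation.append(f"[{name}] {f['id']} ({f['severity']}): -{penalty}")
    return max(total, 0), explanation

MODULES = {"dns": dns_module, "subdomains": subdomains_module}

def analyze(target: str) -> Tuple[int, List[str], dict]:
    """Orchestrate engine -> scorer; the report generator would consume all three values."""
    results = run_engine(target, MODULES)
    final, why = score(results)
    return final, why, results
```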

The final report is a single .html file with all CSS and JS inline — open it in any browser, send it to a client, or submit it to a professor with no dependencies. It includes an animated SVG score ring, a findings table with severity badges, numbered actionable recommendations, an interactive geolocation map (SENTINEL), and a language switcher between Spanish and Russian.

What I learned

The most valuable lesson was understanding how much passive reconnaissance reveals without touching anything. Using only public information — DNS records, certificate logs, HTTP headers, abuse lists — you can build a complete risk profile of any organization.

I also learned that modular architecture matters from the start. Adding LeakRadar to DOMINUS after everything else was built meant creating one new file and registering it — nothing else needed to change.

Next steps: full IP range scanning in SENTINEL, Shodan API integration, and a local web interface to run scans without using the terminal.

Repositories


This project is part of my cybersecurity portfolio and was developed during the Master in Cybersecurity & AI at Evolve Academy.
