VirusTotal has long provided a free online file and URL scanning service. In fact, I think it is THE site that started this kind of service more than 10 years ago. Wikipedia mentions that it was started in the year 2004! It also offers a “search” service which helps us to find more interesting details about a file hash or a URL. Leveraging this feature, we have an open source script called V1D0m!
What is V1D0m?
V1D0m is an open source script in Python that leverages the VirusTotal search engine to find sub-domains of a targeted domain. This saves you a lot of time and lets you remain anonymous while performing reconnaissance on the domain, while also bypassing any censorship if you live in one of “those” countries. It also acts like a “time-machine” for this information. I was pleasantly surprised to find information about an old domain name that I knew from 2012 to still figure on VirusTotal with some information.
The VirusTotal documentation mentions this – “VirusTotal runs its own passive DNS replication service, built by storing DNS resolutions performed when visiting URLs and executing malware samples submitted by users. In order to retrieve the information we have on a given domain you just have to use the domain: search modifier in the search box. This report includes other details such as all the incidents seen related to such domain: malware samples downloaded from the given domain, specimens communicating with it, etc.”
If you perform a search on the front page, the site directs you to a resource such as –
For example, if you were to check information about PenTestIT, you would go to
V1D0m simply sends search queries to VirusTotal and returns only the relevant results to you. It accepts the domain name as an argument and prints on the screen the list of sub-domain names that VirusTotal has for it. It also allows you to export these results in .xls or .json format. Very neat, I must say!
However, therein lies a problem. That information can be (is!) stale and hasn’t been updated! This can lead to incorrect results. You would have to maintain two or more sources for this information. Another problem is that the VirusTotal documentation page also mentions this – “No automations! This search feature should not be used as a programmatic interface to retrieve VirusTotal reports, we will ban any scripts using this interface as if it were an API. If you want to use VirusTotal’s dataset programmatically you should be looking at the VirusTotal Public API.”
In the current version, the script also misses the ReCaptcha check that the site throws up to avoid automation. I suggest that the author use the API in the next version of the tool.
Installing V1D0m version 1.0 is easy. Check out the repository from here and run:
pip install -r requirements.txt -U
However, first remove the entries for Python 2.7, json and socket from the requirements.txt file, as they are not meant to be installed using pip. Otherwise, you will see an error similar to:
Collecting json (from -r requirements.txt (line 5))
  Using cached json-99.0.tar.gz
    Complete output from command python setup.py egg_info:
    Traceback (most recent call last):
      File "", line 1, in
      File "/tmp/pip-build-vQHTT2/json/setup.py", line 2, in
        raise RuntimeError("Package 'json' must not be downloaded from pypi")
    RuntimeError: Package 'json' must not be downloaded from pypi
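An added example, not part of V1D0m or the original post: one way to find and strip such entries before handing a requirements file to pip, so that names belonging to the interpreter or the standard library are never fetched from PyPI. The sample file contents are constructed (not the project's actual requirements.txt) and the function names are hypothetical.

```python
import re
import sys

# Names pip should never fetch: the interpreter itself and standard-library
# modules. sys.stdlib_module_names exists on Python 3.10+; the fallback set
# only covers the two entries named in the post.
STDLIB = set(getattr(sys, "stdlib_module_names", {"json", "socket"}))
NOT_INSTALLABLE = STDLIB | {"python"}

NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")

# Constructed sample input for illustration only.
SAMPLE = """\
# constructed sample requirements file
requests
python==2.7
json
socket
xlwt>=1.0
"""


def requirement_name(line):
    """Return the lower-cased project name of a requirement line, or None."""
    line = line.split("#", 1)[0].strip()
    # Skip blanks, comments, pip options (-r, -e, --hash) and URL requirements.
    if not line or line.startswith("-") or "://" in line:
        return None
    match = NAME_RE.match(line)
    return match.group(0).lower().replace("-", "_") if match else None


def split_requirements(text):
    """Split a requirements file into (lines to keep, lines to drop)."""
    keep, dropped = [], []
    for raw in text.splitlines():
        name = requirement_name(raw)
        (dropped if name in NOT_INSTALLABLE else keep).append(raw)
    return keep, dropped


if __name__ == "__main__":
    keep, dropped = split_requirements(SAMPLE)
    print("dropped:", dropped)
    print("\n".join(keep))
```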