subdomain takeover - tripmine253/pentest-book GitHub Wiki
- The domain name sub.example.com uses a CNAME record pointing at another domain (sub.example.com CNAME anotherdomain.com).
- At some point anotherdomain.com expires and becomes available for anyone to register.
- Since the CNAME record is never removed from the DNS zone of example.com, whoever registers anotherdomain.com has full control over sub.example.com for as long as that DNS record remains in place.
{% embed url="https://0xpatrik.com/takeover-proofs/" %}
{% embed url="https://github.com/EdOverflow/can-i-take-over-xyz" %}
{% embed url="https://blog.initd.sh/others-attacks/mis-configuration/subdomain-takeover-explained/" %}
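The precondition described above (a CNAME whose target no longer resolves) can be checked for an inventory of your own subdomains by walking each CNAME chain and flagging chains that end in NXDOMAIN. The following is an added example, not code from the pentest-book; it uses constructed sample DNS data and hypothetical names so it runs offline, and a live resolver can be plugged in through the `lookup` parameter.

```python
"""Dangling-CNAME check: follow each subdomain's CNAME chain and report
chains that end at a name that does not resolve (the takeover precondition)."""
from typing import Callable, Dict, List, Optional, Tuple

Record = Tuple[str, str]  # (record type, value)

# Constructed sample zone data standing in for live DNS answers.
# Absent names behave like NXDOMAIN. All names are hypothetical.
SAMPLE_DNS: Dict[str, Record] = {
    "www.example.com.": ("A", "203.0.113.10"),
    "blog.example.com.": ("CNAME", "example.ghost.io."),  # target still resolves
    "example.ghost.io.": ("A", "203.0.113.20"),
    "old.example.com.": ("CNAME", "anotherdomain.com."),  # target expired: NXDOMAIN
    "loop1.example.com.": ("CNAME", "loop2.example.com."),
    "loop2.example.com.": ("CNAME", "loop1.example.com."),
}


def sample_lookup(name: str) -> Optional[Record]:
    """Offline stand-in for a resolver; return None to signal NXDOMAIN."""
    return SAMPLE_DNS.get(name)


def check_cname(name: str, lookup: Callable[[str], Optional[Record]] = sample_lookup,
                max_hops: int = 8) -> Tuple[str, List[str]]:
    """Return (status, chain). status: 'ok', 'dangling', 'loop', 'no-cname',
    'nxdomain' (the subdomain itself is gone) or 'too-deep'."""
    current = name.rstrip(".") + "."          # normalise to a fully qualified name
    chain, seen = [current], {current}
    for _ in range(max_hops):
        rec = lookup(current)
        if rec is None:
            # NXDOMAIN after at least one CNAME hop is the dangling case
            return ("dangling", chain) if len(chain) > 1 else ("nxdomain", chain)
        rtype, value = rec
        if rtype != "CNAME":
            return ("ok", chain) if len(chain) > 1 else ("no-cname", chain)
        if value in seen:
            return ("loop", chain + [value])
        seen.add(value)
        chain.append(value)
        current = value
    return ("too-deep", chain)


def find_dangling(names: List[str], lookup=sample_lookup) -> List[Tuple[str, List[str]]]:
    """Filter an inventory down to the subdomains whose CNAME chain is dangling."""
    results = [(n, check_cname(n, lookup)) for n in names]
    return [(n, chain) for n, (status, chain) in results if status == "dangling"]
```

A dangling result is only a lead: whether the target can actually be claimed depends on the registrar or hosting provider, which is what the can-i-take-over-xyz list above tracks, so verify before raising a finding.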
```bash
# https://github.com/LukaSikic/subzy
subzy -targets list.txt
subzy -concurrency 100 -hide_fails -targets subs.txt

# https://github.com/CoffeeJunkiee/Subvenkon
python subvenkon.py -d subdomains.txt

# https://github.com/Ice3man543/SubOver
SubOver -l /root/subdomains.txt -t 100  # Subdomains generated with subgen

# https://github.com/JordyZomer/autoSubTakeover
pip install autosubtakeover
autosubtakeover --wordlist domains.txt

# https://github.com/haccer/subjack
subjack -w /root/subdomain.txt -a -v -t 100 -timeout 30 -o results.txt -ssl  # Subdomains generated with subgen

# https://github.com/antichown/subdomain-takeover
python takeover.py -d domain.com -w /root/Repos/SecLists/Discovery/DNS/clean-jhaddix-dns.txt -t 100

# https://github.com/pry0cc/subgen
go get -u github.com/pry0cc/subgen
cat wordlist.txt | subgen -d "uber.com"
cat /home/user/Escritorio/tools/SecLists/Discovery/DNS/clean-jhaddix-dns.txt | subgen -d domain.com | massdns -r /usr/share/wordlists/dns.txt -t A -o S -w results.txt
```
Check results.txt for the output.

```bash
# https://github.com/guptabless/unclaim-s3-finder
bucket-takeover.py -u https://qweqwe.asasdasdad.com
```