██████╗ ██████╗ ██████╗ ██╗████████╗ █████╗ ██╗
██╔═══██╗██╔══██╗██╔══██╗██║╚══██╔══╝██╔══██╗██║
██║ ██║██████╔╝██████╔╝██║ ██║ ███████║██║
██║ ██║██╔══██╗██╔══██╗██║ ██║ ██╔══██║██║
╚██████╔╝██║ ██║██████╔╝██║ ██║ ██║ ██║███████╗
╚═════╝ ╚═╝ ╚═╝╚═════╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝╚══════╝
passive subdomain-takeover scanner
Find subdomain takeovers without sending a single packet to the target.
orbital is a passive subdomain-takeover scanner. It pulls subdomains for a target from public certificate-transparency logs, resolves each via DNS, and flags any CNAME pointing at a dead third-party service — orphan S3 buckets, GitHub Pages projects that 404, retired Heroku apps, dangling Azure endpoints.
The whole tool is read-only: one DNS lookup and one HTTP GET per candidate. No probing, no fuzzing, no auth attempts. Safe to run against any apex domain you have a legitimate reason to assess.
$ orbital example.com --limit 50
[orbital] example.com: 2 candidate(s) found
▸ dead.example.com
CNAME : example.s3.us-west-2.amazonaws.com
service : AWS S3
status : 404
matched : "NoSuchBucket"
notes : Orphan S3 bucket — registerable by anyone.
▸ old-blog.example.com
CNAME : example-blog.herokuapp.com
service : Heroku
status : 404
matched : "No such app"
[!] Candidates are not confirmed takeovers. Verify manually before reporting.
Active takeover scanners hammer targets with hundreds of requests. orbital doesn't need to — every signal it relies on comes from public data: crt.sh certificate logs, public DNS, and the literal error page the abandoned service returns.
If your asset inventory has stale CNAMEs, orbital finds them faster than your blue team can.
pip install -r requirements.txtorbital example.com
orbital example.com --limit 500 --concurrency 20 --jsonCurrently fingerprinted for takeover candidates on:
- AWS S3 (
NoSuchBucket) - GitHub Pages (
There isn't a GitHub Pages site here) - Heroku (
No such app) - Bitbucket (
Repository not found) - Fastly (
Fastly error: unknown domain) - Pantheon (
The gods are wise) - Tumblr (
Whatever you were looking for doesn't currently exist) - Shopify (
Sorry, this shop is currently unavailable) - Cargo Collective (
The page you were looking for does not exist) - Ghost (
The thing you were looking for is no longer here) - Unbounce, Webflow, Surge.sh, Help Scout, Tilda
Adding a fingerprint is one entry in src/orbital/fingerprints.py.
Default: a human-readable summary printed to stdout. Use --json for machine-readable output suitable for piping into your inventory pipeline.
- A fingerprint match is a candidate, not a confirmed takeover. Always verify manually before declaring an issue.
- crt.sh is occasionally slow or unavailable. The scanner falls through gracefully and reports what it could collect.
- pentern — Autonomous code-writing recon agent
- brief — Daily CVE/advisory digest agent
- secmcp — MCP server for passive security tools
- vibe-init — One-command scaffolder for AI-coder configs
- agentlint — Linter for AI-agent config files
MIT. See LICENSE.