Based on @haccer's subjack script for subdomain takeover recon.
Requires Go.
go get github.com/jakejarvis/subtake
-f to-check.txtis the path to your list of subdomains to check. One subdomain per line. Required.-tis the number of threads to use. (Default: 10)-timeoutis the number seconds to wait before timing out a check (Default: 10).-o results.txtis a filename to output results to. If the file ends with.json, subtake will automatically switch to JSON format.-venables verbose mode. Displays all checks including not vulnerable URLs.-cPath to file containing JSON fingerprint configuration. (Default:./fingerprints.json)-sslenforces HTTPS requests which may return a different set of results and increase accuracy.
sonar.sh can be used first to gather a list of CNAMEs collected by Rapid7/scan.io's Project Sonar. This list can then be passed into subtake to return subdomains not in use. sonar.sh is based off of scanio.sh.
fingerprints.json can be modified to add or remove hosted platforms to probe for. Many obscure platforms are included, and removing fingerprints for services that are uninteresting to you can speed up the scan.
If you plan on using a high number of threads to speed the process up, you may need to temporarily raise the ulimit of your shell:
ulimit -a # show current limit (usually 1024)
ulimit -n 10000 # set waaaaay higher
ulimit -a # check new limit
After generating a list of all vulnerable subdomains, you can use my collection of domains invoked in bug bounty programs to narrow down valuable targets and possibly get some ca$h monie$$$.
./sonar.sh 2018-10-27-1540655191 sonar_all_cnames.txt
subtake -f sonar_all_cnames.txt -t 50 -ssl -a -o vulnerable.txt
- A great explanation of the risks of takeovers and steps to responsibly disclose takeovers to companies: https://0xpatrik.com/subdomain-takeover/
- A comprehensive list of what services are vulnerable (and the basis of
fingerprints.json), and how to proceed once finding them: https://github.com/EdOverflow/can-i-take-over-xyz
- Acquia
- Airee.ru
Amazon CloudFront(no longer vulnerable?)- Anima
- Apigee
- AWS/S3
- Big Cartel
- Bitbucket
- Brightcove
- Campaign Monitor
- Canny.io
- Cargo Collective
- Fastly
- Feedpress
- Fly.io
- Frontify
- Ghost
- GitHub
- HatenaBlog
- Helprace
- Help Juice
- Help Scout
- Heroku
- Intercom
- JetBrains
- Kinsta
- LaunchRock
- Landingi
- Mashery
- MaxCDN
- Microsoft Azure
- Ngrok
- Pantheon
- Readme.io
- Shopify
- SmartJobBoard
- Smugmug
- Statuspage
- Strikingly
- Surge.sh
- Tumblr
- Tilda
- Unbounce
- Uptimerobot
- UserVoice
- Webflow
- WordPress
- Zendesk
- Add a check for NS subdomains (https://0xpatrik.com/subdomain-takeover-ns/)
- Add Digital Ocean to the list