subjack is a Hostile Subdomain Takeover tool written in Go designed to scan a list of subdomains concurrently and identify ones that are able to be hijacked. With Go's speed and efficiency, this tool really stands out when it comes to mass-testing. Always double check the results manually to rule out false positives.
You need have Go installed. Full details of installation and set up can be found here.
go build subjack.go
./subjack -w domains.txt -t 100 -timeout 30 -o results.txt -https
-w domains.txtis your list of subdomains. I recommend usingcname.sh(included in repository) to sift through your subdomain list for ones that have CNAME records attached and use that list to optimize and speed up testing.-tis the number of threads (Default: 10 threads).-timeoutis the seconds to wait before timeout connection (Default: 10 seconds).-o results.txtwhere to save results to (Optional).-httpsenforces https requests which may return a different set of results and increase accuracy (Optional).-strictsends HTTP requests to every URL (Optional).
Currently checks for:
- Amazon S3 Bucket
- Amazon Cloudfront
- Bitbucket
- Cargo
- Fastly
- FeedPress
- Ghost
- Github
- Helpjuice
- Help Scout
- Heroku
- Mashery
- Pantheon.io
- Shopify
- Surge
- Tumblr
- UserVoice
- WordPress
- WP Engine
You can use scanio.sh which is kind of a PoC script to mass-locate vulnerable subdomains using results from Rapid7's Project Sonar. This script parses and greps through the dump for desired CNAME records and makes a large list of subdomains to check with subjack if they're vulnerable to Hostile Subdomain Takeover. Of course this isn't the only method to get a large amount of data to test. Please use this responsibly ;)
Q: What should my wordlist look like?
A: Your wordlist should include a list of subdomains you're checking and should look something like:
assets.cody.su
assets.github.com
b.cody.su
big.example.com
cdn.cody.su
dev.cody.su
dev2.twitter.com
Q: I ran my scan and nothing happened. What does this mean?
A: In most cases, this means that subjack didn't discover any vulnerable subdomains in your wordlist or your wordlist of is formatted weird.
Shout me out on Twitter: @now