Latest commit 690ea0f Jul 29, 2018
subjack


Subjack is a Hostile Subdomain Takeover tool written in Go. It scans a list of subdomains concurrently and identifies those that can be hijacked. With Go's speed and efficiency, this tool really stands out when it comes to mass-testing. Always double check the results manually to rule out false positives.

New: Subjack also checks for subdomains that point at domains which do not exist (NXDOMAIN) and are available to register. No need for dig ever again! This is still cross-compatible too.

Installing

Requires Go

go get github.com/haccer/subjack

How To Use:

Examples:

  • ./subjack -w subdomains.txt -t 100 -timeout 30 -o results.txt -ssl

Options:

  • -w domains.txt is your list of subdomains.
  • -t is the number of threads (Default: 10 threads).
  • -timeout is the number of seconds to wait before a connection times out (Default: 10 seconds).
  • -o results.txt is where to save the results.
  • -ssl enforces HTTPS requests, which may return a different set of results and increase accuracy.
  • -a skips the CNAME check and sends requests to every URL. (Recommended)
  • -v verbose. Displays more information per request.

Currently checks for:

Acquia Cloud Site Factory, ActiveCampaign, AfterShip, Aha!, Amazon S3 Bucket, Amazon Cloudfront, Big Cartel, Bitbucket, Brightcove, Campaign Monitor, Cargo Collective, Desk, Fastly, FeedPress, GetResponse, Ghost, Github, Helpjuice, Help Scout, Heroku, Intercom, JetBrains, Kajabi, MailerLite, Microsoft Azure, Pantheon.io, Proposify, Shopify, simplebooklet, StatusPage, Surge, Táve, Teamwork, Thinkific, Tictail, Tumblr, UserVoice, Vend Ecommerce, Webflow, Wishpond, WordPress, Zendesk

Practical Use

You can use scanio.sh, a proof-of-concept script, to mass-locate vulnerable subdomains using results from Rapid7's Project Sonar. The script parses and greps through the dump for the desired CNAME records and builds a large list of subdomains for subjack to check for Hostile Subdomain Takeover. Of course this isn't the only way to get a large amount of data to test. Please use this responsibly ;)

Adding subjack to your workflow

package main

import (
	"fmt"
	"strings"

	"github.com/haccer/subjack/subjack"
)

func main() {
	subdomain := "dead.cody.su"

	// Use subjack's advanced detection to identify whether the subdomain can be
	// taken over. The arguments mirror the CLI: the subdomain, whether to force
	// HTTPS (the -ssl option) and the request timeout in seconds (the -timeout
	// option). Identify returns the matched service name, or "" if none matched.
	service := subjack.Identify(subdomain, false, 10)

	if service != "" {
		service = strings.ToLower(service)
		fmt.Printf("%s is pointing to a vulnerable %s service.\n", subdomain, service)
	}
}

See the godoc for more functions.
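The NXDOMAIN check mentioned above is the part of this workflow worth seeing on its own: a subdomain whose CNAME target no longer resolves is a dangling record that the zone owner should remove. The following is an added example, not subjack's own code, that performs that check over a wordlist. It assumes Go's net.LookupCNAME semantics for live lookups (pass Lookup(net.LookupCNAME) instead of the constructed Zone data; with Go's cgo resolver a dangling name may itself report not-found, which GODEBUG=netdns=go avoids), and the zone entries, hostnames and the Zone helper are constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// Lookup has net.LookupCNAME semantics: the canonical name (the host itself when
// there is no CNAME), or a *net.DNSError with IsNotFound set on NXDOMAIN.
type Lookup func(host string) (string, error)

// nxdomain reports whether the resolver said the name does not exist.
func nxdomain(err error) bool { var de *net.DNSError; return errors.As(err, &de) && de.IsNotFound }

// DanglingCNAMEs maps each subdomain whose CNAME target is NXDOMAIN to that
// target: the records to delete or re-point before the target gets registered.
func DanglingCNAMEs(lookup Lookup, subs []string) (map[string]string, error) {
	out := map[string]string{}
	for _, s := range subs {
		t, err := lookup(s)
		if nxdomain(err) {
			continue // the subdomain itself is gone: nothing points anywhere
		} else if err != nil {
			return nil, fmt.Errorf("%s: %w", s, err)
		}
		if t = strings.TrimSuffix(t, "."); t == "" || strings.EqualFold(t, s) {
			continue // plain A/AAAA record, no CNAME: not this class of bug
		}
		if _, err = lookup(t); nxdomain(err) {
			out[s] = t // CNAME target does not resolve: dangling record
		} else if err != nil {
			return nil, fmt.Errorf("%s: %w", t, err)
		}
	}
	return out, nil
}

// Zone is constructed zone data with Lookup semantics for offline runs: names
// absent from records are NXDOMAIN, names without a CNAME map to themselves.
func Zone(records map[string]string) Lookup {
	return func(h string) (string, error) {
		if c, ok := records[h]; ok { return c, nil }
		return "", &net.DNSError{Err: "no such host", Name: h, IsNotFound: true}
	}
}

func main() {
	// Constructed sample: cdn.cody.su still points at a host that no longer exists.
	z := Zone(map[string]string{"cdn.cody.su": "gone-bucket.example.net.", "www.cody.su": "cody.su.", "cody.su": "cody.su."})
	d, _ := DanglingCNAMEs(z, []string{"cdn.cody.su", "www.cody.su", "dev.cody.su"})
	fmt.Println(d) // map[cdn.cody.su:gone-bucket.example.net]
}
```

Feed the flagged records back to whoever owns the zone; as the README says, confirm each one manually before acting on it.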

FAQ

Q: What should my wordlist look like?

A: Your wordlist should include a list of subdomains you're checking and should look something like:

assets.cody.su
assets.github.com
b.cody.su
big.example.com
cdn.cody.su
dev.cody.su
dev2.twitter.com

References

Extra information about Hostile Subdomain Takeovers:

Contact

Shout me out on Twitter: @now