izzetemredemir/subdomain-takeover


Subdomain Takeover Automation

I made a simple subdomain takeover bot and ran it for one month. It sent many notifications during that month, but all of them were invalid. It can still be improved and made really functional.
In summary, I built a bot that searches for subdomain takeover vulnerabilities on all websites that are in bug bounty programs.
I wrote a crontab entry that runs it every 6 hours, and it sends the domains it finds to a Telegram channel.

Subdomain Takeover

What is Subdomain Takeover?

A subdomain takeover occurs when an attacker gains control over a subdomain of a target domain. Put simply, it means taking over a forgotten subdomain whose DNS record was never cleaned up.

Subdomain Takeover: Basic

Subdomain Takeover Steps

  1. Find Target Domains
  2. Find All Subdomains (Subdomain Enumeration)
  3. Check each subdomain for takeover

1. Find Target Domains

We need a list of all the target domains from all the public bug bounty programs.
The bounty-targets-data repo provides exactly this data.

2. Subdomain Enumeration

Subdomain enumeration is a deep and multi-layered field.
Since the process takes a long time, tools written in Go work more efficiently than those written in Python, so I used the subfinder subdomain enumeration tool.

"Fast passive subdomain enumeration tool."

3. Subdomain Takeover

I used subjack for the subdomain takeover check. I use Subjack instead of SubOver because Subjack is more up to date.
It still reports fingerprints for services that can no longer be taken over, so its results need to be filtered.

"Subjack is a Subdomain Takeover tool written in Go designed to scan a list of subdomains concurrently and identify ones that are able to be hijacked."

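To show what a fingerprint-based check like subjack's actually decides, here is an added example written for this page (it is not subjack's code). It keeps the shape of subjack's fingerprints.json entries (service, cname, fingerprint, nxdomain) but the rules, the zone records and the HTTP bodies are all constructed, and DNS and HTTP lookups are injected as callables so it runs offline. Pointed at your own zone it flags records whose CNAME target no longer resolves, or whose response carries an unclaimed-resource banner; the rule list is the part that goes stale, which is exactly why subjack's output needs filtering.

```python
"""Fingerprint-style dangling-subdomain check (added example, not subjack's code).

Rules mirror the fields of subjack's fingerprints.json entries. DNS and HTTP
lookups are passed in as callables so the logic runs offline on constructed data.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class Rule:
    service: str
    cname: list          # CNAME suffixes that identify the hosting service
    fingerprint: str     # text the service returns for an unclaimed resource
    nxdomain: bool       # True when the tell is that the CNAME target no longer resolves


# Constructed rules for illustration only; real ones live in subjack's fingerprints.json.
RULES = [
    Rule("github", ["github.io"], "There isn't a GitHub Pages site here.", False),
    Rule("fastly", ["fastly.net"], "Fastly error: unknown domain", False),
    Rule("elasticbeanstalk", ["elasticbeanstalk.com"], "", True),
]


def match_rule(cname_target: str, rules: Iterable[Rule]) -> Optional[Rule]:
    """Pick the rule whose CNAME suffix matches the record's target, if any."""
    host = cname_target.rstrip(".").lower()
    for rule in rules:
        if any(host == s or host.endswith("." + s) for s in rule.cname):
            return rule
    return None


def check_subdomain(name, cname_lookup, resolves, fetch_body, rules=RULES):
    """Return (service, reason) when `name` looks dangling, else None."""
    target = cname_lookup(name)
    if target is None:
        return None                      # no CNAME: outside the scope of this check
    rule = match_rule(target, rules)
    if rule is None:
        return None                      # CNAME points at a host we have no rule for
    if rule.nxdomain:
        if not resolves(target):
            return (rule.service, f"CNAME {target} does not resolve")
        return None
    body = fetch_body(name)
    if body is not None and rule.fingerprint in body:
        return (rule.service, "unclaimed-resource fingerprint in response")
    return None


def scan(names, cname_lookup, resolves, fetch_body, rules=RULES):
    """Map each dangling subdomain to its (service, reason) tuple."""
    findings = {}
    for n in names:
        hit = check_subdomain(n, cname_lookup, resolves, fetch_body, rules)
        if hit:
            findings[n] = hit
    return findings


# Constructed sample zone and responses (no network involved).
SAMPLE_CNAMES = {
    "docs.example.com": "example-docs.github.io.",
    "cdn.example.com": "something.global.prod.fastly.net.",
    "app.example.com": "old-env.us-east-1.elasticbeanstalk.com.",
    "blog.example.com": "blog-host.legit-managed.net.",
}
SAMPLE_RESOLVES = {"old-env.us-east-1.elasticbeanstalk.com.": False}
SAMPLE_BODIES = {
    "docs.example.com": "<h1>404</h1> There isn't a GitHub Pages site here.",
    "cdn.example.com": "<html>Welcome to our CDN</html>",   # claimed, not dangling
}


def sample_scan():
    """Run the check over the constructed zone; callables stand in for DNS/HTTP."""
    return scan(
        SAMPLE_CNAMES,
        cname_lookup=SAMPLE_CNAMES.get,
        resolves=lambda t: SAMPLE_RESOLVES.get(t, True),
        fetch_body=SAMPLE_BODIES.get,
    )


if __name__ == "__main__":
    for host, (service, reason) in sample_scan().items():
        print(f"[{service.upper()}] {host}: {reason}")
```

In real use `cname_lookup`, `resolves` and `fetch_body` would wrap a DNS resolver and an HTTP client; the decision logic stays the same. Note that `cdn.example.com` matches the fastly rule but is not reported because the response lacks the fingerprint, which is the distinction a stale rule list gets wrong.
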
test.sh

#!/usr/bin/env bash
# Run from cron every 6 hours: refresh bounty-targets-data, enumerate the
# subdomains of every in-scope wildcard, then run subjack over all of them.

rm -f /home/ubuntu/results.txt
cd ~/subdomain_takeover/bounty-targets-data/ || exit 1
git pull
cd ~/subdomain_takeover || exit 1
cp ~/subdomain_takeover/bounty-targets-data/data/wildcards.txt ./
# You can add extra domains to your target list (appended to the local copy,
# not to the git checkout, so the next git pull keeps working)
echo "*.example.com" >> ./wildcards.txt
# "*.example.com" -> "example.com"; drop entries that still contain a wildcard
sed 's/^\*\.//' wildcards.txt | grep -v '\*' > wildcards_without_stars.txt
# Old enumeration output from programs that have since left scope must not be rescanned
rm -f ./*_subfinder.out
while read -r host; do
   file="${host}_subfinder.out"
   ~/go/bin/subfinder -t 100 -o "$file" -d "$host"
done < ./wildcards_without_stars.txt
cat ./*.out > all_subdomains.lst
~/go/bin/subjack -c /home/ubuntu/src/github.com/haccer/subjack/fingerprints.json -w ./all_subdomains.lst -t 300 -timeout 5 -o /home/ubuntu/results.txt
python3 /home/ubuntu/main.py

main.py (telegram bot)

import datetime
import os
from os import fdopen, remove
from shutil import copymode, move
from tempfile import mkstemp

import telebot

RESULTS = "/home/ubuntu/results.txt"

# Subjack still flags these services although they can no longer be taken
# over, so their result lines are dropped before anything is sent.
IGNORED_TAGS = ["[SHOPIFY]", "[FASTLY]", "[TUMBLR]"]


def replace(file_path):
    """Rewrite file_path in place without the lines that carry an ignored tag."""
    # Create temp file
    fh, abs_path = mkstemp()
    with fdopen(fh, "w") as new_file:
        with open(file_path) as old_file:
            for line in old_file:
                if not any(tag in line for tag in IGNORED_TAGS):
                    new_file.write(line)
    copymode(file_path, abs_path)
    # Remove original file
    remove(file_path)
    # Move new file into place
    move(abs_path, file_path)


def tele():
    """Send the filtered results file to the Telegram channel, captioned with the run time."""
    now = datetime.datetime.now().strftime("%m/%d/%Y, %H:%M")
    token = "YOUR-BOT-TOKEN"
    bot = telebot.TeleBot(token)
    with open(RESULTS, "rb") as results_file:
        bot.send_document("YOUR-CHAT-ID", results_file, caption=now)


if __name__ == "__main__":
    # results.txt may be absent when the scan produced nothing to report
    if os.path.exists(RESULTS):
        replace(RESULTS)
        if os.stat(RESULTS).st_size > 0:
            tele()
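
One improvement the bot could use, shown here as an added example (this is not the repository's main.py): remember what has already been sent so each 6-hour run reports only new findings instead of the same hosts again. It assumes subjack's "[SERVICE] host" result line shape, which is what main.py's tag filter already relies on, keeps a small JSON state file of reported hosts, and applies the same ignore list as main.py; the sample results are constructed.

```python
"""Post-process subjack results so the bot only reports new findings.

Added example, not part of the repository. Assumes subjack's "[SERVICE] host"
output lines (the shape main.py's [SHOPIFY]/[FASTLY] filter matches on) and
keeps a JSON state file so repeated runs do not re-notify the same hosts.
"""
import json
import os
import re

# Services whose fingerprints subjack still reports but which can no longer be
# claimed; same idea as the tag list in main.py.
IGNORED_SERVICES = {"SHOPIFY", "FASTLY", "TUMBLR"}

LINE_RE = re.compile(r"^\[(?P<service>[^\]]+)\]\s+(?P<host>\S+)\s*$")


def parse_results(text):
    """Return {host: SERVICE} for well-formed lines, skipping ignored services."""
    findings = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        service = m.group("service").upper()
        host = m.group("host").lower()
        if service in IGNORED_SERVICES:
            continue
        findings[host] = service
    return findings


def load_state(path):
    """Previously reported {host: SERVICE}; empty on the first run."""
    if not os.path.exists(path):
        return {}
    with open(path) as f:
        return json.load(f)


def save_state(path, state):
    """Write the state atomically so a crash mid-write cannot corrupt it."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        json.dump(state, f, indent=2, sort_keys=True)
    os.replace(tmp, path)


def new_findings(current, previous):
    """Findings not yet reported: new host, or a known host flagged for a new service."""
    return {h: s for h, s in current.items() if previous.get(h) != s}


def format_report(findings):
    """Render findings back into subjack's line shape for the notification."""
    return "\n".join(f"[{s}] {h}" for h, s in sorted(findings.items()))


def process(results_text, state_path):
    """Parse, diff against the state file, persist, and return what is worth sending."""
    current = parse_results(results_text)
    previous = load_state(state_path)
    fresh = new_findings(current, previous)
    previous.update(current)
    save_state(state_path, previous)
    return fresh


# Constructed sample output in subjack's "[SERVICE] host" shape.
SAMPLE_RESULTS = """\
[GITHUB] docs.example.com
[SHOPIFY] shop.example.com
[HEROKU] old-app.example.com
not a result line
"""


def demo_runs():
    """Run process() twice against a fresh state file; the second run reports nothing."""
    import tempfile
    state = os.path.join(tempfile.mkdtemp(), "reported.json")
    first = process(SAMPLE_RESULTS, state)
    second = process(SAMPLE_RESULTS, state)
    return first, second


if __name__ == "__main__":
    first, second = demo_runs()
    print("first run:\n" + format_report(first))
    print("second run:\n" + format_report(second))
```

Wiring this into the existing flow means calling `process()` on results.txt and sending `format_report()` of the return value instead of the whole file; a host that subjack stops reporting stays in the state file, so if it reappears later it is also not re-sent unless the service changes.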

Crontab Command (Runs every 6 hours)

0 */6 * * *  /home/ubuntu/test.sh

You can check this list to see which services are currently vulnerable.

References

Main inspiration: How To Setup an Automated Sub-domain Takeover Scanner for All Bug Bounty Programs in 5 Minutes
The best source on the topic: Patrik Hudak