Subdomain takeover assessment tool.

mdeous/dnscheck

dnscheck

Introduction

dnscheck is a tool that reads a list of domains from a file and checks them for the following issues:

  • CNAME records pointing to an unclaimed resource (e.g. S3 bucket, GitHub pages, Azure CloudApp, etc.)
  • CNAME records pointing to an unregistered domain
  • Zone delegations pointing to an unclaimed zone

Detection of CNAMEs pointing to unclaimed resources is based on the service fingerprints documented in can-i-take-over-xyz.

Yet another DNS takeover tool?

Yes! Because:

  1. I wanted to understand these vulnerabilities better, and what's better for that than writing a tool to detect them?
  2. I couldn't find a tool that I liked enough and that would check both dangling CNAMEs and zone takeovers (which doesn't mean such a tool doesn't exist!).

If you like this tool, use it (I'll be happy if you do). If you want to improve it, please open an issue or, even better, submit a PR. If you don't like it, a list of alternatives is provided below.

Usage

Installation

From sources

Clone the repository and build the application:

git clone https://github.com/mdeous/dnscheck
cd dnscheck
make

You can then use the dnscheck binary that has been generated in the repository folder.

or

Install the application directly with Go:

go install github.com/mdeous/dnscheck@latest

You should then have dnscheck available in your PATH (assuming you have a properly configured Go environment).

Pre-built binaries

Pre-built binaries for the most common architectures can be downloaded from the project's latest release page. After downloading one, simply make the file executable and run it as described below.

Checking domains for vulnerabilities

Domains to be checked can be provided either in bulk via a file passed to the -D/--domains-file argument, or as a single domain passed to the -d/--domain argument. For more control over the scan behavior, please refer to the other arguments described below.

Help:

❯ ./dnscheck -h
Subdomain takeover assessment tool

Usage:
  dnscheck [flags]
  dnscheck [command]

Available Commands:
  completion  Generate the autocompletion script for the specified shell
  help        Help about any command
  version     Show program version

Flags:
  -d, --domain string         single domain to check
  -D, --domains-file string   file containing domains to check (default "domains.txt")
  -e, --edge-cases            include edge-case fingerprints (might cause false positives)
  -f, --fingerprints string   custom service fingerprints file
  -h, --help                  help for dnscheck
  -o, --output string         file to write findings to
  -s, --summary               show summary at the end of the scan
  -t, --timeout uint          timeout for HTTP requests (default 10)
  -v, --verbose               increase application verbosity
  -w, --workers int           amount of concurrent workers (default 10)

Use "dnscheck [command] --help" for more information about a command.

Example output:

❯ ./dnscheck -D domains.txt -e
2023/07/31 22:43:01 - INFO - Multi domains mode (domains.txt)
2023/07/31 22:43:01 - INFO - Edge-case rules enabled
2023/07/31 22:43:01 - INFO - Checking vuln-beanstalk.something.io
2023/07/31 22:43:01 - INFO - Checking vuln-airee.something.io
2023/07/31 22:43:01 - INFO - Checking vuln-s3.something.io
2023/07/31 22:43:01 - INFO - Checking vuln-unregistered.something.io
2023/07/31 22:43:01 - INFO - Checking vuln-smartjobboard.something.io
2023/07/31 22:43:01 - INFO - Checking vuln-createsend.something.io
2023/07/31 22:43:01 - VULNERABLE DOMAIN - [service: AWS/Elastic Beanstalk] vuln-beanstalk.something.io -> dkfjbgdf.us-east-1.elasticbeanstalk.com [type=dangling_cname_record method=cname_nxdomain] (confidence: high)
2023/07/31 22:43:01 - VULNERABLE DOMAIN - [service: SmartJobBoard] vuln-smartjobboard.something.io -> 52.16.160.97 [type=dangling_cname_record method=a_body_pattern] (confidence: high)
2023/07/31 22:43:01 - VULNERABLE DOMAIN - [service: n/a] vuln-unregistered.something.io -> fhjxbgisfubvgbgfusf.io [type=unregistered_domain method=soa_check] (confidence: unknown)
2023/07/31 22:43:02 - VULNERABLE DOMAIN - [service: Campaign Monitor] vuln-createsend.something.io -> 13.52.43.40,54.183.0.47,13.52.43.40,54.183.0.47,54.183.0.47,13.52.43.40 [type=dangling_cname_record method=body_pattern] (confidence: medium)
2023/07/31 22:43:02 - VULNERABLE DOMAIN - [service: Airee.ru] vuln-airee.something.io -> mdeous.airee.ru [type=dangling_cname_record method=cname_body_pattern] (confidence: high)
2023/07/31 22:43:04 - VULNERABLE DOMAIN - [service: AWS/S3] vuln-s3.something.io -> skhjfgbidkfgbisdkfghb.s3.amazonaws.com [type=dangling_cname_record method=cname_body_pattern] (confidence: high)
2023/07/31 22:43:04 - INFO - Scan complete
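A reduced model of the CNAME checks listed in the Introduction, added here as an illustration and not dnscheck's own code: it reproduces the three outcomes and the type/method/confidence labels that appear in the example output above (unregistered_domain/soa_check, dangling_cname_record/cname_nxdomain, dangling_cname_record/cname_body_pattern). The Resolver, Fingerprint and CheckDomain names, the decision order, the fingerprint data and the example.test domains are assumptions; zone-delegation checks and the a_body_pattern/body_pattern methods are not modelled. Running the checks on your own zones is the intended use: a finding means a DNS record should be removed or the target resource reclaimed.

```go
package main

import (
	"fmt"
	"strings"
)

// Resolver holds the lookups the checker needs as function fields so the logic
// runs offline; a real tool would wrap net.LookupCNAME and an SOA query.
type Resolver struct {
	CNAME  func(name string) (target string, ok bool) // ok false: no CNAME record
	Exists func(name string) bool                     // false: NXDOMAIN
	HasSOA func(target string) bool                   // false: target zone unregistered
}

// Fingerprint: how an unclaimed resource of one service shows up (assumed layout).
// An empty BodyPattern means the CNAME target is NXDOMAIN while unclaimed.
type Fingerprint struct{ Service, CNAMEFilter, BodyPattern string }

type Finding struct{ Domain, Target, Service, Type, Method, Confidence string }

// CheckDomain follows the decision order visible in dnscheck's output:
// unregistered target zone (soa_check) first, then per-service fingerprints.
func CheckDomain(d string, r Resolver, body func(string) string, fps []Fingerprint) *Finding {
	t, ok := r.CNAME(d)
	if !ok {
		return nil // no CNAME: nothing dangling via this check
	}
	if !r.HasSOA(t) {
		return &Finding{d, t, "n/a", "unregistered_domain", "soa_check", "unknown"}
	}
	for _, fp := range fps {
		if !strings.Contains(t, fp.CNAMEFilter) {
			continue
		}
		if fp.BodyPattern == "" && !r.Exists(t) {
			return &Finding{d, t, fp.Service, "dangling_cname_record", "cname_nxdomain", "high"}
		}
		if fp.BodyPattern != "" && strings.Contains(body(d), fp.BodyPattern) {
			return &Finding{d, t, fp.Service, "dangling_cname_record", "cname_body_pattern", "high"}
		}
	}
	return nil
}

func main() { // constructed data in place of live DNS/HTTP
	r := Resolver{CNAME: func(n string) (string, bool) { return "x.elasticbeanstalk.com", n == "vuln.example.test" },
		Exists: func(string) bool { return false }, HasSOA: func(string) bool { return true }}
	fmt.Printf("%+v\n", CheckDomain("vuln.example.test", r, func(string) string { return "" }, []Fingerprint{{"AWS/Elastic Beanstalk", "elasticbeanstalk.com", ""}}))
}
```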

Alternatives

License

This project is licensed under the terms of the MIT License.