dnscheck is a tool that reads a list of domains from a file and checks them for the following issues:
- CNAME records pointing to an unclaimed resource (e.g. S3 bucket, GitHub pages, Azure CloudApp, etc.)
- CNAME records pointing to an unregistered domain
- Zone delegations pointing to an unclaimed zone
Detection of CNAMEs pointing to unclaimed resources is based on the information available in can-i-takeover-xyz.
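As an added illustration of the first two checks (this is not dnscheck's own code), the Go sketch below classifies a domain the way the example output further down labels its findings (dangling_cname_record via cname_nxdomain, and unregistered_domain via soa_check). The Resolver interface, the fakeDNS records and the single fingerprint are constructed stand-ins so it runs offline.

```go
package main

import "strings"

// Resolver abstracts the two lookups the checks need (hypothetical interface, not dnscheck's API).
type Resolver interface {
	CNAME(name string) (target string, nxdomain bool) // target is "" when no CNAME exists
	HasSOA(zone string) bool                         // a registered zone answers for SOA
}
// Fingerprint ties a CNAME suffix to a takeover-prone service; Finding mirrors dnscheck's output fields.
type Fingerprint struct{ Service, Suffix string }
type Finding struct{ Domain, Target, Type, Method, Service string }
// Classify applies both CNAME checks to one domain (NXDOMAIN method only; HTTP body patterns are left out).
func Classify(domain string, r Resolver, fps []Fingerprint) (Finding, bool) {
	target, nx := r.CNAME(domain)
	if target == "" || !nx {
		return Finding{}, false // no CNAME, or its target still resolves: nothing to report
	}
	f := Finding{Domain: domain, Target: target}
	for _, fp := range fps { // 1. dead target on a known service: the resource can be claimed
		if strings.HasSuffix(target, fp.Suffix) {
			f.Type, f.Method, f.Service = "dangling_cname_record", "cname_nxdomain", fp.Service
			return f, true
		}
	}
	if !r.HasSOA(registrable(target)) { // 2. dead target whose whole zone is unregistered
		f.Type, f.Method, f.Service = "unregistered_domain", "soa_check", "n/a"
		return f, true
	}
	return Finding{}, false // dead host on a registered zone: not claimable via DNS alone
}
func registrable(name string) string { // last two labels; a real tool should use the public suffix list
	l := strings.Split(strings.TrimSuffix(name, "."), ".")
	if len(l) > 2 {
		l = l[len(l)-2:]
	}
	return strings.Join(l, ".")
}
// fakeDNS serves constructed records offline: CNAME targets plus the set of names that resolve.
type fakeDNS struct{ cnames map[string]string; live map[string]bool }
func (d fakeDNS) CNAME(n string) (string, bool) { t := d.cnames[n]; return t, !d.live[t] }
func (d fakeDNS) HasSOA(z string) bool            { return d.live[z] }
var demo = fakeDNS{
	cnames: map[string]string{
		"vuln-beanstalk.example.test":    "gone-env.us-east-1.elasticbeanstalk.com",
		"vuln-unregistered.example.test": "www.never-registered-zone.example",
		"ok.example.test":                "live-env.us-east-1.elasticbeanstalk.com",
	},
	live: map[string]bool{"live-env.us-east-1.elasticbeanstalk.com": true, "elasticbeanstalk.com": true},
}
var demoFingerprints = []Fingerprint{{"AWS/Elastic Beanstalk", ".elasticbeanstalk.com"}}
```

The ordering matters: a dead target on a fingerprinted service is reported as that service, and only a dead target whose registrable zone has no SOA falls through to the unregistered_domain finding, so a deleted host on a still-registered third-party zone is not reported.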
Yes! Because:
- I wanted to understand these vulnerabilities better, and what's better for that than writing a tool to detect them?
- I couldn't find a tool that I liked enough and that would check both dangling CNAMEs and zone takeovers. (which doesn't mean such a tool doesn't exist!)
If you like this tool, use it (I'll be happy if you do), if you want to improve it, please open an issue, or even better, submit a PR, and if you don't like it, a list of alternatives is provided below.
Clone the repository and build the application:
git clone https://github.com/mdeous/dnscheck
cd dnscheck
make
You can then use the dnscheck binary that has been generated in the repository folder.
or
Install the application directly with Go:
go install github.com/mdeous/dnscheck@latest
You should then have dnscheck available in your PATH (assuming you have a properly configured Go environment).
Pre-built binaries for the most common architectures can be downloaded from the project's latest release page. After downloading it, simply make the file executable and run it as described below.
Domains to be checked can be provided either in bulk via a file passed to the -D/--domains-file argument, or as a single domain passed to the -d/--domain argument. For more control over the scan behavior, please refer to the other arguments as described below.
Help:
❯ ./dnscheck -h
Subdomain takeover assessment tool
Usage:
dnscheck [flags]
dnscheck [command]
Available Commands:
completion Generate the autocompletion script for the specified shell
help Help about any command
version Show program version
Flags:
-d, --domain string single domain to check
-D, --domains-file string file containing domains to check (default "domains.txt")
-e, --edge-cases include edge-case fingerprints (might cause false positives)
-f, --fingerprints string custom service fingerprints file
-h, --help help for dnscheck
-o, --output string file to write findings to
-s, --summary show summary at the end of the scan
-t, --timeout uint timeout for HTTP requests (default 10)
-v, --verbose increase application verbosity
-w, --workers int amount of concurrent workers (default 10)
Use "dnscheck [command] --help" for more information about a command.
Example output:
❯ ./dnscheck -D domains.txt -e
2023/07/31 22:43:01 - INFO - Multi domains mode (domains.txt)
2023/07/31 22:43:01 - INFO - Edge-case rules enabled
2023/07/31 22:43:01 - INFO - Checking vuln-beanstalk.something.io
2023/07/31 22:43:01 - INFO - Checking vuln-airee.something.io
2023/07/31 22:43:01 - INFO - Checking vuln-s3.something.io
2023/07/31 22:43:01 - INFO - Checking vuln-unregistered.something.io
2023/07/31 22:43:01 - INFO - Checking vuln-smartjobboard.something.io
2023/07/31 22:43:01 - INFO - Checking vuln-createsend.something.io
2023/07/31 22:43:01 - VULNERABLE DOMAIN - [service: AWS/Elastic Beanstalk] vuln-beanstalk.something.io -> dkfjbgdf.us-east-1.elasticbeanstalk.com [type=dangling_cname_record method=cname_nxdomain] (confidence: high)
2023/07/31 22:43:01 - VULNERABLE DOMAIN - [service: SmartJobBoard] vuln-smartjobboard.something.io -> 52.16.160.97 [type=dangling_cname_record method=a_body_pattern] (confidence: high)
2023/07/31 22:43:01 - VULNERABLE DOMAIN - [service: n/a] vuln-unregistered.something.io -> fhjxbgisfubvgbgfusf.io [type=unregistered_domain method=soa_check] (confidence: unknown)
2023/07/31 22:43:02 - VULNERABLE DOMAIN - [service: Campaign Monitor] vuln-createsend.something.io -> 13.52.43.40,54.183.0.47,13.52.43.40,54.183.0.47,54.183.0.47,13.52.43.40 [type=dangling_cname_record method=body_pattern] (confidence: medium)
2023/07/31 22:43:02 - VULNERABLE DOMAIN - [service: Airee.ru] vuln-airee.something.io -> mdeous.airee.ru [type=dangling_cname_record method=cname_body_pattern] (confidence: high)
2023/07/31 22:43:04 - VULNERABLE DOMAIN - [service: AWS/S3] vuln-s3.something.io -> skhjfgbidkfgbisdkfghb.s3.amazonaws.com [type=dangling_cname_record method=cname_body_pattern] (confidence: high)
2023/07/31 22:43:04 - INFO - Scan complete
This project is licensed under the terms of the MIT License.