Skip to content
Takeover script extracts CNAME record of all subdomains at once. TakeOver saves researcher time and increase the chance of finding subdomain takeover vulnerability.
Branch: master
Clone or download
Latest commit 652470e Oct 10, 2018
Type Name Latest commit message Commit time
Failed to load latest commit information.
53D457E2-57EC-4217-89EA-9A6DA84E1ACE.png Add files via upload Oct 5, 2018
LICENSE Initial commit Oct 5, 2018 Update Oct 10, 2018 Create Oct 5, 2018


What is Subdomain Takeover?

Subdomain takeover is a class of vulnerability where subdomain points to an external service that has been deleted. The external services are Github, Heroku, Gitlab, Tumblr and so on. Let’s assume we have a subdomain that points to an external service such as GitHub. If the Github page is removed by its owner and forgot to remove the DNS entry that points to GitHub service. An attacker can simply takeover subdomain by adding CNAME file containing the

Here is the command that checks CNAME record of a subdomain.

$dig CNAME -->

How Can Takeover script help bug bounty hunters?

There are a lot of sites having thousands of subdomain and it’s really hard to check each subdomain. Here we got a script that shows CNAME record for each domain. It takes a file name as an input and perform some action and finally produce it output, which shows CNAME record for each domain. The input file should contain a list of subdomains.

How can I recognise if the subdomain is vulnerable to subdomain takeover?

There are some fingerprints should be analysed when service is deleted and DNS entry remains as it is. The attacker get this error when visiting vulnerable subdomain such as “There isn’t a Github Pages site here.” or view below image for more detail.

Alt text

Security researcher @edoverflow has listed all services and their fingerprints. For more detail visit



You can’t perform that action at this time.