Anti-Takeover is a sub domain monitoring tool for (blue/purple) team / internal security team which uses cloud flare. Currently Anti-Takeover monitors more than a dozen third party services for dangling subdomain pointers.
Anti-Takeover is a subdomain takeover monitoring tool But for Blue team/internal security team who manages DNS config on cloudflare. Currently it has capability to check 15+ external services for possible dangling/takeover issues.
Monitors more than a dozen external service pointed CNAME records for subdomain takeover issues.
Capability to scan either a single cloudflare group or multiples one(single account).
Capability to monitor for newly added sub domains.
Integration with slack for realtime alerts/notification.
Rough high level Overview of the tool is shown below :
Requires Python 3
Runs on both Windows / Linux .
install dependencies :
pip3 install requestsexport CF_APIKEY="yourapikeyhere"Example Config File :
[Properties]
CF_EMAIL = <Your_cloudflare_registered_email> #REQUIRED
CF_MonitorSingleAccount = false #REQUIRED values : false / true ( true : monitors only single CF account. false : monitors every account associated with email ID )
CF_AccountID = <your_cloudflareAccountID> #REQUIRED if CF_MonitorSingleAccount set to true
Monitor_Mode = 1 #REQUIRED ( values : 1 or 2 ( 1 - complete notification , 2 - delta notification )
slack_integration = true #REQUIRED ( values : false / true (case sensitive) )
slack_Webhook = https://hooks.slack.com/services/yourslackwebhookurl #REQUIRED if slack_integration is true Values :
> true
> false
Description :
if set to false, one needs to provide cloud flare account ID specifically in ####CF_AccountID for which monitoring is required. By default , /its set to true. which monitors all accounts which are associated with the email.
Values: AccountID of the cloudflare which requires monitoring.
Description :
This needs to be provided if CF_MonitorSIngleAccount is set to true.
Values:
> 1
> 2
Description :
if set to '1', for each scan, all the dangling/ misconfigured cname results are notified to the user.
if set to '2', Only newly added cnames which are misconfigured which were not present in previous scans are notified / alerted. ( for base scan /first scan even if value is set to 2, it does a full scan.)
Values:
> true
> false
Description :
If value is set to 'true' slack alerts / notifications are trigerred.
if set to 'false' slack notifications are disabled.
Values : slack web hook URL.
Description : Slack web Hook URL generated for recieving incoming messages from anti-takeover.This is mandatory if slack_integration is set to value /'true'.
Now you are ready to run Auto-Takeover! Set it up as cron job for real time monitoring or run it as a standalone script.
>> Results are stored in files named "edgecases.json" and "vulnerable.json". ( Edge case scenarios are stored in edgecases.json.)
>> Removing both the files after the base scan / any scan , triggers in full scan .
Feel free to Fork the project, contribute, add new rules / notify for addition of new subdomains.( will be updated over the time.)
A big thanks to everyone who has contributed to https://github.com/EdOverflow/can-i-take-over-xyz :)