Subdomain Takeover

MITRE ATT&CK, Resource Development, Sub-technique T1584.001

A subdomain takeover occurs if a subdomain is configured to a 3rd party service but is no longer registered. If we are able to create an account in the identified 3rd party and register the domain, we can potentially host content on the subdomain.

Can I Take Over XYZ

This repository should be a goto for anyone attempting a subdomain takeover. This repository will identify is the service you have identified is vulnerable to a subdomain takeover and if so, provide detailed steps on how to exploit it and potentially host content.

GitHub - EdOverflow/can-i-take-over-xyz: "Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.GitHub

dnsReaper

DNSReaper is an automated subdomain takeover tool that tests with known takeover signatures. While you shouldn't rely on a tool to do the job, this tool does a pretty good job and I'd highly recommend it if performing a quick sweep.

# Run with Python against a single domain
python3 main.py single --domain $domain

# Run with Python against multiple domains
python3 main.py file --filename $domains

# Run with Docker against a single domain
docker run punksecurity/dnsreaper single --domain $domain

GitHub - punk-security/dnsReaper: dnsReaper - subdomain takeover tool for attackers, bug bounty hunters and the blue team!GitHub

Subjack

Subjack is a subndomain takeover tool written in Go.

# Identify subdomains with a tool such as subfinder
subfinder -dL subdomains.txt --silent | tee -a subdomains.out

# Run subjack against list
subjack -w subdomains.out -ssl | tee -a takeover | grep -V "Vulnerable"

GitHub - haccer/subjack: Subdomain Takeover tool written in GoGitHub