# Subdomain Takeover

A subdomain takeover occurs when a subdomain's DNS record points to a third-party service, but the resource it points to is no longer registered there. If we are able to create an account with the identified third party and register the domain, we can potentially host content on the subdomain.
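The same condition can be checked from the owner's side by comparing a DNS zone export against an inventory of the resources still registered with each third party. This is an added example, not code from the original page or from any of the tools below; the provider suffixes, record names and inventory are constructed placeholders.

```python
# Added example: all names and data below are constructed, not real providers.
OWN_ZONES = {"example.com"}

# Constructed zone export: (record name, record type, target)
ZONE = [
    ("www.example.com.",    "CNAME", "example-prod.provider-a.example."),
    ("blog.example.com.",   "CNAME", "old-blog.provider-a.example."),
    ("shop.example.com.",   "CNAME", "Shop-EU.Provider-B.example"),
    ("docs.example.com.",   "CNAME", "www.example.com."),
    ("status.example.com.", "CNAME", "page.notprovider-a.example."),
    ("mail.example.com.",   "A",     "192.0.2.10"),
]

# Hypothetical third-party suffix -> resource names still registered in our accounts.
CLAIMED = {
    "provider-a.example": {"example-prod"},
    "provider-b.example": {"shop-eu"},
}

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()

def under(name, suffix):
    """True if name equals suffix or is a subdomain of it (label-boundary match)."""
    return name == suffix or name.endswith("." + suffix)

def classify(target, claimed=CLAIMED, own=OWN_ZONES):
    """Return internal, claimed, dangling or unreviewed for one CNAME target."""
    target = norm(target)
    if any(under(target, zone) for zone in own):
        return "internal"
    for suffix, resources in claimed.items():
        if under(target, suffix):
            resource = target[: -len(suffix)].rstrip(".")
            return "claimed" if resource in resources else "dangling"
    return "unreviewed"  # external target with no inventory entry

def audit(zone=ZONE):
    """Map each CNAME record name to its status; other record types are skipped."""
    return {norm(n): classify(t) for n, rtype, t in zone if rtype.upper() == "CNAME"}

if __name__ == "__main__":
    for name, status in audit().items():
        print(f"{status:10} {name}")
```

Records reported as `dangling` should be deleted or re-pointed, and `unreviewed` targets need an inventory entry before they can be judged.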

### Can I Take Over XYZ

This repository should be a go-to for anyone attempting a subdomain takeover. It identifies whether the service you have identified is vulnerable to a subdomain takeover and, if so, provides detailed steps on how to exploit it and potentially host content.

{% embed url="<https://github.com/EdOverflow/can-i-take-over-xyz>" %}

### dnsReaper

DNSReaper is an automated subdomain takeover tool that tests against known takeover signatures. While you shouldn't rely on a tool to do the job, this tool does a pretty good job and I'd highly recommend it when performing a quick sweep.

```bash
# Run with Python against a single domain
python3 main.py single --domain $domain

# Run with Python against multiple domains
python3 main.py file --filename $domains

# Run with Docker against a single domain
docker run punksecurity/dnsreaper single --domain $domain
```

{% embed url="<https://github.com/punk-security/dnsReaper>" %}

### Subjack

Subjack is a subdomain takeover tool written in Go.

```bash
# Identify subdomains with a tool such as subfinder
subfinder -dL subdomains.txt --silent | tee -a subdomains.out

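# Run subjack against the list; full output is appended to ./takeover
# grep -v (lowercase) drops "Not Vulnerable" lines; uppercase -V only prints grep's version
subjack -w subdomains.out -ssl | tee -a takeover | grep -v "Not Vulnerable"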
```

{% embed url="<https://github.com/haccer/subjack>" %}

### References

{% embed url="<https://www.hackerone.com/application-security/guide-subdomain-takeovers>" %}

