Subdomain Takeover

MITRE ATT&CK, Resource Development, Sub-technique T1584.001

A subdomain takeover occurs if a subdomain is configured to a 3rd party service but is no longer registered. If we are able to create an account in the identified 3rd party and register the domain, we can potentially host content on the subdomain.

Can I Take Over XYZ

This repository should be a goto for anyone attempting a subdomain takeover. This repository will identify is the service you have identified is vulnerable to a subdomain takeover and if so, provide detailed steps on how to exploit it and potentially host content.


DNSReaper is an automated subdomain takeover tool that tests with known takeover signatures. While you shouldn't rely on a tool to do the job, this tool does a pretty good job and I'd highly recommend it if performing a quick sweep.

# Run with Python against a single domain
python3 single --domain $domain

# Run with Python against multiple domains
python3 file --filename $domains

# Run with Docker against a single domain
docker run punksecurity/dnsreaper single --domain $domain


Subjack is a subndomain takeover tool written in Go.

# Identify subdomains with a tool such as subfinder
subfinder -dL subdomains.txt --silent | tee -a subdomains.out

# Run subjack against list
subjack -w subdomains.out -ssl | tee -a takeover | grep -V "Vulnerable"


Last updated