github.com/microphone-mathematics/subjack
Advanced tools
Subjack is a Subdomain Takeover tool written in Go designed to scan a list of subdomains concurrently and identify ones that are able to be hijacked. With Go's speed and efficiency, this tool really stands out when it comes to mass-testing. Always double check the results manually to rule out false positives.
Subjack will also check for subdomains attached to domains that don't exist (NXDOMAIN) and are available to be registered. No need for dig ever again! This is still cross-compatible too.
What's New? (Last Updated 09/17/18)
Requires Go
go get github.com/haccer/subjack
Examples:
./subjack -w subdomains.txt -t 100 -timeout 30 -o results.txt -sslOptions:
-d test.com if you want to test a single domain.-w domains.txt is your list of subdomains.-t is the number of threads (Default: 10 threads).-timeout is the seconds to wait before timeout connection (Default: 10 seconds).-o results.txt where to save results to. For JSON: -o results.json-ssl enforces HTTPS requests which may return a different set of results and increase accuracy.-a skips CNAME check and sends requests to every URL. (Recommended)-m flag the presence of a dead record, but valid CNAME entry.-v verbose. Display more information per each request.-c Path to configuration file.You can use scanio.sh which is kind of a PoC script to mass-locate vulnerable subdomains using results from Rapid7's Project Sonar. This script parses and greps through the dump for desired CNAME records and makes a large list of subdomains to check with subjack if they're vulnerable to Hostile Subdomain Takeover. Of course this isn't the only method to get a large amount of data to test. Please use this responsibly ;)
package main
import (
"fmt"
"encoding/json"
"io/ioutil"
"strings"
"github.com/haccer/subjack/subjack"
)
func main() {
var fingerprints []subjack.Fingerprints
config, _ := ioutil.ReadFile("custom_fingerprints.json")
json.Unmarshal(config, &fingerprints)
subdomain := "dead.cody.su"
/* Use subjack's advanced detection to identify
if the subdomain is able to be taken over. */
service := subjack.Identify(subdomain, false, false, 10, fingerprints)
if service != "" {
service = strings.ToLower(service)
fmt.Printf("%s is pointing to a vulnerable %s service.\n", subdomain, service)
}
}
See the godoc for more functions.
Q: What should my wordlist look like?
A: Your wordlist should include a list of subdomains you're checking and should look something like:
assets.cody.su
assets.github.com
b.cody.su
big.example.com
cdn.cody.su
dev.cody.su
dev2.twitter.com
Extra information about Hostile Subdomain Takeovers:
FAQs
Unknown package
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
GitHub postponed a new billing model for self-hosted Actions after developer pushback, but moved forward with hosted runner price cuts on January 1.
Research
Destructive malware is rising across open source registries, using delays and kill switches to wipe code, break builds, and disrupt CI/CD.
Security News
Socket CTO Ahmad Nassri shares practical AI coding techniques, tools, and team workflows, plus what still feels noisy and why shipping remains human-led.