{"id":13845780,"url":"https://github.com/gwen001/dnspy","last_synced_at":"2025-07-23T00:03:55.766Z","repository":{"id":74163370,"uuid":"282389963","full_name":"gwen001/dnspy","owner":"gwen001","description":"Find subdomains and takeovers.","archived":false,"fork":false,"pushed_at":"2022-12-02T08:17:22.000Z","size":30693,"stargazers_count":85,"open_issues_count":0,"forks_count":22,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-05-09T01:37:27.986Z","etag":null,"topics":["bash","bugbounty","dns","pentesting","python","security-tools","shell","subdomain-takeover","subdomains"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/gwen001.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":["gwen001"],"patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"custom":null}},"created_at":"2020-07-25T06:59:49.000Z","updated_at":"2025-05-06T22:15:51.000Z","dependencies_parsed_at":null,"dependency_job_id":"cdcccfd0-dce7-4b8d-8aff-41d0fc27d94a","html_url":"https://github.com/gwen001/dnspy","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/gwen001/dnspy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gwen001%2Fdnspy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gwen001%2Fdnspy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/r
epositories/gwen001%2Fdnspy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gwen001%2Fdnspy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/gwen001","download_url":"https://codeload.github.com/gwen001/dnspy/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gwen001%2Fdnspy/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":266592136,"owners_count":23953107,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-22T02:00:09.085Z","response_time":66,"last_error":null,"robots_txt_status":null,"robots_txt_updated_at":null,"robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bash","bugbounty","dns","pentesting","python","security-tools","shell","subdomain-takeover","subdomains"],"created_at":"2024-08-04T17:03:35.876Z","updated_at":"2025-07-23T00:03:55.738Z","avatar_url":"https://github.com/gwen001.png","language":"Python","funding_links":["https://github.com/sponsors/gwen001"],"categories":["Python"],"sub_categories":[],"readme":"\u003ch1 align=\"center\"\u003ednspy\u003c/h1\u003e\n\n\u003ch4 align=\"center\"\u003eFind subdomain takeovers.\u003c/h4\u003e\n\n\u003cp align=\"center\"\u003e\n    \u003cimg src=\"https://img.shields.io/badge/-bash-gray\" alt=\"bash badge\"\u003e\n    \u003cimg src=\"https://img.shields.io/badge/python-v3-blue\" alt=\"python badge\"\u003e\n    \u003cimg src=\"https://img.shields.io/badge/license-MIT-green\" alt=\"MIT license 
badge\"\u003e\n    \u003ca href=\"https://twitter.com/intent/tweet?text=https%3a%2f%2fgithub.com%2fgwen001%2fdnspy%2f\" target=\"_blank\"\u003e\u003cimg src=\"https://img.shields.io/twitter/url?style=social\u0026url=https%3A%2F%2Fgithub.com%2Fgwen001%2Fdnspy\" alt=\"twitter badge\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n\u003c!-- \u003cp align=\"center\"\u003e\n    \u003cimg src=\"https://img.shields.io/github/stars/gwen001/dnspy?style=social\" alt=\"github stars badge\"\u003e\n    \u003cimg src=\"https://img.shields.io/github/watchers/gwen001/dnspy?style=social\" alt=\"github watchers badge\"\u003e\n    \u003cimg src=\"https://img.shields.io/github/forks/gwen001/dnspy?style=social\" alt=\"github forks badge\"\u003e\n\u003c/p\u003e --\u003e\n\n---\n\n# Install\n\n```\ngit clone https://github.com/gwen001/dnspy\ncd dnspy\npip3 install -r requirements.txt\n```\n\n# How does it work\n\nThis tool is basically composed of 3 parts:\n\n- grabber\n- resolver\n- interpreter\n\nEach part has a daemon and a queue file. To run a daemon do the following:\n\n```\ncd dnspy\n./daemon_xxx.py\n```\n\nThe daemon will run by itself and forever.\nThen, as soon as a domain name is entered in the corresponding queue file, the daemon will process it.\n\nThe ```daemon_grabber.py``` basically runs ```grabber_host.sh``` and feeds the resolver queue file.\nIt's my current bash script to grab subdomains using many external tools.\nFeel free to customize it or write your own.  \n\nThe ```daemon_resolver.py``` basically runs ```massdns``` (so you'd better have it installed on your system) and feeds the interpreter queue file.  \n\nThe ```daemon_interpreter.py``` will read the massdns output file and check for subdomain takeovers by running ```interpreter.py```.\nThis script is **strongly** inspired by ```subjack``` but I added some features like the ignore list and also improved the fingerprints with regexp.\nFeel free to add your own signatures.  
\n\n```\nusage: interpreter.py [-h] [-s SOURCE] [-f FINGERPRINTS] [-r] [-v VERBOSE]\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -s SOURCE, --source SOURCE\n                        source file (masscan output using format: -o Sqnr)\n  -f FINGERPRINTS, --fingerprints FINGERPRINTS\n                        fingerprints file\n  -r, --reresolve       force reresolve\n  -v VERBOSE, --verbose VERBOSE\n                        verbose mode, 0:only vulnerable (default), 1:include\n                        unknown services and doubt, 2:include ignored and not\n                        vulnerable, 3:debug\n```\n\n# Output legend\n\n(screenshots after holidays)  \n\n[?] - unknown service  \n[YELLOW] - there is something weird (doubt) but mostly not takeoverable  \n[GREEN] - possible takeover  \n[PINK] - takeover confirmed with an additional check  \n[RED] - warning, this service deserves a manual check (like S3 bucket permissions)  \n\nWhatever the color, a manual check is always a good idea and should always be performed before sending a report.  \n\n# Recommendations\n\nUse this script on a dedicated server with a good connection.\nUse screen or tmux so even if you're disconnected the daemons will still run in the background.\n\nManually launch the interpreter using ```qinterpreter2.sh``` so the output will be nicely displayed and you will be able to customize the fingerprints the way you like.\n\n# Takeover cases\n\n1/ subdomain points to a 3rd party service app but the app is not created on the service  \nresolution response: most of the time CNAME but sometimes NXDOMAIN  \nex: xxxxxx.azurewebsites.com, xxxx.s3.amazonaws.com, xxxx.herokuapp.com...  \n\n2.1/ subdomain uses 3rd party service but the domain isn't claimed on the service  \nresolution response: ?  \nex: cloudfront...\n\n2.2/ subdomain uses 3rd party DNS but the domain isn't claimed on the service  \nresolution response: ?  \nex: fastly...  
\n\n3/ subdomain points to a 3rd party service but is an A or AAAA record  \nresolution response: ipv4 or ipv6  \nex: ?  \n\n4/ subdomain is an alias to a domain which doesn't belong to anyone, buy it!  \nresolution response: NXDOMAIN  \n\n# Todo\n\n- http requests to solve case 3/\n- screenshots\n- find a more appropriate name\n- ?\n\n---\n\nFeel free to [open an issue](/../../issues/) if you have any problem with the script.  \n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgwen001%2Fdnspy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgwen001%2Fdnspy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgwen001%2Fdnspy/lists"}