{"id":16651019,"url":"https://github.com/hash3lizer/subrake","last_synced_at":"2025-04-05T09:05:31.989Z","repository":{"id":43348040,"uuid":"153983914","full_name":"hash3liZer/Subrake","owner":"hash3liZer","description":"🚀 A DNS automated scanner and tool 🖱️ (Zone Transfer, DNS Zone Takeover, Subdomain Takeover).","archived":false,"fork":false,"pushed_at":"2024-05-21T21:49:24.000Z","size":1042,"stargazers_count":275,"open_issues_count":9,"forks_count":63,"subscribers_count":14,"default_branch":"master","last_synced_at":"2024-05-22T02:19:49.811Z","etag":null,"topics":["bugbountytips","dns-takeover","reconnaissance","subdomain-bruteforcing","subdomain-enumeration","subdomain-scanner","subdomain-takeover","zone-takeover","zone-transfers"],"latest_commit_sha":null,"homepage":"https://bit.ly/44onNOL","language":"CSS","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hash3liZer.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-10-21T07:31:12.000Z","updated_at":"2024-05-30T02:50:51.369Z","dependencies_parsed_at":"2024-05-30T02:50:49.442Z","dependency_job_id":"81ece27c-4712-41ec-b0d5-3d326fe6295e","html_url":"https://github.com/hash3liZer/Subrake","commit_stats":{"total_commits":76,"total_committers":2,"mean_commits":38.0,"dds":"0.013157894736842146","last_synced_commit":"7842b5a814e45517461bde4b7324acd27f3bd15d"},"previous_names":[],"tags_count":10,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hash3liZer%2FSubrake","tags_url":"https://repos.ecosyste.ms/api/v1/h
osts/GitHub/repositories/hash3liZer%2FSubrake/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hash3liZer%2FSubrake/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hash3liZer%2FSubrake/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hash3liZer","download_url":"https://codeload.github.com/hash3liZer/Subrake/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247312077,"owners_count":20918344,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bugbountytips","dns-takeover","reconnaissance","subdomain-bruteforcing","subdomain-enumeration","subdomain-scanner","subdomain-takeover","zone-takeover","zone-transfers"],"created_at":"2024-10-12T09:23:28.926Z","updated_at":"2025-04-05T09:05:31.941Z","avatar_url":"https://github.com/hash3liZer.png","language":"CSS","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003ch1 align=\"center\"\u003e\n    \u003cimg src=\"https://user-images.githubusercontent.com/29171692/57197739-5392b300-6f84-11e9-9191-4e38f3edc583.png\" alt=\"subrake\" /\u003e \u003cbr\u003e    \n    Subrake 🦅\n\u003c/h1\u003e\n\u003ch4 align=\"center\"\u003eA DNS automated scanner and tool (Zone Transfer, DNS Zone Takeover, Subdomain Takeover).\u003c/h4\u003e\n\u003cp align=\"center\"\u003e\n    \u003ca href=\"https://github.com/hash3liZer/Subrake/actions\"\u003e\u003cimg src=\"https://github.com/hash3liZer/subrake/actions/workflows/demo.yml/badge.svg\" alt=\"...\"\u003e\u003c/a\u003e\n    \u003ca 
href=\"https://www.linux.org/\" target=\"_blank\"\u003e\u003cimg src=\"https://img.shields.io/badge/platform-linux-important\" alt=\"platform: linux\" /\u003e\u003c/a\u003e\n    \u003ca href=\"https://www.python.org/\" target=\"_blank\"\u003e\u003cimg src=\"https://img.shields.io/badge/Python-3-yellow.svg?logo=python\" alt=\"Python: 3\" /\u003e\u003c/a\u003e\n    \u003ca href=\"https://www.gnu.org/licenses/gpl-3.0\" target=\"_blank\"\u003e\u003cimg src=\"https://img.shields.io/badge/License-GPLv3-blue.svg\" alt=\"license\" /\u003e\u003c/a\u003e\n\u003c/p\u003e\n\u003c!--\u003cimg align=\"center\" src=\"https://github.com/hash3liZer/Subrake/assets/29171692/956c0174-b8ee-4817-ac56-370bb517c991\" alt=\"subrake\" /\u003e\u003chr\u003e\n\u003cimg align=\"center\" src=\"https://github.com/hash3liZer/Subrake/assets/29171692/41790ef9-3a46-48de-9d34-2728242716fd\" alt=\"subrake\" /\u003e--\u003e\n\u003c!--\u003cimg align=\"center\" src=\"https://user-images.githubusercontent.com/29171692/206875533-0ac3ca1c-e183-4c4a-9bb2-b7206d1cfc50.png\" alt=\"subrake\" /\u003e\n\u003cimg align=\"center\" src=\"https://user-images.githubusercontent.com/29171692/206875554-1f09c82a-d82d-4285-b30f-d84c67d99a9d.png\" alt=\"subrake\" /\u003e--\u003e\n\u003cimg align=\"center\" src=\"https://github.com/hash3liZer/Subrake/assets/29171692/75abd71e-7765-4da0-8b08-1cc5e1e069c7\" alt=\"subrake\"/\u003e\n\n# Background 📈\nSubrake, initially started as a personal project of mine for subdomain enumeration, is now a detailed DNS scanning tool that can help you identify **Zone Transfers**, **DNS Zone Takeover** and **Subdomain Takeovers** all in a single go. \n\nZone Transfers have been around for years and, if enabled for some reason on a domain, can allow another party to `enumerate` all the records from the Zone. They are actually used when the owner is to transfer a domain from one provider to another. 
\n\nSubdomain Takeover, unlike what it sounds like, is the **takeover of the service** that the subdomain is pointing to. The service needs to be stale or not in use. \n\nDNS Zone Takeover, as compared to Subdomain Takeover, can be more severe if exploited. It is the takeover of one of the zones of the domain. This allows much more than just creating the service on the backend. You can actually set up your own DNS records and play with them as you like.\n\nFor more in-depth detail, you can read my blog here: [A Guide to Zone Transfer, DNS Zone Takeover and Subdomain Takeover](https://blog.shameerkashif.me/blog/2023/subrake-a-dns-automated-scanner/)\n\n# About Subrake 💰\nSubrake is a DNS assessment tool (mostly automated) with both a UI and a CLI that goes through various phases in order to cover DNS issues. The tool is continuously undergoing changes and development, and everybody is welcome to contribute to the project. \n\nIt was designed primarily for the bug bounty and infosec industry but can be leveraged for blue teaming and internal pentests as well. It supports both a CLI and a web-based GUI and supports multiple installation modes. The key features are: \n\n### Features ⚖️\n* ⚙️ All in one automated solution. Its working cycle is:\n    * 🪙 DNS Enumeration (DNS Records)\n    * 🪜 **Zone Transfer Detection** and enumerate records if enabled\n    * 💲 **DNS Zone Takeover Detection**\n    * 💴 False Positive Detection (Wildcard subdomains)\n    * 💶 Getting results from other tools (Sublist3r, Knock.py)\n    * 💷 Bruteforce using wordlists (Can work with multiple wordlists)\n    * 💵 Get 5 parameters for each subdomain (HTTP Codes, Resolution, Headers, CNAME, Ports)\n    * 💰 **Detect Subdomain Takeover**\n* 🛒 Support for external tools. 
You can add your own functions.\n* 🛍️ Automated and Manual Mode.\n* 🗄️ Can run concurrent sessions.\n* 🖼️ UI for Reports and results available in `csv` format.\n* 🛎️ Flexible and Fast.\n\n## Execution\n[Subrake Execution](https://github.com/hash3liZer/Subrake/assets/29171692/994d8f80-efad-49ab-bcc4-69a9ac04c05a)\n\n# Installation 💾\nYou can set up subrake in an automated mode or by manually cloning the repo and installing through `setuptools`. The first provides more control and is flexible with a UI. But if you prefer a simple CLI mode or are on `windows`, go through the `manual` section. \n\nClone the repo and jump into it: \n```bash\n$ git clone https://github.com/hash3liZer/Subrake.git\n$ cd ./Subrake\n```\n\n## Automated Setup 🛠️\nYou can set up `subrake` through vagrant (with KVM), where a machine will be spawned and everything will be set up automatically. Install the requirements first: \n```bash\n$ apt update\n$ apt install -y qemu qemu-kvm libvirt-daemon libvirt-clients bridge-utils virt-manager vagrant vagrant-libvirt\n```\n\nThen inside the repo, run `vagrant up`:\n```bash\n$ vagrant up\n```\n\nThis will take a while to provision the server. Once done, you will receive the URL: `http://127.0.0.1:9090`\n\n\u003cimg width=\"1162\" alt=\"image\" src=\"https://github.com/hash3liZer/Subrake/assets/29171692/a03f9b61-6842-49b2-8015-202c20d6104f\"\u003e\n\nThe default credentials are: `subrake/password`. 
You can change them during provisioning as well: \n```bash\n$ SUBRAKE_USERNAME=\"username\" SUBRAKE_PASSWORD=\"password\" vagrant up\n```\n\nOnce done, you can manage the state of your newly created machine through these commands: \n```bash\n# See the machine status\n$ vagrant status\n\n# Suspend the machine\n$ vagrant suspend\n\n# Resume machine\n$ vagrant resume\n\n# Shutdown machine\n$ vagrant halt\n\n# Start back\n$ vagrant up\n\n# Delete the machine\n$ vagrant destroy\n```\n\n## Manual Setup 🪛\nWith the manual setup, you can jump directly into the directory and use `setuptools` for installation.\n\nInstall the requirements and run `setup.py`:\n```bash\n$ pip3 install -r requirements.txt\n$ python3 setup.py install\n```\n\nVerify if subrake is installed or not: \n```bash\n$ subrake --help\n```\n\n## Docker 🐳\nYou can also build the docker image from `Dockerfile`:\n```bash\n$ docker build -t subrake:latest .\n```\n\nVerify the docker container:\n```bash\n$ docker run --rm subrake --help\n```\n\n# Deployment 🚩\nYou can deploy the script on a baremetal server as well. To do so, get a fresh `ubuntu 20.04` server up and running and run the following commands:\n```bash\n$ chmod +x ./installer.sh\n$ ./installer.sh --deploy\n```\n\nThe server is then accessible at: `0.0.0.0:9090`. You can set up an `nginx` service and use it as a reverse proxy. \n\n# Usage 💬\n## User Interface 🔳\nWith the UI, you can directly jump to the `Subtap a Domain` page and run a scan. Expect a couple of questions for the scan: \n\n\u003cimg width=\"1198\" alt=\"image\" src=\"https://github.com/hash3liZer/Subrake/assets/29171692/ebf2a0b7-b02e-425a-8dbf-922d68ca886c\"\u003e\n\nThe scan is launched inside a `tmux` session. You can press `CTRL+E =\u003e d` to exit the running screen and launch a new scan. Also, to pause the screen and move up and down, you can press `CTRL+E =\u003e [`. These are just TMUX shortcuts with the global bind key changed to `CTRL+E`.  
\n\nYou can also jump back to a running screen by entering its name again: \n\n\u003cimg width=\"1198\" alt=\"image\" src=\"https://github.com/hash3liZer/Subrake/assets/29171692/a48e3fa3-08fe-4f7a-86df-c73418b4dbe2\"\u003e\n\n### Reports\n\n\u003cimg width=\"1240\" alt=\"image\" src=\"https://github.com/hash3liZer/Subrake/assets/29171692/03f90a82-54a9-4e5c-857b-128665f11756\"\u003e\n\n### Scan Results\n\n\u003cimg width=\"1240\" alt=\"image\" src=\"https://github.com/hash3liZer/Subrake/assets/29171692/b1344469-85c5-406e-8152-176b45cdfc41\"\u003e\n\n## Command line 🟰\nOn the command line, you can directly access the tool by typing `subrake`. Here are a couple of examples of using subrake: \n\nA simple run with default options:\n```bash\n$ subrake -d google.com\n```\n\nSubrake with Multiple Threads:\n```bash\n$ subrake -d google.com -t 50\n```\n\nSubrake with modules and a wordlist:\n```bash\n$ subrake -d google.com --wordlists SecLists/Discovery/DNS/namelist.txt\n```\n\nSubrake with OSINT results + Multiple SecLists subdomains list: \n\n**Note: Subdomains with similar names will automatically be filtered and counted as 1**\n\n```bash\n$ subrake -d google.com --wordlists SecLists/Discovery/DNS/namelist.txt,SecLists/Discovery/DNS/dns-Jhaddix.txt\n```\n\nSubrake without search engine + Output from multiple tools combined + IP Filtering (Note that you can integrate your tools into subrake):\n```bash\n$ domain=\"google.com\"\n$ subfinder -d $domain -nW -o $domain/1.txt \u0026\u0026 sublist3r -d $domain -o $domain/2.txt \u0026\u0026 cat $domain/* \u003e\u003e /tmp/output.txt\n$ subrake -d $domain -w /tmp/output.txt --filter --skip-search\n```\n\nSubrake with Port Scanning: \u003cbr\u003e\n**NOTE: Ports 80 and 443 will be scanned by default for every host under HTTP/HTTPS banner. 
So, there's no need to specify them here**\n```bash\n$ subrake -d google.com --ports 8080,8443,8000,23,445\n```\n\n## Manual 📑\n\u003cimg width=\"899\" alt=\"image\" src=\"https://github.com/hash3liZer/Subrake/assets/29171692/a34c6783-b5ef-4fdc-ba63-d6cabdb02d73\"\u003e\n\n# ToDo LIST 📜\nFeel free to open pull requests and a feature. You can contribute by:\n\n- [ ] Add more vulnerable services. Currently 10\n- [ ] Improve Installation script.\n- [x] Add GUI Mode\n- [x] Add Docker support. \n\n## Get me at ☎️\n* Email: \u003ca href=\"mailto:me@shameerkashif.me\"\u003eme@shameerkashif.me\u003c/a\u003e\n* Discord: \u003ca href=\"#\"\u003ehash3liZer#5786\u003c/a\u003e\n* Blog: \u003ca href=\"https://blog.shameerkashif.me\"\u003ehttps://blog.shameerkashif.me\u003c/a\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhash3lizer%2Fsubrake","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhash3lizer%2Fsubrake","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhash3lizer%2Fsubrake/lists"}