{"id":15634158,"url":"https://github.com/jakejarvis/subtake","last_synced_at":"2025-09-04T00:43:58.387Z","repository":{"id":57494826,"uuid":"158003840","full_name":"jakejarvis/subtake","owner":"jakejarvis","description":"Automatic finder for subdomains vulnerable to takeover. Written in Go, based on @haccer's subjack.","archived":false,"fork":false,"pushed_at":"2020-06-29T15:18:09.000Z","size":26,"stargazers_count":149,"open_issues_count":2,"forks_count":29,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-08-28T09:18:00.242Z","etag":null,"topics":["bug-bounty","go","golang","infosec","pentesting","security","subdomain","subdomain-takeovers","takeover"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jakejarvis.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-11-17T16:37:36.000Z","updated_at":"2025-08-03T01:31:16.000Z","dependencies_parsed_at":"2022-08-28T15:11:26.405Z","dependency_job_id":null,"html_url":"https://github.com/jakejarvis/subtake","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/jakejarvis/subtake","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jakejarvis%2Fsubtake","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jakejarvis%2Fsubtake/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jakejarvis%2Fsubtake/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jakejarvis%2Fsubtake/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jakejarvis","download_url":"https://codeload.github.com/jakejarvis/subtake/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jakejarvis%2Fsubtake/sbom","scorecard":{"id":502557,"data":{"date":"2025-08-11","repo":{"name":"github.com/jakejarvis/subtake","commit":"8d1112fe1fd679b0300b6a92ad0dddfc848b8292"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.6,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"SAST","score":0,"reason":"no SAST tool detected","details":["Warn: no pull requests merged into dev branch"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Code-Review","score":0,"reason":"Found 0/13 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/go.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Pinned-Dependencies","score":2,"reason":"dependency not pinned by hash detected -- score normalized to 2","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:11: update your workflow using https://app.stepsecurity.io/secureworkflow/jakejarvis/subtake/go.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/jakejarvis/subtake/go.yml/main?enable=pin","Warn: downloadThenRun not pinned by hash: .github/workflows/go.yml:23","Info:   0 out of   2 GitHub-owned GitHubAction dependencies pinned","Info:   1 out of   1 goCommand dependencies pinned","Info:   0 out of   1 downloadThenRun dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}}]},"last_synced_at":"2025-08-19T22:20:31.206Z","repository_id":57494826,"created_at":"2025-08-19T22:20:31.206Z","updated_at":"2025-08-19T22:20:31.206Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":273534472,"owners_count":25122676,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-03T02:00:09.631Z","response_time":76,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bug-bounty","go","golang","infosec","pentesting","security","subdomain","subdomain-takeovers","takeover"],"created_at":"2024-10-03T10:51:31.567Z","updated_at":"2025-09-04T00:43:58.336Z","avatar_url":"https://github.com/jakejarvis.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# subtake\n\n[![Build Status](https://travis-ci.org/jakejarvis/subtake.svg?branch=master)](https://travis-ci.org/jakejarvis/subtake)\n\nBased on [@haccer](https://github.com/haccer)'s [subjack](https://github.com/haccer/subjack) script for subdomain takeover recon.\n\n## Installation\n\nRequires [Go](https://golang.org/dl/).\n\n`go get github.com/jakejarvis/subtake`\n\n## Usage\n\n### Options\n\n- `-f to-check.txt` is the path to your list of subdomains to check. One subdomain per line. **Required.**\n- `-t` is the number of threads to use. (Default: 10)\n- `-a` skips CNAME check and sends requests to every URL. (Default: false, but **Highly recommended.**) \n- `-timeout` is the number seconds to wait before timing out a check (Default: 10).\n- `-o results.txt` is a filename to output results to. If the file ends with `.json`, subtake will automatically switch to JSON format.\n- `-v` enables verbose mode. Displays all checks including not vulnerable URLs.\n- `-c` Path to file containing JSON fingerprint configuration. (Default: `./fingerprints.json`)\n- `-ssl` enforces HTTPS requests which may return a different set of results and increase accuracy.\n\n### Resources\n\n`sonar.sh` can be used first to gather a list of CNAMEs collected by Rapid7/scan.io's [Project Sonar](https://opendata.rapid7.com/sonar.fdns_v2/). This list can then be passed into subtake to return subdomains not in use. `sonar.sh` is based off of [`scanio.sh`](https://gist.github.com/haccer/3698ff6927fc00c8fe533fc977f850f8).\n\n`fingerprints.json` can be modified to add or remove hosted platforms to probe for. Many obscure platforms are included, and removing fingerprints for services that are uninteresting to you can speed up the scan.\n\nIf you plan on using a high number of threads to speed the process up, you may need to [temporarily raise the `ulimit` of your shell](http://posidev.com/blog/2009/06/04/set-ulimit-parameters-on-ubuntu/):\n\n```\nulimit -a          # show current limit (usually 1024)\nulimit -n 10000    # set waaaaay higher\nulimit -a          # check new limit\n```\n\nAfter generating a list of all vulnerable subdomains, you can use my [collection of domains invoked in bug bounty programs](https://github.com/jakejarvis/bounty-domains/blob/master/domains.txt) to narrow down valuable targets and possibly get some ca$h monie$$$.\n\n### Examples\n\n`./sonar.sh 2018-10-27-1540655191 sonar_all_cnames.txt`\n\n`subtake -f sonar_all_cnames.txt -t 50 -ssl -a -o vulnerable.txt`\n\n## Subdomain Takeover Tips\n\n- A great explanation of the risks of takeovers and steps to responsibly disclose takeovers to companies: https://0xpatrik.com/subdomain-takeover/\n- A comprehensive list of what services are vulnerable (and the basis of `fingerprints.json`), and how to proceed once finding them: https://github.com/EdOverflow/can-i-take-over-xyz\n\n## Services Checked\n\n- Amazon S3\n- ~~Amazon CloudFront~~ [(no longer vulnerable?)](https://github.com/EdOverflow/can-i-take-over-xyz/issues/29)\n- Microsoft Azure\n- Heroku\n- GitHub Pages\n- Fastly\n- Pantheon.io\n- Shopify\n- Tumblr\n- WordPress.com\n- Ghost\n- Surge\n- Statuspage\n- Bitbucket Pages\n- UserVoice\n- Zendesk\n- Brightcove\n- Big Cartel\n- Acquia\n- ReadMe.io\n- MaxCDN\n- Apigee\n- Smugmug\n\n## To-Do\n\n- Integrate `sonar.sh` into the main Go script as an option instead of input file.\n- All-in-one Docker image to automatically download the latest FDNS Project Sonar file and check for takeover possibilities. \n- Have `sonar.sh` pull domains to check for from `fingerprints.json`, instead of hard-coding them.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjakejarvis%2Fsubtake","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjakejarvis%2Fsubtake","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjakejarvis%2Fsubtake/lists"}