{"id":13539339,"url":"https://github.com/punk-security/dnsReaper","last_synced_at":"2025-04-02T06:30:46.997Z","repository":{"id":51612163,"uuid":"515495663","full_name":"punk-security/dnsReaper","owner":"punk-security","description":"dnsReaper - subdomain takeover tool for attackers, bug bounty hunters and the blue team!","archived":false,"fork":false,"pushed_at":"2024-10-23T11:08:37.000Z","size":340,"stargazers_count":2087,"open_issues_count":23,"forks_count":177,"subscribers_count":24,"default_branch":"main","last_synced_at":"2025-03-27T23:01:52.587Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/punk-security.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"docs/securitytrails.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-07-19T08:17:30.000Z","updated_at":"2025-03-27T08:24:58.000Z","dependencies_parsed_at":"2024-07-10T13:35:49.285Z","dependency_job_id":"41d0e924-6d30-4a58-9a49-cfc53853e123","html_url":"https://github.com/punk-security/dnsReaper","commit_stats":null,"previous_names":[],"tags_count":28,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/punk-security%2FdnsReaper","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/punk-security%2FdnsReaper/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/punk-security%2FdnsReaper/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/punk-security%2FdnsReaper/manifests","owner_url":"htt
ps://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/punk-security","download_url":"https://codeload.github.com/punk-security/dnsReaper/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246767642,"owners_count":20830528,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T09:01:23.683Z","updated_at":"2025-04-02T06:30:46.563Z","avatar_url":"https://github.com/punk-security.png","language":"Python","readme":"[![Maintenance](https://img.shields.io/badge/Maintained%3F-yes-green.svg)](https://GitHub.com/punk-security/secret-magpie-cli/graphs/commit-activity)\n[![Maintainer](https://img.shields.io/badge/maintainer-PunkSecurity-blue)](https://www.punksecurity.co.uk)\n[![Docker Pulls](https://img.shields.io/docker/pulls/punksecurity/dnsreaper)](https://hub.docker.com/r/punksecurity/dnsreaper)\n[![Lines of Code](https://sonarcloud.io/api/project_badges/measure?project=punk-security_dnsReaper\u0026metric=ncloc)](https://sonarcloud.io/summary/new_code?id=punk-security_dnsReaper)\n[![Vulnerabilities](https://sonarcloud.io/api/project_badges/measure?project=punk-security_dnsReaper\u0026metric=vulnerabilities)](https://sonarcloud.io/summary/new_code?id=punk-security_dnsReaper)\n[![Bugs](https://sonarcloud.io/api/project_badges/measure?project=punk-security_dnsReaper\u0026metric=bugs)](https://sonarcloud.io/summary/new_code?id=punk-security_dnsReaper)\n\n# DNS Reaper\n\nDNS Reaper is yet another sub-domain takeover tool, but with an emphasis on accuracy, speed and the number of signatures in our 
arsenal!\n\nWe can scan around 50 subdomains per second, testing each one with over 50 takeover signatures.\nThis means most organisations can scan their entire DNS estate in less than 10 seconds.\n\nTo make it easier to get started, we've built a cheeky little web version that will scan a DNS zone file, a comma-separated list, or up to 100 subdomains we find from ProjectDiscovery.  \n\nCheck it out: [dnsreaper web](https://punksecurity.co.uk/dnsreaper)\n\n\nOf course the CLI tool is much more EPIC, and it's faster.\n\n![DNS Reaper detects if a domain has a broken cname record and can be taken over by registering the domain's cname](docs/reaper_detection.png \"DNS Reaper detects if a domain has a broken cname record and can be taken over by registering the domain's cname\")\n\n\n### You can use DNS Reaper as an attacker or bug hunter!\n\n You can run it by providing a list of domains in a file, or a single domain on the command line.  DNS Reaper will then scan the domains with all of its signatures, producing a CSV file.\n\n### You can use DNS Reaper as a defender! \n\nYou can run it by letting it fetch your DNS records for you!  Yes that's right, you can run it with credentials and test all your domain config quickly and easily.  DNS Reaper will connect to the DNS provider and fetch all your records, and then test them.\n\nWe currently support AWS Route53, Cloudflare, and Azure. Documentation on adding your own provider can be found [here](/providers/readme.md)\n\n### You can use DNS Reaper as a DevSecOps Pro!\n[Punk Security](https://www.punksecurity.co.uk) are a DevSecOps company, and DNS Reaper has its roots in modern security best practice.\n\nYou can run DNS Reaper in a pipeline, feeding it a list of domains that you intend to provision, and it will exit Non-Zero if it detects a takeover is possible.  
You can prevent takeovers before they are even possible!\n\n## Usage \nTo run DNS Reaper, you can use the docker image or run it with Python 3.11.\n\n**Findings are returned in the output and more detail is provided in a local \"results.csv\" file.  We also support json output as an option.**\n\n### Run it with docker\n\n```shell\n docker run punksecurity/dnsreaper --help \n```\n\n### Run it locally\n\u003e [!IMPORTANT]\n\u003e The minimum version of Python that dnsReaper supports is 3.9, but 3.11 is recommended. We attempt to maintain support for stable versions of Python that are not end-of-life.\nWe will not provide support or accept pull requests for issues that affect end-of-life versions of Python. See [Status of Python versions](https://devguide.python.org/versions/) for more information.\n\nWhen running locally, we recommend using a virtual environment (venv) to avoid dependency conflicts.\nInstructions available [Here](https://packaging.python.org/en/latest/guides/installing-using-pip-and-virtual-environments/#create-and-use-virtual-environments).\n\n```shell\npip install -r requirements.txt\npython main.py --help\n```\n\n### Common commands\n\n* Scan AWS account:\n\n    ``` docker run punksecurity/dnsreaper aws --aws-access-key-id \u003ckey\u003e --aws-access-key-secret \u003csecret\u003e ```\n\n    For more information, see [the documentation for the aws provider](/docs/aws.md)\n* Scan all domains from file:\n\n    ``` docker run -it --rm -v $(pwd):/etc/dnsreaper punksecurity/dnsreaper file --filename /etc/dnsreaper/\u003cfilename\u003e ```\n* Scan single domain\n\n    ``` docker run -it --rm punksecurity/dnsreaper single --domain \u003cdomain\u003e ```\n* Scan single domain and output to stdout:\n\n    You should either redirect the stderr output or save stdout output with \u003e\n\n    ``` docker run -it --rm punksecurity/dnsreaper single --domain \u003cdomain\u003e --out stdout --out-format=json \u003e output```\n### Full usage\n\n```\n          ____  
            __   _____                      _ __\n         / __ \\__  ______  / /__/ ___/___  _______  _______(_) /___  __\n        / /_/ / / / / __ \\/ //_/\\__ \\/ _ \\/ ___/ / / / ___/ / __/ / / /\n       / ____/ /_/ / / / / ,\u003c  ___/ /  __/ /__/ /_/ / /  / / /_/ /_/ /\n      /_/    \\__,_/_/ /_/_/|_|/____/\\___/\\___/\\__,_/_/  /_/\\__/\\__, /\n                                             PRESENTS         /____/\n                              DNS Reaper ☠️\n\n             Scan all your DNS records for subdomain takeovers!\n\nusage:\nmain.py provider [options]\n\noutput:\n  findings output to screen and (by default) results.csv\n\nhelp:\nmain.py --help\n\nproviders:\n  \u003e aws - Scan multiple domains by fetching them from AWS Route53\n  \u003e azure - Scan multiple domains by fetching them from Azure DNS services\n  \u003e bind - Read domains from a dns BIND zone file, or path to multiple\n  \u003e cloudflare - Scan multiple domains by fetching them from Cloudflare\n  \u003e digitalocean - Scan multiple domains by fetching them from Digital Ocean\n  \u003e file - Read domains from a file (or folder of files), one per line\n  \u003e godaddy - Scan multiple domains by fetching them from GoDaddy\n  \u003e googlecloud - Scan multiple domains by fetching them from Google Cloud. 
Requires GOOGLE_APPLICATION_CREDENTIALS environment variable.\n  \u003e projectdiscovery - Scan multiple domains by fetching them from ProjectDiscovery\n  \u003e securitytrails - Scan multiple domains by fetching them from Security Trails\n  \u003e single - Scan a single domain by providing a domain on the commandline\n  \u003e zonetransfer - Scan multiple domains by fetching records via DNS zone transfer\n\npositional arguments:\n  {aws,azure,bind,cloudflare,digitalocean,file,godaddy,googlecloud,projectdiscovery,securitytrails,single,zonetransfer}\n\noptions:\n  -h, --help            Show this help message and exit\n  --out OUT             Output file (default: results) - use 'stdout' to stream out\n  --out-format {csv,json}\n  --resolver RESOLVER   Provide a custom DNS resolver\n  --parallelism PARALLELISM\n                        Number of domains to test in parallel - too high and you may see odd DNS results (default: 30)\n  --disable-probable    Do not check for probable conditions\n  --enable-unlikely     Check for more conditions, but with a high false positive rate\n  --signature SIGNATURE\n                        Only scan with this signature (multiple accepted)\n  --exclude-signature EXCLUDE_SIGNATURE\n                        Do not scan with this signature (multiple accepted)\n  --pipeline            Exit Non-Zero on detection (used to fail a pipeline)\n  -v, --verbose         -v for verbose, -vv for extra verbose\n  --nocolour            Turns off coloured text\n\naws:\n  Scan multiple domains by fetching them from AWS Route53\n\n  --aws-access-key-id AWS_ACCESS_KEY_ID\n                        Optional\n  --aws-access-key-secret AWS_ACCESS_KEY_SECRET\n                        Optional\n  --aws-session-token AWS_SESSION_TOKEN\n                        Optional\n\nazure:\n  Scan multiple domains by fetching them from Azure DNS services\n\n  --az-subscription-id AZ_SUBSCRIPTION_ID\n                        Required\n  --az-tenant-id AZ_TENANT_ID\n             
           Required\n  --az-client-id AZ_CLIENT_ID\n                        Required\n  --az-client-secret AZ_CLIENT_SECRET\n                        Required\n\nbind:\n  Read domains from a dns BIND zone file, or path to multiple\n\n  --bind-zone-file BIND_ZONE_FILE\n                        Required\n\ncloudflare:\n  Scan multiple domains by fetching them from Cloudflare\n\n  --cloudflare-token CLOUDFLARE_TOKEN\n                        Required\n\ndigitalocean:\n  Scan multiple domains by fetching them from Digital Ocean\n\n  --do-api-key DO_API_KEY\n                        Required\n  --do-domains DO_DOMAINS\n                        Optional\n\nfile:\n  Read domains from a file (or folder of files), one per line\n\n  --filename FILENAME   Required\n\nprojectdiscovery:\n  Scan multiple domains by fetching them from ProjectDiscovery\n\n  --pd-api-key PD_API_KEY\n                        Required\n  --pd-domains PD_DOMAINS\n                        Required\n\ngodaddy:\n  Scan multiple domains by fetching them from GoDaddy\n  \n  --gd-api-key GD_API_KEY\n                        Required\n  --gd-api-secret GD_API_SECRET\n                        Required\n  --gd-domains GD_DOMAINS\n                        Optional\n\ngooglecloud:\n  Scan multiple domains by fetching them from Google Cloud. 
Requires GOOGLE_APPLICATION_CREDENTIALS environment variable.\n\n  --project-id PROJECT_ID\n                        Required\n\nprojectdiscovery:\n  Scan multiple domains by fetching them from ProjectDiscovery\n\n  --pd-api-key PD_API_KEY\n                        Required\n  --pd-domains PD_DOMAINS\n                        Required\n\nsecuritytrails:\n  Scan multiple domains by fetching them from Security Trails\n\n  --st-api-key ST_API_KEY\n                        Required\n  --st-domains ST_DOMAINS\n                        Required\n\ngooglecloud:\n  Scan multiple domains by fetching them from Google Cloud\n\n  --project-id PROJECT_ID\n                        Required\n\nprojectdiscovery:\n  Scan multiple domains by fetching them from ProjectDiscovery\n\n  --pd-api-key PD_API_KEY\n                        Required\n  --pd-domains PD_DOMAINS\n                        Optional\n\nsecuritytrails:\n  Scan multiple domains by fetching them from Security Trails\n\n  --st-api-key ST_API_KEY\n                        Required\n  --st-domains ST_DOMAINS\n                        Optional\n\nsingle:\n  Scan a single domain by providing a domain on the commandline\n\n  --domain DOMAIN       Required\n\nzonetransfer:\n  Scan multiple domains by fetching records via DNS zone transfer\n\n  --zonetransfer-nameserver ZONETRANSFER_NAMESERVER\n                        Required\n  --zonetransfer-domain ZONETRANSFER_DOMAIN\n                        Required\n```\n","funding_links":[],"categories":["Python","Miscellaneous","扫描器、资产收集、子域名","[](#table-of-contents) Table of contents"],"sub_categories":["Subdomain Takeover","网络服务_其他","[](#subdomains-scanbrute)Subdomains scan/brute"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpunk-security%2FdnsReaper","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpunk-security%2FdnsReaper","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpunk-security%2FdnsReaper/lists"}