Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/haccer/subjack
Subdomain Takeover tool written in Go
https://github.com/haccer/subjack
bug-bounty bugbounty go golang hostile infosec pentesting security subdomain subdomain-takeover takeover
Last synced: about 1 month ago
JSON representation
Subdomain Takeover tool written in Go
- Host: GitHub
- URL: https://github.com/haccer/subjack
- Owner: haccer
- License: apache-2.0
- Archived: true
- Created: 2017-10-10T23:38:30.000Z (about 7 years ago)
- Default Branch: master
- Last Pushed: 2023-08-13T18:16:35.000Z (about 1 year ago)
- Last Synced: 2024-02-15T09:35:28.022Z (9 months ago)
- Topics: bug-bounty, bugbounty, go, golang, hostile, infosec, pentesting, security, subdomain, subdomain-takeover, takeover
- Language: Go
- Homepage:
- Size: 155 KB
- Stars: 1,822
- Watchers: 45
- Forks: 375
- Open Issues: 48
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-bbht - subjack - Subdomain Takeover tool written in Go (Exploitation / Subdomain Takeover)
- awesome-bbht - subjack - Subdomain Takeover tool written in Go (Exploitation / Subdomain Takeover)
- awesome-bugbounty-tools - subjack - Subdomain Takeover tool written in Go (Miscellaneous / Subdomain Takeover)
- cybersecurity-golang-security - subjack - Subdomain Takeover tool written in Go (Network Scanners)
- awesome-golang-repositories - subjack
- awesome-go-security - subjack - Subdomain Takeover tool written in Go (Network Scanners)
- WebHackersWeapons - subjack
- awesome-hacking-lists - haccer/subjack - Subdomain Takeover tool written in Go (Go)
README
# subjack
[![Build Status](https://api.travis-ci.org/haccer/subjack.svg?branch=master)](https://travis-ci.org/haccer/subjack)
[![Build status](https://ci.appveyor.com/api/projects/status/dm8f2yyjcbn3j1cm?svg=true&passingText=Windows%20-%20OK&failingText=Windows%20-%20failed&pendingText=Windows%20-%20pending)](https://ci.appveyor.com/project/haccer/subjack)
[![Go Report Card](https://goreportcard.com/badge/github.com/haccer/subjack)](https://goreportcard.com/report/github.com/haccer/subjack)
[![GoDoc](https://godoc.org/github.com/haccer/subjack/subjack?status.svg)](http://godoc.org/github.com/haccer/subjack/subjack)
[![GitHub license](https://img.shields.io/github/license/haccer/subjack.svg)](https://github.com/haccer/subjack/blob/master/LICENSE)Subjack is a Subdomain Takeover tool written in Go designed to scan a list of subdomains concurrently and identify ones that are able to be hijacked. With Go's speed and efficiency, this tool really stands out when it comes to mass-testing. Always double check the results manually to rule out false positives.
Subjack will also check for subdomains attached to domains that don't exist (NXDOMAIN) and are **available to be registered**. No need for dig ever again! This is still cross-compatible too.
**What's New? (Last Updated 09/17/18)**
- Custom fingerprint support
- New Services (Re-added Zendesk && Added Readme, Bitly, and more)
- Slight performance enhancements## Installing
Requires [Go](https://golang.org/dl/)
`go get github.com/haccer/subjack`
## How To Use:
Examples:
- `./subjack -w subdomains.txt -t 100 -timeout 30 -o results.txt -ssl`Options:
- `-d test.com` if you want to test a single domain.
- `-w domains.txt` is your list of subdomains.
- `-t` is the number of threads (Default: 10 threads).
- `-timeout` is the seconds to wait before timeout connection (Default: 10 seconds).
- `-o results.txt` where to save results to. For JSON: `-o results.json`
- `-ssl` enforces HTTPS requests which may return a different set of results and increase accuracy.
- `-a` skips CNAME check and sends requests to every URL. **(Recommended)**
- `-m` flag the presence of a dead record, but valid CNAME entry.
- `-v` verbose. Display more information per each request.
- `-c` Path to configuration file.## Practical Use
You can use [scanio.sh](https://gist.github.com/haccer/3698ff6927fc00c8fe533fc977f850f8) which is kind of a PoC script to mass-locate vulnerable subdomains using results from Rapid7's Project Sonar. This script parses and greps through the dump for desired CNAME records and makes a large list of subdomains to check with subjack if they're vulnerable to Hostile Subdomain Takeover. Of course this isn't the only method to get a large amount of data to test. **Please use this responsibly ;)**
## Adding subjack to your workflow
```go
package mainimport (
"fmt"
"encoding/json"
"io/ioutil"
"strings""github.com/haccer/subjack/subjack"
)
func main() {
var fingerprints []subjack.Fingerprints
config, _ := ioutil.ReadFile("custom_fingerprints.json")
json.Unmarshal(config, &fingerprints)subdomain := "dead.cody.su"
/* Use subjack's advanced detection to identify
if the subdomain is able to be taken over. */
service := subjack.Identify(subdomain, false, false, 10, fingerprints)if service != "" {
service = strings.ToLower(service)
fmt.Printf("%s is pointing to a vulnerable %s service.\n", subdomain, service)
}
}
```See the [godoc](https://godoc.org/github.com/haccer/subjack/subjack) for more functions.
## FAQ
**Q:** What should my wordlist look like?**A:** Your wordlist should include a list of subdomains you're checking and should look something like:
```
assets.cody.su
assets.github.com
b.cody.su
big.example.com
cdn.cody.su
dev.cody.su
dev2.twitter.com
```## References
Extra information about Hostile Subdomain Takeovers:- [https://github.com/EdOverflow/can-i-take-over-xyz](https://github.com/EdOverflow/can-i-take-over-xyz)
- [https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/](https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/)