https://github.com/martinvw/subdomain-takeover-tools

Some helper tools to validate subdomain takeovers (python, python3, subdomain-takeover)

# Subdomain Takeover Tools

[![Latest Package version](https://badge.fury.io/py/subdomain-takeover-tools.svg)](https://badge.fury.io/py/subdomain-takeover-tools)
[![Build status](https://img.shields.io/pypi/status/subdomain_takeover_tools.svg?maxAge=2592000)](https://pypi.python.org/pypi/subdomain_takeover_tools)
[![Supported versions](https://img.shields.io/pypi/pyversions/subdomain_takeover_tools.svg?maxAge=2592000)](https://pypi.python.org/pypi/subdomain_takeover_tools)

A set of tools to validate the initial outcome of [subtake](https://github.com/jakejarvis/subtake).

## Installation

1. Install using pip:

``pip install subdomain_takeover_tools``

For Windows:

``py -m pip install subdomain_takeover_tools``

Alternatively, you can download or clone this repo and call `pip install -e .`.

## Confirming takeovers

All scripts support the following two parameters:

- `--strict`: only report a subdomain as vulnerable if the same issue is not also present on the apex (`hostname.tld`) and on `www.hostname.tld`; this filters out findings caused by a wildcard record rather than a dangling subdomain.
- `--inverse`: invert the report, i.e. list all subdomains that are not vulnerable.
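
The filter semantics above, as an added example (not the project's own code): `is_vulnerable` stands in for whatever service-specific check a `confirm_*` script performs, and is driven here by a constructed lookup table so the example runs offline. `apex_of` assumes a two-label apex; a production tool should consult the public suffix list.

```python
import argparse
import sys

# Constructed sample results (hostname -> outcome of the service check).
# wild.example.net is the wildcard case: apex and www show the same "issue",
# so it is not a real dangling record and --strict should drop it.
SAMPLE_RESULTS = {
    "dangling.example.com": True,
    "example.com": False,
    "www.example.com": False,
    "wild.example.net": True,
    "example.net": True,
    "www.example.net": True,
    "safe.example.org": False,
    "example.org": False,
    "www.example.org": False,
}


def sample_check(hostname):
    """Stand-in for a service-specific takeover check (assumption)."""
    return SAMPLE_RESULTS.get(hostname.lower(), False)


def apex_of(hostname):
    """hostname.tld for a subdomain. Assumption: two-label apex; real code
    should use the public suffix list (co.uk and friends have three labels)."""
    labels = hostname.strip(".").lower().split(".")
    return ".".join(labels[-2:])


def filter_findings(hostnames, is_vulnerable, strict=False, inverse=False):
    """Apply the --strict and --inverse semantics to a list of hostnames.

    strict:  suppress a hit when the apex or www.<apex> shows the same issue
             (reading of the README wording; a wildcard is suppressed either way).
    inverse: report the hostnames that are NOT vulnerable instead.
    """
    reported = []
    for host in hostnames:
        host = host.strip().lower()
        vulnerable = is_vulnerable(host)
        if vulnerable and strict:
            apex = apex_of(host)
            if host != apex and (is_vulnerable(apex) or is_vulnerable("www." + apex)):
                vulnerable = False
        if vulnerable != inverse:
            reported.append(host)
    return reported


if __name__ == "__main__":
    # Mirrors the scripts' interface: hostnames on stdin, flags on the command line.
    parser = argparse.ArgumentParser(description="strict/inverse filter demo")
    parser.add_argument("--strict", action="store_true")
    parser.add_argument("--inverse", action="store_true")
    args = parser.parse_args()
    hosts = [line for line in sys.stdin.read().splitlines() if line.strip()]
    for host in filter_findings(hosts, sample_check, args.strict, args.inverse):
        print(host)
```

Run it with `printf 'dangling.example.com\nwild.example.net\nsafe.example.org\n' | python3 filter_demo.py --strict` to see only `dangling.example.com` survive.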

Some scripts require a config file at `.subdomain_takeover_tools.ini`; an example is shown below. The values are placeholders, but the GitHub access token and Fastly API token are live credentials once filled in, so keep this file out of version control and readable only by your own user.

```ini
[azure]
subscription_id=44713cf2-8656-11ec-a8a3-0242ac120002
[github]
username=martinvw
access_token=44713cf2-8656-11ec-a8a3-0242ac120002
repo=44713cf2-8656-11ec-a8a3-0242ac120002
[fastly]
api_token=44713cf2-8656-11ec-a8a3-0242ac120002
service=44713cf2-8656-11ec-a8a3-0242ac120002
version=3
```

### Confirming S3

Subtake produces some false positives here: Google Cloud Storage buckets are reported as S3 buckets, and buckets that answer "Access Denied" (they exist, they are just not public) also end up in the results.

The script `confirm-s3.py` (invoked as `confirm_s3` below) checks that the bucket is actually claimable before reporting it.

```bash
grep "\[s3 bucket: " subtake-output.txt | confirm_s3
```
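
To show what such a check has to distinguish, here is an added example (not the project's `confirm_s3`) that classifies the HTTP response from a bucket-style hostname. The sample responses are constructed; the use of the `x-guploader-uploadid` header to recognise Google Cloud Storage and `x-amz-request-id` to recognise S3 is an assumption about those services' response headers.

```python
import xml.etree.ElementTree as ET


def _error_code(body):
    """Extract <Code> from an S3-style <Error> XML body, or None."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "Error":
        return None
    code = root.find("Code")
    return code.text if code is not None else None


def classify_bucket_response(status, headers, body):
    """Classify a GET on a bucket host.

    'claimable': S3 says NoSuchBucket, so the name is free at this moment
    'exists':    bucket is present (AccessDenied or a 200 listing)
    'redirect':  bucket exists in another region, not claimable
    'gcs':       Google Cloud Storage answered, not S3 at all
    'unknown':   anything else (e.g. an HTML 404 from a different service)
    """
    hdr = {k.lower(): v for k, v in headers.items()}
    if "x-guploader-uploadid" in hdr:  # assumption: GCS-specific request header
        return "gcs"
    code = _error_code(body)
    if code == "NoSuchBucket":
        return "claimable" if "x-amz-request-id" in hdr else "unknown"
    if status == 403 or code in ("AccessDenied", "AllAccessDisabled"):
        return "exists"
    if code in ("PermanentRedirect", "TemporaryRedirect") or status in (301, 307):
        return "redirect"
    if status == 200:
        return "exists"
    return "unknown"


# Constructed sample responses: (status, headers, body)
S3_MISSING = (
    404,
    {"x-amz-request-id": "EXAMPLE1", "Content-Type": "application/xml"},
    b'<?xml version="1.0" encoding="UTF-8"?><Error><Code>NoSuchBucket</Code>'
    b"<Message>The specified bucket does not exist</Message>"
    b"<BucketName>old-assets</BucketName><RequestId>EXAMPLE1</RequestId></Error>",
)
S3_PRIVATE = (
    403,
    {"x-amz-request-id": "EXAMPLE2"},
    b'<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code>'
    b"<Message>Access Denied</Message></Error>",
)
GCS_MISSING = (
    404,
    {"x-guploader-uploadid": "EXAMPLE3"},
    b'<?xml version="1.0" encoding="UTF-8"?><Error><Code>NoSuchBucket</Code>'
    b"<Message>The specified bucket does not exist.</Message></Error>",
)
HTML_404 = (404, {"Content-Type": "text/html"}, b"<html><body>not found</body></html>")
```

A `claimable` verdict only means the name is free right now; before reporting a takeover you still have to confirm that the name can be created in the region the DNS record points at, and that the record itself is still in place.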

### Confirming ELB

Some Elastic Beanstalk hostname patterns are vulnerable while others are not; to filter them, use:

```bash
grep "\[elasticbeanstalk: " subtake-output.txt | confirm_elb
```

*Note:* `--strict` is accepted here but does not produce meaningful results.

Some AWS regions are opt-in and not enabled by default. If you receive the following error:

> botocore.exceptions.ClientError: An error occurred (InvalidClientTokenId) when calling the CheckDNSAvailability operation: The security token included in the request is invalid.

it may mean that the region has not yet been enabled for your account; see https://console.aws.amazon.com/billing/home?#/account
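
The check behind the error message above, as an added example (not the project's `confirm_elb`): split an Elastic Beanstalk CNAME into its prefix and region, then ask the `CheckDNSAvailability` API whether that prefix is free. It assumes environment CNAMEs look like `<prefix>.<region>.elasticbeanstalk.com` or the older `<prefix>.elasticbeanstalk.com`, and that the older form lives in `us-east-1`. `boto3` is imported lazily so the parser runs without AWS credentials.

```python
import re
import sys

# Assumption about the CNAME layout; prefixes are 4-63 chars without dots.
EB_HOST = re.compile(
    r"^(?P<prefix>[a-z0-9][a-z0-9-]{2,61}[a-z0-9])"
    r"(?:\.(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d))?"
    r"\.elasticbeanstalk\.com\.?$",
    re.IGNORECASE,
)


def parse_eb_hostname(host):
    """Return (cname_prefix, region) or None if this is not an EB hostname."""
    m = EB_HOST.match(host.strip())
    if not m:
        return None
    region = (m.group("region") or "us-east-1").lower()  # assumption for legacy form
    return m.group("prefix").lower(), region


def eb_cname_available(prefix, region):
    """Ask Elastic Beanstalk whether `prefix` can be claimed in `region`.

    Requires AWS credentials; an InvalidClientTokenId error is translated into
    the opt-in-region hint from the README.
    """
    import boto3
    from botocore.exceptions import ClientError

    client = boto3.client("elasticbeanstalk", region_name=region)
    try:
        return client.check_dns_availability(CNAMEPrefix=prefix)["Available"]
    except ClientError as exc:
        if exc.response["Error"]["Code"] == "InvalidClientTokenId":
            raise RuntimeError(
                f"{region} may be an opt-in region that is not enabled for this account"
            ) from exc
        raise


def check_host(host, checker=eb_cname_available):
    """None if `host` is not an EB name, else whether its prefix is claimable."""
    parsed = parse_eb_hostname(host)
    if parsed is None:
        return None
    return checker(*parsed)


if __name__ == "__main__":
    # Expects the CNAME targets (the *.elasticbeanstalk.com names), one per line.
    for line in sys.stdin:
        verdict = check_host(line)
        if verdict is not None:
            print(f"{line.strip()}\t{'CLAIMABLE' if verdict else 'taken'}")
```

`Available: true` means the prefix can be registered in that region right now; it says nothing about whether the victim's DNS record still points at it, so pair it with an authoritative DNS lookup before reporting.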

### Confirming Shopify

So far every Shopify hit has turned out to be vulnerable, so the following check only validates the DNS record:

```bash
grep "\[shopify: " subtake-output.txt | confirm_shopify
```

### Filtering Pantheon

Please note that for Pantheon this repo currently only provides an initial check that eliminates some false positives; a hit is not yet a confirmed takeover.

```bash
grep "\[pantheon: " subtake-output.txt | confirm_pantheon
```

### Filtering Cargo Collective

Please note that for Cargo Collective this repo currently only provides an initial check that eliminates some false positives; a hit is not yet a confirmed takeover.

```bash
grep "\[cargo: " subtake-output.txt | confirm_cargo
```

## Separate tools

### Extracting domain names

As part of my process I want to know the domains involved in my findings.

Example usage:

```bash
cut -f3 < subtake-output.txt | extract_domain_names | sort -u > involved.domains
```

Note that `extract_domain_names` also supports groups such as `domain.(co.id|in.th|ph|vn)`, which are expanded automatically into one domain per alternative.
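
The group expansion described above, as an added example (not the project's `extract_domain_names`): domain-like tokens are pulled out of free text, groups are expanded, and the result is de-duplicated. It goes beyond the single example in the text by handling more than one group per name and empty alternatives such as `store(|s)`. The input lines are constructed and do not claim to match subtake's exact output format.

```python
import itertools
import re

# A label is plain hostname characters or a parenthesised group of alternatives.
LABEL = r"(?:[a-z0-9-]|\([^()]*\))+"
DOMAIN_TOKEN = re.compile(
    rf"(?<![\w.-])(?:{LABEL}\.)+(?:[a-z]{{2,}}|\([^()]+\))(?![\w-])", re.I
)
GROUP = re.compile(r"\(([^()]*)\)")


def expand_groups(pattern):
    """'domain.(co.id|in.th)' -> ['domain.co.id', 'domain.in.th'].

    Every group is expanded independently, so two groups yield the cartesian
    product of their alternatives; an empty alternative contributes nothing.
    """
    parts = GROUP.split(pattern)  # [text, group, text, group, ..., text]
    choices = []
    for i, part in enumerate(parts):
        if i % 2:
            choices.append([alt.strip() for alt in part.split("|")])
        else:
            choices.append([part])
    return ["".join(combo) for combo in itertools.product(*choices)]


def extract_domain_names(text):
    """Sorted, unique, lower-cased domain names found in `text`."""
    names = set()
    for token in DOMAIN_TOKEN.findall(text):
        for name in expand_groups(token):
            names.add(name.lower().strip("."))
    return sorted(names)


# Constructed input: a few finding-like lines, an IP address that must be ignored.
SAMPLE_INPUT = """\
assets.shop.example.com
cdn.domain.(co.id|in.th|ph|vn)
static.store(|s).example.net
198.51.100.7
"""

if __name__ == "__main__":
    for name in extract_domain_names(SAMPLE_INPUT):
        print(name)
```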

### Resolving from the authoritative DNS servers

To validate results, I want to check whether the DNS record is still in place.

To do this, the tool walks the delegation chain step by step and fetches the record from the authoritative DNS servers, so the answer is not a stale entry served by a caching resolver.

```bash
authoritative_resolve "github.com" "martinvw.nl"
```
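
The delegation walk described above, as an added example (not the project's `authoritative_resolve`): the resolver starts at a root server, follows NS referrals using glue, resolves a name server's own address when a delegation is glueless, and stops at the first server that answers authoritatively. The `query` function is injected so the algorithm runs offline against a constructed DNS tree (`FAKE_DNS`, addresses from the documentation ranges); the tree, its names and `Response` are assumptions for the example.

```python
from collections import namedtuple

# One reply, reduced to what the walk needs: answer records (name, type, value),
# NS names of a referral, and glue addresses for those NS names.
Response = namedtuple("Response", "answer referral glue")

ROOT_HINTS = ["192.0.2.1"]  # constructed root server address
MAX_HOPS = 16


def authoritative_resolve(name, rtype, query, roots=ROOT_HINTS, _depth=0):
    """Walk delegations from the root until an authoritative server answers.

    query(server_ip, name, rtype) -> Response is injected; a real caller
    would wrap dnspython. Returns (answer_records, servers_asked_in_order).
    """
    if _depth > 4:
        raise RuntimeError("delegation loop while resolving a name server address")
    name = name.rstrip(".").lower()
    servers, trail = list(roots), []
    for _ in range(MAX_HOPS):
        server = servers[0]
        trail.append(server)
        resp = query(server, name, rtype)
        if resp.answer:
            return list(resp.answer), trail
        if not resp.referral:
            return [], trail  # authoritative server: no such record
        # Follow the referral via glue; otherwise resolve an NS name first.
        servers = [resp.glue[ns] for ns in resp.referral if ns in resp.glue]
        if not servers:
            for ns in resp.referral:
                addrs, _ = authoritative_resolve(ns, "A", query, roots, _depth + 1)
                servers = [value for _n, rec_type, value in addrs if rec_type == "A"]
                if servers:
                    break
            if not servers:
                return [], trail  # glueless delegation we could not resolve
    raise RuntimeError("too many delegation hops")


# Constructed DNS tree: server ip -> {name or zone suffix: Response}
FAKE_DNS = {
    "192.0.2.1": {  # root: refers .com and .org to their TLD servers
        "com": Response([], ["ns.com-tld.test"], {"ns.com-tld.test": "198.51.100.1"}),
        "org": Response([], ["ns.org-tld.test"], {"ns.org-tld.test": "198.51.100.2"}),
    },
    "198.51.100.1": {  # .com TLD server: delegation with glue
        "example.com": Response([], ["ns1.example.com"], {"ns1.example.com": "203.0.113.10"}),
    },
    "198.51.100.2": {  # .org TLD server: glueless delegation to an out-of-zone NS
        "example.org": Response([], ["ns1.example.com"], {}),
    },
    "203.0.113.10": {  # authoritative for example.com and example.org
        "takeover.example.com": Response(
            [("takeover.example.com", "CNAME", "abandoned-site.s3.amazonaws.com")], [], {}
        ),
        "ns1.example.com": Response([("ns1.example.com", "A", "203.0.113.10")], [], {}),
        "www.example.org": Response([("www.example.org", "A", "203.0.113.20")], [], {}),
        "example.com": Response([], [], {}),  # any other name: does not exist
        "example.org": Response([], [], {}),
    },
}


def fake_query(server, name, rtype):
    """Answer from FAKE_DNS using the longest matching name or zone suffix."""
    table = FAKE_DNS[server]
    best = max(
        (k for k in table if name == k or name.endswith("." + k)), key=len, default=None
    )
    return table[best] if best else Response([], [], {})


if __name__ == "__main__":
    answer, trail = authoritative_resolve("takeover.example.com", "A", fake_query)
    print(answer, "via", " -> ".join(trail))
```

With dnspython a real `query` would build `dns.message.make_query(name, rtype)`, send it with `dns.query.udp(msg, server)` and map `response.answer`, `response.authority` and `response.additional` onto the three `Response` fields. A record that is absent at the authoritative server but still returned by a recursive resolver is exactly the stale case this walk is meant to catch.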

### Exporting and enriching

The `subtake_enrich_and_export` tool splits the existing output and adds some additional columns:

- has a wildcard
- domain name
- tld
- still vulnerable
- authoritative results

```bash
subtake_enrich_and_export < subtake-output.txt
```