Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
DNSTake — A fast tool to check missing hosted DNS zones that can lead to subdomain takeover
https://github.com/pwnesia/dnstake
Last synced: 9 days ago
DNSTake — A fast tool to check missing hosted DNS zones that can lead to subdomain takeover
- Host: GitHub
- URL: https://github.com/pwnesia/dnstake
- Owner: pwnesia
- License: mit
- Created: 2021-08-24T11:22:15.000Z (about 3 years ago)
- Default Branch: master
- Last Pushed: 2023-02-13T09:08:15.000Z (over 1 year ago)
- Last Synced: 2024-07-31T19:24:37.413Z (3 months ago)
- Topics: dns, go, golang, nameserver, subdomain, takeover, vulnerability
- Language: Go
- Homepage:
- Size: 50.8 KB
- Stars: 817
- Watchers: 10
- Forks: 67
- Open Issues: 8
Metadata Files:
- Readme: README.md
- License: LICENSE
- Codeowners: CODEOWNERS
Awesome Lists containing this project
- awesome-hacking-lists - pwnesia/dnstake - DNSTake — A fast tool to check missing hosted DNS zones that can lead to subdomain takeover (Go)
README
# DNSTake
A fast tool to check missing hosted DNS zones that can lead to subdomain takeover.
---
## What is a DNS takeover?
DNS takeover vulnerabilities occur when a subdomain (subdomain.example.com) or domain has its authoritative nameserver set to a provider (e.g. AWS Route 53, Akamai, Microsoft Azure, etc.) but the hosted zone has been removed or deleted. Consequently, when making a [request for DNS records](https://www.diggui.com/#type=A&hostname=github.technology&nameserver=public&public=8.8.8.8&specify=&clientsubnet=&tcp=def&transport=def&mapped=def&nssearch=def&trace=def&recurse=def&edns=def&dnssec=def&subnet=def&cookie=def&all=def&cmd=def&question=def&answer=def&authority=def&additional=def&comments=def&stats=def&multiline=def&short=def&colorize=on) the server responds with a `SERVFAIL` error. This allows an attacker to create the missing hosted zone on the service that was being used and thus control all DNS records for that (sub)domain.¹
## Installation
### from Binary
The ez way! You can download a pre-built binary from [releases page](https://github.com/pwnesia/dnstake/releases), just unpack and run!
### from Source
NOTE: Go 1.16+ compiler should be installed & configured!
Very quick & clean!
```bash
▶ go install github.com/pwnesia/dnstake/cmd/dnstake@latest
```

#### — or
Manual building executable from source code:
```bash
▶ git clone https://github.com/pwnesia/dnstake
▶ cd dnstake/cmd/dnstake
▶ go build .
▶ (sudo) mv dnstake /usr/local/bin
```

## Usage
```console
$ dnstake -h
·▄▄▄▄ ▐ ▄ .▄▄ ·▄▄▄▄▄ ▄▄▄· ▄ •▄ ▄▄▄ .
██▪ ██ •█▌▐█▐█ ▀.•██ ▐█ ▀█ █▌▄▌▪▀▄.▀·
▐█· ▐█▌▐█▐▐▌▄▀▀▀█▄▐█.▪▄█▀▀█ ▐▀▀▄·▐▀▀▪▄
██. ██ ██▐█▌▐█▄▪▐█▐█▌·▐█ ▪▐▌▐█.█▌▐█▄▄▌
▀▀▀▀▀• ▀▀ █▪ ▀▀▀▀ ▀▀▀ ▀ ▀ ·▀ ▀ ▀▀▀
(c) pwnesia.org — v0.0.1

Usage:
  [stdin] | dnstake [options]
  dnstake -t HOSTNAME [options]

Options:
  -t, --target      Define single target host/list to check
  -c, --concurrent  Set the concurrency level (default: 25)
  -s, --silent      Suppress errors and/or clean output
  -o, --output      Save vulnerable hosts to FILE
  -h, --help        Display its help

Examples:
  dnstake -t (sub.)domain.tld
  dnstake -t hosts.txt
  dnstake -t hosts.txt -o ./dnstake.out
  cat hosts.txt | dnstake
  subfinder -silent -d domain.tld | dnstake
```

## Workflow
**DNSTake** uses the [RetryableDNS client library](https://github.com/projectdiscovery/retryabledns) to send DNS queries. It first resolves the target through Google and Cloudflare public DNS, then checks and fingerprints the target host's nameservers. If it finds any, it resolves the target host again using those nameserver IPs as the resolver; a DNS status other than `NOERROR`/`NXDOMAIN` in that reply means the host is vulnerable to takeover. The flow is more or less [this diagram](https://0xpatrik.com/content/images/2018/08/ns_automation-2.png).
For the list of currently supported DNS providers, see [here](https://github.com/indianajson/can-i-take-over-dns/blob/97104102c8ce911fd978521c703f26e1c547c613/README.md#dns-providers).
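As an added illustration of the workflow above (example code, not DNSTake's own), the check below follows the same steps against a constructed in-memory DNS fixture; `Querier`, `fakeDNS`, `CheckTakeover` and the `.example` names are assumptions, and a real `Querier` would wrap a DNS library such as miekg/dns.

```go
package main

import "fmt"

// Querier sends one DNS question to one server; fakeDNS below is a constructed stand-in.
type Querier interface {
	Query(name, qtype, server string) (rcode string, answers []string)
}

// fakeDNS is keyed by "server/name/qtype"; unknown questions get NXDOMAIN.
type fakeDNS map[string]struct{ rcode string; records []string }

func (f fakeDNS) Query(name, qtype, server string) (string, []string) {
	if a, ok := f[server+"/"+name+"/"+qtype]; ok {
		return a.rcode, a.records
	}
	return "NXDOMAIN", nil
}

const publicResolver = "8.8.8.8" // stands in for the Google/Cloudflare resolvers DNSTake starts with

// CheckTakeover follows the README workflow: learn the host's NS records from a
// public resolver, resolve each NS name to its IPs, then ask those IPs for the host
// directly. Any status other than NOERROR/NXDOMAIN from the delegated server is reported.
func CheckTakeover(host string, q Querier) (findings []string) {
	_, nsNames := q.Query(host, "NS", publicResolver)
	for _, ns := range nsNames {
		_, ips := q.Query(ns, "A", publicResolver)
		for _, ip := range ips {
			if rcode, _ := q.Query(host, "A", ip); rcode != "NOERROR" && rcode != "NXDOMAIN" {
				findings = append(findings, fmt.Sprintf("%s via %s (%s): %s", host, ns, ip, rcode))
			}
		}
	}
	return findings
}

// sampleZone is constructed: the provider nameserver still hosts healthy.example but answers SERVFAIL for dangling.example.
var sampleZone = fakeDNS{
	"8.8.8.8/dangling.example/NS":    {"NOERROR", []string{"ns1.provider.example"}},
	"8.8.8.8/healthy.example/NS":     {"NOERROR", []string{"ns1.provider.example"}},
	"8.8.8.8/ns1.provider.example/A": {"NOERROR", []string{"192.0.2.53"}},
	"192.0.2.53/dangling.example/A":  {"SERVFAIL", nil},
	"192.0.2.53/healthy.example/A":   {"NOERROR", []string{"192.0.2.10"}},
}

func main() {
	fmt.Println(CheckTakeover("dangling.example", sampleZone)) // flagged with SERVFAIL
	fmt.Println(CheckTakeover("healthy.example", sampleZone))  // [] (nothing to report)
}
```

Swapping `sampleZone` for a `Querier` backed by real queries turns this into the same dangling-delegation check over your own zones.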
## References
- [1] https://github.com/indianajson/can-i-take-over-dns#what-is-a-dns-takeover
- https://0xpatrik.com/subdomain-takeover-ns/

## License
**DNSTake** is distributed under MIT. See `LICENSE`.