Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/pwnesia/dnstake

DNSTake — A fast tool to check missing hosted DNS zones that can lead to subdomain takeover
https://github.com/pwnesia/dnstake

dns go golang nameserver subdomain takeover vulnerability

Last synced: 4 days ago
JSON representation

DNSTake — A fast tool to check missing hosted DNS zones that can lead to subdomain takeover

Awesome Lists containing this project

README

        

# DNSTake

DNSTake

A fast tool to check missing hosted DNS zones that can lead to subdomain takeover.

---

## What is a DNS takeover?

DNS takeover vulnerabilities occur when a subdomain (subdomain.example.com) or domain has its authoritative nameserver set to a provider (e.g. AWS Route 53, Akamai, Microsoft Azure, etc.) but the hosted zone has been removed or deleted. Consequently, when making a [request for DNS records](https://www.diggui.com/#type=A&hostname=github.technology&nameserver=public&public=8.8.8.8&specify=&clientsubnet=&tcp=def&transport=def&mapped=def&nssearch=def&trace=def&recurse=def&edns=def&dnssec=def&subnet=def&cookie=def&all=def&cmd=def&question=def&answer=def&authority=def&additional=def&comments=def&stats=def&multiline=def&short=def&colorize=on) the server responds with a `SERVFAIL` error. This allows an attacker to create the missing hosted zone on the service that was being used and thus control all DNS records for that (sub)domain.¹

## Installation

### from Binary

The ez way! You can download a pre-built binary from [releases page](https://github.com/pwnesia/dnstake/releases), just unpack and run!

### from Source

NOTE: Go 1.16+ compiler should be installed & configured!

Very quick & clean!

```bash
▶ go install github.com/pwnesia/dnstake/cmd/dnstake@latest
```

#### — or

Manual building executable from source code:

```bash
▶ git clone https://github.com/pwnesia/dnstake
▶ cd dnstake/cmd/dnstake
▶ go build .
▶ (sudo) mv dnstake /usr/local/bin
```

## Usage

```console
$ dnstake -h

·▄▄▄▄ ▐ ▄ .▄▄ ·▄▄▄▄▄ ▄▄▄· ▄ •▄ ▄▄▄ .
██▪ ██ •█▌▐█▐█ ▀.•██ ▐█ ▀█ █▌▄▌▪▀▄.▀·
▐█· ▐█▌▐█▐▐▌▄▀▀▀█▄▐█.▪▄█▀▀█ ▐▀▀▄·▐▀▀▪▄
██. ██ ██▐█▌▐█▄▪▐█▐█▌·▐█ ▪▐▌▐█.█▌▐█▄▄▌
▀▀▀▀▀• ▀▀ █▪ ▀▀▀▀ ▀▀▀ ▀ ▀ ·▀ ▀ ▀▀▀

(c) pwnesia.org — v0.0.1

Usage:
[stdin] | dnstake [options]
dnstake -t HOSTNAME [options]

Options:
-t, --target Define single target host/list to check
-c, --concurrent Set the concurrency level (default: 25)
-s, --silent Suppress errors and/or clean output
-o, --output Save vulnerable hosts to FILE
-h, --help Display its help

Examples:
dnstake -t (sub.)domain.tld
dnstake -t hosts.txt
dnstake -t hosts.txt -o ./dnstake.out
cat hosts.txt | dnstake
subfinder -silent -d domain.tld | dnstake
```

## Workflow

**DNSTake** use [RetryableDNS client library](https://github.com/projectdiscovery/retryabledns) to send DNS queries. Initial engagement using Google & Cloudflare DNS as the resolver, then check & fingerprinting the nameservers of target host — if there is one, it will resolving the target host again with its nameserver IPs as resolver, if it gets weird DNS status response (other than `NOERROR`/`NXDOMAIN`), then it's vulnerable to be taken over. More or less [like this](https://0xpatrik.com/content/images/2018/08/ns_automation-2.png) in form of a diagram.

Currently supported DNS providers, see [here](https://github.com/indianajson/can-i-take-over-dns/blob/97104102c8ce911fd978521c703f26e1c547c613/README.md#dns-providers).

## References

- [1] https://github.com/indianajson/can-i-take-over-dns#what-is-a-dns-takeover
- https://0xpatrik.com/subdomain-takeover-ns/

## License

**DNSTake** is distributed under MIT. See `LICENSE`.