MultiThreaded Subdomain Takeover Tool With 55+ Fingerprints & CNAME | Written in Python3

Hello Friends! In this short tutorial, I will be showing my own Subdomain Takeover vulnerability scanner tool written in Python3.

I have collected fingerprints from various open source projects such as Aquatone, Subzy, Subjack & SubOver.

Also, I added my own 4-5 fingerprints & corresponding CNAME records in this tool.

So, till now, it is the no. 1 tool, having the largest collection of fingerprints & CNAME records.

I personally tested this tool against many targets in order to decrease the chances of False Positives.

For more detailed info, you can read the sections below.

Subdover is a MultiThreaded Subdomain Takeover Vulnerability Scanner written in Python3, which has more than 55+ fingerprints of potentially vulnerable services. It uses the CNAME record for verification of findings.

Built-in Subdomain Enumeration Feature & Auto HTTP prober [Uses Open Source Tool for Subdomain Enum & HTTP probing i.e. findomain & httpx]

Features

  • More than 55+ Fingerprints of potentially vulnerable services
  • Uses CNAME record for verification of findings
  • Built-in Subdomain Enumeration Method [Used findomain for Subdomain Enum]
  • Can Scan targets from subdomain list
  • Can Test Single Target for Subdomain Takeover
  • MultiThread, Extremely Fast Scanner [Default Threads: 10]
  • You can choose number of threads
  • You can save result in TXT file
  • Extremely Clean Output
  • OS Independent [Can be used on any OS which supports Python3]

Tested On

  • Kali Linux - ROLLING EDITION
  • Windows 8.1 - Pro

Prerequisite

  • Python 3.X
  • Few External Modules

How To Use in Linux

# Navigate to the /opt directory (optional)
$ cd /opt/

# Clone this repository
$ git clone https://github.com/Technowlogy-Pushpender/subdover.git

# Navigate to subdover folder
$ cd subdover

# Installing dependencies
$ apt-get update && apt-get install python3-pip
$ pip3 install -r requirements.txt

# If you want to enumerate subdomains with this script itself, you have to install findomain on your OS
# Check out this URL for the Installation Guide: https://github.com/Edu4rdSHL/findomain

# Giving Executable Permission & Checking Help Menu
$ chmod +x subdover.py
$ python3 subdover.py --help

# Testing Single Target [Running Without Giving Parameter]
$ python3 subdover.py

# Enumerating Subdomain & Testing them for Subdomain Takeover
$ python3 subdover.py -d target.com 

# Testing targets for Subdomain Takeover from subdomain list
$ python3 subdover.py --list example_target.txt 

# Changing Number of Threads
$ python3 subdover.py --thread 30 -d target.com

# Saving Result
$ python3 subdover.py -d target.com -o result.txt

# Show Fingerprints & Exit
$ python3 subdover.py -s

How To Use in Windows

# Download this project as zip

# Navigate to subdover folder
$ cd subdover

# Installing dependencies
$ python -m pip install -r requirements.txt

# Checking Help Menu
$ python subdover.py --help

# Testing Single Target [Running Without Giving Parameter]
$ python subdover.py

# Enumerating Subdomain & Testing them for Subdomain Takeover
$ python subdover.py -d target.com 

# Testing targets for Subdomain Takeover from subdomain list
$ python subdover.py --list example_target.txt 

# Changing Number of Threads
$ python subdover.py --thread 30 -d target.com

# Saving Result
$ python subdover.py -d target.com -o result.txt

# Show Fingerprints & Exit
$ python subdover.py -s

Available Arguments

  • Optional Arguments

    Short Hand   Full Hand        Description
    -h           --help           show this help message and exit
    -t           --thread         Number of Threads to Use. Default=10
    -o           --output         Save Result in TXT file
    -s           --fingerprints   Show Available Fingerprints & Exit

  • Required Arguments

    Short Hand   Full Hand        Description
    -d           --domain         Target Wildcard Domain [For AutoSubdomainEnumeration], ex:- google.com
    -l           --list           Target Subdomain List, ex:- google_subdomain.txt

Available Fingerprints & CNAMES of potentially vulnerable services

No. Service Name
1. Acquia
2. Activecampaign
3. AfterShip
4. Aha
5. Apigee
6. AWS/S3
7. Bigcartel
8. Bitbucket
9. Brightcove
10. CampaignMonitor
11. Cargo
12. CargoCollective
13. Cloudfront
14. Desk
15. Fastly
16. Feedpress
17. Freshdesk
18. GetResponse
19. Ghost
20. Github
21. Help Juice
22. Help Scout
23. Heroku
24. Instapage
25. InterCom
26. JetBrains
27. Kajabi
28. Mashery
29. MicrosoftAzure
30. Pantheon
31. Pingdom
32. Proposify
33. Readme.io
34. Shopify
35. SimpleBooklet
36. Smartling
37. Smugmug
38. StatusPage
39. Strikingly
40. Surge.sh
41. Surveygizmo
42. Tave
43. Teamwork
44. Thinkific
45. Tictail
46. Tilda
47. Tumblr
48. Unbounce
49. UptimeRobot
50. UserVoice
51. Vend
52. WebFlow
53. WishPond
54. Wordpress
55. Zendesk
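
Why pairing a fingerprint with the CNAME record cuts down false positives, shown as an added example (this is not Subdover's own code or fingerprint data). The three fingerprint entries, the function names and the sample records are assumptions constructed for illustration, and the check runs offline on (host, CNAME, HTTP body) records you have already collected for your own zone.

```python
# Added illustration: not Subdover's code or its fingerprint database.
# Each entry is an assumed, simplified (CNAME suffix, response-body marker)
# pair for a service named in the list above.
FINGERPRINTS = {
    "Github": ("github.io", "There isn't a GitHub Pages site here."),
    "Heroku": ("herokuapp.com", "No such app"),
    "AWS/S3": ("s3.amazonaws.com", "NoSuchBucket"),
}

# Constructed sample records (host, CNAME target, HTTP body) for an offline run.
SAMPLES = [
    ("docs.example.com", "example-org.github.io.",
     "<p>There isn't a GitHub Pages site here.</p>"),
    ("app.example.com", "example-app.herokuapp.com", "<h1>Welcome</h1>"),
    ("blog.example.com", "cdn.example.net",
     "Tutorial: fixing Heroku's 'No such app' error"),
]


def cname_matches(cname, suffix):
    """True if cname equals suffix or ends with it on a DNS label boundary."""
    name = cname.rstrip(".").lower()
    return name == suffix or name.endswith("." + suffix)


def classify(cname, body):
    """Return (service, verdict) for one host's CNAME target and HTTP body.

    'dangling' needs BOTH the CNAME suffix and the body marker to agree;
    a body marker without the matching CNAME is only 'unverified'.
    """
    body_hit = None
    for service, (suffix, marker) in FINGERPRINTS.items():
        cname_ok = bool(cname) and cname_matches(cname, suffix)
        marker_ok = marker.lower() in body.lower()
        if cname_ok and marker_ok:
            return service, "dangling"
        if cname_ok:
            return service, "in-use"
        if marker_ok and body_hit is None:
            body_hit = service
    return (body_hit, "unverified") if body_hit else (None, "clean")


def audit(records):
    """Map each host to its (service, verdict)."""
    return {host: classify(cname, body) for host, cname, body in records}


if __name__ == "__main__":
    for host, result in audit(SAMPLES).items():
        print(host, *result)
```

A "dangling" result on a zone you manage means the DNS record should be removed, or the resource on the third-party service claimed again, before anyone else registers it.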

Screenshots

Help Menu

Scan Single Target

Enumerate Subdomain & Scan

Scan Targets from SubdomainList

Saving Result

Result of Scan

Official Download Link