Hello Friends! In This Short Tutorial, I will be showing my own Subdomain Takeover vulnerability scanner tool written in python3.
I Have collected fingerprints from various open source projects such as Aquatone, Subzy, Subjack & SubOver.
Also, I added my own 4-5 fingerprints & corresponding CNAME record in this tool.
So till now it no. 1 tool having largest collection of fingerprints & CNAME record.
I personally tested this tool against many targets in order to decrease the chances of False Positives.
For more detailed info, you can read these section below.
Subdover is a MultiThreaded Subdomain Takeover Vulnerability Scanner Written In Python3, Which has more than 55+ Fingerprints of potentially vulnerable serivces. Uses CNAME record for verfication of findings.
Built-in Subdomain Enumeration Feature & Auto HTTP prober [Uses Open Source Tool for Subdomain Enum & HTTP probing i.e. findomain & httpx]
Features
- More than 55+ Fingerprints of potentially vulnerable services
- Uses CNAME record for verification of findings
- Built-in Subdomain Enumeration Method [Used findomain for Subdomain Enum]
- Can Scan targets from subdomain list
- Can Test Single Target for Subdomain Takeover
- MultiThread, Extermely Fast Scanner [Default Threads: 10]
- You can choose number of threads
- You can save result in TXT file
- Extremely Clean Output
- OS Independent [Can be used on any OS which supports Python3]
Tested On
Kali Linux - ROLLING EDITION
Windows 8.1 - Pro
Prerequisite
- Python 3.X
- Few External Modules
How To Use in Linux
# Navigate to the /opt directory (optional)
$ cd /opt/
# Clone this repository
$ git clone https://github.com/Technowlogy-Pushpender/subdover.git
# Navigate to subdover folder
$ cd subdover
# Installing dependencies
$ apt-get update && apt-get install python3-pip
$ pip3 install -r requirements.txt
# If you want to enumerate subdomain using this script only, then you have to install findomain in your OS
$ # Check out this URL for Installtion Guide: https://github.com/Edu4rdSHL/findomain
# Giving Executable Permission & Checking Help Menu
$ chmod +x subdover.py
$ python3 subdover.py --help
# Testing Single Target [Running Without Giving Parameter]
$ python3 subdover.py
# Enumerating Subdomain & Testing them for Subdomain Takeover
$ python3 subdover.py -d target.com
# Testing targets for Subdomain Takeover from subdomain list
$ python3 subdover.py --list example_target.txt
# Changing Number of Threads
$ python3 subdover.py --thread 30 -d target.com
# Saving Result
$ python3 subdover.py -d target.com -o result.txt
# Show Fingerprints & Exit
$ python3 subdover.py -s
How To Use in Windows
# Download this project as zip
# Navigate to subdover folder
$ cd subdover
# Installing dependencies
$ python -m pip install -r requirements.txt
# Checking Help Menu
$ python subdover.py --help
# Testing Single Target [Running Without Giving Parameter]
$ python subdover.py
# Enumerating Subdomain & Testing them for Subdomain Takeover
$ python subdover.py -d target.com
# Testing targets for Subdomain Takeover from subdomain list
$ python subdover.py --list example_target.txt
# Changing Number of Threads
$ python subdover.py --thread 30 -d target.com
# Saving Result
$ python subdover.py -d target.com -o result.txt
# Show Fingerprints & Exit
$ python subdover.py -s
Available Arguments
- Optional Arguments
| Short Hand | Full Hand | Description |
|---|---|---|
| -h | –help | show this help message and exit |
| -t | –thread | Number of Threads to Used. Default=10 |
| -o | –output | Save Result in TXT file |
| -s | –fingerprints | Show Available Fingerprints & Exit |
- Required Arguments
| Short Hand | Full Hand | Description |
|---|---|---|
| -d | –domain | Target Wildcard Domain [For AutoSubdomainEnumeration], ex:- google.com |
| -l | –list | Target Subdomain List, ex:- google_subdomain.txt |
Available Fingerprints & CNAMES of potentially vulnerable servies
| No. | Service Name |
|---|---|
| 1. | Acquia |
| 2. | Activecampaign |
| 3. | AfterShip |
| 4. | Aha |
| 5. | Apigee |
| 6. | AWS/S3 |
| 7. | Bigcartel |
| 8. | Bitbucket |
| 9. | Brightcove |
| 10. | CampaignMonitor |
| 11. | Cargo |
| 12. | CargoCollective |
| 13. | Cloudfront |
| 14. | Desk |
| 15. | Fastly |
| 16. | Feedpress |
| 17. | Freshdesk |
| 18. | GetResponse |
| 19. | Ghost |
| 20. | Github |
| 21. | Help Juice |
| 22. | Help Scout |
| 23. | Heroku |
| 24. | Instapage |
| 25. | InterCom |
| 26. | JetBrains |
| 27. | Kajabi |
| 28. | Mashery |
| 29. | MicrosoftAzure |
| 30. | Pantheon |
| 31. | Pingdom |
| 32. | Proposify |
| 33. | Readme.io |
| 34. | Shopify |
| 35. | SimpleBooklet |
| 36. | Smartling |
| 37. | Smugmug |
| 38. | StatusPage |
| 39. | Strikingly |
| 40. | Surge.sh |
| 41. | Surveygizmo |
| 42. | Tave |
| 43. | Teamwork |
| 44. | Thinkific |
| 45. | Tictail |
| 46. | Tilda |
| 47. | Tumblr |
| 48. | Unbounce |
| 49. | UptimeRobot |
| 50. | UserVoice |
| 51. | Vend |
| 52. | WebFlow |
| 53. | WishPond |
| 54. | Wordpress |
| 55. | Zendesk |
