ifconfig-me / subowner

SubOwner - A simple tool to check for subdomain takeovers.

Clarification on URL Schema Handling and S3 Subdomain Identification #2

Closed Dark-Aura closed 6 days ago

Dark-Aura commented 6 days ago

python3 subowner.py -f list.txt

In list.txt, should the URLs be with or without a schema? Please let me know.

For example:

cat list.txt
https://github.com

or

cat list.txt
github.com

Moreover, which tool are you using to identify and get s3.amazonaws.com as a subdomain list?

If I run subfinder, amass, findomain, etc., I don't get that. How did you get s3.amazonaws.com in list.txt?

ifconfig-me commented 6 days ago

Use the list without the schema. I have already added this function to the check_service_takeover function. The following loop adds the protocols (https:// and http://) to the subdomains before it starts scanning.

def check_service_takeover(subdomain, cname, service, output_file):
    try:
        for protocol in ['https://', 'http://']:
            url = f"{protocol}{subdomain}"
            print(f"Trying {url}")
            ...  # rest of the function omitted in the original comment

Regarding s3.amazonaws.com, the script discovers the AWS buckets by resolving the CNAME record for the subdomain using the get_cname function. This function makes a DNS query to retrieve the CNAME record associated with the subdomain.
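
The two answers above, combined in an added example that is not SubOwner's own code: list entries are reduced to bare hostnames whether or not they carry a schema, and the service is recognised from the CNAME target rather than from the subdomain name, which is why enumeration tools never list s3.amazonaws.com. The function names, the suffix table and the injected `resolve_cname` lookup are assumptions made for illustration; the sample data is constructed.

```python
from urllib.parse import urlsplit

# Assumed suffix table for this example; only s3.amazonaws.com is named in the thread.
SERVICE_SUFFIXES = {"s3.amazonaws.com": "AWS S3"}

def normalize_host(line):
    """Return the bare hostname from a list entry, with or without a schema."""
    entry = line.strip()
    if not entry or entry.startswith("#"):
        return None
    # urlsplit only fills .hostname when a netloc exists, so prefix "//" if no schema.
    parts = urlsplit(entry if "://" in entry else "//" + entry)
    host = (parts.hostname or "").rstrip(".")
    return host or None

def match_service(cname):
    """Map a CNAME target to a service using a label-aligned suffix match."""
    target = cname.rstrip(".").lower()
    for suffix, service in SERVICE_SUFFIXES.items():
        # Require a dot boundary so "nots3.amazonaws.com" does not match.
        if target == suffix or target.endswith("." + suffix):
            return service
    return None

def triage(lines, resolve_cname):
    """Yield (host, cname, service) for hosts whose CNAME points at a known service."""
    seen = set()
    for line in lines:
        host = normalize_host(line)
        if host is None or host in seen:
            continue
        seen.add(host)
        cname = resolve_cname(host)  # injected lookup; returns None when no CNAME exists
        service = match_service(cname) if cname else None
        if service:
            yield host, cname, service

# Constructed sample data: list.txt lines and the CNAME answers a resolver might return.
SAMPLE_LIST = ["https://assets.example.com/img/", "assets.example.com",
               "http://www.example.com:8080", "files.example.com", ""]
SAMPLE_CNAMES = {
    "assets.example.com": "example-assets.s3.amazonaws.com.",
    "www.example.com": "www.example.net.",
    "files.example.com": "nots3.amazonaws.com.other.example.",
}

if __name__ == "__main__":
    for row in triage(SAMPLE_LIST, SAMPLE_CNAMES.get):
        print(*row)
```

In a real run `resolve_cname` would be a DNS CNAME query; here a dictionary lookup stands in so the example runs offline.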