jakejarvis / subtake

Automatic finder for subdomains vulnerable to takeover. Written in Go, based on @haccer's subjack.
Apache License 2.0
145 stars 30 forks source link
bug-bounty go golang infosec pentesting security subdomain subdomain-takeovers takeover

subtake

Build Status

Based on @haccer's subjack script for subdomain takeover recon.

Installation

Requires Go.

go get github.com/jakejarvis/subtake

Usage

Options

Resources

sonar.sh can be used first to gather a list of CNAMEs collected by Rapid7/scan.io's Project Sonar. This list can then be passed into subtake to return subdomains not in use. sonar.sh is based off of scanio.sh.

fingerprints.json can be modified to add or remove hosted platforms to probe for. Many obscure platforms are included, and removing fingerprints for services that are uninteresting to you can speed up the scan.

If you plan on using a high number of threads to speed the process up, you may need to temporarily raise the ulimit of your shell:

ulimit -a          # show current limit (usually 1024)
ulimit -n 10000    # set waaaaay higher
ulimit -a          # check new limit

After generating a list of all vulnerable subdomains, you can use my collection of domains invoked in bug bounty programs to narrow down valuable targets and possibly get some ca$h monie$$$.

Examples

./sonar.sh 2018-10-27-1540655191 sonar_all_cnames.txt

subtake -f sonar_all_cnames.txt -t 50 -ssl -a -o vulnerable.txt

Subdomain Takeover Tips

Services Checked

To-Do