
submergenc3 / subjack Goto Github PK


This project forked from haccer/subjack


Hostile Subdomain Takeover tool written in Go featuring self-reliant subdomain discovery with amass integration, allowing for simultaneous checking for subdomain takeovers while enumerating DNS.

License: Apache License 2.0

Go 100.00%


subjack


Subjack is a Hostile Subdomain Takeover tool written in Go, designed to scan a list of subdomains concurrently and identify those that can be hijacked. With Go's speed and efficiency, this tool really stands out when it comes to mass-testing. Always double check the results manually to rule out false positives: a matching error page only shows that the resource is unclaimed at the provider, so confirm each finding before reporting it.

New:

Subjack now has a subdomain discovery option that uses Jeff Foley's amass to discover subdomains and test them immediately.

Subjack uses amass integration to:

  • enumerate subdomains of a specified domain or from a list of domains.
  • brute force subdomains with a wordlist.
  • enumerate subdomains recursively and/or with alterations.
  • save subdomains enumerated with amass integration.

Also New: Subjack will check for subdomains whose CNAME points at a domain that doesn't exist (NXDOMAIN) and may therefore be available to register. No need for dig ever again! This still works cross-platform too.
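The two checks described above (the provider-fingerprint match on the HTTP response and the NXDOMAIN test on the CNAME target), reduced to a self-contained Go program. This is an added illustration, not subjack's own code: the Resolver interface, the fixture hosts and bodies, and the two fingerprint strings are assumptions for the example, and the real tool uses live DNS and HTTP together with its own fingerprints.json.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// Resolver abstracts DNS so the check runs offline; a real tool wraps net.DefaultResolver.
type Resolver interface {
	LookupCNAME(host string) (string, error)
	LookupHost(host string) ([]string, error)
}

// Illustrative fingerprints (CNAME suffix, body served for an unclaimed resource); subjack's fingerprints.json is authoritative.
var fingerprints = []struct{ Service, CNAMESuffix, Body string }{
	{"Github", "github.io", "There isn't a GitHub Pages site here."},
	{"Shopify", "myshopify.com", "Sorry, this shop is currently unavailable."},
}

type Verdict struct{ Host, CNAME, Service, Reason string } // Reason: "clean", "nxdomain" or "fingerprint"

// Check runs both per-host tests: a CNAME target that is itself NXDOMAIN is reported for any
// provider; otherwise a host whose CNAME names a known provider is fetched and its body compared
// with that provider's fingerprint. Hosts pointing at unknown providers are skipped (no -a).
func Check(host string, r Resolver, fetch func(string) (string, error)) Verdict {
	v := Verdict{Host: host, Reason: "clean"}
	cname, err := r.LookupCNAME(host)
	if cname = strings.TrimSuffix(cname, "."); err != nil || cname == host {
		return v // lookup failed, or no CNAME (the resolver returns the name itself)
	}
	v.CNAME = cname
	var dnsErr *net.DNSError
	if _, err := r.LookupHost(cname); errors.As(err, &dnsErr) && dnsErr.IsNotFound {
		v.Reason = "nxdomain" // dangling alias: the target domain may be free to register
		return v
	}
	for _, fp := range fingerprints {
		if !strings.HasSuffix(cname, "."+fp.CNAMESuffix) {
			continue
		}
		body, err := fetch("http://" + host) // -ssl would request https:// instead
		if err == nil && strings.Contains(body, fp.Body) {
			v.Service, v.Reason = fp.Service, "fingerprint"
		}
		return v
	}
	return v
}

// fakeResolver and the sample data below are constructed fixtures, not real findings.
type fakeResolver struct {
	cnames map[string]string // host -> CNAME target
	dead   map[string]bool   // CNAME targets that return NXDOMAIN
}

func (f fakeResolver) LookupCNAME(h string) (string, error) {
	if c, ok := f.cnames[h]; ok {
		return c + ".", nil
	}
	return h + ".", nil
}

func (f fakeResolver) LookupHost(h string) ([]string, error) {
	if f.dead[h] {
		return nil, &net.DNSError{Err: "no such host", Name: h, IsNotFound: true}
	}
	return []string{"192.0.2.1"}, nil
}

var sampleHosts = []string{"blog.example.com", "shop.example.com", "old.example.com", "www.example.com"}
var sampleResolver = fakeResolver{
	cnames: map[string]string{
		"blog.example.com": "example-org.github.io",         // provider page says unclaimed
		"shop.example.com": "shop-example.myshopify.com",    // provider serves a live shop
		"old.example.com":  "retired-vendor-zz.example.net", // target domain is NXDOMAIN
		"www.example.com":  "example-com.cdn.example.org",   // unknown provider: skipped
	},
	dead: map[string]bool{"retired-vendor-zz.example.net": true},
}

func fakeFetch(url string) (string, error) { // stands in for an HTTP GET
	if url == "http://blog.example.com" {
		return "<h1>404</h1><p>There isn't a GitHub Pages site here.</p>", nil
	}
	return "<html>Welcome to the shop</html>", nil
}

func main() {
	for _, h := range sampleHosts {
		fmt.Printf("%+v\n", Check(h, sampleResolver, fakeFetch))
	}
}
```

Run as is to see the four fixture verdicts (one fingerprint hit, one NXDOMAIN hit, two clean). To point it at real hosts, implement Resolver over net.DefaultResolver and pass a wrapper around http.Get as fetch. The NXDOMAIN case is the reason the check is made against the CNAME target rather than the subdomain itself: the subdomain still resolves through the alias, so it would not look dead from the outside.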

Installing

Requires Go >= 1.10.

go get -u github.com/haccer/subjack

The path above is the upstream repository this fork derives from. On Go 1.18 and later, go get no longer installs binaries; use go install github.com/haccer/subjack@latest instead.

How To Use:

Examples:

  • ./subjack -w subdomains.txt -t 100 -timeout 30 -o results.txt -ssl
  • ./subjack -d example.com -brute -w subdomain_wordlist.txt
  • ./subjack -dL domains.txt -alts -save subdomains.txt -o results.txt

Options:

  • -d domain.com is a domain you want to gather subdomains for with amass.
  • -w domains.txt is your list of subdomains.
  • -t is the number of threads (Default: 10 threads).
  • -timeout is the connection timeout in seconds (Default: 10 seconds).
  • -o results.txt where to save results to.
  • -ssl enforces HTTPS requests which may return a different set of results and increase accuracy.
  • -a skips the CNAME check and sends requests to every URL.
  • -save subdomains.txt is to save subdomains enumerated with amass (Use with -d or -dL).
  • -dL domains.txt is a list of domains to enumerate subdomains using amass.
  • -brute enables subdomain brute forcing (Use with -d or -dL).
  • -r enables recursive subdomain brute forcing (Use with -d or -dL).
  • -alts enables subdomain alterations (Use with -d or -dL).

Currently checks for (44 Services):

Acquia Cloud Site Factory, ActiveCampaign, AfterShip, Aha!, Amazon S3 Bucket, Amazon Cloudfront, Big Cartel, Bitbucket, Brightcove, Campaign Monitor, Cargo Collective, Desk, Fastly, FeedPress, GetResponse, Ghost, Github, Helpjuice, Help Scout, Heroku, Intercom, JetBrains, Kajabi, MailerLite, Mashery, Microsoft Azure, Pantheon.io, Proposify, Shopify, simplebooklet, StatusPage, Surge, Táve, Teamwork, Thinkific, Tictail, Tumblr, Unbounce, UserVoice, Vend Ecommerce, Webflow, Wishpond, WordPress, Zendesk

In Action

[animated demo: subjack scanning a list in real time]

Practical Use

You can use scanio.sh, a proof-of-concept script, to mass-locate candidate subdomains using results from Rapid7's Project Sonar. The script parses and greps through the dump for the desired CNAME records and builds a large list of subdomains for subjack to check for Hostile Subdomain Takeover. Of course this isn't the only method to get a large amount of data to test. Please use this responsibly ;)
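The parsing step described above, as an added example that is not scanio.sh itself: a Go filter that streams Project Sonar forward-DNS records (JSON lines, one record per line) and keeps the names whose CNAME target ends in a third-party suffix, producing a list suitable for subjack -w. The record layout is Sonar's; the suffix list and the sample records are constructed assumptions for this example.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// fdnsRecord is one line of the Project Sonar forward-DNS dump (JSON lines,
// gzip-compressed on disk); only the fields needed here are decoded.
type fdnsRecord struct {
	Name  string `json:"name"`
	Type  string `json:"type"`
	Value string `json:"value"`
}

// takeoverSuffixes lists third-party CNAME targets worth feeding to subjack.
// Illustrative subset, not scanio.sh's own list.
var takeoverSuffixes = []string{"github.io", "herokuapp.com", "myshopify.com", "azurewebsites.net", "amazonaws.com"}

// FilterCNAMEs streams the dump, keeps CNAME records whose target is one of the
// suffixes (matched on a label boundary, so notgithub.io does not match github.io)
// and returns the unique, lower-cased hostnames sorted, ready for `subjack -w`.
// Malformed lines are skipped rather than aborting a multi-gigabyte stream.
func FilterCNAMEs(r io.Reader, suffixes []string) ([]string, error) {
	seen := map[string]bool{}
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 1<<20), 1<<20) // Sonar lines can exceed the 64 KiB default
	for sc.Scan() {
		var rec fdnsRecord
		if err := json.Unmarshal(sc.Bytes(), &rec); err != nil || !strings.EqualFold(rec.Type, "cname") {
			continue
		}
		target := strings.ToLower(strings.TrimSuffix(rec.Value, "."))
		for _, s := range suffixes {
			if target == s || strings.HasSuffix(target, "."+s) {
				seen[strings.ToLower(rec.Name)] = true
				break
			}
		}
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	out := make([]string, 0, len(seen))
	for h := range seen {
		out = append(out, h)
	}
	sort.Strings(out)
	return out, nil
}

// sampleDump is constructed to mimic the FDNS format; these are not real records.
const sampleDump = `{"timestamp":"1588291200","name":"assets.example.com","type":"cname","value":"example-assets.github.io."}
{"timestamp":"1588291200","name":"www.example.com","type":"a","value":"192.0.2.10"}
{"timestamp":"1588291200","name":"shop.example.org","type":"cname","value":"shop-example.myshopify.com"}
{"timestamp":"1588291200","name":"cdn.example.net","type":"cname","value":"d111111abcdef8.cloudfront.example"}
{"timestamp":"1588291200","name":"Assets.Example.com","type":"CNAME","value":"example-assets.GitHub.io"}
this line is not JSON
{"timestamp":"1588291200","name":"lookalike.example.com","type":"cname","value":"notgithub.io"}
`

func main() {
	var in io.Reader = strings.NewReader(sampleDump)
	if len(os.Args) > 1 && os.Args[1] == "-" { // zcat fdns_any.json.gz | ./fdnsfilter - > subdomains.txt
		in = os.Stdin
	}
	hosts, err := FilterCNAMEs(in, takeoverSuffixes)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, h := range hosts {
		fmt.Println(h)
	}
}
```

On the constructed sample this prints assets.example.com and shop.example.org: the duplicate with different casing is folded, the A record and the non-JSON line are ignored, and lookalike.example.com is excluded because notgithub.io only matches github.io if the check ignores the label boundary. The output file is a wordlist in exactly the shape the FAQ below describes.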

Docker

docker run --name subjack --rm -v <path to wordlist or save dir>:/data c0dy/subjack

FAQ

Q: What should my wordlist look like?

A: Your wordlist should include a list of subdomains you're checking and should look something like:

assets.cody.su
assets.github.com
b.cody.su
big.example.com
cdn.cody.su
dev.cody.su
dev2.twitter.com

Q: I ran my scan and nothing happened. What does this mean?

A: In most cases this means that subjack didn't discover any vulnerable subdomains in your wordlist, or that your wordlist is formatted incorrectly (it should be one hostname per line, as in the example above).

References

Extra information about Hostile Subdomain Takeovers:

Contact

Shout me out on Twitter: @now

