Subjack is a Hostile Subdomain Takeover tool written in Go designed to scan a list of subdomains concurrently and identify ones that are able to be hijacked. With Go's speed and efficiency, this tool really stands out when it comes to mass-testing. Always double check the results manually to rule out false positives.
New:
Subjack now has a subdomain discovery option that uses Jeff Foley's amass to discover subdomains and test them immediately.
Subjack uses amass integration to:
- enumerate subdomains of a specified domain or from a list of domains.
- brute force subdomains with a wordlist.
- enumerate subdomains recursively and/or with alterations.
- save subdomains enumerated with amass integration.
Also New: Subjack will check for subdomains attached to domains that don't exist (NXDOMAIN) and are available to be registered. No need for dig ever again! This is still cross-compatible too.
Requires Go >= 1.10.
go get -u github.com/haccer/subjack
Examples:
./subjack -w subdomains.txt -t 100 -timeout 30 -o results.txt -ssl
./subjack -d example.com -brute -w subdomain_wordlist.txt
./subjack -dL domains.txt -alts -save subdomains.txt -o results.txt
Options:
-d domain.com
is a domain you want to gather subdomains for with amass.-w domains.txt
is your list of subdomains.-t
is the number of threads (Default: 10 threads).-timeout
is the seconds to wait before timeout connection (Default: 10 seconds).-o results.txt
where to save results to.-ssl
enforces HTTPS requests which may return a different set of results and increase accuracy.-a
skips CNAME check and sends requests to every URL.-save subdomains.txt
is to save subdomains enumerated with amass (Use with -d or -dL).-dL domains.txt
is a list of domains to enumerate subdomains using amass.-brute
enables subdomain brute forcing (Use with -d or -dL).-r
enables recursive subdomain brute forcing (Use with -d or -dL).-alts
enables subdomain alterations (Use with -d or -dL).
Currently checks for (44 Services):
Acquia Cloud Site Factory, ActiveCampaign, AfterShip, Aha!, Amazon S3 Bucket, Amazon Cloudfront, Big Cartel, Bitbucket, Brightcove, Campaign Monitor, Cargo Collective, Desk, Fastly, FeedPress, GetResponse, Ghost, Github, Helpjuice, Help Scout, Heroku, Intercom, JetBrains, Kajabi, MailerLite, Mashery, Microsoft Azure, Pantheon.io, Proposify, Shopify, simplebooklet, StatusPage, Surge, Táve, Teamwork, Thinkific, Tictail, Tumblr, Unbounce, UserVoice, Vend Ecommerce, Webflow, Wishpond, WordPress, Zendesk
You can use scanio.sh which is kind of a PoC script to mass-locate vulnerable subdomains using results from Rapid7's Project Sonar. This script parses and greps through the dump for desired CNAME records and makes a large list of subdomains to check with subjack if they're vulnerable to Hostile Subdomain Takeover. Of course this isn't the only method to get a large amount of data to test. Please use this responsibly ;)
docker run --name subjack --rm -v <path to wordlist or save dir>:/data c0dy/subjack
Q: What should my wordlist look like?
A: Your wordlist should include a list of subdomains you're checking and should look something like:
assets.cody.su
assets.github.com
b.cody.su
big.example.com
cdn.cody.su
dev.cody.su
dev2.twitter.com
Q: I ran my scan and nothing happened. What does this mean?
A: In most cases, this means that subjack didn't discover any vulnerable subdomains in your wordlist or your wordlist of is formatted weird.
Extra information about Hostile Subdomain Takeovers:
- https://cody.su/blog/Hostile-Subdomain-Takeovers/
- https://github.com/EdOverflow/can-i-take-over-xyz
- https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/
Shout me out on Twitter: @now