jakejarvis / Subtake

Licence: apache-2.0
Automatic finder for subdomains vulnerable to takeover. Written in Go, based on @haccer's subjack.

Programming Languages

go
31211 projects - #10 most used programming language
golang
3204 projects

Projects that are alternatives of or similar to Subtake

Subjack
Subdomain Takeover tool written in Go
Stars: ✭ 1,194 (+1048.08%)
Mutual labels:  subdomain, pentesting, infosec, bug-bounty
Rengine
reNgine is an automated reconnaissance framework for web applications with a focus on highly configurable streamlined recon process via Engines, recon data correlation and organization, continuous monitoring, backed by a database, and simple yet intuitive User Interface. reNgine makes it easy for penetration testers to gather reconnaissance with…
Stars: ✭ 3,439 (+3206.73%)
Mutual labels:  bug-bounty, infosec, pentesting
Hawkeye
Hawkeye filesystem analysis tool
Stars: ✭ 202 (+94.23%)
Mutual labels:  pentesting, infosec, bug-bounty
Dirsearch
Web path scanner
Stars: ✭ 7,246 (+6867.31%)
Mutual labels:  pentesting, infosec, bug-bounty
Security Tools
Collection of small security tools, mostly in Bash and Python. CTFs, Bug Bounty and other stuff.
Stars: ✭ 509 (+389.42%)
Mutual labels:  pentesting, infosec, bug-bounty
sub404
A python tool to check subdomain takeover vulnerability
Stars: ✭ 205 (+97.12%)
Mutual labels:  subdomain, bug-bounty, pentesting
Getaltname
Extract subdomains from SSL certificates in HTTPS sites.
Stars: ✭ 320 (+207.69%)
Mutual labels:  subdomain, pentesting, infosec
Subover
A Powerful Subdomain Takeover Tool
Stars: ✭ 607 (+483.65%)
Mutual labels:  subdomain, pentesting, bug-bounty
Dumpsterfire
"Security Incidents In A Box!" A modular, menu-driven, cross-platform tool for building customized, time-delayed, distributed security events. Easily create custom event chains for Blue- & Red Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations. Build event sequences ("narratives") to simulate realistic scenarios and generate corresponding network and filesystem artifacts.
Stars: ✭ 775 (+645.19%)
Mutual labels:  pentesting, infosec
Sn0int
Semi-automatic OSINT framework and package manager
Stars: ✭ 814 (+682.69%)
Mutual labels:  pentesting, bug-bounty
Ksubdomain
Stateless subdomain brute-forcing tool
Stars: ✭ 976 (+838.46%)
Mutual labels:  subdomain, pentesting
Gourdscanv2
Passive vulnerability scanning system
Stars: ✭ 740 (+611.54%)
Mutual labels:  pentesting, infosec
Gorsair
Gorsair hacks its way into remote docker containers that expose their APIs
Stars: ✭ 678 (+551.92%)
Mutual labels:  pentesting, infosec
Active Directory Exploitation Cheat Sheet
A cheat sheet that contains common enumeration and attack methods for Windows Active Directory.
Stars: ✭ 870 (+736.54%)
Mutual labels:  pentesting, infosec
Spellbook
Micro-framework for rapid development of reusable security tools
Stars: ✭ 53 (-49.04%)
Mutual labels:  pentesting, bug-bounty
Ssrfmap
Simple Server Side Request Forgery services enumeration tool.
Stars: ✭ 50 (-51.92%)
Mutual labels:  pentesting, bug-bounty
Spiderfoot
SpiderFoot automates OSINT for threat intelligence and mapping your attack surface.
Stars: ✭ 6,882 (+6517.31%)
Mutual labels:  infosec, pentesting
31 Days Of Api Security Tips
This challenge is Inon Shkedy's 31 days API Security Tips.
Stars: ✭ 1,038 (+898.08%)
Mutual labels:  infosec, bug-bounty
Resources
A Storehouse of resources related to Bug Bounty Hunting collected from different sources. Latest guides, tools, methodology, platforms tips, and tricks curated by us.
Stars: ✭ 62 (-40.38%)
Mutual labels:  pentesting, infosec
Red Team Curation List
A list to discover work of red team tooling and methodology for penetration testing and security assessment
Stars: ✭ 68 (-34.62%)
Mutual labels:  pentesting, infosec

subtake

Based on @haccer's subjack script for subdomain takeover recon.

Installation

Requires Go.

go get github.com/jakejarvis/subtake

Usage

Options

  • -f to-check.txt is the path to your list of subdomains to check. One subdomain per line. Required.
  • -t is the number of threads to use. (Default: 10)
  • -a skips the CNAME check and sends requests to every URL. (Default: false, but highly recommended.)
  • -timeout is the number of seconds to wait before timing out a check. (Default: 10)
  • -o results.txt is a filename to output results to. If the file ends with .json, subtake will automatically switch to JSON format.
  • -v enables verbose mode. Displays all checks including not vulnerable URLs.
  • -c is the path to a file containing the JSON fingerprint configuration. (Default: ./fingerprints.json)
  • -ssl enforces HTTPS requests which may return a different set of results and increase accuracy.

Resources

sonar.sh can be used first to gather a list of CNAMEs collected by Rapid7/scan.io's Project Sonar. This list can then be passed into subtake to return subdomains not in use. sonar.sh is based on scanio.sh.

fingerprints.json can be modified to add or remove hosted platforms to probe for. Many obscure platforms are included, and removing fingerprints for services that are uninteresting to you can speed up the scan.

If you plan on using a high number of threads to speed the process up, you may need to temporarily raise the ulimit of your shell:

ulimit -a          # show current limit (usually 1024)
ulimit -n 10000    # set waaaaay higher
ulimit -a          # check new limit

After generating a list of all vulnerable subdomains, you can use my collection of domains invoked in bug bounty programs to narrow down valuable targets and possibly get some ca$h monie$$$.

Examples

./sonar.sh 2018-10-27-1540655191 sonar_all_cnames.txt

subtake -f sonar_all_cnames.txt -t 50 -ssl -a -o vulnerable.txt

Subdomain Takeover Tips

Services Checked

  • Amazon S3
  • Amazon CloudFront (no longer vulnerable?)
  • Microsoft Azure
  • Heroku
  • GitHub Pages
  • Fastly
  • Pantheon.io
  • Shopify
  • Tumblr
  • WordPress.com
  • Ghost
  • Surge
  • Statuspage
  • Bitbucket Pages
  • UserVoice
  • Zendesk
  • Brightcove
  • Big Cartel
  • Acquia
  • ReadMe.io
  • MaxCDN
  • Apigee
  • Smugmug

To-Do

  • Integrate sonar.sh into the main Go script as an option instead of input file.
  • All-in-one Docker image to automatically download the latest FDNS Project Sonar file and check for takeover possibilities.
  • Have sonar.sh pull domains to check for from fingerprints.json, instead of hard-coding them.