Subdosec is a fast, accurate subdomain takeover scanner with no false positives. It also offers a database of sites vulnerable to subdomain takeover (public results), along with detailed metadata like IP, CNAME, TITLE, and STATUS CODE for reconnaissance to identify potential new vulnerabilities.
xcapri/subdosec
Subdosec
Subdomain takeover scanner & reconnaissance tool.
Install • Usage • Web Based • Contribution • Online scan • Acknowledgments
Subdosec is a fast and accurate subdomain takeover scanner with no false positives, featuring a public database of vulnerable subdomains and detailed non-vulnerable metadata (IP, CNAME, title, and status code) for reconnaissance.
Install or upgrade subdosec
```
pipx install git+https://github.com/xcapri/subdosec.git
pipx upgrade subdosec
```

Then run this every time you start a new terminal session (until "server started successfully"):

```
$ subdosec -ins
Starting Node.js server...
Node.js server started successfully.
```

[WARNING] Do not takeover all subdomains in test.txt, let everyone use that for demos.

[INFO] Also check the Release section. You can find interesting info.
Full help flags:

```
$ subdosec -h
usage: subdosec [-h] [-mode {private,public}] [-initkey INITKEY] [-vo] [-pe] [-ins] [-pf PF]
                [-subfng SUBFNG] [-lf LF] [-sfid] [-ks] [-o O] [-su] [-lu LU] [-lm] [-uf]
                [-unai UNAI] [-v] [-t THREADS]

Subdomain takeover scanner.

options:
  -h, --help            show this help message and exit
  -mode {private,public}
                        Mode of operation (private/public)
  -initkey INITKEY      Initialize the API key
  -vo                   VULN Only: Hide UNDETECT messages
  -pe                   Print Error: When there are problems detecting your target
  -ins                  Prepar node & start server
  -pf PF                Private Fingerprint: uses your local fingerprint. Example: -pf /path/to/tko.json
  -subfng SUBFNG        Submit fingerprint: submit local fingerprint to admin. Example: -subfng localfinger.json
  -lf LF                Fingerprint lock: to focus on one or multiple fingerprints. (-lf github.io,surge.sh)
                        and leave this arg to scan all fingerprints
  -sfid                 To view all available fingerprint ids.
  -ks                   To shut down the server node if you want to not use subdosec for a long time.
  -o O                  Save result locally to the specified path. Example: -o /path/to/dir
  -su                   Skip undetect will not stored to server (https://subdosec.vulnshot.com/result/undetected)
  -lu LU                Undetec stored localy to the specified path. Example: -lu /path/to/dir
  -lm                   Local Mode: Save vuln and undetect to default inside tools directory (auto -su)
  -uf                   Update Fingerprint
  -unai UNAI            Analyze undetected subdomains using AI. Example: -unai /path/to/undetect.json
  -v, --verbose         Show progress count (e.g. [1/10])
  -t THREADS, --threads THREADS
                        Number of threads to use for scanning (default: 10)
```
Prepare list

Targets are supported with or without a protocol:

```
$ cat list
https://careers.rotacloud.com
http://creators.thinkorion.com
https://docs.polygon-nightfall.technology
a.anchorsawaytpt.com
help.oceges.com
```

CMD 1
Skip storing undetected results on the server and save locally:

```
$ cat test.txt | subdosec -lm
https://subdosec.vulnshot.com [UNDETECT]
http://feedback.bazoom.com [sleekplan.com] [VULN] [SAVED]
http://demodev.destinojet.co [meteor.com] [VULN] [SAVED]
http://creators.thinkorion.com [UNDETECT]
https://www.www.savillerow.status.lnt.cl [ohdear.app] [VULN] [SAVED]
https://careers.rotacloud.com [gohire.io] [VULN] [SAVED]
https://careers.rotacloud.com [gohire.io] [VULN] [SAVED]
https://ai.yooture.com [UNDETECT]
https://help.oceges.com [UNDETECT]
http://ftp.thiagolima.com [surge.sh] [VULN] [SAVED]
VULN DIRECTORY : /home/alice/.subdosec/vulns
UNDETECT FILE : /home/alice/.subdosec/undetect/undetect.json
```

Read output

```
~$ ls /home/alice/.subdosec/vulns
gohire.io_tko.txt  meteor.com_tko.txt  ohdear.app_tko.txt  sleekplan.com_tko.txt  surge.sh_tko.txt
~$ cat /home/alice/.subdosec/vulns/gohire.io_tko.txt
careers.rotacloud.com
```

Read undetect and automatically analyse new potential vulnerabilities with -unai

```
$ cat /home/alice/.subdosec/undetect/undetect.json
[
  {
    "title": "No title found",
    "status_code": 404,
    "redirect_url": "No redirects",
    "cname_records": [
      "cname.redacted.com"
    ],
    "a_records": [
      "76.76.21.98",
      "76.76.21.241"
    ],
    "subdomain": "try.redacted.com",
    "rootdomain": "redacted.com"
  },
  {
    "title": "No title found",
    "status_code": 200,
    "redirect_url": "No redirects",
    "cname_records": [
      "cname.fermat.shop"
    ],
    "a_records": [
      "216.150.16.129",
      "216.150.1.129"
    ],
    "subdomain": "get.redacted.com",
    "rootdomain": "redacted.com"
  }
]
```

```
$ subdosec -unai /home/pd/.subdosec/undetect/undetect.json
[INFO] PURE UNDETECTED 0 | Subdomains are not detected as vulnerable even though they have passed the subdosec scan..
[INFO] Analyzing 8 items in 2 batches.
[INFO] Progress: 5/8 data analyzed.

NEW POTENTIAL :
Domain    : try.redacted.com
CNAME     : cname.redacted-service.com
A Record  : 76.76.21.98, 76.76.21.241
Takeover  : NOT
Reason    : The redacted-service custom domain setup guide explicitly states the requirement of adding a TXT record (e.g., 'redacted-service-verification=<your_site_id>') for domain ownership verification. The presence of a TXT record verification step makes it not vulnerable.
Reference : https://www.redacted-service.com/blog/how-to-setup-custom-domain/
================================================================================
Domain    : get.redacted.com
CNAME     : cname.fermat.shop
A Record  : 216.150.16.129, 216.150.1.129
Takeover  : POSSIBLE
Reason    : The service uses a static CNAME (cname.fermat.shop) for custom domain setup. Publicly available documentation for Fermat's custom domain setup does not clearly specify a requirement for a TXT record or any dynamic verification method for domain ownership. Without such verification, a static CNAME makes the subdomain potentially vulnerable if the corresponding Fermat account is deleted or becomes unlinked.
Reference : https://fermat.shop/
================================================================================
```

CMD 2
Start from a root domain and pipe in a subdomain finder tool (subfinder, assetfinder, amass, etc.):

```
$ cat list
example.com
$ cat list | subfinder -silent | subdosec -lm
https://subdosec.vulnshot.com [UNDETECT]
http://feedback.bazoom.com [sleekplan.com] [VULN] [SAVED]
http://demodev.destinojet.co [meteor.com] [VULN] [SAVED]
http://creators.thinkorion.com [UNDETECT]
https://www.www.savillerow.status.lnt.cl [ohdear.app] [VULN] [SAVED]
https://careers.rotacloud.com [gohire.io] [VULN] [SAVED]
https://careers.rotacloud.com [gohire.io] [VULN] [SAVED]
https://ai.yooture.com [UNDETECT]
https://help.oceges.com [UNDETECT]
http://ftp.thiagolima.com [surge.sh] [VULN] [SAVED]
VULN DIRECTORY : /home/alice/.subdosec/vulns
UNDETECT FILE : /home/alice/.subdosec/undetect/undetect.json
```

CMD 3
Forward results to notify:

```
$ cat list | subdosec -lm -vo | notify -silent
https://careers.rotacloud.com [100.00%] [gohire.io] [VULN] [SAVED]
```

Web Based

Beyond the scanner itself, the subdosec web app exposes https://subdosec.vulnshot.com/result/undetected, which you can use for reconnaissance: it shows the IP, CNAME, TITLE, STATUS CODE and other metadata of undetected subdomains, as further information or even as a way to find new takeover subdomains.
It has the same function as undetect.json; the difference is that you and other people share it with each other.

For example, you search the undetected results with the keyword 404 and find an entry whose CNAME is cname.gohire.io and whose title is GoHire; if you then search on Google, there is no article about subdomain takeover on the GoHire service.

Contribution

After you find a new subdomain takeover, either manually or automatically (using -unai), you can submit the data to us using the subdosec -subfng command.
The following elements can be combined dynamically in rules:

title, cname, status_code, in_body, a_record, redirect
```
$ cat newvuln.json
{
  "name": "Subdomain takeover - GoHire",
  "rules": {
    "cname": "custom.gohire.io",
    "in_body": "Page not found",
    "status_code": "404"
  },
  "status_fingerprint": 0,
  "reference": "https://help.gohire.io/en/articles/3385288-setting-up-a-custom-domain",
  "service": "gohire.io",
  "logo_service": "https://gohire-website.s3.amazonaws.com/img/logos/gh-logo-main.gif"
}
$ subdosec -subfng newvuln.json
[Info] Submitting fingerprint ...
Imported fingerprint data successfully
```

Online scan

If you do not have a security background (for example you are a web developer or programmer who is not familiar with CLI tools), you can use the web version to scan all your subdomains, with a maximum of 10 subdomains per scan.
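As an added example (not subdosec's own code, and not a description of the project's matching engine), the following Python applies fingerprints in the newvuln.json shape above to scan records in the undetect.json shape from CMD 1, then clusters whatever stays undetected by the apex of its CNAME so that an unfamiliar third-party service with several hits stands out for manual review or for -unai. Assumptions, not documented by the page: rule elements are ANDed, cname/title/in_body/redirect are case-insensitive substring matches, a_record and status_code are exact, a `body` field carries the fetched response for in_body, and a CNAME apex is its last two labels. All fingerprints and records are constructed, using .invalid and .test names.

```python
import json

# Constructed fingerprints in the newvuln.json shape; the services are made up
# (.invalid names), not published subdosec fingerprints.
FINGERPRINTS = [
    {
        "name": "Subdomain takeover - ExampleHost",
        "rules": {"cname": "custom.example-host.invalid",
                  "in_body": "Page not found", "status_code": "404"},
        "service": "example-host.invalid",
    },
    {
        "name": "Subdomain takeover - StaticPages",
        "rules": {"cname": "pages.static-example.invalid",
                  "title": "project not found"},
        "service": "static-example.invalid",
    },
]

# Constructed scan records in the undetect.json shape, plus a "body" field
# (assumption: the fetched response body, which in_body rules need).
RECORDS = [
    {"subdomain": "careers.constructed.test", "rootdomain": "constructed.test",
     "title": "Not Found", "status_code": 404, "redirect_url": "No redirects",
     "cname_records": ["custom.example-host.invalid"], "a_records": ["192.0.2.10"],
     "body": "<h1>Oops, Page not found</h1>"},
    {"subdomain": "docs.constructed.test", "rootdomain": "constructed.test",
     "title": "Docs", "status_code": 200, "redirect_url": "No redirects",
     "cname_records": ["custom.example-host.invalid"], "a_records": ["192.0.2.10"],
     "body": "<h1>Welcome</h1>"},
    {"subdomain": "blog.constructed.test", "rootdomain": "constructed.test",
     "title": "Project Not Found | StaticPages", "status_code": 404,
     "redirect_url": "No redirects",
     "cname_records": ["pages.static-example.invalid"], "a_records": ["198.51.100.7"],
     "body": ""},
    {"subdomain": "try.constructed.test", "rootdomain": "constructed.test",
     "title": "No title found", "status_code": 404, "redirect_url": "No redirects",
     "cname_records": ["cname.unknown-saas.invalid"], "a_records": ["203.0.113.5"],
     "body": ""},
    {"subdomain": "get.constructed.test", "rootdomain": "constructed.test",
     "title": "No title found", "status_code": 200, "redirect_url": "No redirects",
     "cname_records": ["app.unknown-saas.invalid"], "a_records": ["203.0.113.6"],
     "body": ""},
]


def rule_matches(rules, record):
    """Return True only if every rule element matches (assumed AND semantics).
    Requiring all elements is what keeps a CNAME alone from being a finding:
    a live site that merely points at the service must not be reported."""
    for key, expected in rules.items():
        exp = str(expected).lower()
        if key == "cname":
            ok = any(exp in c.lower() for c in record.get("cname_records", []))
        elif key == "a_record":
            ok = exp in (a.lower() for a in record.get("a_records", []))
        elif key == "status_code":
            ok = str(record.get("status_code")) == exp
        elif key == "title":
            ok = exp in str(record.get("title", "")).lower()
        elif key == "in_body":
            ok = exp in str(record.get("body", "")).lower()
        elif key == "redirect":
            ok = exp in str(record.get("redirect_url", "")).lower()
        else:
            raise ValueError(f"unknown rule element: {key}")
        if not ok:
            return False
    return True


def classify(records, fingerprints):
    """Split records into {service: [subdomain, ...]} hits and a list of
    undetected records, mirroring the VULN / UNDETECT output lines."""
    vuln, undetect = {}, []
    for rec in records:
        hit = next((fp for fp in fingerprints if rule_matches(fp["rules"], rec)), None)
        if hit is None:
            undetect.append(rec)
        else:
            vuln.setdefault(hit["service"], []).append(rec["subdomain"])
    return vuln, undetect


def cname_apex(cname):
    """Last two labels of a CNAME (assumption: no public suffix list is consulted)."""
    labels = cname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def group_undetected_by_apex(undetect):
    """Triage helper: cluster undetected subdomains by the service their CNAME
    points at, so an unfamiliar third party with several hits stands out."""
    groups = {}
    for rec in undetect:
        for c in rec.get("cname_records", []):
            groups.setdefault(cname_apex(c), set()).add(rec["subdomain"])
    return {apex: sorted(subs) for apex, subs in groups.items()}


def render_vuln_files(vuln):
    """Produce the <service>_tko.txt layout that -lm writes under ~/.subdosec/vulns."""
    return {f"{svc}_tko.txt": "\n".join(subs) + "\n" for svc, subs in vuln.items()}


if __name__ == "__main__":
    vuln, undetect = classify(RECORDS, FINGERPRINTS)
    print(json.dumps(render_vuln_files(vuln), indent=2))
    print(json.dumps(group_undetected_by_apex(undetect), indent=2))
```

The docs.constructed.test record shows why every element has to match: it carries the same CNAME as the careers host but returns 200 with a real page, so it lands in the undetected set rather than being reported, which is the no-false-positive property the README describes. The two unknown-saas.invalid entries end up clustered together, which is the kind of group you would look at before writing a new fingerprint or handing the file to -unai.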
Acknowledgments

The predecessor tools that inspired the creation of subdosec:
- can-i-take-over-xyz
- can-i-take-over-dns
- SubOver
- subjack
- nuclei-templates/http/takeovers
- The bug bounty community for inspiration and feedback.
subdosec is distributed under the MIT License.