Subdomain takeover using subjack

Before going into the subjack tool, let's take a brief look at what subdomain takeover is.

What is subdomain takeover?

Subdomain takeover vulnerabilities occur when a subdomain (subdomain.example.com) still has a DNS record, typically a CNAME, pointing to a third-party service (e.g. GitHub Pages, Heroku, CloudFront, Squarespace) on which the resource it referred to has been removed or deleted. Because the dangling DNS record keeps pointing at the service, an attacker can register the same name on that third party and (effectively) hijack the subdomain, serving their own content under the victim's domain. Easy to understand, right?

Subjack tool

Subjack is a Hostile Subdomain Takeover tool written in Go, designed to scan a list of subdomains concurrently and identify the ones that can be hijacked. With Go's speed and efficiency, this tool really stands out for mass-testing. Always double-check the results manually to rule out false positives: a matching fingerprint shows the target is unclaimed, not that the service will let you claim it.

Installing

Requires Go >= 1.10.

go get -u github.com/haccer/subjack  
go build subjack.go  

Usage

Example:

  ./subjack -w subdomains.txt -t 100 -timeout 30 -o results.txt -ssl
  ./subjack -d example.com -brute -w subdomain_wordlist.txt
  ./subjack -dL domains.txt -alts -save subdomains.txt -o results.txt

For instance, to enumerate the subdomains of vulnweb.com with amass, check them, and keep the enumerated list:

./subjack -d vulnweb.com -save subdomain.txt  

Options:

    -d domain.com is a domain you want to gather subdomains for with amass.  
    -w domains.txt is your list of subdomains.
    -t is the number of threads (Default: 10 threads).
    -timeout is the seconds to wait before timeout connection (Default: 10 seconds).
    -o results.txt where to save results to.
    -ssl enforces HTTPS requests which may return a different set of results and increase accuracy.
    -a skips CNAME check and sends requests to every URL. (Recommended)
    -v verbose. Display more information per each request.
    -save subdomains.txt is to save subdomains enumerated with amass (Use with -d or -dL).
    -dL domains.txt is a list of domains to enumerate subdomains using amass.
    -brute enables subdomain brute forcing (Use with -d or -dL).
    -r enables recursive subdomain brute forcing (Use with -d or -dL).
    -alts enables subdomain alterations (Use with -d or -dL).

Currently checks for

Acquia Cloud Site Factory, ActiveCampaign, AfterShip, Aha!,  
Amazon S3 Bucket, Amazon Cloudfront, Big Cartel, Bitbucket,  
Brightcove, Campaign Monitor, Cargo Collective, Desk, Fastly,   
FeedPress, GetResponse, Ghost, Github, Helpjuice, Help Scout,  
Heroku, Intercom, JetBrains, Kajabi, MailerLite, Microsoft Azure,   
Pantheon.io, Proposify, Shopify, simplebooklet, StatusPage,   
Surge, Táve, Teamwork, Thinkific, Tictail, Tumblr, UserVoice,   
Vend Ecommerce, Webflow, Wishpond, WordPress, Zendesk  

How it works

The tool uses Amass to identify existing subdomains of the target domain (when run with -d or -dL). It then looks up the CNAME DNS entry of each subdomain; if it points to a known external service, it visits the web page at that location. If the page contains specific keywords (the fingerprint for that external service, e.g. the "no such site/app/bucket" message the provider returns for an unclaimed name), the subdomain is reported as vulnerable.
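The pipeline described above, written out as an added example that is not subjack's own code. The CNAME suffixes and fingerprint strings in the table are assumptions taken from public takeover research for illustration, not copied from subjack's fingerprints.json, and the resolver and HTTP fetcher are injected so the example runs offline against constructed sample data; in a real scan you would pass net.LookupCNAME and a function that fetches the body with an http.Client.

```go
package main

import (
	"fmt"
	"strings"
)

// Fingerprint describes one third-party service: the CNAME suffixes a
// dangling record points at, and the text the service returns when the
// target name has not been claimed. Illustrative values (assumed from
// public takeover research), not subjack's fingerprint database.
type Fingerprint struct {
	Service     string
	CNAMESuffix []string
	Body        string
}

var fingerprints = []Fingerprint{
	{"GitHub Pages", []string{".github.io"}, "There isn't a GitHub Pages site here."},
	{"Heroku", []string{".herokuapp.com", ".herokudns.com"}, "No such app"},
	{"Amazon S3", []string{".amazonaws.com"}, "NoSuchBucket"},
	{"Fastly", []string{".fastly.net"}, "Fastly error: unknown domain"},
}

// Result is what the scanner records for one subdomain.
type Result struct {
	Host       string
	CNAME      string
	Service    string
	Vulnerable bool
}

// Scan follows the subjack pipeline: resolve the CNAME, check whether it
// lands on a known external service, fetch the page and look for that
// service's "unclaimed" fingerprint. lookupCNAME and fetch are injected
// (net.LookupCNAME / an http.Client in real use) so this runs offline.
func Scan(host string, lookupCNAME func(string) (string, error), fetch func(string) (string, error)) Result {
	res := Result{Host: host}
	cname, err := lookupCNAME(host)
	if err != nil {
		return res // no CNAME: nothing to follow
	}
	res.CNAME = strings.TrimSuffix(strings.ToLower(cname), ".")
	fp, ok := matchService(res.CNAME)
	if !ok {
		return res // CNAME points somewhere not in the table
	}
	res.Service = fp.Service
	body, err := fetch(host)
	if err != nil {
		return res // unreachable is not proof of takeover; verify manually
	}
	res.Vulnerable = strings.Contains(body, fp.Body)
	return res
}

// matchService returns the fingerprint whose CNAME suffix matches cname.
func matchService(cname string) (Fingerprint, bool) {
	for _, fp := range fingerprints {
		for _, s := range fp.CNAMESuffix {
			if strings.HasSuffix(cname, s) {
				return fp, true
			}
		}
	}
	return Fingerprint{}, false
}

// Constructed sample data: three made-up subdomains of example.com, their
// CNAMEs, and the bodies their targets would return.
var sampleCNAMEs = map[string]string{
	"docs.example.com": "old-docs.github.io.",
	"shop.example.com": "shop-live.herokuapp.com.",
	"www.example.com":  "lb.example.com.",
}

var sampleBodies = map[string]string{
	"docs.example.com": "<html><body>There isn't a GitHub Pages site here.</body></html>",
	"shop.example.com": "<html><body>Welcome to our shop</body></html>",
}

// sampleLookup stands in for net.LookupCNAME.
func sampleLookup(host string) (string, error) {
	c, ok := sampleCNAMEs[host]
	if !ok {
		return "", fmt.Errorf("no CNAME for %s", host)
	}
	return c, nil
}

// sampleFetch stands in for an HTTP GET of http(s)://host/.
func sampleFetch(host string) (string, error) {
	b, ok := sampleBodies[host]
	if !ok {
		return "", fmt.Errorf("connection refused: %s", host)
	}
	return b, nil
}

func main() {
	for _, h := range []string{"docs.example.com", "shop.example.com", "www.example.com"} {
		r := Scan(h, sampleLookup, sampleFetch)
		fmt.Printf("%-18s cname=%-26s service=%-12s vulnerable=%v\n", r.Host, r.CNAME, r.Service, r.Vulnerable)
	}
}
```

Only docs.example.com is flagged: its CNAME lands on GitHub Pages and the page carries the unclaimed-site text. shop.example.com also points at a third party but the page is live, and www.example.com points inside the organisation, so neither is reported. Note the fetch-error branch: a timeout or refused connection returns Vulnerable=false, which is the right default for a mass scan but is exactly the case to re-check by hand, as the page advises.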

The techniques behind finding subdomain takeovers can be separated into two steps: first, enumerate subdomains with tools like Knock or Amass; second, check each one's fingerprint with a tool like EyeWitness. Or combine both steps in one tool, as Subjack does. Enjoy hacking 🙂

References

https://www.hacker101.com/vulnerabilities/subdomain_takeover.html
https://github.com/haccer/subjack
