Before going ahead with the subjack tool, let's take a brief look at what a subdomain takeover is.
What is Subdomain takeover?
Subdomain takeover vulnerabilities occur when a subdomain (subdomain.example.com) is pointing to a service (e.g. GitHub Pages, Heroku, CloudFront, Squarespace etc.) that has been removed or deleted, while the DNS record (typically a CNAME) still points at the service. This allows an attacker to register the subdomain on that third party and (effectively) hijack the subdomain. Easy to understand, right?
Subjack is a Hostile Subdomain Takeover tool written in Go designed to scan a list of subdomains concurrently and identify ones that are able to be hijacked. With Go’s speed and efficiency, this tool really stands out when it comes to mass-testing. Always double check the results manually to rule out false positives.
Requires Go >= 1.10.
go get -u github.com/haccer/subjack
go build subjack.go
Usage examples:
./subjack -w subdomains.txt -t 100 -timeout 30 -o results.txt -ssl
./subjack -d example.com -brute -w subdomain_wordlist.txt
./subjack -dL domains.txt -alts -save subdomains.txt -o results.txt
./subjack -d vulnweb.com -save subdomain.txt
-d domain.com is a domain you want to gather subdomains for with amass.
-w domains.txt is your list of subdomains.
-t is the number of threads (Default: 10 threads).
-timeout is the number of seconds to wait before the connection times out (Default: 10 seconds).
-o results.txt is where to save results to.
-ssl enforces HTTPS requests, which may return a different set of results and increase accuracy.
-a skips the CNAME check and sends requests to every URL. (Recommended)
-v verbose. Displays more information for each request.
-save subdomains.txt saves the subdomains enumerated with amass (Use with -d or -dL).
-dL domains.txt is a list of domains to enumerate subdomains for using amass.
-brute enables subdomain brute forcing (Use with -d or -dL).
-r enables recursive subdomain brute forcing (Use with -d or -dL).
-alts enables subdomain alterations (Use with -d or -dL).
Currently checks for:
Acquia Cloud Site Factory, ActiveCampaign, AfterShip, Aha!, Amazon S3 Bucket, Amazon Cloudfront, Big Cartel, Bitbucket, Brightcove, Campaign Monitor, Cargo Collective, Desk, Fastly, FeedPress, GetResponse, Ghost, Github, Helpjuice, Help Scout, Heroku, Intercom, JetBrains, Kajabi, MailerLite, Microsoft Azure, Pantheon.io, Proposify, Shopify, simplebooklet, StatusPage, Surge, Táve, Teamwork, Thinkific, Tictail, Tumblr, UserVoice, Vend Ecommerce, Webflow, Wishpond, WordPress, Zendesk
How it works
The tool uses Amass to identify existing subdomains for the target domain. Then it looks for CNAME DNS entries pointing to external services and tries to fetch the web page at each of those locations. If the page contains specific keywords (a fingerprint that depends on the external service), the subdomain is declared vulnerable. Because the decision rests on a string match, a service that changes its error page, or a page that happens to contain the keyword, produces a false positive, which is why the results should be verified by hand.
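The following is an added example written for this post, not subjack's own code: a minimal Go checker that implements the two-step logic described above (CNAME points at a known service, and the response body carries that service's "unclaimed" message). The three fingerprints in the table are a hand-picked subset of commonly published ones and are assumptions for the example; subjack's real fingerprint list is larger and lives in its fingerprints.json.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"net/http"
	"os"
	"strings"
	"time"
)

// Fingerprint describes one external service: the CNAME suffix that points
// at it and the body text the service returns for an unclaimed resource.
// Assumption: these three entries are illustrative, not subjack's list.
type Fingerprint struct {
	Service string
	CNAME   string
	Body    string
}

var fingerprints = []Fingerprint{
	{"GitHub Pages", "github.io", "There isn't a GitHub Pages site here."},
	{"Heroku", "herokuapp.com", "No such app"},
	{"Amazon S3", "amazonaws.com", "NoSuchBucket"},
}

// matchCNAME returns the fingerprint whose CNAME suffix matches cname on a
// label boundary (so "evilgithub.io" does not match "github.io"), or nil
// when the CNAME does not point at a known service.
func matchCNAME(cname string) *Fingerprint {
	c := strings.TrimSuffix(strings.ToLower(cname), ".")
	for i := range fingerprints {
		fp := &fingerprints[i]
		if c == fp.CNAME || strings.HasSuffix(c, "."+fp.CNAME) {
			return fp
		}
	}
	return nil
}

// classify is the pure decision step: the CNAME must point at a known
// service AND the page body must contain that service's "unclaimed"
// message. Either condition alone is not enough to flag the subdomain.
func classify(cname, body string) (service string, vulnerable bool) {
	fp := matchCNAME(cname)
	if fp == nil {
		return "", false
	}
	return fp.Service, strings.Contains(body, fp.Body)
}

// check is the live version: a CNAME lookup followed by an HTTP request to
// the subdomain itself, so the Host header makes the third-party service
// answer for the (possibly unclaimed) name.
func check(host string, useTLS bool, timeout time.Duration) (string, bool, error) {
	cname, err := net.LookupCNAME(host)
	if err != nil {
		return "", false, err
	}
	if matchCNAME(cname) == nil {
		return "", false, nil // no CNAME to a known service: nothing to test
	}
	scheme := "http"
	if useTLS {
		scheme = "https"
	}
	client := &http.Client{Timeout: timeout}
	resp, err := client.Get(scheme + "://" + host)
	if err != nil {
		return "", false, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap body at 1 MiB
	if err != nil {
		return "", false, err
	}
	svc, vuln := classify(cname, string(body))
	return svc, vuln, nil
}

func main() {
	// Usage: go run takeover.go sub1.example.com sub2.example.com ...
	for _, host := range os.Args[1:] {
		svc, vuln, err := check(host, false, 10*time.Second)
		switch {
		case err != nil:
			fmt.Printf("%s: error: %v\n", host, err)
		case vuln:
			fmt.Printf("%s: [Vulnerable] %s\n", host, svc)
		default:
			fmt.Printf("%s: not vulnerable\n", host)
		}
	}
}
```

Only `classify` decides anything; `check` just gathers the CNAME and the body, which keeps the matching logic testable offline and makes the false-positive surface explicit: a hit means "the body contained this string", nothing more, so a manual confirmation (actually claiming the resource on the third party) is still needed before calling it a takeover.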
Based on the techniques behind finding subdomain takeovers, you can separate the work into two steps: first, find subdomains using tools like knock or Amass, and second, check the fingerprints using a tool like EyeWitness. Or combine them in one tool like Subjack. Enjoy hacking 🙂