Some helper subdomain_takeover_tools to validate subdomain takeovers
Project description
Subdomain Takeover Tools
A set of tools to validate the initial outcome of subtake.
Installation
-
Install using pip:
pip install subdomain_takeover_toolsfor windows:
py -m pip install subdomain_takeover_toolsAlternatively, you can download or clone this repo and call
pip install -e ..
Confirming takeovers
All scripts support the following two parameters:
--strict: only report as vulnerable if the issue is not also applicable onhostname.tldandwww.hostname.tld.--inverse: do inverse reporting, so report all subdomains that are not vulnerable
Some scripts require a config file to be present, the location is .subdomain_takeover_tools.ini, an example of the file can be found below:
[azure]
subscription_id=44713cf2-8656-11ec-a8a3-0242ac120002
Confirming S3
Subtake has some false positives on Google Cloud buckets as S3 buckets, also some access denied's end up in the results.
The script confirm-s3.py will make sure that the bucket is actually vulnerable.
grep "\[s3 bucket: " subtake-output.txt | confirm_s3
Confirming ELB
Some patterns of elb are vulnerable while others are not, to filter them we can use our script:
grep "\[elasticbeanstalk: " subtake-output.txt | confirm_elb
Note: the parameter --strict is accepted here but will not lead to expected results.
Confirming Shopify
It seems that
grep "\[shopify: " subtake-output.txt | confirm_shopify
Separate tools
Extracting domain names
As part of my process I want to know the domains involved in my findings.
Example usage:
cut -f3 < subtake-output.txt | extract_domain_names | sort -u > involved.domains
Note that extract_domain_names also support groups, such as domain.(co.id|in.th|ph|vn), this will be expanded automatically.
Resolving from the authoritative DNS authority
For validation of the results I want to validate whether the DNS record is still accurate.
To do this we fetch the authoritative result's step by step from the authoritative DNS servers.
authoritative_resolve "github.com" "martinvw.nl"
Exporting and enriching
The subtake_enrich_and_export will split the existing output and add some additional columms:
- has a wildcard
- domain name
- tld
- still vulnerable
- authoritative results
subtake_enrich_and_export < subtakee-output.txt
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for subdomain_takeover_tools-0.13.0.tar.gz
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | b0924a648b9e1b37994a2daad0480a24e060932c9816378fe8482a9f34cd6b50 |
|
| MD5 | 370deac5b5b00f2b3e4cf3051b73d8cc |
|
| BLAKE2b-256 | da98b34b664bdcb3ca76ddbb263f00ec43f65a436767c110f26c63826a15aa9d |
Hashes for subdomain_takeover_tools-0.13.0-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 678dcf7451d2c9187caa1f11b3d752b2fa73aee4735621e20d860a2422c80626 |
|
| MD5 | 24a83143ae95ff6d594e1efc33ab1963 |
|
| BLAKE2b-256 | 305269db3f00db287f1567d6c502b41dbe5c5f9b486d555829c744591aa93bf5 |
