Some helper subdomain_takeover_tools to validate subdomain takeovers
Project description
Subdomain Takeover Tools
A set of tools to validate the initial outcome of subtake.
Installation
-
Install using pip:
pip install subdomain_takeover_tools
for windows:
py -m pip install subdomain_takeover_tools
Alternatively, you can download or clone this repo and call
pip install -e .
.
Confirming takeovers
All scripts support the following two parameters:
--strict
: only report as vulnerable if the issue is not also applicable onhostname.tld
andwww.hostname.tld
.--inverse
: do inverse reporting, so report all subdomains that are not vulnerable
Some scripts require a config file to be present, the location is .subdomain_takeover_tools.ini
, an example of the file can be found below:
[azure]
subscription_id=44713cf2-8656-11ec-a8a3-0242ac120002
[github]
username=martinvw
access_token=44713cf2-8656-11ec-a8a3-0242ac120002
repo=44713cf2-8656-11ec-a8a3-0242ac120002
[fastly]
api_token=44713cf2-8656-11ec-a8a3-0242ac120002
service=44713cf2-8656-11ec-a8a3-0242ac120002
version=3
Confirming S3
Subtake has some false positives on Google Cloud buckets as S3 buckets, also some access denied's end up in the results.
The script confirm-s3.py
will make sure that the bucket is actually vulnerable.
grep "\[s3 bucket: " subtake-output.txt | confirm_s3
Confirming ELB
Some patterns of elb are vulnerable while others are not, to filter them we can use our script:
grep "\[elasticbeanstalk: " subtake-output.txt | confirm_elb
Note: the parameter --strict
is accepted here but will not lead to expected results.
Please note that some regions are not enabled by default, when you receive the following error:
botocore.exceptions.ClientError: An error occurred (InvalidClientTokenId) when calling the CheckDNSAvailability operation: The security token included in the request is invalid.
This could mean you have not yet enabled these, opt-in, regions, see https://console.aws.amazon.com/billing/home?#/account
Confirming GitHub
TODO
grep "\[github: " subtake-output.txt | confirm_github
Confirming Fastly
TODO
grep "\[github: " subtake-output.txt | confirm_github
Confirming Shopify
It seems that all current shopify examples are vulnerable, the following check just validates the DNS.
grep "\[shopify: " subtake-output.txt | confirm_shopify
Filtering Pantheon
Please note that for pantheon this repo currently only provides an initial check to eliminate some FALSE positives.
grep "\[pantheon: " subtake-output.txt | confirm_pantheon
Filtering Cargo Collective
Please note that for Cargo Collective this repo currently only provides an initial check to eliminate some FALSE positives.
grep "\[cargo: " subtake-output.txt | confirm_cargo
Separate tools
Extracting domain names
As part of my process I want to know the domains involved in my findings.
Example usage:
cut -f3 < subtake-output.txt | extract_domain_names | sort -u > involved.domains
Note that extract_domain_names
also support groups, such as domain.(co.id|in.th|ph|vn)
, this will be expanded automatically.
Resolving from the authoritative DNS authority
For validation of the results I want to validate whether the DNS record is still accurate.
To do this we fetch the authoritative result's step by step from the authoritative DNS servers.
authoritative_resolve "github.com" "martinvw.nl"
Exporting and enriching
The subtake_enrich_and_export
will split the existing output and add some additional columms:
- has a wildcard
- domain name
- tld
- still vulnerable
- authoritative results
subtake_enrich_and_export < subtakee-output.txt
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for subdomain_takeover_tools-0.22.0.tar.gz
Algorithm | Hash digest | |
---|---|---|
SHA256 | 75a3af25cb1cb2e789cbb630ce0ce629844a1009b986d6ff44e531241af19a36 |
|
MD5 | b5aa41606e8f76563e36517ce410a8b0 |
|
BLAKE2b-256 | 69090eb3f6fc2668de89f860964e698e61ccf212a59dbf41bb010ce5aa4bdc0e |
Hashes for subdomain_takeover_tools-0.22.0-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | f56dcffe53a9a32e86442c332316dbb3063f059cf63b7dddf65c21c6be04437d |
|
MD5 | cb0dbd49236c7c8badf35ba1fad339b8 |
|
BLAKE2b-256 | bdb9e11e4ac8ad946391dda9e91e45c947252d5aab5b96440e70801196ad6ef8 |