A set of tools to validate the initial outcome of subtake.
Install using pip:

```sh
pip install subdomain_takeover_tools
```

For Windows:

```sh
py -m pip install subdomain_takeover_tools
```

Alternatively, you can download or clone this repo and call `pip install -e .`.
All scripts support the following two parameters:

- `--strict`: only report as vulnerable if the issue is not also applicable on `hostname.tld` and `www.hostname.tld`.
- `--inverse`: do inverse reporting, so report all subdomains that are not vulnerable.
Some scripts require a config file to be present at `.subdomain_takeover_tools.ini`; an example of the file can be found below:

```ini
[azure]
subscription_id=44713cf2-8656-11ec-a8a3-0242ac120002
[github]
username=martinvw
access_token=44713cf2-8656-11ec-a8a3-0242ac120002
repo=44713cf2-8656-11ec-a8a3-0242ac120002
[fastly]
api_token=44713cf2-8656-11ec-a8a3-0242ac120002
service=44713cf2-8656-11ec-a8a3-0242ac120002
version=3
```

Subtake has some false positives where Google Cloud buckets are reported as S3 buckets, and some "access denied" responses also end up in the results.
The script confirm-s3.py will make sure that the bucket is actually vulnerable:

```sh
grep "\[s3 bucket: " subtake-output.txt | confirm_s3
```

Some patterns of elb are vulnerable while others are not; to filter them we can use our script:

```sh
grep "\[elasticbeanstalk: " subtake-output.txt | confirm_elb
```

Note: the parameter `--strict` is accepted here but will not lead to the expected results.
Please note that some regions are not enabled by default. When you receive the following error:

```
botocore.exceptions.ClientError: An error occurred (InvalidClientTokenId) when calling the CheckDNSAvailability operation: The security token included in the request is invalid.
```

this could mean you have not yet enabled these opt-in regions, see https://console.aws.amazon.com/billing/home?#/account
It seems that all current Shopify examples are vulnerable; the following check just validates the DNS:

```sh
grep "\[shopify: " subtake-output.txt | confirm_shopify
```

Please note that for Pantheon this repo currently only provides an initial check to eliminate some false positives:

```sh
grep "\[pantheon: " subtake-output.txt | confirm_pantheon
```

Please note that for Cargo Collective this repo currently only provides an initial check to eliminate some false positives:

```sh
grep "\[cargo: " subtake-output.txt | confirm_cargo
```

As part of my process I want to know the domains involved in my findings.
Example usage:

```sh
cut -f3 < subtake-output.txt | extract_domain_names | sort -u > involved.domains
```

Note that `extract_domain_names` also supports groups, such as `domain.(co.id|in.th|ph|vn)`; these will be expanded automatically.
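The two pieces of behaviour described above, the `--strict` / `--inverse` reporting rules and the group expansion that `extract_domain_names` performs, as an added example. This is not this repository's code: the multi-label suffix list, the per-service check (a lookup table standing in for a real probe) and the sample hostnames are all constructed for the example; a real run would load the Public Suffix List and call the actual service check instead.

```python
"""Added example, not the project's code: --strict/--inverse filtering and
'(a|b|c)' group expansion over a constructed set of hostnames."""
import itertools
import re

# Constructed, deliberately tiny set of multi-label public suffixes.
MULTI_LABEL_SUFFIXES = {"co.id", "in.th", "co.uk", "com.au"}

# Matches one "(a|b|c)" group in a hostname pattern; nested groups are not supported.
GROUP_RE = re.compile(r"\(([^()]*\|[^()]*)\)")


def expand_groups(pattern: str) -> list:
    """Expand every '(a|b|c)' group; several groups give the cartesian product.

    'domain.(co.id|in.th|ph|vn)' -> ['domain.co.id', 'domain.in.th', 'domain.ph', 'domain.vn']
    """
    groups = GROUP_RE.findall(pattern)
    if not groups:
        return [pattern]
    # re.split with one capturing group alternates literal, group, literal, ...
    literals = GROUP_RE.split(pattern)[0::2]
    expanded = []
    for combo in itertools.product(*(g.split("|") for g in groups)):
        pieces = [literals[0]]
        for alternative, literal in zip(combo, literals[1:]):
            pieces += [alternative, literal]
        expanded.append("".join(pieces))
    return expanded


def registrable_domain(hostname: str) -> str:
    """Reduce a hostname to its registrable domain ('hostname.tld' in the README's terms)."""
    labels = hostname.strip().lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def extract_domain_names(lines) -> list:
    """Unique registrable domains for a stream of hostnames/patterns (one per line)."""
    found = set()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        for host in expand_groups(line):
            found.add(registrable_domain(host))
    return sorted(found)


# Constructed stand-in for a per-service check: hostname -> "fingerprint seen".
CONSTRUCTED_PROBE = {
    "old.example.com": True,       # only the subdomain shows the dangling fingerprint
    "blog.wildcard.co.id": True,
    "wildcard.co.id": True,        # apex answers the same way: wildcard/generic page,
    "www.wildcard.co.id": True,    # so --strict should drop the subdomain finding
    "cdn.example.com": False,
}
SAMPLE_HOSTS = ["old.example.com", "blog.wildcard.co.id", "cdn.example.com"]


def probe(host: str) -> bool:
    """Constructed check; a real tool would query the service here."""
    return CONSTRUCTED_PROBE.get(host.lower(), False)


def filter_findings(hosts, is_vulnerable, strict=False, inverse=False) -> list:
    """Apply the README's --strict and --inverse semantics to a list of hostnames."""
    reported = []
    for host in hosts:
        vulnerable = is_vulnerable(host)
        if vulnerable and strict:
            apex = registrable_domain(host)
            # --strict: the issue must NOT also apply to hostname.tld and www.hostname.tld
            if is_vulnerable(apex) or is_vulnerable("www." + apex):
                vulnerable = False
        # --inverse flips the report: list the hosts that are NOT vulnerable
        if vulnerable != inverse:
            reported.append(host)
    return reported


if __name__ == "__main__":
    print(extract_domain_names(["static.domain.(co.id|ph)", "cdn.example.com"]))
    print(filter_findings(SAMPLE_HOSTS, probe, strict=True))
```

The strict rule is what separates a genuinely dangling record from a wildcard or a generic error page that every name under the domain returns, which is why it is the first triage step before anyone is told a subdomain is at risk.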
For validation of the results I want to validate whether the DNS record is still accurate.
To do this we fetch the authoritative result step by step from the authoritative DNS servers:

```sh
authoritative_resolve "github.com" "martinvw.nl"
```

The `subtake_enrich_and_export` script will split the existing output and add some additional columns:

- has a wildcard
- domain name
- tld
- still vulnerable
- authoritative results

```sh
subtake_enrich_and_export < subtake-output.txt
```
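The step-by-step authoritative lookup described above (and the "still vulnerable" / "authoritative results" columns that depend on it), as an added example that is not this repository's code. A real implementation sends each query to the live name servers (for instance with dnspython); here the delegation tree is a constructed in-memory table so the walk runs offline, and all names in it (`example.net`, `example-pages.github.io.`, the `ns*.` server names and the 192.0.2.0/24 address) are constructed documentation values.

```python
"""Added example, not the project's code: iterative resolution from the root
through each delegation to the zone authoritative for a name, over a
constructed delegation tree."""

# Constructed delegation tree: zone apex -> {owner name -> [(rtype, rdata), ...]}.
# All names are absolute (trailing dot), as a resolver would keep them.
CONSTRUCTED_ZONES = {
    ".": {"net.": [("NS", "ns.net-example.")]},
    "net.": {"example.net.": [("NS", "ns1.example.net.")]},
    "example.net.": {
        "example.net.": [("A", "192.0.2.10")],
        "github.example.net.": [("CNAME", "example-pages.github.io.")],
        # delegated onward to a zone that is not in our table: a lame delegation
        "old.example.net.": [("NS", "ns.lame-example.")],
    },
}


def _candidate_zones(name: str, current: str):
    """Suffixes of `name` strictly below `current`, longest first."""
    labels = name.split(".")
    for i in range(0, len(labels) - 1):
        suffix = ".".join(labels[i:])
        below = current == "." or suffix.endswith("." + current)
        if suffix != current and below:
            yield suffix


def authoritative_resolve(name: str, zones=CONSTRUCTED_ZONES) -> dict:
    """Walk from the root to the authoritative zone for `name`.

    Returns {'chain': zones consulted, 'zone': authoritative zone or None,
    'answer': [(rtype, rdata)] or None}. An empty answer list means the
    authoritative zone exists but holds no record for the name (the record a
    finding was based on is gone); zone None means the walk hit a delegation
    to a server we could not reach.
    """
    name = name.lower().rstrip(".") + "."
    zone, chain = ".", ["."]
    while True:
        records = zones[zone]
        # Non-NS data at the exact name: this zone is authoritative for it.
        data = [r for r in records.get(name, []) if r[0] != "NS"]
        if data:
            return {"chain": chain, "zone": zone, "answer": data}
        # Otherwise follow the longest delegation that covers the name.
        for child in _candidate_zones(name, zone):
            if any(rtype == "NS" for rtype, _ in records.get(child, [])):
                chain.append(child)
                if child not in zones:
                    return {"chain": chain, "zone": None, "answer": None}
                zone = child
                break
        else:
            # No data and no delegation: the authoritative zone has no such name.
            return {"chain": chain, "zone": zone, "answer": []}


def record_still_points_to(name: str, target: str, zones=CONSTRUCTED_ZONES) -> bool:
    """True when the authoritative zone still has a CNAME from `name` to `target`."""
    result = authoritative_resolve(name, zones)
    wanted = ("CNAME", target.lower().rstrip(".") + ".")
    return bool(result["answer"]) and wanted in result["answer"]


if __name__ == "__main__":
    print(authoritative_resolve("github.example.net"))
    print(record_still_points_to("github.example.net", "example-pages.github.io"))
```

Asking the authoritative servers directly, rather than a recursive resolver, avoids being misled by a cached answer: a record the owner already removed can still be served from cache for its full TTL, and a finding based on it would be stale.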