Skip to content

avhadpooja/subjack

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

65 Commits
.travis.yml
.travis.yml
 
 
CHANGELOG.md
CHANGELOG.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
subjack.go
subjack.go
 
 

Repository files navigation

subjack

Build Status Go Report Card GitHub license

subjack is a Hostile Subdomain Takeover tool written in Go designed to scan a list of subdomains concurrently and identify ones that are able to be hijacked. With Go's speed and efficiency, this tool really stands out when it comes to mass-testing. Always double check the results manually to rule out false positives.

Installing

You need have Go installed. Full details of installation and set up can be found here.

go build subjack.go

How To Use:

./subjack -w domains.txt -t 100 -timeout 30 -o results.txt -https

  • -w domains.txt is your list of subdomains. I recommend using cname.sh (included in repository) to sift through your subdomain list for ones that have CNAME records attached and use that list to optimize and speed up testing.
  • -t is the number of threads (Default: 10 threads).
  • -timeout is the seconds to wait before timeout connection (Default: 10 seconds).
  • -o results.txt where to save results to (Optional).
  • -https enforces https requests which may return a different set of results and increase accuracy (Optional).
  • -strict sends HTTP requests to every URL (Optional).

Currently checks for:

  • Amazon S3 Bucket
  • Amazon Cloudfront
  • Bitbucket
  • Cargo
  • Fastly
  • FeedPress
  • Ghost
  • Github
  • Helpjuice
  • Help Scout
  • Heroku
  • Mashery
  • Pantheon.io
  • Shopify
  • Surge
  • Tumblr
  • UserVoice
  • WordPress
  • WP Engine

In Action

realtime

Practical Use

You can use scanio.sh which is kind of a PoC script to mass-locate vulnerable subdomains using results from Rapid7's Project Sonar. This script parses and greps through the dump for desired CNAME records and makes a large list of subdomains to check with subjack if they're vulnerable to Hostile Subdomain Takeover. Of course this isn't the only method to get a large amount of data to test. Please use this responsibly ;)

FAQ

Q: What should my wordlist look like?

A: Your wordlist should include a list of subdomains you're checking and should look something like:

assets.cody.su
assets.github.com
b.cody.su
big.example.com
cdn.cody.su
dev.cody.su
dev2.twitter.com

Q: I ran my scan and nothing happened. What does this mean?

A: In most cases, this means that subjack didn't discover any vulnerable subdomains in your wordlist or your wordlist of is formatted weird.

Contact

Shout me out on Twitter: @now

About

Hostile Subdomain Takeover tool written in Go

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

1 tags

Packages

No packages published

Languages

  • Go 100.0%