loading
loading
Vulnerabilities
Subdomain takeover tool for attackers, bug bounty hunters, and the blue team.
overview
dnsReaper checks subdomains for takeover, the case where a DNS record still points at a deprovisioned cloud service that someone else can re-register and control. It matches each candidate against a large signature set, so it recognizes the dangling-record fingerprints of many providers instead of a handful.
What sets it apart is how it sources domains. Read them from a file, scan a single domain, load a BIND zone file, pull records over a zone transfer, or fetch zones straight from AWS Route53, Azure, Cloudflare, or DigitalOcean with the right credentials. That fits both an external bug-bounty pass and an internal blue-team sweep of your own DNS.
On Trickest, dnsReaper is a Vulnerabilities node that takes domains and writes a file and a folder of findings as CSV or JSON. Run it after subdomain discovery and feed confirmed takeovers into your reporting or alerting path. The pipeline flag exits non-zero on detection, so it can gate a workflow step.
use cases
Scan discovered subdomains from a file against the full signature set to find dangling records pointing at deprovisioned services.
Fetch zones straight from Route53, Azure, Cloudflare, or DigitalOcean with credentials so the blue team audits live DNS, not a stale export.
Use the pipeline flag to exit non-zero when a takeover is found, failing a CI or workflow step on a real exposure.
Restrict to a single signature, exclude noisy ones, or toggle unlikely and probable checks to trade coverage against false positives.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| single-domain | STRING | --domain | Scan a single domain (with the single input set). |
| file-input | FILE | --filename | Scan a list of domains read from a file, one per line. |
| aws | BOOLEAN | aws | Fetch zones to scan straight from AWS Route53. |
| signature | STRING | --signature | Only scan with this signature. |
| exclude-signature | STRING | --exclude-signature | Skip a noisy signature. |
| out-format | STRING | --out-format | Write findings as csv or json. |
| pipeline | BOOLEAN | --pipeline | Exit non-zero on detection, to gate CI. |
| resolver | STRING | --resolver | Use a custom DNS resolver, or several comma-separated. |
Showing key inputs. dnsreaper exposes 33 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| aws | BOOLEAN | aws | Scan multiple domains fetched from AWS Route53 |
| bind | BOOLEAN | bind | Read domains from a DNS BIND zone file, or a path to multiple |
| file | BOOLEAN | file | Read domains from a file (or folder of files), one per line |
| azure | BOOLEAN | azure | Scan multiple domains fetched from Azure DNS services |
| single | BOOLEAN | single | Scan a single domain given on the command line |
| verbose | BOOLEAN | -v | Verbose output |
| nocolour | BOOLEAN | --nocolour | Turn off coloured text |
| pipeline | BOOLEAN | --pipeline | Exit non-zero on detection (used to fail a pipeline) |
| resolver | STRING | --resolver | Custom DNS resolver, or several comma-separated |
| signature | STRING | --signature | Only scan with this signature |
| cloudflare | BOOLEAN | cloudflare | Scan multiple domains fetched from Cloudflare |
| do-api-key | STRING | --do-api-key | DigitalOcean API key (requires the digitalocean input) |
| do-domains | STRING | --do-domains | Limit the scan to these domains (comma-separated) |
| file-input | FILE | --filename | List of domains to scan (requires the file input) |
| out-format | STRING | --out-format | Output format (csv or json) |
| parallelism | STRING | --parallelism | Number of domains to test in parallel; too high risks odd DNS results (default 30) |
| az-client-id | STRING | --az-client-id | Azure client ID (requires the azure input) |
| az-tenant-id | STRING | --az-tenant-id | Azure tenant ID (requires the azure input) |
| digitalocean | BOOLEAN | digitalocean | Scan multiple domains fetched from DigitalOcean |
| zonetransfer | BOOLEAN | zonetransfer | Scan multiple domains fetched via DNS zone transfer |
| extra-verbose | BOOLEAN | -vv | Extra verbose output |
| single-domain | STRING | --domain | Scan this one domain (requires the single input) |
| bind-zone-file | FILE | --bind-zone-file | BIND zone file (requires the bind input) |
| enable-unlikely | BOOLEAN | --enable-unlikely | Check more conditions, at a higher false-positive rate |
| az-client-secret | STRING | --az-client-secret | Azure client secret (requires the azure input) |
| cloudflare-token | STRING | --cloudflare-token | Cloudflare token (requires the cloudflare input) |
| disable-probable | BOOLEAN | --disable-probable | Do not check for probable conditions |
| aws-access-key-id | STRING | --aws-access-key-id | AWS access key ID (requires the aws input) |
| exclude-signature | STRING | --exclude-signature | Do not scan with this signature |
| az-subscription-id | STRING | --az-subscription-id | Azure subscription ID (requires the azure input) |
| zonetransfer-domain | STRING | --zonetransfer-domain | Root domain to scan for (requires the zonetransfer input) |
| aws-access-key-secret | STRING | --aws-access-key-secret | AWS access key secret (requires the aws input) |
| zonetransfer-nameserver | STRING | --zonetransfer-nameserver | DNS server FQDN (such as ns1.example.com) or IP address (requires the zonetransfer input) |
example
# scan a list of discovered subdomains as json and fail the run on any takeoverdnsreaper file --filename subdomains.txt --out-format json --pipeline🚀 Testing 42 domains with 54 signatures...100%|██████████████████████████████| 42/42 [00:07<00:00, 5.94it/s][CONFIRMED] app.example.com -> signature: aws_s3[CONFIRMED] cdn.example.com -> signature: azure_traffic_manager[POTENTIAL] docs.example.com -> signature: github[UNLIKELY] mail.example.com -> signature: fastly💥 We found 2 takeovers!!!Results written to output/ in csv and jsonguidance
Use dnsReaper to test subdomains for takeover after discovery, on either external targets or your own cloud DNS. For finding the subdomains in the first place, use subfinder or amass; for a CNAME-focused takeover check, subjack or tko-subs are lighter. Reach for dnsReaper when you want broad signature coverage and cloud-zone ingestion.
Fast CNAME-based takeover check. dnsReaper carries a larger signature set and can pull cloud zones.
Classic takeover scanner driven by a provider list. dnsReaper covers more services and input sources.
Lightweight takeover verifier. dnsReaper adds cloud-account ingestion and pipeline gating.
faq
related
A Go script for bypassing 403 forbidden responses.
An open-source tool that automates detecting and exploiting command injection.
Detect and abuse vulnerable implementations of stateless sessions.
A Python tool to find Cross-Origin Resource Sharing misconfigurations.
A tool to find HTTP splitting vulnerabilities.
Multi-threaded, IPv6-aware username enumeration via CVE-2018-15473.
subfinder enumerates a domain's subdomains, then dnsReaper scans them against its takeover signatures and writes confirmed takeovers as output.
Facts on this page come from the live Trickest tool library.