loading
loading
Misconfiguration
A Go subdomain takeover tool that scans subdomains concurrently to find hijackable ones.
overview
subjack hunts for subdomain takeover. It reads a list of subdomains, checks each one's CNAME and the response of the service it points to, and flags names whose target points at an unclaimed third-party service that an attacker could register and control. The check is fingerprint-driven, matching the tell-tale responses of takeover-prone providers.
Speed is its strength. Written in Go and run concurrently, it covers large subdomain lists, which makes it practical to test an entire enumerated surface rather than spot-checking a few names. A dead-record mode flags valid CNAMEs whose target no longer resolves, a common precursor to takeover.
On Trickest, subjack is a Misconfiguration node that takes a domain or wordlist and writes a file and a folder of results. Run it right after subdomain enumeration so every name you found is tested for takeover, then verify any hit manually to rule out false positives.
source github.com/haccer/subjack
use cases
Feed subjack the subdomains from your enumeration step so every name is checked for a dangling CNAME to an unclaimed service.
Run subjack concurrently across thousands of subdomains to cover a whole estate instead of spot-checking a handful.
Flag valid CNAMEs whose target no longer resolves, a state that often precedes a takeover opportunity.
Force HTTPS with -ssl and probe every URL with -a to reduce missed cases, then verify each flagged name by hand to drop false positives.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| domain | STRING | -d | Domain or single subdomain to test. |
| wordlist | FILE | -w | Wordlist file of subdomains to scan. |
| config-file | FILE | -c | Path to the fingerprint configuration file. |
| threads | STRING | -t | Number of concurrent threads (default 10). |
| timeout-sec | STRING | -timeout | Seconds to wait before connection timeout (default 10). |
| force-ssl | STRING | -ssl | Force HTTPS connections, which may increase accuracy. |
| find-hidden-gems | BOOLEAN | -a | Send requests to every URL, not only those with identified CNAMEs. |
| presence-of-dead-record | BOOLEAN | -m | Flag a dead record with a still-valid CNAME entry. |
Showing key inputs. subjack exposes 9 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| domain | STRING | -d | Domain |
| threads | STRING | -t | Number of concurrent threads (Default: 10). |
| verbose | BOOLEAN | -v | Display more information per each request. |
| wordlist | FILE | -w | Wordlist file. |
| force-ssl | STRING | -ssl | Force HTTPS connections (May increase accuracy (Default: http://). |
| config-file | FILE | -c | Path to configuration file. |
| timeout-sec | STRING | -timeout | Seconds to wait before connection timeout (Default: 10). |
| find-hidden-gems | BOOLEAN | -a | Find those hidden gems by sending requests to every URL. (Default: Requests are only sent to URLs with identified CNAMEs) |
| presence-of-dead-record | BOOLEAN | -m | Flag the presence of a dead record, but valid CNAME entry. |
example
# scan a subdomain list for takeover candidatessubjack -w hosts.txt -t 50 -timeout 10 -ssl -a -m -v[Vulnerable] cms.example.com[Vulnerable] status.example.com[Vulnerable] docs.example.com[Dead Record] old-cdn.example.com[Vulnerable] help.example.com[Vulnerable] blog-staging.example.com[Dead Record] legacy-api.example.com[Vulnerable] shop-dev.example.comguidance
Use subjack to test a list of subdomains for takeover right after enumeration. It needs names to check, so feed it subfinder or subbrute output. It reports candidates, not confirmed compromises, so always verify a flagged name manually before acting on it.
Another takeover scanner with an updatable fingerprint set. subjack is a fast, established Go option.
Template-based scanner with takeover templates among many checks. subjack is purpose-built for takeover at scale.
faq
related
A fast tool to scan for CRLF vulnerabilities, written in Go.
Leak git repositories from misconfigured sites and rebuild their contents.
A host header injection vulnerability checker for batches of URLs.
Find files on web servers that should not be public and can pose a security risk.
A domain feeds subfinder, whose subdomains subjack tests for dangling CNAMEs, writing takeover candidates as output.
Facts on this page come from the live Trickest tool library.