loading
loading
Vulnerabilities
Detect and take over subdomains with dead DNS records.
overview
tko-subs scans subdomains for dangling DNS records, the CNAMEs that still point at a cloud service or CMS that has been deprovisioned. It resolves each name, compares the answer against a CSV of provider fingerprints, and flags hosts whose record now leads to a claimable resource. Those are the conditions behind a subdomain takeover, where an attacker registers the abandoned resource and serves content from a domain you own.
It goes a step past detection. With the -takeover flag and provider credentials, it can claim the dangling resource for you, which is useful for confirming a finding or for defenders reclaiming their own records. The provider data lives in a CSV you can extend, and you control the DNS server, port, and thread count to tune resolution behavior at scale.
In a Trickest Vulnerabilities workflow, tko-subs takes a domain list and a providers CSV and writes a file and a folder of results. Place it after subdomain enumeration so discovery produces the names and tko-subs confirms which ones resolve to claimable services.
use cases
Feed a subdomain list and let tko-subs resolve each name and match it against the provider CSV, flagging the records that point at deprovisioned services.
Supply provider credentials and set the -takeover flag to claim a dangling resource, proving the finding rather than leaving it theoretical.
Point queries at a specific DNS server with -server and raise -threads so a large host list resolves quickly without overwhelming a single resolver.
Edit the CMS providers CSV passed via -data to add fingerprints for services the default set misses, keeping detection current as platforms change their error pages.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| domains | FILE | -domains | List of domains to check. |
| domain | STRING | -domain | Domains to check, separated by commas. |
| server | STRING | -server | DNS server to direct queries to (default 8.8.8.8). |
| threads | STRING | -threads | Number of threads to run in parallel (default 5). |
| takeover | BOOLEAN | -takeover | Take over a vulnerable domain rather than only detecting it. |
| cms-providers-csv | FILE | -data | CSV of CMS provider strings used for identification. |
| github-token | STRING | -githubtoken | GitHub personal access token for claiming GitHub Pages records. |
| heroku-api-key | STRING | -herokuapikey | Heroku API key for claiming Heroku records. |
Showing key inputs. tko-subs exposes 11 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| port | STRING | -port | The DNS server port (you shouldn't have to change this) (default: "53"). |
| domain | STRING | -domain | Domains separated by ",". |
| server | STRING | -server | A DNS server to direct queries to (default: "8.8.8.8"). |
| domains | FILE | -domains | List of domains to check |
| threads | STRING | -threads | Number of threads to run parallel (default: 5). |
| takeover | BOOLEAN | -takeover | Flag to denote if a vulnerable domain needs to be taken over or not (default: false). |
| github-token | STRING | -githubtoken | Github personal access token. |
| heroku-api-key | STRING | -herokuapikey | Heroku API key. |
| heroku-app-name | STRING | -herokuappname | Heroku app name. |
| heroku-username | STRING | -herokuusername | Heroku username. |
| cms-providers-csv | FILE | -data | CSV file containing CMS providers' string for identification (default: "providers-data.csv"). |
example
# detect dangling DNS records across a subdomain listtko-subs -domains subdomains.txt -data providers-data.csv -server 8.8.8.8 -threads 10cdn.example.com [CNAME] github.com - VULNERABLEassets.example.com [CNAME] s3.amazonaws.com - VULNERABLEapi.example.com [CNAME] app.example.net - NOT VULNERABLEapp.example.com [A] 198.51.100.10 - NOT VULNERABLEstaging.example.com [CNAME] pages.github.com - VULNERABLEdev.example.com [A] 203.0.113.20 - NOT VULNERABLEwww.example.com [A] 192.0.2.15 - NOT VULNERABLEguidance
Reach for tko-subs when you want to both detect dangling records and optionally claim them. It matches against an editable provider CSV and can act on GitHub and Heroku records with credentials. For detection only against the can-i-take-over-xyz fingerprint set, subzy is a fast alternative.
Detection only, driven by the can-i-take-over-xyz fingerprints. Faster for a quick pass; tko-subs can also claim the resource.
Finds the subdomains to check. Run it before tko-subs to produce the domain list.
Has takeover templates alongside thousands of other checks. tko-subs is purpose-built and can perform the takeover.
faq
related
A Go script for bypassing 403 forbidden responses.
An open-source tool that automates detecting and exploiting command injection.
Detect and abuse vulnerable implementations of stateless sessions.
A Python tool to find Cross-Origin Resource Sharing misconfigurations.
A tool to find HTTP splitting vulnerabilities.
Multi-threaded, IPv6-aware username enumeration via CVE-2018-15473.
A subdomain list feeds tko-subs, which resolves each name, flags the dangling records, and writes the takeover candidates as an output.
Facts on this page come from the live Trickest tool library.