Pentest & Bug Bounty Resources and Techniques
  • Pentest & Bug Bounty Resources and Techniques
    • Introduction
    • Tests Checklist
    • OSINT
    • Communications Security
      • SSL/TLS
    • Networking
      • Subdomains Discovery
        • DNS & OSINT
        • DNS Brute force
          • Second DNS Brute-Force Round
      • Subdomain Takeover
      • Network Host Scan/Discovery
        • External/Internal
        • Internal only
      • Network Vulnerability Scanning
      • Network Hacking
      • Parsing
      • Reporting
    • Brute Force
      • Wordlists
      • Databases
      • SSH
    • Web
      • Endpoint Discovery
      • Infrastructure & Configuration
        • Headers
        • WAF Detection/ Evasion
      • Injection
        • GraphQL
        • Cross-Site Scripting (XSS)
        • SQL Injection
        • Payloads
      • SSRF & XXE
        • Labs & Resources
        • Tools
        • SVG SSRF Cheatsheet
        • XXE - XEE - XML External Entity
      • JWT Vulnerabilities (Json Web Tokens)
      • HTTP/S DoS
    • Mobile
      • Both
        • SAST
          • MobSF
        • DAST
          • Installing Frida and Objection
      • Android
        • Create a Lab
          • Rooting Android Emulator
          • Rooting Android Emulator Cheat Sheet
        • APK Certificates
        • SAST
          • APKs
            • Get Information from APK
            • GDA (GJoy Dex Analysizer)
            • Scanning APK for URIs, endpoints & secrets
            • Google Maps API Scanner
        • DAST
          • Rooting the Android Studio AVDs
          • non-Rooted devices
            • Bypass SSL Pinning - non-rooted devices
              • Method 1: apk-mitm
              • Instrumentation with Frida and Objection
                • Bypass SSL Pinning - Method 2: With Objection Explore
                • Bypass SSL Pinning - Method 3: With root_bypass.js
          • Rooted Devices
            • Run frida-server in the emulator or device
            • Inject Frida
            • Bypass SSL Pinning - rooted devices
              • Install Burp CA as a system-level CA on the device
      • iOS
        • SAST
          • Building a reverse iOS engineering environment for free
          • Test Vulnerabilities
  • Lets Practice
    • Virtual Machines
    • Vulnerable App
    • Guided Labs
    • CTFs
  • Group 1
    • AI
Powered by GitBook
On this page
  1. Pentest & Bug Bounty Resources and Techniques
  2. Networking

Subdomain Takeover

PreviousSecond DNS Brute-Force RoundNextNetwork Host Scan/Discovery

Last updated 9 months ago

tko-subs

Repo:

Info: This tool allows:

  • To check whether a subdomain has a dangling CNAME pointing to a CMS provider (Heroku, Github, Shopify, Amazon S3, Amazon CloudFront, etc.) that can be taken over.

  • To actually take over those subdomain by providing a flag -takeover. Currently, take over is only supported for Github Pages and Heroku Apps and by default the take over functionality is off.

  • To specify your own CMS providers and check for them via the providers-data.csv file. In that file, you would mention the CMS name, their CNAME value, their string that you want to look for and whether it only works over HTTP or not. Check it out for some examples.

# Installation
go install github.com/anshumanbh/tko-subs@latest

#Execution
~/go/bin/./tko-subs -takeover -domains=domains.txt -output=subdomaintakeovers.csv

To actually take over those subdomain by providing a flag -takeover. Currently, take over is only supported for Github Pages and Heroku Apps and by default the take over functionality is off.

https://github.com/anshumanbh/tko-subs