Skip to content
This repository was archived by the owner on Aug 27, 2021. It is now read-only.

Files

Latest commit

adiffpirateadiffpirate
Added usage info
Jul 20, 2020
2795c82 · Jul 20, 2020

History

History
64 lines (36 loc) · 2.97 KB

README.md

File metadata and controls

64 lines (36 loc) · 2.97 KB

SubTko24h

A 24/7 subdomain takeovers finder that glues together some open source tools using bash.

Subdomain takeover is a type of vulnerability where the attacker gains total control of a subdomain. It can be used to chain other vulns (like XSS), for mass phishing campaigns (that's almost impossible for the user to detect), and some other things. You can read more about it here.

Content

This script is running in cloud using a basic droplet from digital ocean.

It costs me only $5 per month, checking a few tens subdomains per second (it can do more, but I don't think it's necessary since the same subdomain is checked about 3 times a day).

Adrecon

Does subdomain enumeration. Currently using:

Subtko

Checks for possible subdomain takeovers using:

Aliases

To keep things simple.

Doing that, I can run my tools in a much effective way by avoid typing the full command (e.g. cat subs-list | massdns -q -r $resolvers -s 1000 -o S | awk '{print $1}' | sed 's/\.$//g' | sort -u turns into cat subs-list | massdns).

Database

To organize and making it easy to acess/read the data, a mysql database (named "recon") is used with the following tables:

targets

(program VARCHAR(255) NOT NULL, domain VARCHAR(255) PRIMARY KEY)

Domains to perform subdomain enumeration.

data

(domain VARCHAR(255), subdomain VARCHAR(255) PRIMARY KEY, alive BOOLEAN DEFAULT 0, source VARCHAR(255) NOT NULL, modified TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, created TIMESTAMP DEFAULT CURRENT_TIMESTAMP)

Subdomains that will be tested for takeover.

takeovers

(url VARCHAR(255) PRIMARY KEY, service VARCHAR(255) NOT NULL, modified TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, created TIMESTAMP DEFAULT CURRENT_TIMESTAMP)

Possible takeovers found.

Usage

What I do it's running adrecon24h [quick|medium|full] alongside subtko24h to continuous enumerate subdomains and test them. (A friendly tip here, you can use screen to run more than one script at the same time with only one terminal)

If you don't want to use adrecon, you can enumerate subdomains in your way and add them to db with
cat {yourSubdomainsList} | addtodb subs.
But be aware that your list MUST have the following format each line: subdomain source [alive|dead]