go build subjack.go
How To Use:
./subjack -w domains.txt -t 100 -timeout 30 -o results.txt -https
-w domains.txt is your list of subdomains. I recommend using cname.sh (included in the repository) to sift through your subdomain list for ones that have CNAME records attached, and use that list to optimize and speed up testing.
-t is the number of threads (Default: 10 threads).
-timeout is the number of seconds to wait before a connection times out (Default: 10 seconds).
-o results.txt is where to save results (Optional).
-https forces HTTPS requests, which may return a different set of results and increase accuracy (Optional).
Currently checks for:
- Amazon S3 Bucket
- Amazon Cloudfront
- Help Scout
- WP Engine
scanio.sh is a kind of PoC script to mass-locate vulnerable subdomains using results from Rapid7's Project Sonar. It parses and greps through the dump for the desired CNAME records and builds a large list of subdomains for subjack to check for Hostile Subdomain Takeover. Of course this isn't the only method to get a large amount of data to test. Please use this responsibly 😉
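Both cname.sh and scanio.sh boil down to the same pre-filter: keep only the names that actually carry a CNAME, and note which hosting provider the CNAME points at, so that subjack spends its HTTP requests on plausible candidates. The following Go program is an added example of that triage step written for this page; it is not subjack's own code, nor the cname.sh or scanio.sh scripts from the repository. The provider suffix table is an assumption chosen to match the four services listed above, the resolver is abstracted so the logic can be exercised against constructed records, and a hit only means "this name delegates to a third-party service", not that the resource there is unclaimed; confirming that is what subjack's fingerprint checks are for.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"os"
	"strings"
)

// Resolver abstracts the CNAME lookup so the triage logic can run offline
// against constructed records (see the fake resolver in the usage note).
type Resolver func(host string) (string, error)

// LiveResolver uses the system resolver, like cname.sh would.
func LiveResolver(host string) (string, error) {
	return net.LookupCNAME(host)
}

// CNAME target suffixes for the services the page lists.
// Assumed fingerprints for illustration; subjack carries its own.
var providerSuffixes = map[string]string{
	"Amazon S3 Bucket":  ".amazonaws.com",
	"Amazon Cloudfront": ".cloudfront.net",
	"Help Scout":        ".helpscoutdocs.com",
	"WP Engine":         ".wpengine.com",
}

// Candidate is a host that has a CNAME record, tagged with the provider
// its target matched (empty when the target is not a listed provider).
type Candidate struct {
	Host     string
	Target   string
	Provider string
}

// Triage keeps only hosts whose lookup yields a CNAME to a different name.
// Hosts that fail to resolve, or whose canonical name is the host itself
// (which is what net.LookupCNAME returns when there is no CNAME), are dropped.
func Triage(hosts []string, resolve Resolver) []Candidate {
	var out []Candidate
	for _, h := range hosts {
		h = strings.TrimSpace(h)
		if h == "" {
			continue
		}
		target, err := resolve(h)
		if err != nil {
			continue
		}
		// Normalise: lower-case and strip the trailing dot of an FQDN.
		target = strings.TrimSuffix(strings.ToLower(target), ".")
		if target == "" || target == strings.ToLower(h) {
			continue
		}
		out = append(out, Candidate{Host: h, Target: target, Provider: matchProvider(target)})
	}
	return out
}

// matchProvider returns the provider whose suffix the CNAME target ends with.
func matchProvider(target string) string {
	for name, suffix := range providerSuffixes {
		if strings.HasSuffix(target, suffix) {
			return name
		}
	}
	return ""
}

// Reads subdomains (one per line) from a file argument or stdin and prints
// "host<TAB>target<TAB>provider" for every name that has a CNAME.
func main() {
	in := os.Stdin
	if len(os.Args) > 1 {
		f, err := os.Open(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		defer f.Close()
		in = f
	}
	var hosts []string
	sc := bufio.NewScanner(in)
	for sc.Scan() {
		hosts = append(hosts, sc.Text())
	}
	for _, c := range Triage(hosts, LiveResolver) {
		fmt.Printf("%s\t%s\t%s\n", c.Host, c.Target, c.Provider)
	}
}
```

Run it as `go run triage.go domains.txt`, cut the first column of the output, and feed that to subjack's -w. Names with a CNAME to a non-listed target are still printed (with an empty provider column) because a new provider fingerprint is exactly the kind of thing you want to notice when reviewing your own DNS zone.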