# Subdomain Takeover Tools
[![Latest Package version](https://badge.fury.io/py/subdomain-takeover-tools.svg)](https://badge.fury.io/py/subdomain-takeover-tools)
[![Build status](https://img.shields.io/pypi/status/subdomain_takeover_tools.svg?maxAge=2592000)](https://pypi.python.org/pypi/subdomain_takeover_tools)
[![Supported versions](https://img.shields.io/pypi/pyversions/subdomain_takeover_tools.svg?maxAge=2592000)](https://pypi.python.org/pypi/subdomain_takeover_tools)
A set of tools to validate the initial outcome of [subtake](https://github.com/jakejarvis/subtake).
## Installation
1. Install using pip:

   ``pip install subdomain_takeover_tools``

   For Windows:

   ``py -m pip install subdomain_takeover_tools``

   Alternatively, you can download or clone this repo and call `pip install -e .`.
## Confirming takeovers
All scripts support the following two parameters:
- `--strict`: only report a subdomain as vulnerable if the issue does not also apply to `hostname.tld` and `www.hostname.tld`.
- `--inverse`: invert the reporting, i.e. report all subdomains that are *not* vulnerable.

Some scripts require a config file, `.subdomain_takeover_tools.ini`, to be present; an example of the file can be found below:
```ini
[azure]
subscription_id=44713cf2-8656-11ec-a8a3-0242ac120002
[github]
username=martinvw
access_token=44713cf2-8656-11ec-a8a3-0242ac120002
repo=44713cf2-8656-11ec-a8a3-0242ac120002
[fastly]
api_token=44713cf2-8656-11ec-a8a3-0242ac120002
service=44713cf2-8656-11ec-a8a3-0242ac120002
version=3
```
### Confirming S3

Subtake produces some false positives here: Google Cloud buckets are reported as S3 buckets, and some "access denied" responses (i.e. buckets that exist) end up in the results.

The script `confirm-s3.py` makes sure that the bucket is actually vulnerable.
```bash
grep "\[s3 bucket: " subtake-output.txt | confirm_s3
```
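The confirmation step described above boils down to classifying what the bucket endpoint returned. The following is an added example and not the project's own `confirm_s3`; it assumes the caller has already looked up the CNAME target of the candidate host and fetched the HTTP status and XML error body from the bucket endpoint, so the classifier itself does no network I/O. The error codes (`NoSuchBucket`, `AccessDenied`, `AllAccessDisabled`, `PermanentRedirect`) are the standard S3 XML error codes; the sample bodies are constructed.

```python
"""Classify an S3 subdomain-takeover candidate from its CNAME target and response.

Added example, not the project's confirm_s3 implementation. Inputs are assumed
to have been fetched by the caller: the CNAME target of the host and the HTTP
status plus XML body returned by that target.
"""
import xml.etree.ElementTree as ET

# A CNAME pointing here is a Google Cloud Storage bucket, not S3 (a subtake false positive).
GOOGLE_STORAGE_SUFFIXES = ("storage.googleapis.com",)
S3_SUFFIXES = ("amazonaws.com",)


def s3_error_code(body: str):
    """Return the <Code> of an S3-style <Error> XML document, or None if absent."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "Error":
        return None
    code = root.find("Code")
    return code.text.strip() if code is not None and code.text else None


def classify(cname_target: str, status: int, body: str) -> str:
    """Decide whether a [s3 bucket: ...] finding is a real, unclaimed bucket name."""
    target = cname_target.rstrip(".").lower()
    if target.endswith(GOOGLE_STORAGE_SUFFIXES):
        return "false-positive: Google Cloud Storage, not S3"
    if not target.endswith(S3_SUFFIXES):
        return "not-s3"
    code = s3_error_code(body)
    if status == 404 and code == "NoSuchBucket":
        # The name is unclaimed in that region: the dangling CNAME is a takeover risk.
        return "vulnerable"
    if status == 403 and code in ("AccessDenied", "AllAccessDisabled"):
        return "not-vulnerable: bucket exists"
    if status == 301 and code == "PermanentRedirect":
        return "not-vulnerable: bucket exists in another region"
    if 200 <= status < 300:
        return "not-vulnerable: bucket serves content"
    return "unknown"


# Constructed sample bodies in the S3 error format (not captured from a live bucket).
NO_SUCH_BUCKET = (
    "<Error><Code>NoSuchBucket</Code>"
    "<Message>The specified bucket does not exist</Message>"
    "<BucketName>assets-example</BucketName></Error>"
)
ACCESS_DENIED = "<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"


if __name__ == "__main__":
    print(classify("assets-example.s3.amazonaws.com.", 404, NO_SUCH_BUCKET))
    print(classify("c.storage.googleapis.com.", 404, NO_SUCH_BUCKET))
    print(classify("assets-example.s3-website-eu-west-1.amazonaws.com.", 403, ACCESS_DENIED))
```

Only the `NoSuchBucket` case is reported as vulnerable; an "access denied" means the bucket exists and belongs to someone, and a Google Storage target is dropped as the false positive the section warns about.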
### Confirming ELB
Some ELB patterns are vulnerable while others are not; to filter them we can use our script:
```bash
grep "\[elasticbeanstalk: " subtake-output.txt | confirm_elb
```
*Note:* the parameter `--strict` is accepted here but will not lead to the expected results.

Please note that some regions are not enabled by default. When you receive the following error:

> botocore.exceptions.ClientError: An error occurred (InvalidClientTokenId) when calling the CheckDNSAvailability operation: The security token included in the request is invalid.

this could mean you have not yet enabled these opt-in regions; see https://console.aws.amazon.com/billing/home?#/account
### Confirming Shopify
It seems that all current Shopify examples are vulnerable; the following check only validates the DNS.
```bash
grep "\[shopify: " subtake-output.txt | confirm_shopify
```
### Filtering Pantheon
Please note that for Pantheon this repo currently only provides an initial check to eliminate some false positives.
```bash
grep "\[pantheon: " subtake-output.txt | confirm_pantheon
```
### Filtering Cargo Collective
Please note that for Cargo Collective this repo currently only provides an initial check to eliminate some false positives.
```bash
grep "\[cargo: " subtake-output.txt | confirm_cargo
```
## Separate tools
### Extracting domain names
As part of my process I want to know the domains involved in my findings.
Example usage:
```bash
cut -f3 < subtake-output.txt | extract_domain_names | sort -u > involved.domains
```
Note that `extract_domain_names` also supports groups, such as `domain.(co.id|in.th|ph|vn)`; these are expanded automatically.
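To show what the group expansion and the reduction to registered domains involve, here is an added example; it is not the project's `extract_domain_names`. It reproduces the `domain.(co.id|in.th|ph|vn)` syntax from the note above and then splits each host into subdomain, registered domain and public suffix. The project pins `tldextract` for that last step; this example substitutes a small constructed suffix table so it runs offline, and the hostnames in the sample input are constructed.

```python
"""Expand grouped host patterns and reduce hosts to unique registered domains.

Added example, not the project's extract_domain_names. PUBLIC_SUFFIXES is a
constructed subset of the public suffix list; a real run should use tldextract.
"""
from __future__ import annotations

import itertools
import re

GROUP = re.compile(r"\(([^()]+)\)")  # matches one (a|b|c) group

# Constructed subset of the public suffix list, enough for the sample input below.
PUBLIC_SUFFIXES = {"com", "net", "nl", "ph", "vn", "co.id", "in.th", "co.uk", "github.io"}


def expand_groups(pattern: str) -> list[str]:
    """'cdn.example.(co.id|ph)' -> ['cdn.example.co.id', 'cdn.example.ph']."""
    parts = GROUP.split(pattern)  # alternates: literal, group body, literal, ...
    choices = []
    for i, part in enumerate(parts):
        choices.append(part.split("|") if i % 2 else [part])
    return ["".join(combo) for combo in itertools.product(*choices)]


def split_host(host: str) -> tuple[str, str, str]:
    """Return (subdomain, registered domain, public suffix) for a hostname.

    The longest matching public suffix wins, so 'cdn.example.co.id' yields
    ('cdn', 'example.co.id', 'co.id') rather than treating 'co.id' as a domain.
    """
    labels = host.strip().rstrip(".").lower().split(".")
    for n in range(len(labels) - 1, 0, -1):
        suffix = ".".join(labels[-n:])
        if suffix in PUBLIC_SUFFIXES:
            domain = ".".join(labels[-n - 1:])
            sub = ".".join(labels[:-n - 1])
            return sub, domain, suffix
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[:-2]), ".".join(labels[-2:]), labels[-1]


def extract_domain_names(lines) -> list[str]:
    """Mirror `extract_domain_names | sort -u`: sorted, unique registered domains."""
    found = set()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        for host in expand_groups(line):
            found.add(split_host(host)[1])
    return sorted(found)


# Constructed sample of what `cut -f3 < subtake-output.txt` could feed in.
SAMPLE_HOSTS = [
    "assets.shop.example.ph",
    "cdn.example.(co.id|ph)",
    "",
    "static.example.nl",
]

if __name__ == "__main__":
    for domain in extract_domain_names(SAMPLE_HOSTS):
        print(domain)
```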
### Resolving from the authoritative DNS authority
For validation of the results I want to verify whether the DNS record is still accurate.

To do this we follow the delegation chain step by step and fetch the result from the authoritative DNS servers themselves, rather than from a caching resolver.
```bash
authoritative_resolve "github.com" "martinvw.nl"
```
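The step-by-step lookup described above, as an added example that is not the project's `authoritative_resolve`. The algorithm is written against a `query(server, name, rtype)` callable so that it can be exercised offline: `FAKE_SERVERS` is a constructed picture of a delegation chain (all names and the 192.0.2.x addresses are invented), and a real transport would send the same question to each server with dnspython (`dns.message.make_query` and `dns.query.udp`), which the project already pins. The answer it returns is what the "authoritative results" column of the export section holds.

```python
"""Follow DNS referrals from a root server down to the authoritative server.

Added example, not the project's authoritative_resolve. The transport is
injected so the logic runs offline; FAKE_SERVERS and every address are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Response:
    answers: list[str] = field(default_factory=list)    # answer section, as strings
    referral: list[str] = field(default_factory=list)   # NS names from the authority section
    glue: dict[str, str] = field(default_factory=dict)  # NS name -> address (additional section)


ROOT_SERVER = "192.0.2.1"  # constructed stand-in; a real run starts at a root server


def authoritative_resolve(name: str, rtype: str, query, max_hops: int = 10):
    """Start at the root and follow referrals until a server answers for the name.

    Returns (answers, path): the RRs the authoritative server gave (empty for
    NODATA/NXDOMAIN) and the list of servers consulted, in order.
    """
    name = name.rstrip(".").lower() + "."
    server = ROOT_SERVER
    path: list[str] = []
    for _ in range(max_hops):
        resp = query(server, name, rtype)
        path.append(server)
        if resp.answers or not resp.referral:
            return resp.answers, path  # answered (or authoritative empty answer)
        # Prefer a referred nameserver that came with glue; otherwise resolve its address.
        next_server = next((resp.glue[ns] for ns in resp.referral if ns in resp.glue), None)
        if next_server is None:
            addrs, _ = authoritative_resolve(resp.referral[0], "A", query, max_hops)
            if not addrs:
                raise RuntimeError(f"cannot resolve nameserver {resp.referral[0]}")
            next_server = addrs[0]
        server = next_server
    raise RuntimeError(f"too many referrals resolving {name}")


# Constructed delegation chain: root -> TLD -> zone authoritative server.
FAKE_SERVERS = {
    "192.0.2.1": {  # stand-in root: refers everything under nl. to the TLD server
        "records": {},
        "delegations": {"nl.": Response(referral=["ns1.tld.test."], glue={"ns1.tld.test.": "192.0.2.2"})},
    },
    "192.0.2.2": {  # stand-in TLD server: refers example.nl. to its nameserver
        "records": {},
        "delegations": {"example.nl.": Response(referral=["ns.example.nl."], glue={"ns.example.nl.": "192.0.2.3"})},
    },
    "192.0.2.3": {  # stand-in authoritative server for example.nl.
        "records": {("assets.example.nl.", "CNAME"): ["assets-example.s3.amazonaws.com."]},
        "delegations": {},
    },
}


def fake_query(server: str, name: str, rtype: str) -> Response:
    """Offline transport: answer from the constructed data the way each server would."""
    zone = FAKE_SERVERS[server]
    if (name, rtype) in zone["records"]:
        return Response(answers=list(zone["records"][(name, rtype)]))
    for cut, resp in zone["delegations"].items():
        if name == cut or name.endswith("." + cut):
            return resp  # referral to the child zone
    return Response()  # this server is authoritative and has nothing: NODATA/NXDOMAIN


if __name__ == "__main__":
    print(authoritative_resolve("assets.example.nl", "CNAME", fake_query))
    print(authoritative_resolve("gone.example.nl", "CNAME", fake_query))
```

An empty answer from the last server on the path means the record the finding was based on no longer exists at the source, regardless of what a caching resolver may still return.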
### Exporting and enriching
The `subtake_enrich_and_export` tool will split the existing output and add some additional columns:
- has a wildcard
- domain name
- tld
- still vulnerable
- authoritative results
```bash
subtake_enrich_and_export < subtake-output.txt
```
Raw data
{
"_id": null,
"home_page": "https://github.com/martinvw/subdomain-takeover-tools",
"name": "subdomain-takeover-tools",
"maintainer": null,
"docs_url": null,
"requires_python": null,
"maintainer_email": null,
"keywords": "subdomain-takeover, subtake, elb, s3, shopify",
"author": "Martin van Wingerden",
"author_email": "info@martinvw.nl",
"download_url": "https://files.pythonhosted.org/packages/c8/97/d6204c23f2f80734a7517bc635c94c431e51d183ed76f5c4f851f3e89a68/subdomain_takeover_tools-0.41.0.tar.gz",
"platform": null,
"bugtrack_url": null,
"license": "MIT",
"summary": "Some helper subdomain_takeover_tools to validate subdomain takeovers",
"version": "0.41.0",
"project_urls": {
"Homepage": "https://github.com/martinvw/subdomain-takeover-tools"
},
"split_keywords": [
"subdomain-takeover",
" subtake",
" elb",
" s3",
" shopify"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "b1b6efc67b8772e7d2228a275ce55b9a50da986cbd8c901b2fe7681ae0aeef82",
"md5": "ec7a3758187eb43aec46ae28ccf32f13",
"sha256": "0663782cd56a945606f8493ab7fcc51ebfbeb43c38338f42c15a84f7d6bc90b0"
},
"downloads": -1,
"filename": "subdomain_takeover_tools-0.41.0-py3-none-any.whl",
"has_sig": false,
"md5_digest": "ec7a3758187eb43aec46ae28ccf32f13",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": null,
"size": 21468,
"upload_time": "2024-07-26T14:19:26",
"upload_time_iso_8601": "2024-07-26T14:19:26.573891Z",
"url": "https://files.pythonhosted.org/packages/b1/b6/efc67b8772e7d2228a275ce55b9a50da986cbd8c901b2fe7681ae0aeef82/subdomain_takeover_tools-0.41.0-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "c897d6204c23f2f80734a7517bc635c94c431e51d183ed76f5c4f851f3e89a68",
"md5": "b261837ae669ad0669da95d25b273ae6",
"sha256": "6c556ca4eaefb452c943ec53304ea97877ac4630e9d6e10693518ab316c61490"
},
"downloads": -1,
"filename": "subdomain_takeover_tools-0.41.0.tar.gz",
"has_sig": false,
"md5_digest": "b261837ae669ad0669da95d25b273ae6",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 14940,
"upload_time": "2024-07-26T14:19:28",
"upload_time_iso_8601": "2024-07-26T14:19:28.384153Z",
"url": "https://files.pythonhosted.org/packages/c8/97/d6204c23f2f80734a7517bc635c94c431e51d183ed76f5c4f851f3e89a68/subdomain_takeover_tools-0.41.0.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2024-07-26 14:19:28",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "martinvw",
"github_project": "subdomain-takeover-tools",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"requirements": [
{
"name": "setuptools",
"specs": [
[
"==",
"71.1.0"
]
]
},
{
"name": "tldextract",
"specs": [
[
"==",
"5.1.2"
]
]
},
{
"name": "boto3",
"specs": [
[
"==",
"1.34.149"
]
]
},
{
"name": "dnspython",
"specs": [
[
"==",
"2.6.1"
]
]
},
{
"name": "azure-identity",
"specs": [
[
"==",
"1.17.1"
]
]
},
{
"name": "azure-mgmt-trafficmanager",
"specs": [
[
"==",
"1.1.0"
]
]
},
{
"name": "python-dotenv",
"specs": [
[
"==",
"1.0.1"
]
]
},
{
"name": "bump",
"specs": [
[
"==",
"1.3.2"
]
]
},
{
"name": "requests",
"specs": [
[
"==",
"2.32.3"
]
]
},
{
"name": "msrest",
"specs": [
[
"==",
"0.7.1"
]
]
},
{
"name": "botocore",
"specs": [
[
"==",
"1.34.149"
]
]
},
{
"name": "urllib3",
"specs": [
[
"==",
"2.2.2"
]
]
},
{
"name": "fastly",
"specs": [
[
"==",
"5.5.0"
]
]
}
],
"lcname": "subdomain-takeover-tools"
}