subdomain-takeover-tools


Name: subdomain-takeover-tools
Version: 0.39.0
Home page: https://github.com/martinvw/subdomain-takeover-tools
Summary: Some helper subdomain_takeover_tools to validate subdomain takeovers
Upload time: 2023-09-23 13:29:07
Author: Martin van Wingerden
License: MIT
Keywords: subdomain-takeover subtake elb s3 shopify
Requirements: No requirements were recorded.
Travis-CI: No Travis.
Coveralls test coverage: No coveralls.
# Subdomain Takeover Tools

[![Latest Package version](https://badge.fury.io/py/subdomain-takeover-tools.svg)](https://badge.fury.io/py/subdomain-takeover-tools)
[![Build status](https://img.shields.io/pypi/status/subdomain_takeover_tools.svg?maxAge=2592000)](https://pypi.python.org/pypi/subdomain_takeover_tools)
[![Supported versions](https://img.shields.io/pypi/pyversions/subdomain_takeover_tools.svg?maxAge=2592000)](https://pypi.python.org/pypi/subdomain_takeover_tools)

A set of tools to validate the initial outcome of [subtake](https://github.com/jakejarvis/subtake).

## Installation

1. Install using pip:

   `pip install subdomain_takeover_tools`

   or, on Windows:

   `py -m pip install subdomain_takeover_tools`

   Alternatively, download or clone this repo and run `pip install -e .`.

## Confirming takeovers

All scripts support the following two parameters:

- `--strict`: only report a subdomain as vulnerable if the issue does not also apply to `hostname.tld` and `www.hostname.tld`.
- `--inverse`: invert the reporting, i.e. report all subdomains that are *not* vulnerable.
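The following is an added example, not code from subdomain-takeover-tools, showing how the `--strict` and `--inverse` semantics above can be applied to a list of candidate findings. The `APPLICABLE` table and the hostnames are constructed for the example and stand in for the live per-provider check the real scripts perform; `apex_of` assumes the registrable domain is the last two labels (a public-suffix list would be needed for names under suffixes such as `co.uk`), and `--strict` is read as dropping a hit when the condition holds for either the apex or `www`.

```python
"""Added example, not part of subdomain-takeover-tools: the --strict and
--inverse filters applied offline to constructed findings."""
from typing import Callable, Dict, List, Tuple

Finding = Tuple[str, str]  # (hostname, service label as printed by subtake)

# Constructed stand-in for a live provider check (HTTP/DNS/API in the real
# tools): whether the service-specific takeover condition holds for a hostname.
APPLICABLE: Dict[str, bool] = {
    "shop.example.com": True,
    "example.com": False,
    "www.example.com": False,
    "cdn.example.org": True,
    "example.org": True,      # condition also holds for the apex ...
    "www.example.org": True,  # ... and for www: a broad issue, not one dangling record
    "old.example.net": False,
}

# Constructed findings, in the shape subtake reports them.
FINDINGS: List[Finding] = [
    ("shop.example.com", "shopify"),
    ("cdn.example.org", "fastly"),
    ("old.example.net", "s3 bucket"),
]


def lookup(hostname: str) -> bool:
    """Offline replacement for the live check; unknown names are not applicable."""
    return APPLICABLE.get(hostname, False)


def apex_of(hostname: str) -> str:
    """Return `hostname.tld` for a subdomain.

    Assumption for this example: the registrable domain is the last two labels.
    A public-suffix-aware library is needed for names such as foo.example.co.uk.
    """
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def filter_findings(findings: List[Finding], is_applicable: Callable[[str], bool],
                    strict: bool = False, inverse: bool = False) -> List[Finding]:
    """Report findings the way the README's --strict and --inverse flags describe.

    --strict: a hit is dropped when the same condition also applies to the apex
    or to www (interpretation used here), since that points at a wildcard or
    account-wide problem rather than one dangling record.
    --inverse: report the subdomains that are *not* vulnerable instead.
    """
    reported: List[Finding] = []
    for hostname, service in findings:
        vulnerable = is_applicable(hostname)
        if vulnerable and strict:
            apex = apex_of(hostname)
            if is_applicable(apex) or is_applicable("www." + apex):
                vulnerable = False
        # With --inverse the non-vulnerable names are the ones to report.
        if vulnerable != inverse:
            reported.append((hostname, service))
    return reported


if __name__ == "__main__":
    for flags in ({}, {"strict": True}, {"inverse": True}):
        print(flags, filter_findings(FINDINGS, lookup, **flags))
```

Swapping `lookup` for a real check is the only change needed to run this over actual scanner output; the filtering logic itself stays the same.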

Some scripts require a config file, `.subdomain_takeover_tools.ini`, to be present. An example of the file can be found below:

```ini
[azure]
subscription_id=44713cf2-8656-11ec-a8a3-0242ac120002
[github]
username=martinvw
access_token=44713cf2-8656-11ec-a8a3-0242ac120002
repo=44713cf2-8656-11ec-a8a3-0242ac120002
[fastly]
api_token=44713cf2-8656-11ec-a8a3-0242ac120002
service=44713cf2-8656-11ec-a8a3-0242ac120002
version=3
```

### Confirming S3

Subtake reports some false positives: Google Cloud buckets misidentified as S3 buckets, and buckets that only return access denied also end up in the results.

The script `confirm-s3.py` checks that the bucket is actually vulnerable.

```bash
grep "\[s3 bucket: " subtake-output.txt | confirm_s3
```

### Confirming ELB

Some ELB patterns are vulnerable while others are not; to filter them, use our script:

```bash
grep "\[elasticbeanstalk: " subtake-output.txt | confirm_elb
```

*Note:* the parameter `--strict` is accepted here but will not give the expected results.

Please note that some regions are not enabled by default. If you receive the following error:

> botocore.exceptions.ClientError: An error occurred (InvalidClientTokenId) when calling the CheckDNSAvailability operation: The security token included in the request is invalid.

it may mean you have not yet enabled these opt-in regions; see https://console.aws.amazon.com/billing/home?#/account

### Confirming Shopify

It seems that all current Shopify examples are vulnerable; the following check only validates the DNS.

```bash
grep "\[shopify: " subtake-output.txt | confirm_shopify
```

### Filtering Pantheon

Please note that for Pantheon this repo currently only provides an initial check to eliminate some false positives.

```bash
grep "\[pantheon: " subtake-output.txt | confirm_pantheon
```

### Filtering Cargo Collective

Please note that for Cargo Collective this repo currently only provides an initial check to eliminate some false positives.

```bash
grep "\[cargo: " subtake-output.txt | confirm_cargo
```

## Separate tools

### Extracting domain names

As part of my process I want to know the domains involved in my findings.

Example usage:

```bash
cut -f3 < subtake-output.txt | extract_domain_names | sort -u > involved.domains
```

Note that `extract_domain_names` also supports groups, such as `domain.(co.id|in.th|ph|vn)`, which are expanded automatically.
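As an added example (not the project's own `extract_domain_names`), the group syntax described above can be expanded like this. The input lines are constructed; the example reads one name or group pattern per line, expands every `(a|b|c)` group (several groups multiply out), lowercases, and de-duplicates while keeping first-seen order, which is the part of the tool's behaviour the README documents.

```python
"""Added example, not part of subdomain-takeover-tools: expand grouped
domain patterns such as domain.(co.id|in.th|ph|vn) into plain names."""
import itertools
import re
from typing import Iterable, List

# One parenthesised group of '|'-separated alternatives; groups do not nest.
GROUP = re.compile(r"\(([^()]*)\)")


def expand_groups(pattern: str) -> List[str]:
    """Return one name per combination of alternatives.

    'domain.(co.id|in.th|ph|vn)' -> ['domain.co.id', 'domain.in.th', 'domain.ph', 'domain.vn']
    A pattern without groups is returned as a single-element list.
    """
    # re.split with one capture group yields [text, group1, text, group2, text, ...]
    parts = GROUP.split(pattern)
    choices: List[List[str]] = []
    for index, part in enumerate(parts):
        if index % 2 == 1:          # captured group content
            choices.append(part.split("|"))
        else:                       # literal text between groups (may be empty)
            choices.append([part])
    return ["".join(combo) for combo in itertools.product(*choices)]


def extract_domain_names(lines: Iterable[str]) -> List[str]:
    """Expand every input line and de-duplicate, preserving first-seen order."""
    seen = set()
    names: List[str] = []
    for line in lines:
        pattern = line.strip().lower()
        if not pattern:
            continue
        for name in expand_groups(pattern):
            if name not in seen:
                seen.add(name)
                names.append(name)
    return names


# Constructed sample input, in the shape `cut -f3` would hand to the tool.
SAMPLE_LINES = [
    "domain.(co.id|in.th|ph|vn)",
    "example.com",
    "Domain.PH",          # duplicate of an expanded name, differing only in case
    "(a|b).example.(com|net)",
]

if __name__ == "__main__":
    for name in extract_domain_names(SAMPLE_LINES):
        print(name)
```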

### Resolving from the authoritative DNS servers

To validate the results I want to check whether the DNS record is still accurate.

To do this we fetch the authoritative result step by step from the authoritative DNS servers, rather than trusting a possibly stale answer from a caching resolver.

```bash
authoritative_resolve "github.com" "martinvw.nl"
```

### Exporting and enriching

The `subtake_enrich_and_export` tool splits the existing output and adds some additional columns:

- has a wildcard
- domain name
- tld
- still vulnerable
- authoritative results

```bash
subtake_enrich_and_export < subtake-output.txt
```
