├── Demo.gif
├── Subdominator.Tests
    ├── GlobalUsings.cs
    ├── ThreadValidationTests.cs
    ├── Subdominator.Tests.csproj
    ├── ValidatorTests.cs
    ├── FingerprintTests.cs
    └── CoverageTests.cs
├── Subdominator
    ├── Models
    │   ├── MatchedRecord.cs
    │   ├── MatchedLocation.cs
    │   ├── CnameResolutionResult.cs
    │   ├── Options.cs
    │   ├── TakeoverResult.cs
    │   └── Fingerprint.cs
    ├── Validators
    │   ├── IValidator.cs
    │   ├── AWSElasticBeanstalkValidator.cs
    │   └── MicrosoftAzureValidator.cs
    ├── Properties
    │   └── launchSettings.json
    ├── JsonSerializerContext.cs
    ├── Utils
    │   └── ValidatorUtils.cs
    ├── SingleOrArrayConverter.cs
    ├── OptionsBinder.cs
    ├── Subdominator.csproj
    ├── Scanner.cs
    ├── Program.cs
    ├── custom_fingerprints.json
    └── SubdomainHijack.cs
├── .github
    └── workflows
    │   ├── dotnet-core.yml
    │   └── release.yml
├── LICENSE.md
├── Subdominator.sln
├── .gitattributes
├── .gitignore
└── ReadMe.md


/Demo.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Stratus-Security/Subdominator/HEAD/Demo.gif


--------------------------------------------------------------------------------
/Subdominator.Tests/GlobalUsings.cs:
--------------------------------------------------------------------------------
1 | global using Microsoft.VisualStudio.TestTools.UnitTesting;


--------------------------------------------------------------------------------
/Subdominator/Models/MatchedRecord.cs:
--------------------------------------------------------------------------------
1 | namespace Subdominator.Models;
2 | 
3 | public enum MatchedRecord
4 | {
5 |     None,
6 |     CNAME,
7 |     A,
8 |     AAAA
9 | }


--------------------------------------------------------------------------------
/Subdominator/Validators/IValidator.cs:
--------------------------------------------------------------------------------
1 | namespace Subdominator.Validators;
2 | 
3 | public interface IValidator
4 | {
5 |     Task<bool?> Execute(IEnumerable<string> cnames);
6 | }
7 | 


--------------------------------------------------------------------------------
/Subdominator/Properties/launchSettings.json:
--------------------------------------------------------------------------------
1 | {
2 |   "profiles": {
3 |     "Subdominator": {
4 |       "commandName": "Project",
5 |       "commandLineArgs": "-l subs.txt"
6 |     }
7 |   }
8 | }


--------------------------------------------------------------------------------
/Subdominator/Models/MatchedLocation.cs:
--------------------------------------------------------------------------------
 1 | namespace Subdominator.Models;
 2 | 
 3 | public enum MatchedLocation
 4 | {
 5 |     None,
 6 |     HttpStatus,
 7 |     HttpBody,
 8 |     NXDomain,
 9 |     DomainAvailable
10 | }
11 | 


--------------------------------------------------------------------------------
/Subdominator/JsonSerializerContext.cs:
--------------------------------------------------------------------------------
1 | using System.Text.Json.Serialization;
2 | 
3 | namespace Subdominator;
4 | 
5 | [JsonSerializable(typeof(List<Fingerprint>))]
6 | public partial class JsonContext : JsonSerializerContext
7 | {
8 | }


--------------------------------------------------------------------------------
/Subdominator.Tests/ThreadValidationTests.cs:
--------------------------------------------------------------------------------
 1 | using Subdominator;
 2 | 
 3 | namespace Subdominator.Tests;
 4 | 
 5 | [TestClass]
 6 | public class ThreadValidationTests
 7 | {
 8 |     [TestMethod]
 9 |     public void InvalidThreadValuesDefaultTo50()
10 |     {
11 |         Assert.AreEqual(50, Program.ValidateThreadCount(0));
12 |         Assert.AreEqual(50, Program.ValidateThreadCount(-5));
13 |         Assert.AreEqual(10, Program.ValidateThreadCount(10));
14 |     }
15 | }
16 | 


--------------------------------------------------------------------------------
/Subdominator/Models/CnameResolutionResult.cs:
--------------------------------------------------------------------------------
 1 | namespace Subdominator.Models;
 2 | 
 3 | public class CnameResolutionResult
 4 | {
 5 |     public List<string> Cnames { get; set; } = new List<string>();
 6 |     public List<string> A { get; set; } = new List<string>();
 7 |     public List<string> AAAA { get; set; } = new List<string>();
 8 |     public bool IsNxdomain { get; set; } = false;
 9 |     public bool? IsDomainRegistered { get; set; } = null; // null indicates not checked
10 | }


--------------------------------------------------------------------------------
/Subdominator/Models/Options.cs:
--------------------------------------------------------------------------------
 1 | namespace Subdominator.Models;
 2 | 
 3 | public class Options
 4 | {
 5 |     public string Domain { get; set; }
 6 |     public string DomainsFile { get; set; }
 7 |     public string OutputFile { get; set; }
 8 |     public string CsvHeading { get; set; }
 9 |     public int Threads { get; set; } = 50;
10 |     public bool Verbose { get; set; }
11 |     public bool ExcludeUnlikely { get; set; }
12 |     public bool Validate { get; set; }
13 |     public bool Quiet { get; set; }
14 | }
15 | 


--------------------------------------------------------------------------------
/Subdominator/Models/TakeoverResult.cs:
--------------------------------------------------------------------------------
 1 | namespace Subdominator.Models;
 2 | 
 3 | public class TakeoverResult
 4 | {
 5 |     public bool IsVulnerable { get; set; }
 6 |     public bool IsVerified { get; set; }
 7 |     public Fingerprint? Fingerprint { get; set; } 
 8 |     public List<string>? CNAMES { get; set; }
 9 |     public List<string>? A { get; set; }
10 |     public List<string>? AAAA { get; set; }
11 |     public MatchedRecord MatchedRecord { get; set; }
12 |     public MatchedLocation MatchedLocation { get; set; }
13 | }
14 | 


--------------------------------------------------------------------------------
/.github/workflows/dotnet-core.yml:
--------------------------------------------------------------------------------
 1 | name: CI
 2 | 
 3 | on:
 4 |   push:
 5 |     branches: [ master ]
 6 |   pull_request:
 7 |     branches: [ master ]
 8 | 
 9 | jobs:
10 |   build:
11 |     runs-on: ubuntu-latest
12 | 
13 |     steps:
14 |     - uses: actions/checkout@v2
15 |     - name: Setup .NET
16 |       uses: actions/setup-dotnet@v1
17 |       with:
18 |         dotnet-version: 8.0.x
19 |     - name: Install dependencies
20 |       run: dotnet restore Subdominator.sln
21 |     - name: Build
22 |       run: dotnet build --configuration Release --no-restore Subdominator.sln


--------------------------------------------------------------------------------
/Subdominator/Utils/ValidatorUtils.cs:
--------------------------------------------------------------------------------
 1 | using Subdominator.Validators;
 2 | 
 3 | namespace Subdominator.Utils;
 4 | 
 5 | public static class ValidatorUtils
 6 | {
 7 |     private static IValidator _azureValidator = new MicrosoftAzureValidator();
 8 | 
 9 |     // This could use reflection but it will break AoT compilation.
10 |     // Instead, it needs to have any new validators manually added.
11 |     // The validator key is same as the fingerprint name/service, minus any '/' or ' ' chars
12 |     public static IValidator? GetValidatorInstance(string key)
13 |     {
14 |         return key switch
15 |         {
16 |             "MicrosoftAzure" => _azureValidator, // Use a global instance so it only asks for creds once
17 |             "AWSElasticBeanstalk" => new AWSElasticBeanstalkValidator(),
18 |             _ => null,
19 |         };
20 |     }
21 | }
22 | 


--------------------------------------------------------------------------------
/Subdominator.Tests/Subdominator.Tests.csproj:
--------------------------------------------------------------------------------
 1 | <Project Sdk="Microsoft.NET.Sdk">
 2 | 
 3 |   <PropertyGroup>
 4 |     <TargetFramework>net9.0</TargetFramework>
 5 |     <ImplicitUsings>enable</ImplicitUsings>
 6 |     <Nullable>enable</Nullable>
 7 | 
 8 |     <IsPackable>false</IsPackable>
 9 |     <IsTestProject>true</IsTestProject>
10 |   </PropertyGroup>
11 | 
12 |   <ItemGroup>
13 |     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.12.0" />
14 |     <PackageReference Include="MSTest.TestAdapter" Version="3.7.1" />
15 |     <PackageReference Include="MSTest.TestFramework" Version="3.7.1" />
16 |     <PackageReference Include="coverlet.collector" Version="6.0.3">
17 |       <PrivateAssets>all</PrivateAssets>
18 |       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
19 |     </PackageReference>
20 |   </ItemGroup>
21 | 
22 |   <ItemGroup>
23 |     <ProjectReference Include="..\Subdominator\Subdominator.csproj" />
24 |   </ItemGroup>
25 | 
26 | </Project>
27 | 


--------------------------------------------------------------------------------
/Subdominator/Models/Fingerprint.cs:
--------------------------------------------------------------------------------
 1 | using System.Text.Json.Serialization;
 2 | 
 3 | namespace Subdominator;
 4 | 
 5 | public class Fingerprint
 6 | {
 7 |     [JsonPropertyName("cname")]
 8 |     public List<string> Cnames { get; set; } = new();
 9 | 
10 |     [JsonPropertyName("a")]
11 |     public List<string> ARecords { get; set; } = new();
12 | 
13 |     [JsonPropertyName("aaaa")]
14 |     public List<string> AAAARecords { get; set; } = new();
15 | 
16 |     [JsonPropertyName("fingerprint")]
17 |     [JsonConverter(typeof(SingleOrArrayConverter<string>))]
18 |     public List<string> FingerprintTexts { get; set; }
19 | 
20 |     [JsonPropertyName("http_status")]
21 |     public int? HttpStatus { get; set; }
22 | 
23 |     [JsonPropertyName("nxdomain")]
24 |     public bool Nxdomain { get; set; }
25 | 
26 |     [JsonPropertyName("service")]
27 |     public string Service { get; set; }
28 | 
29 |     [JsonPropertyName("status")]
30 |     public string Status { get; set; }
31 | 
32 |     [JsonPropertyName("vulnerable")]
33 |     public bool Vulnerable { get; set; }
34 | }
35 | 


--------------------------------------------------------------------------------
/Subdominator/SingleOrArrayConverter.cs:
--------------------------------------------------------------------------------
 1 | using System.Text.Json.Serialization;
 2 | using System.Text.Json;
 3 | 
 4 | namespace Subdominator;
 5 | 
 6 | public class SingleOrArrayConverter<T> : JsonConverter<List<T>>
 7 | {
 8 |     public override List<T> Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options)
 9 |     {
10 |         List<T> list = new List<T>();
11 |         if (reader.TokenType == JsonTokenType.StartArray)
12 |         {
13 |             while (reader.Read())
14 |             {
15 |                 if (reader.TokenType == JsonTokenType.EndArray) return list;
16 |                 list.Add(JsonSerializer.Deserialize<T>(ref reader, options));
17 |             }
18 |         }
19 |         else
20 |         {
21 |             var value = JsonSerializer.Deserialize<T>(ref reader, options);
22 |             list.Add(value);
23 |         }
24 |         return list;
25 |     }
26 | 
27 |     public override void Write(Utf8JsonWriter writer, List<T> value, JsonSerializerOptions options)
28 |     {
29 |         JsonSerializer.Serialize(writer, value, options);
30 |     }
31 | }
32 | 


--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2024 Stratus Security
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.


--------------------------------------------------------------------------------
/.github/workflows/release.yml:
--------------------------------------------------------------------------------
 1 | name: "Create Releases"
 2 | 
 3 | on:
 4 |   release:
 5 |     types: [published]
 6 |     
 7 | jobs:
 8 |   release:
 9 |     name: Release
10 |     strategy:
11 |       matrix:
12 |         kind: ['linux', 'windows']
13 |         include:
14 |           - kind: linux
15 |             os: ubuntu-20.04
16 |             target: linux-x64
17 |             ext: ''
18 |           - kind: windows
19 |             os: windows-latest
20 |             target: win-x64
21 |             ext: '.exe'
22 |     runs-on: ${{ matrix.os }}
23 |     steps:
24 |       - name: Checkout
25 |         uses: actions/checkout@v4
26 | 
27 |       - name: Setup dotnet
28 |         uses: actions/setup-dotnet@v4
29 |         with:
30 |           dotnet-version: 8.0.x
31 | 
32 |       - name: Build
33 |         shell: bash
34 |         run: |
35 |           release_name="Subdominator-${{ matrix.target }}"
36 |           # Build everything
37 |           dotnet publish Subdominator/Subdominator.csproj -r "${{ matrix.target }}" -c Release -o "Release-${{ matrix.target }}" -p:UseNativeAot=true
38 |       - name: Publish
39 |         uses: softprops/action-gh-release@v0.1.5
40 |         with:
41 |           files: "Release-${{ matrix.target }}/*${{ matrix.ext }}"
42 |         env:
43 |           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}


--------------------------------------------------------------------------------
/Subdominator/OptionsBinder.cs:
--------------------------------------------------------------------------------
 1 | using System.CommandLine.Binding;
 2 | using System.CommandLine;
 3 | using Subdominator.Models;
 4 | using System.Reflection;
 5 | 
 6 | namespace Subdominator
 7 | {
 8 |     public class OptionsBinder : BinderBase<Options>
 9 |     {
10 |         private readonly List<Option> _options;
11 | 
12 |         public OptionsBinder(List<Option> options)
13 |         {
14 |             _options = options;
15 |         }
16 | 
17 |         protected override Options GetBoundValue(BindingContext bindingContext)
18 |         {
19 |             var options = new Options();
20 |             var optionType = typeof(Options);
21 |             var properties = optionType.GetProperties(BindingFlags.Public | BindingFlags.Instance);
22 | 
23 |             foreach (var option in _options)
24 |             {
25 |                 var property = properties.FirstOrDefault(p => string.Equals(p.Name, option.Name, StringComparison.OrdinalIgnoreCase));
26 |                 if (property != null)
27 |                 {
28 |                     var convertedValue = Convert.ChangeType(bindingContext.ParseResult.GetValueForOption(option), property.PropertyType);
29 |                     property.SetValue(options, convertedValue);
30 |                 }
31 |             }
32 | 
33 |             return options;
34 |         }
35 |     }
36 | }
37 | 


--------------------------------------------------------------------------------
/Subdominator.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 17
 4 | VisualStudioVersion = 17.7.34221.43
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Subdominator", "Subdominator\Subdominator.csproj", "{0923D295-E9CF-4C27-BB88-7C9E35682518}"
 7 | EndProject
 8 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Subdominator.Tests", "Subdominator.Tests\Subdominator.Tests.csproj", "{2631FB67-E381-44C8-A5AA-0635D5359A72}"
 9 | EndProject
10 | Global
11 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
12 | 		Debug|Any CPU = Debug|Any CPU
13 | 		Release|Any CPU = Release|Any CPU
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{0923D295-E9CF-4C27-BB88-7C9E35682518}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
17 | 		{0923D295-E9CF-4C27-BB88-7C9E35682518}.Debug|Any CPU.Build.0 = Debug|Any CPU
18 | 		{0923D295-E9CF-4C27-BB88-7C9E35682518}.Release|Any CPU.ActiveCfg = Release|Any CPU
19 | 		{0923D295-E9CF-4C27-BB88-7C9E35682518}.Release|Any CPU.Build.0 = Release|Any CPU
20 | 		{2631FB67-E381-44C8-A5AA-0635D5359A72}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
21 | 		{2631FB67-E381-44C8-A5AA-0635D5359A72}.Debug|Any CPU.Build.0 = Debug|Any CPU
22 | 		{2631FB67-E381-44C8-A5AA-0635D5359A72}.Release|Any CPU.ActiveCfg = Release|Any CPU
23 | 		{2631FB67-E381-44C8-A5AA-0635D5359A72}.Release|Any CPU.Build.0 = Release|Any CPU
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | 	GlobalSection(ExtensibilityGlobals) = postSolution
29 | 		SolutionGuid = {AA488B91-765B-4875-8B9E-FF4993558DBC}
30 | 	EndGlobalSection
31 | EndGlobal
32 | 


--------------------------------------------------------------------------------
/Subdominator/Subdominator.csproj:
--------------------------------------------------------------------------------
 1 | <Project Sdk="Microsoft.NET.Sdk">
 2 | 
 3 |   <PropertyGroup>
 4 |     <OutputType>Exe</OutputType>
 5 |     <TargetFramework>net9.0</TargetFramework>
 6 |     <ImplicitUsings>enable</ImplicitUsings>
 7 |     <Nullable>enable</Nullable>
 8 | 	<PublishAot>true</PublishAot>
 9 |   </PropertyGroup>
10 | 
11 |   <ItemGroup>
12 |     <PackageReference Include="AWSSDK.Core" Version="3.7.400.77" />
13 |     <PackageReference Include="AWSSDK.ElasticBeanstalk" Version="3.7.400.77" />
14 |     <PackageReference Include="Azure.Identity" Version="1.13.1" />
15 |     <PackageReference Include="Azure.ResourceManager.AppService" Version="1.3.0" />
16 |     <PackageReference Include="Azure.ResourceManager.Cdn" Version="1.3.0" />
17 |     <PackageReference Include="Azure.ResourceManager.Compute" Version="1.7.0" />
18 |     <PackageReference Include="Azure.ResourceManager.Dns" Version="1.1.1" />
19 |     <PackageReference Include="Azure.ResourceManager.TrafficManager" Version="1.1.2" />
20 |     <PackageReference Include="CsvHelper" Version="33.0.1" />
21 |     <PackageReference Include="DnsClient" Version="1.8.0" />
22 |     <PackageReference Include="Microsoft.Extensions.Configuration" Version="9.0.0" />
23 |     <PackageReference Include="Nager.PublicSuffix" Version="3.4.0" />
24 |     <PackageReference Include="System.CommandLine" Version="2.0.0-beta4.22272.1" />
25 |     <PackageReference Include="System.Configuration.ConfigurationManager" Version="9.0.0" />
26 |     <PackageReference Include="Whois" Version="3.0.1" />
27 |   </ItemGroup>
28 | 
29 |   <ItemGroup>
30 |     <None Update="custom_fingerprints.json">
31 |       <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
32 |     </None>
33 |     <None Update="public_suffix_list.dat">
34 |       <CopyToOutputDirectory>Never</CopyToOutputDirectory>
35 |     </None>
36 |   </ItemGroup>
37 | 
38 | </Project>
39 | 


--------------------------------------------------------------------------------
/Subdominator.Tests/ValidatorTests.cs:
--------------------------------------------------------------------------------
 1 | using Subdominator.Validators;
 2 | 
 3 | namespace Subdominator.Tests;
 4 | 
 5 | [TestClass]
 6 | public class ValidatorTests
 7 | {
 8 |     [TestInitialize]
 9 |     public async Task Setup()
10 |     {
11 |         
12 |     }
13 | 
14 |     [TestMethod]
15 |     public async Task ShouldMatchAzureDomains()
16 |     {
17 |         // Invalid App Service
18 |         var validator = new MicrosoftAzureValidator();
19 |         var result = await validator.Execute(new List<string> { "aaaaaaaaaaathiswillneverberealaaaaaaaaaaa.azurewebsites.net" });
20 |         Assert.IsTrue(result);
21 | 
22 |         // Valid App Service
23 |         result = await validator.Execute(new List<string> { "site.azurewebsites.net" });
24 |         Assert.IsFalse(result);
25 | 
26 |         // Invalid Traffic Manager
27 |         result = await validator.Execute(new List<string> { "aaaaaaaaaaathiswillneverberealaaaaaaaaaaa.trafficmanager.net" });
28 |         Assert.IsTrue(result);
29 | 
30 |         // Valid Traffic Manager
31 |         result = await validator.Execute(new List<string> { "site.trafficmanager.net" });
32 |         Assert.IsFalse(result);
33 |     }
34 | 
35 |     [TestMethod]
36 |     public async Task ShouldMatchAwsDomains()
37 |     {
38 |         // Invalid beanstalk
39 |         var validator = new AWSElasticBeanstalkValidator();
40 |         var result = await validator.Execute(new List<string> { "aaaaaaaaaaathiswillneverberealaaaaaaaaaaa.us-east-1.elasticbeanstalk.com" });
41 |         Assert.IsTrue(result);
42 | 
43 |         // Valid beanstalk
44 |         result = await validator.Execute(new List<string> { "site.us-east-1.elasticbeanstalk.com" });
45 |         Assert.IsFalse(result);
46 | 
47 |         // Valid beanstalk with environment ID
48 |         result = await validator.Execute(new List<string> { "site.asconuiac.us-east-1.elasticbeanstalk.com" });
49 |         Assert.IsFalse(result);
50 |     }
51 | }
52 | 


--------------------------------------------------------------------------------
/Subdominator/Validators/AWSElasticBeanstalkValidator.cs:
--------------------------------------------------------------------------------
 1 | using Amazon;
 2 | using Amazon.ElasticBeanstalk;
 3 | 
 4 | namespace Subdominator.Validators;
 5 | 
 6 | public class AWSElasticBeanstalkValidator : IValidator
 7 | {
 8 |     public async Task<bool?> Execute(IEnumerable<string> cnames)
 9 |     {
10 |         var isChecked = false;
11 | 
12 |         foreach (var rawCname in cnames)
13 |         {
14 |             var cname = rawCname.Trim('.'); // DNS likes to returns dots at the end
15 | 
16 |             // There are 3 formats for a beanstalk cname:
17 |             //  - <app-name>.<region>.elasticbeanstalk.com
18 |             //  - <app-name>.<id>.<region>.elasticbeanstalk.com
19 |             //  - <app-name>.elasticbeanstalk.com (Legacy, no longer registerable)
20 |             var cnameParts = cname.Split('.');
21 | 
22 |             // <app-name>.elasticbeanstalk.com is the legacy format and no longer able to be registered
23 |             if (!cname.EndsWith("elasticbeanstalk.com") || cnameParts.Length <= 3)
24 |             {
25 |                 isChecked = true;
26 |                 continue;
27 |             }
28 | 
29 |             // Extract the app name (always the first bit)
30 |             var appname = cnameParts[0];
31 | 
32 |             // Extract the region, it's always the last part before elasticbeanstalk.com in the known formats
33 |             string region = cnameParts[^3];
34 | 
35 |             // This means it has the random ID, it can still be taken over if you can register <id>.<region>.elasticbeanstalk.com
36 |             // The subdomain will verify the wildcard
37 |             string id = "";
38 |             if(cnameParts.Length == 5)
39 |             {
40 |                 id = cnameParts[1];
41 |             }
42 | 
43 |             // Now we can check
44 |             var client = new AmazonElasticBeanstalkClient(RegionEndpoint.GetBySystemName(region));
45 |             var result = await client.CheckDNSAvailabilityAsync(
46 |                 new Amazon.ElasticBeanstalk.Model.CheckDNSAvailabilityRequest
47 |                 {
48 |                     CNAMEPrefix = string.IsNullOrEmpty(id) ? appname : id,
49 |                 }
50 |             );
51 |             if (result.Available)
52 |             {
53 |                 return true;
54 |             }
55 |             else
56 |             {
57 |                 isChecked = true;
58 |             }
59 |         }
60 | 
61 |         // If we have checked records and none matched, it's a false positive, other it's unknown
62 |         return isChecked ? false : null;
63 |     }
64 | }
65 | 


--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
 1 | ###############################################################################
 2 | # Set default behavior to automatically normalize line endings.
 3 | ###############################################################################
 4 | * text=auto
 5 | 
 6 | ###############################################################################
 7 | # Set default behavior for command prompt diff.
 8 | #
 9 | # This is need for earlier builds of msysgit that does not have it on by
10 | # default for csharp files.
11 | # Note: This is only used by command line
12 | ###############################################################################
13 | #*.cs     diff=csharp
14 | 
15 | ###############################################################################
16 | # Set the merge driver for project and solution files
17 | #
18 | # Merging from the command prompt will add diff markers to the files if there
19 | # are conflicts (Merging from VS is not affected by the settings below, in VS
20 | # the diff markers are never inserted). Diff markers may cause the following 
21 | # file extensions to fail to load in VS. An alternative would be to treat
22 | # these files as binary and thus will always conflict and require user
23 | # intervention with every merge. To do so, just uncomment the entries below
24 | ###############################################################################
25 | #*.sln       merge=binary
26 | #*.csproj    merge=binary
27 | #*.vbproj    merge=binary
28 | #*.vcxproj   merge=binary
29 | #*.vcproj    merge=binary
30 | #*.dbproj    merge=binary
31 | #*.fsproj    merge=binary
32 | #*.lsproj    merge=binary
33 | #*.wixproj   merge=binary
34 | #*.modelproj merge=binary
35 | #*.sqlproj   merge=binary
36 | #*.wwaproj   merge=binary
37 | 
38 | ###############################################################################
39 | # behavior for image files
40 | #
41 | # image files are treated as binary by default.
42 | ###############################################################################
43 | #*.jpg   binary
44 | #*.png   binary
45 | #*.gif   binary
46 | 
47 | ###############################################################################
48 | # diff behavior for common document formats
49 | # 
50 | # Convert binary document formats to text before diffing them. This feature
51 | # is only available from the command line. Turn it on by uncommenting the 
52 | # entries below.
53 | ###############################################################################
54 | #*.doc   diff=astextplain
55 | #*.DOC   diff=astextplain
56 | #*.docx  diff=astextplain
57 | #*.DOCX  diff=astextplain
58 | #*.dot   diff=astextplain
59 | #*.DOT   diff=astextplain
60 | #*.pdf   diff=astextplain
61 | #*.PDF   diff=astextplain
62 | #*.rtf   diff=astextplain
63 | #*.RTF   diff=astextplain
64 | 


--------------------------------------------------------------------------------
/Subdominator.Tests/FingerprintTests.cs:
--------------------------------------------------------------------------------
 1 | using Subdominator.Models;
 2 | using System.Net;
 3 | 
 4 | namespace Subdominator.Tests;
 5 | 
 6 | [TestClass]
 7 | public class FingerprintTests
 8 | {
 9 |     private SubdomainHijack _subdomainHijack;
10 |     private IEnumerable<Fingerprint> _fingerprints;
11 | 
12 |     [TestInitialize]
13 |     public async Task Setup()
14 |     {
15 |         _subdomainHijack = new SubdomainHijack();
16 |         _fingerprints = await _subdomainHijack.GetFingerprintsAsync(false);
17 |     }
18 | 
19 |     [TestMethod]
20 |     public void ShouldNotHaveDuplicateServices()
21 |     {
22 |         Assert.IsTrue(
23 |             _fingerprints.Count() == _fingerprints.DistinctBy(f => f.Service.ToLower().Replace(" ", "")).Count()
24 |         );
25 |     }
26 | 
27 |     /// <summary>
28 |     /// This test is a good way to check everything works
29 |     /// It will also detect some as vulnerable if the fingerprint matches without a valid parent pointing to it
30 |     /// </summary>
31 |     /// <returns></returns>
32 |     [TestMethod]
33 |     public async Task TestFingerprints()
34 |     {
35 |         foreach (var fingerprint in _fingerprints)
36 |         {
37 |             foreach (var cname in fingerprint.Cnames)
38 |             {
39 |                 CnameResolutionResult subdomainCnames;
40 |                 string randomSubdomain;
41 | 
42 |                 // Since we're directly grabbing expected cname values, there's sometimes IPs.
43 |                 // These will be incorrectly flagged with NXDOMAIN and don't need a subdomain
44 |                 if (IPAddress.TryParse(cname, out _))
45 |                 {
46 |                     subdomainCnames = new();
47 |                     randomSubdomain = cname;
48 |                 }
49 |                 else
50 |                 {
51 |                     subdomainCnames = await _subdomainHijack.GetDnsForSubdomain(cname);
52 |                     randomSubdomain = GenerateRandomSubdomain(cname);
53 |                 }
54 | 
55 |                 var isVulnerable = await _subdomainHijack.IsFingerprintVulnerable(fingerprint, subdomainCnames, randomSubdomain);
56 |                 Console.WriteLine($"Fingerprint: {fingerprint.Service} -- Vulnerable: {isVulnerable}");
57 |             }
58 |         }
59 |     }
60 | 
61 |     private string GenerateRandomSubdomain(string baseCname)
62 |     {
63 |         var random = new Random();
64 |         const string chars = "abcdefghijklmnopqrstuvwxyz0123456789";
65 |         var subdomain = new string(Enumerable.Repeat(chars, 12)
66 |           .Select(s => s[random.Next(s.Length)]).ToArray());
67 | 
68 |         return $"{subdomain}.{baseCname}";
69 |     }
70 | 
71 |     [TestMethod]
72 |     public async Task ShouldExcludeEdgeCaseFingerprints()
73 |     {
74 |         var hijack = new SubdomainHijack();
75 |         var allFingerprints = await hijack.GetFingerprintsAsync(false);
76 |         Assert.IsTrue(allFingerprints.Any(f => f.Status.ToLower() == "edge case"));
77 | 
78 |         hijack = new SubdomainHijack();
79 |         var filteredFingerprints = await hijack.GetFingerprintsAsync(true);
80 |         Assert.IsFalse(filteredFingerprints.Any(f => f.Status.ToLower() == "edge case"));
81 |     }
82 | }


--------------------------------------------------------------------------------
/Subdominator/Validators/MicrosoftAzureValidator.cs:
--------------------------------------------------------------------------------
  1 | using Azure.Identity;
  2 | using Azure.ResourceManager.TrafficManager;
  3 | using Azure.ResourceManager.TrafficManager.Models;
  4 | using Azure.ResourceManager.AppService;
  5 | using Azure.ResourceManager.AppService.Models;
  6 | using Azure.ResourceManager;
  7 | using Azure.ResourceManager.Resources;
  8 | using Azure.Core;
  9 | 
 10 | namespace Subdominator.Validators;
 11 | 
 12 | public class MicrosoftAzureValidator : IValidator
 13 | {
 14 |     private readonly SubscriptionResource _subscription;
 15 | 
 16 |     public MicrosoftAzureValidator()
 17 |     {
 18 |         TokenCredential credential = new DefaultAzureCredential();
 19 |         var armClient = new ArmClient(credential);
 20 | 
 21 |         try
 22 |         {
 23 |             _subscription = armClient.GetDefaultSubscription();
 24 |         }
 25 |         catch
 26 |         {
 27 |             // Fall back to manual login if no creds are found
 28 |             credential = new InteractiveBrowserCredential();
 29 |             armClient = new ArmClient(credential);
 30 |             _subscription = armClient.GetDefaultSubscription();
 31 |         }
 32 |     }
 33 | 
 34 |     public async Task<bool?> Execute(IEnumerable<string> cnames)
 35 |     {
 36 |         var isChecked = false;
 37 | 
 38 |         foreach (var rawCname in cnames)
 39 |         {
 40 |             var cname = rawCname.Trim('.'); // DNS likes to returns dots at the end
 41 |             if (cname.ToLower().Contains("cloudapp.net"))
 42 |             {
 43 |                 // Check Azure Virtual Machines and Cloud Services (API Not Available in Azure yet)
 44 |                 //return await CheckCloudAppNet(cname);
 45 |             }
 46 |             else if (cname.ToLower().Contains("azurewebsites.net"))
 47 |             {
 48 |                 // Check Azure App Services
 49 |                 var isAvailable = await CheckAzureWebsitesNet(cname);
 50 | 
 51 |                 // Only return if available so we can check nested records
 52 |                 if (isAvailable)
 53 |                 {
 54 |                     return true;
 55 |                 }
 56 |                 else
 57 |                 {
 58 |                     isChecked = true;
 59 |                 }
 60 |             }
 61 |             else if (cname.ToLower().Contains("cloudapp.azure.com"))
 62 |             {
 63 |                 // Check Azure VM Scale Sets (API Not Available in Azure yet)
 64 |                 // await CheckCloudAppAzureCom(cname);
 65 |             }
 66 |             else if (cname.ToLower().Contains("trafficmanager.net"))
 67 |             {
 68 |                 // Check Azure Traffic Manager
 69 |                 var isAvailable = await CheckTrafficManagerNet(cname);
 70 |                 if (isAvailable)
 71 |                 {
 72 |                     return true;
 73 |                 }
 74 |                 else
 75 |                 {
 76 |                     isChecked = true;
 77 |                 }
 78 |             }
 79 |             else if (cname.ToLower().Contains("azureedge.net"))
 80 |             {
 81 |                 // Check Azure CDN (Classic) Endpoint
 82 |                 // await CheckAzureCdn(cname);
 83 |             }
 84 |         }
 85 | 
 86 |         // If we have checked records and none matched, it's a false positive, other it's unknown
 87 |         return isChecked ? false : null;
 88 |     }
 89 | 
 90 |     private async Task<bool> CheckAzureCdn(string cname)
 91 |     {
 92 |         throw new NotImplementedException();
 93 |     }
 94 | 
 95 |     private async Task<bool> CheckCloudAppNet(string cname)
 96 |     {
 97 |         throw new NotImplementedException();
 98 |     }
 99 | 
100 |     private async Task<bool> CheckAzureWebsitesNet(string cname)
101 |     {
102 |         // We might end up with things like *.privatelink.azurewebsites.net or *.scm
103 |         // They are linked to *.azurewebsites.net so we don't need to check the whole thing
104 |         var resourceName = cname.Split('.')[0];
105 |         var resourceType = CheckNameResourceType.MicrosoftWebSites;
106 |         //TODO: Do we need to manage app service slots?
107 |         var result = await _subscription.CheckAppServiceNameAvailabilityAsync(new ResourceNameAvailabilityContent(resourceName, resourceType));
108 | 
109 |         return result.Value.IsNameAvailable ?? false;
110 |     }
111 | 
112 |     private async Task<bool> CheckCloudAppAzureCom(string cname)
113 |     {
114 |         throw new NotImplementedException();
115 |     }
116 | 
117 |     private async Task<bool> CheckTrafficManagerNet(string cname)
118 |     {
119 |         var content = new TrafficManagerRelativeDnsNameAvailabilityContent()
120 |         {
121 |             Name = cname.Split('.')[0],
122 |             ResourceType = new ResourceType("microsoft.network/trafficmanagerprofiles"),
123 |         };
124 |         var result = await _subscription.CheckTrafficManagerNameAvailabilityV2Async(content);
125 | 
126 |         return result.Value.IsNameAvailable ?? false;
127 |     }
128 | }
129 | 


--------------------------------------------------------------------------------
/Subdominator/Scanner.cs:
--------------------------------------------------------------------------------
  1 | using System.IO.Compression;
  2 | using System.Text.RegularExpressions;
  3 | 
  4 | namespace Subdominator;
  5 | 
  6 | public class Scanner
  7 | {
  8 |     public async Task<List<string>> FindVulnerableSubdomains()
  9 |     {
 10 |         var cnameRecords = new List<string>();
 11 |         var cnameDb = new HashSet<string>();
 12 | 
 13 |         // Download the latest file
 14 |         await RunWithSpinnerAsync("Downloading latest file (This may take a while).", async () =>
 15 |         {
 16 |             //TODO: Make this pull the file from disk (or the internet if possible)
 17 |             var fileContent = await DownloadFileAsync($"https://opendata.rapid7.com/file.zip");
 18 |             cnameRecords.AddRange(await ParseCnameRecordsAsync(fileContent));
 19 |         });
 20 | 
 21 |         // Process CNAME records
 22 |         cnameDb.UnionWith(cnameRecords.Select(record => record.Split(' ')[0]).Distinct());
 23 | 
 24 |         return cnameDb.ToList();
 25 |     }
 26 | 
 27 |     private async Task RunWithSpinnerAsync(string message, Func<Task> action)
 28 |     {
 29 |         var spinner = new[] { "|", "/", "-", "\\" };
 30 |         bool isCompleted = false;
 31 | 
 32 |         var spinnerTask = Task.Run(() =>
 33 |         {
 34 |             int spinnerIndex = 0;
 35 |             while (!isCompleted)
 36 |             {
 37 |                 Console.Write($"\r[{spinner[spinnerIndex++ % spinner.Length]}] {message}");
 38 |                 Task.Delay(150).Wait();
 39 |             }
 40 |         });
 41 | 
 42 |         await action();
 43 |         isCompleted = true;
 44 |         await spinnerTask;
 45 |     }
 46 | 
 47 |     private async Task<string> GetLatestFileNameAsync()
 48 |     {
 49 |         using var client = new HttpClient();
 50 |         string html = await client.GetStringAsync("https://opendata.rapid7.com/sonar.fdns_v2/");
 51 |         var match = Regex.Matches(html, "<td><a.*?href=\"(.*?)\".*?>").FirstOrDefault();
 52 |         return match?.Groups[1].Value.Split('/').Last();
 53 |     }
 54 | 
 55 |     private async Task<Stream> DownloadFileAsync(string url)
 56 |     {
 57 |         using var client = new HttpClient();
 58 |         var response = await client.GetAsync(url);
 59 |         return await response.Content.ReadAsStreamAsync();
 60 |     }
 61 | 
 62 |     private async Task<List<string>> ParseCnameRecordsAsync(Stream dataStream)
 63 |     {
 64 |         var cnameRecords = new List<string>();
 65 |         var domains = new string[] 
 66 |         {
 67 |             ".cloudfront.net",
 68 |             ".s3-website",
 69 |             ".s3.amazonaws.com",
 70 |             "w.amazonaws.com",
 71 |             "1.amazonaws.com",
 72 |             "2.amazonaws.com",
 73 |             "s3-external",
 74 |             "s3-accelerate.amazonaws.com",
 75 |             ".herokuapp.com",
 76 |             ".herokudns.com",
 77 |             ".wordpress.com",
 78 |             ".pantheonsite.io",
 79 |             "domains.tumblr.com",
 80 |             ".zendesk.com",
 81 |             ".github.io",
 82 |             ".global.fastly.net",
 83 |             ".helpjuice.com",
 84 |             ".helpscoutdocs.com",
 85 |             ".ghost.io",
 86 |             "cargocollective.com",
 87 |             "redirect.feedpress.me",
 88 |             ".myshopify.com",
 89 |             ".statuspage.io",
 90 |             ".uservoice.com",
 91 |             ".surge.sh",
 92 |             ".bitbucket.io",
 93 |             "custom.intercom.help",
 94 |             "proxy.webflow.com",
 95 |             "landing.subscribepage.com",
 96 |             "endpoint.mykajabi.com",
 97 |             ".teamwork.com",
 98 |             ".thinkific.com",
 99 |             "clientaccess.tave.com",
100 |             "wishpond.com",
101 |             ".aftership.com",
102 |             "ideas.aha.io",
103 |             "domains.tictail.com",
104 |             "cname.mendix.net",
105 |             ".bcvp0rtal.com",
106 |             ".brightcovegallery.com",
107 |             ".gallery.video",
108 |             ".bigcartel.com",
109 |             ".activehosted.com",
110 |             ".createsend.com",
111 |             ".acquia-test.co",
112 |             ".proposify.biz",
113 |             "simplebooklet.com",
114 |             ".gr8.com",
115 |             ".vendecommerce.com",
116 |             ".azurewebsites.net",
117 |             ".cloudapp.net",
118 |             ".trafficmanager.net",
119 |             ".blob.core.windows.net"
120 |         };
121 |         var domainPattern = string.Join("|", domains.Select(Regex.Escape));
122 | 
123 |         using var decompressionStream = new GZipStream(dataStream, CompressionMode.Decompress);
124 |         using var reader = new StreamReader(decompressionStream);
125 |         string line;
126 |         while ((line = await reader.ReadLineAsync()) != null)
127 |         {
128 |             if (Regex.IsMatch(line, "\"type\":\"cname\"") && Regex.IsMatch(line, domainPattern))
129 |             {
130 |                 var parts = line.Split(new[] { "type\":\"cname", "\"" }, StringSplitOptions.RemoveEmptyEntries);
131 |                 cnameRecords.Add($"{parts[0]} {parts[1]}");
132 |             }
133 |         }
134 | 
135 |         return cnameRecords;
136 |     }
137 | }
138 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
  1 | ## Ignore Visual Studio temporary files, build results, and
  2 | ## files generated by popular Visual Studio add-ons.
  3 | ##
  4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
  5 | 
  6 | # User-specific files
  7 | *.rsuser
  8 | *.suo
  9 | *.user
 10 | *.userosscache
 11 | *.sln.docstates
 12 | 
 13 | # User-specific files (MonoDevelop/Xamarin Studio)
 14 | *.userprefs
 15 | 
 16 | # Mono auto generated files
 17 | mono_crash.*
 18 | 
 19 | # Build results
 20 | [Dd]ebug/
 21 | [Dd]ebugPublic/
 22 | [Rr]elease/
 23 | [Rr]eleases/
 24 | x64/
 25 | x86/
 26 | [Ww][Ii][Nn]32/
 27 | [Aa][Rr][Mm]/
 28 | [Aa][Rr][Mm]64/
 29 | bld/
 30 | [Bb]in/
 31 | [Oo]bj/
 32 | [Oo]ut/
 33 | [Ll]og/
 34 | [Ll]ogs/
 35 | 
 36 | # Visual Studio 2015/2017 cache/options directory
 37 | .vs/
 38 | # Uncomment if you have tasks that create the project's static files in wwwroot
 39 | #wwwroot/
 40 | 
 41 | # Visual Studio 2017 auto generated files
 42 | Generated\ Files/
 43 | 
 44 | # MSTest test Results
 45 | [Tt]est[Rr]esult*/
 46 | [Bb]uild[Ll]og.*
 47 | 
 48 | # NUnit
 49 | *.VisualState.xml
 50 | TestResult.xml
 51 | nunit-*.xml
 52 | 
 53 | # Build Results of an ATL Project
 54 | [Dd]ebugPS/
 55 | [Rr]eleasePS/
 56 | dlldata.c
 57 | 
 58 | # Benchmark Results
 59 | BenchmarkDotNet.Artifacts/
 60 | 
 61 | # .NET Core
 62 | project.lock.json
 63 | project.fragment.lock.json
 64 | artifacts/
 65 | 
 66 | # ASP.NET Scaffolding
 67 | ScaffoldingReadMe.txt
 68 | 
 69 | # StyleCop
 70 | StyleCopReport.xml
 71 | 
 72 | # Files built by Visual Studio
 73 | *_i.c
 74 | *_p.c
 75 | *_h.h
 76 | *.ilk
 77 | *.meta
 78 | *.obj
 79 | *.iobj
 80 | *.pch
 81 | *.pdb
 82 | *.ipdb
 83 | *.pgc
 84 | *.pgd
 85 | *.rsp
 86 | *.sbr
 87 | *.tlb
 88 | *.tli
 89 | *.tlh
 90 | *.tmp
 91 | *.tmp_proj
 92 | *_wpftmp.csproj
 93 | *.log
 94 | *.vspscc
 95 | *.vssscc
 96 | .builds
 97 | *.pidb
 98 | *.svclog
 99 | *.scc
100 | 
101 | # Chutzpah Test files
102 | _Chutzpah*
103 | 
104 | # Visual C++ cache files
105 | ipch/
106 | *.aps
107 | *.ncb
108 | *.opendb
109 | *.opensdf
110 | *.sdf
111 | *.cachefile
112 | *.VC.db
113 | *.VC.VC.opendb
114 | 
115 | # Visual Studio profiler
116 | *.psess
117 | *.vsp
118 | *.vspx
119 | *.sap
120 | 
121 | # Visual Studio Trace Files
122 | *.e2e
123 | 
124 | # TFS 2012 Local Workspace
125 | $tf/
126 | 
127 | # Guidance Automation Toolkit
128 | *.gpState
129 | 
130 | # ReSharper is a .NET coding add-in
131 | _ReSharper*/
132 | *.[Rr]e[Ss]harper
133 | *.DotSettings.user
134 | 
135 | # TeamCity is a build add-in
136 | _TeamCity*
137 | 
138 | # DotCover is a Code Coverage Tool
139 | *.dotCover
140 | 
141 | # AxoCover is a Code Coverage Tool
142 | .axoCover/*
143 | !.axoCover/settings.json
144 | 
145 | # Coverlet is a free, cross platform Code Coverage Tool
146 | coverage*.json
147 | coverage*.xml
148 | coverage*.info
149 | 
150 | # Visual Studio code coverage results
151 | *.coverage
152 | *.coveragexml
153 | 
154 | # NCrunch
155 | _NCrunch_*
156 | .*crunch*.local.xml
157 | nCrunchTemp_*
158 | 
159 | # MightyMoose
160 | *.mm.*
161 | AutoTest.Net/
162 | 
163 | # Web workbench (sass)
164 | .sass-cache/
165 | 
166 | # Installshield output folder
167 | [Ee]xpress/
168 | 
169 | # DocProject is a documentation generator add-in
170 | DocProject/buildhelp/
171 | DocProject/Help/*.HxT
172 | DocProject/Help/*.HxC
173 | DocProject/Help/*.hhc
174 | DocProject/Help/*.hhk
175 | DocProject/Help/*.hhp
176 | DocProject/Help/Html2
177 | DocProject/Help/html
178 | 
179 | # Click-Once directory
180 | publish/
181 | 
182 | # Publish Web Output
183 | *.[Pp]ublish.xml
184 | *.azurePubxml
185 | # Note: Comment the next line if you want to checkin your web deploy settings,
186 | # but database connection strings (with potential passwords) will be unencrypted
187 | *.pubxml
188 | *.publishproj
189 | 
190 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
191 | # checkin your Azure Web App publish settings, but sensitive information contained
192 | # in these scripts will be unencrypted
193 | PublishScripts/
194 | 
195 | # NuGet Packages
196 | *.nupkg
197 | # NuGet Symbol Packages
198 | *.snupkg
199 | # The packages folder can be ignored because of Package Restore
200 | **/[Pp]ackages/*
201 | # except build/, which is used as an MSBuild target.
202 | !**/[Pp]ackages/build/
203 | # Uncomment if necessary however generally it will be regenerated when needed
204 | #!**/[Pp]ackages/repositories.config
205 | # NuGet v3's project.json files produces more ignorable files
206 | *.nuget.props
207 | *.nuget.targets
208 | 
209 | # Microsoft Azure Build Output
210 | csx/
211 | *.build.csdef
212 | 
213 | # Microsoft Azure Emulator
214 | ecf/
215 | rcf/
216 | 
217 | # Windows Store app package directories and files
218 | AppPackages/
219 | BundleArtifacts/
220 | Package.StoreAssociation.xml
221 | _pkginfo.txt
222 | *.appx
223 | *.appxbundle
224 | *.appxupload
225 | 
226 | # Visual Studio cache files
227 | # files ending in .cache can be ignored
228 | *.[Cc]ache
229 | # but keep track of directories ending in .cache
230 | !?*.[Cc]ache/
231 | 
232 | # Others
233 | ClientBin/
234 | ~$*
235 | *~
236 | *.dbmdl
237 | *.dbproj.schemaview
238 | *.jfm
239 | *.pfx
240 | *.publishsettings
241 | orleans.codegen.cs
242 | 
243 | # Including strong name files can present a security risk
244 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
245 | #*.snk
246 | 
247 | # Since there are multiple workflows, uncomment next line to ignore bower_components
248 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
249 | #bower_components/
250 | 
251 | # RIA/Silverlight projects
252 | Generated_Code/
253 | 
254 | # Backup & report files from converting an old project file
255 | # to a newer Visual Studio version. Backup files are not needed,
256 | # because we have git ;-)
257 | _UpgradeReport_Files/
258 | Backup*/
259 | UpgradeLog*.XML
260 | UpgradeLog*.htm
261 | ServiceFabricBackup/
262 | *.rptproj.bak
263 | 
264 | # SQL Server files
265 | *.mdf
266 | *.ldf
267 | *.ndf
268 | 
269 | # Business Intelligence projects
270 | *.rdl.data
271 | *.bim.layout
272 | *.bim_*.settings
273 | *.rptproj.rsuser
274 | *- [Bb]ackup.rdl
275 | *- [Bb]ackup ([0-9]).rdl
276 | *- [Bb]ackup ([0-9][0-9]).rdl
277 | 
278 | # Microsoft Fakes
279 | FakesAssemblies/
280 | 
281 | # GhostDoc plugin setting file
282 | *.GhostDoc.xml
283 | 
284 | # Node.js Tools for Visual Studio
285 | .ntvs_analysis.dat
286 | node_modules/
287 | 
288 | # Visual Studio 6 build log
289 | *.plg
290 | 
291 | # Visual Studio 6 workspace options file
292 | *.opt
293 | 
294 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
295 | *.vbw
296 | 
297 | # Visual Studio LightSwitch build output
298 | **/*.HTMLClient/GeneratedArtifacts
299 | **/*.DesktopClient/GeneratedArtifacts
300 | **/*.DesktopClient/ModelManifest.xml
301 | **/*.Server/GeneratedArtifacts
302 | **/*.Server/ModelManifest.xml
303 | _Pvt_Extensions
304 | 
305 | # Paket dependency manager
306 | .paket/paket.exe
307 | paket-files/
308 | 
309 | # FAKE - F# Make
310 | .fake/
311 | 
312 | # CodeRush personal settings
313 | .cr/personal
314 | 
315 | # Python Tools for Visual Studio (PTVS)
316 | __pycache__/
317 | *.pyc
318 | 
319 | # Cake - Uncomment if you are using it
320 | # tools/**
321 | # !tools/packages.config
322 | 
323 | # Tabs Studio
324 | *.tss
325 | 
326 | # Telerik's JustMock configuration file
327 | *.jmconfig
328 | 
329 | # BizTalk build output
330 | *.btp.cs
331 | *.btm.cs
332 | *.odx.cs
333 | *.xsd.cs
334 | 
335 | # OpenCover UI analysis results
336 | OpenCover/
337 | 
338 | # Azure Stream Analytics local run output
339 | ASALocalRun/
340 | 
341 | # MSBuild Binary and Structured Log
342 | *.binlog
343 | 
344 | # NVidia Nsight GPU debugger configuration file
345 | *.nvuser
346 | 
347 | # MFractors (Xamarin productivity tool) working folder
348 | .mfractor/
349 | 
350 | # Local History for Visual Studio
351 | .localhistory/
352 | 
353 | # BeatPulse healthcheck temp database
354 | healthchecksdb
355 | 
356 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
357 | MigrationBackup/
358 | 
359 | # Ionide (cross platform F# VS Code tools) working folder
360 | .ionide/
361 | 
362 | # Fody - auto-generated XML schema
363 | FodyWeavers.xsd


--------------------------------------------------------------------------------
/ReadMe.md:
--------------------------------------------------------------------------------
  1 | ![GitHub Actions CI](https://github.com/Stratus-Security/Subdominator/workflows/CI/badge.svg)
  2 | ![GitHub all releases](https://img.shields.io/github/downloads/Stratus-Security/Subdominator/total)
  3 | 
  4 | # Subdominator 🚀
  5 | 
  6 | ## Welcome to the Subdominator Club!
  7 | Meet **Subdominator**, your new favourite CLI tool for detecting subdomain takeovers. It's designed to be fast, accurate, and dependable, offering [a significant improvement over other available tools](https://www.stratussecurity.com/post/the-ultimate-subdomain-takeover-tool).
  8 | 
  9 | 🔍 Precision and speed are our goal. Subdominator delivers better results without the wait, see the benchmark and feature comparison below for details.
 10 | 
 11 | ## Installing 🛠️
 12 | To quickly, get up and running, you can download the latest release for [windows](https://github.com/Stratus-Security/Subdominator/releases/latest/download/Subdominator.exe) or [linux](https://github.com/Stratus-Security/Subdominator/releases/latest/download/Subdominator).
 13 | Alternatively, download it via CLI (remove .exe for linux version):
 14 | ```bash
 15 | wget https://github.com/Stratus-Security/Subdominator/releases/latest/download/Subdominator.exe
 16 | ```
 17 | 
 18 | ## Quick Start 🚦
 19 | To quickly check a list of domains, simply run: 
 20 | ```bash
 21 | Subdominator -l subdomains.txt -o takeovers.txt
 22 | ```
 23 | Or to quickly check a single domain, run:
 24 | ```bash
 25 | Subdominator -d sub.example.com
 26 | ```
 27 | 
 28 | ## Options 🎛️
 29 | ```
 30 | -d, --domain <domain>    A single domain to check
 31 | -l, --list <list>        A list of domains to check (line delimited)
 32 | -o, --output <output>    Output subdomains to a file
 33 | -t, --threads <threads>  Number of domains to check at once; values \<= 0 use the default [default: 50]
 34 | -v, --verbose            Print extra information
 35 | -q, --quiet              Quiet mode: Only print found results
 36 | -eu, --exclude-unlikely  Exclude unlikely (edge-case) fingerprints
 37 | -c, --csv <csv>          Column index or heading to parse for CSV file. Forces -l to read as CSV instead of line-delimited
 38 | --validate               Validate the takeovers are exploitable (where possible)
 39 | --version                Show version information
 40 | -?, -h, --help           Show help and usage information
 41 | ```
 42 | 
 43 | ## Output
 44 | There will be a periodic progress updates to the CLI, additionally output for vulnerable domains is indicated as shown below.
 45 | 
 46 | By default, only vulnerable domains will be printed or saved to the file along with the vulnerable DNS record(s).
 47 | The output format is as follows:
 48 | ```
 49 | [Service Name] vulnerable.domain.com - RecordType: dns.record.com
 50 | ```
 51 | 
 52 | For example, a vulnerable Azure CDN takeover will look like this:
 53 | ```
 54 | [Microsoft Azure] example.stratussecurity.com - CNAME: stratus-cdn-stg.azureedge.net
 55 | ``` 
 56 | 
 57 | If you use the verbose flag, it will print all domains checked. 
 58 | For example, this shows the same vulnerable domain and another non-vulnerable domain indicated by [-]:
 59 | ```
 60 | [Microsoft Azure] example.stratussecurity.com - CNAME: stratus-cdn-stg.azureedge.net
 61 | [-] www.stratussecurity.com
 62 | ```
 63 | 
 64 | Finally, if a domain is vulnerable and passes validation with the --validation flag, it will be prepended with a ✅.
 65 | These domains have been validated to be vulnerable with the services directly, not just the fingerprint. For example:
 66 | ```
 67 | ✅ [Microsoft Azure] example.stratussecurity.com - CNAME: stratus-cdn-stg.azureedge.net
 68 | ```
 69 | 
 70 | ## Demo
 71 | The tool running across 1000 passively gathered subdomains:
 72 | ![Demo](https://raw.githubusercontent.com/Stratus-Security/Subdominator/master/Demo.gif)
 73 | 
 74 | ## Benchmark 📊
 75 | A benchmark was run across ~100,000 subdomains to compare performance with other popular tools
 76 | | Tool         | Threads | Time Taken         |
 77 | |--------------|---------|--------------------|
 78 | | **Subdominator** | 50      | 19 minutes, 8 seconds |
 79 | | Subjack      | 50      | 2 hours, 30 minutes, 2 seconds |
 80 | | Subdover     | 50      | 2 hours, 33 minutes, 27 seconds |
 81 | 
 82 | ## Key Features 🔥
 83 | - **Advanced DNS Matching**: Supports DNS matching for CNAME, A, and AAAA records.
 84 | - **Recursive DNS Queries**: Performs in-depth queries to enhance accuracy and reduce false positives.
 85 | - **Intelligent Domain Matching**: Uses a custom `public_suffix_list.dat` for more effective domain matching.
 86 | - **Domain Registration Detection**: Checks for unregistered domains, with a more reliable method compared to other tools.
 87 | - **High-Speed Performance**: Achieves faster results through intelligent DNS record matching.
 88 | - **Vetted Ruleset**: Includes a thoroughly reviewed and updated ruleset.
 89 | - **Comprehensive Detection**: Capable of identifying takeovers missed by other tools.
 90 | - **Validation**: Dynamic takeover validation modules to check beyond fingerprints.
 91 | 
 92 | ## Feature Comparison 🥊
 93 | | Feature                          | Subdominator | Subjack | Subdover |
 94 | |----------------------------------|--------------|---------|----------|
 95 | | Advanced DNS Matching            | ✅          | ❌      | ❌       |
 96 | | Recursive DNS Queries            | ✅          | ❌      | ❌       |
 97 | | Intelligent Domain Matching      | ✅          | ❌      | ❌       |
 98 | | Domain Registration Detection    | ✅          | ✅      | ❌       |
 99 | | High-Speed Performance           | ✅          | ❌      | ❌       |
100 | | Vetted and Updated Ruleset       | ✅          | ❌      | ❌       |
101 | | Comprehensive Detection          | ✅          | ❌      | ❌       |
102 | | Custom Fingerprint Support       | ✅          | ✅      | ❌       |
103 | | Validation                       | ✅          | ❌      | ❌       |
104 | | Fingerprints                     | 97           | 35      | 80       |
105 | 
106 | ## Contributions
107 | Got a suggestion, fingerprint, or want to chip in? We're all ears! Open a PR or issue – this will keep subdominator on top! 😄
108 | 
109 | ## Fingerprints 
110 | The fingerprints and services are dynamically pulled from the [CanITakeOverXYZ repo](https://github.com/EdOverflow/can-i-take-over-xyz) as a source of truth. To fill in the gaps and correct incorrect fingerprints, this tool also has its own [custom fingerprints list](https://github.com/Stratus-Security/Subdominator/blob/master/Subdominator/custom_fingerprints.json) which is used in conjunction.
111 | 
112 | Below is the current list of services supported, to ignore edge cases use the `-eu` flag.
113 | | Service | Status |
114 | |---------|--------|
115 | | Acquia | Edge case |
116 | | ActiveCampaign | Vulnerable |
117 | | Aftership | Vulnerable |
118 | | Agile CRM | Vulnerable |
119 | | Aha | Vulnerable |
120 | | Airee.ru | Vulnerable |
121 | | Amazon Cognito | Vulnerable |
122 | | Anima | Vulnerable |
123 | | Announcekit | Vulnerable |
124 | | Apigee | Vulnerable |
125 | | Appery.io | Vulnerable |
126 | | AWS/Elastic Beanstalk | Vulnerable |
127 | | AWS/S3 | Vulnerable |
128 | | Better Uptime | Vulnerable |
129 | | BigCartel | Vulnerable |
130 | | Bitbucket | Vulnerable |
131 | | Branch.io | Vulnerable |
132 | | Brandpad | Vulnerable |
133 | | Brightcove | Vulnerable |
134 | | Bubble.io | Vulnerable |
135 | | Campaign Monitor | Vulnerable |
136 | | Canny | Vulnerable |
137 | | Cargo Collective | Vulnerable |
138 | | ConvertKit | Vulnerable |
139 | | DatoCMS.com | Vulnerable |
140 | | Digital Ocean | Vulnerable |
141 | | Discourse | Vulnerable |
142 | | EasyRedir | Vulnerable |
143 | | Fastly | Edge case |
144 | | Flexbe | Edge Case |
145 | | Flywheel | Vulnerable |
146 | | Frontify | Edge case |
147 | | Gemfury | Vulnerable |
148 | | GetCloudApp | Vulnerable |
149 | | Getresponse | Vulnerable |
150 | | Ghost | Vulnerable |
151 | | Gitbook | Vulnerable |
152 | | Github | Edge case |
153 | | HatenaBlog | Vulnerable |
154 | | Help Juice | Vulnerable |
155 | | Help Scout | Vulnerable |
156 | | Helprace | Vulnerable |
157 | | Heroku | Edge case |
158 | | Instapage | Edge case |
159 | | Intercom | Edge case |
160 | | JazzHR | Edge Case |
161 | | JetBrains | Vulnerable |
162 | | Kajabi | Vulnerable |
163 | | Landingi | Edge case |
164 | | LaunchRock | Vulnerable |
165 | | LeadPages.com | Vulnerable |
166 | | Mashery | Edge case |
167 | | Meteor Cloud (Galaxy) | Vulnerable |
168 | | Microsoft Azure | Vulnerable |
169 | | Netlify | Edge case |
170 | | Ngrok | Vulnerable |
171 | | Pagewiz | Vulnerable |
172 | | Pantheon | Vulnerable |
173 | | Pingdom | Vulnerable |
174 | | Proposify | Vulnerable |
175 | | Readme.io | Vulnerable |
176 | | Readthedocs | Vulnerable |
177 | | Refined | Vulnerable |
178 | | Shopify | Edge case |
179 | | Short.io | Vulnerable |
180 | | SimpleBooklet | Vulnerable |
181 | | SmartJobBoard | Vulnerable |
182 | | Smartling | Edge case |
183 | | Smugsmug | Vulnerable |
184 | | Softr | Vulnerable |
185 | | Sprintful | Vulnerable |
186 | | Strikingly | Vulnerable |
187 | | Surge.sh | Vulnerable |
188 | | Surveygizmo | Vulnerable |
189 | | SurveySparrow | Vulnerable |
190 | | Tave | Vulnerable |
191 | | Teamwork | Vulnerable |
192 | | Thinkific | Vulnerable |
193 | | Tictail | Vulnerable |
194 | | Tilda | Edge case |
195 | | Tribe | Vulnerable |
196 | | Tumblr | Edge case |
197 | | Uberflip | Vulnerable |
198 | | Unbounce | Edge case |
199 | | Uptimerobot | Vulnerable |
200 | | UseResponse | Vulnerable |
201 | | UserVoice | Edge case |
202 | | Vend | Vulnerable |
203 | | Vercel | Edge case |
204 | | Webflow | Edge case |
205 | | Wishpond | Vulnerable |
206 | | Wix | Edge case |
207 | | Wordpress | Vulnerable |
208 | | Worksites | Vulnerable |
209 | | Wufoo | Vulnerable |
210 | | Zendesk | Edge case |
211 | | Zoho Forms | Vulnerable |
212 | | Zoho Forms India | Vulnerable |


--------------------------------------------------------------------------------
/Subdominator/Program.cs:
--------------------------------------------------------------------------------
  1 | using Nager.PublicSuffix;
  2 | using System.Diagnostics;
  3 | using System.CommandLine;
  4 | using Subdominator.Models;
  5 | using System.Text;
  6 | using System.Globalization;
  7 | using CsvHelper;
  8 | using CsvHelper.Configuration;
  9 | using Nager.PublicSuffix.RuleProviders;
 10 | using Nager.PublicSuffix.RuleProviders.CacheProviders;
 11 | using Microsoft.Extensions.Configuration;
 12 | 
 13 | namespace Subdominator;
 14 | 
 15 | public class Program
 16 | {
 17 |     private static readonly object _fileLock = new();
 18 |     private static StreamWriter? _outputFileWriter = null;
 19 |     private static readonly string _version = "v1.71";
 20 | 
 21 |     public static async Task Main(string[] args = null)
 22 |     {
 23 |         Console.OutputEncoding = Encoding.UTF8;
 24 | 
 25 |         // Define the command line options
 26 |         // Note: For options that don't match the flag (e.g. --domain == Options.Domain), use name property to map to the correct property
 27 |         var command = new RootCommand("A subdomain takeover detection tool for cool kids")
 28 |         {
 29 |             new Option<string>(["-d", "--domain"], "A single domain to check"),
 30 |             new Option<string>(["-l", "--list"], "A list of domains to check (line delimited)") { Name = "DomainsFile" }, 
 31 |             new Option<string>(["-o", "--output"], "Output subdomains to a file") { Name = "OutputFile" },
 32 |             new Option<int>(["-t", "--threads"], () => 50, "Number of domains to check at once (0 or less uses default of 50)"),
 33 |             new Option<bool>(["-v", "--verbose"], "Print extra information"),
 34 |             new Option<bool>(["-q", "--quiet"], "Quiet mode: Only print found results"),
 35 |             new Option<string>(["-c", "--csv"], "Heading or column index to parse for CSV file. Forces -l to read as CSV instead of line-delimited") { Name = "CsvHeading" },
 36 |             new Option<bool>(["-eu", "--exclude-unlikely"], "Exclude unlikely (edge-case) fingerprints"),
 37 |             new Option<bool>(["--validate"], "Validate the takeovers are exploitable (where possible)")
 38 |         };
 39 | 
 40 |         command.SetHandler(async (options) =>
 41 |         {
 42 |             await RunSubdominator(options);
 43 |         }, new OptionsBinder([.. command.Options]));
 44 |             
 45 |         // Parse the incoming args and invoke the handler
 46 |         await command.InvokeAsync(args);
 47 |     }
 48 | 
 49 |     public static async Task RunSubdominator(Options o)
 50 |     {
 51 |         // Print banner!
 52 |         if (!o.Quiet)
 53 |         {
 54 |             Console.WriteLine(@$"
 55 | 
 56 |  _____       _         _                 _             _             
 57 | /  ___|     | |       | |               (_)           | |            
 58 | \ `--. _   _| |__   __| | ___  _ __ ___  _ _ __   __ _| |_ ___  _ __ 
 59 |  `--. \ | | | '_ \ / _` |/ _ \| '_ ` _ \| | '_ \ / _` | __/ _ \| '__|
 60 | /\__/ / |_| | |_) | (_| | (_) | | | | | | | | | | (_| | || (_) | |   
 61 | \____/ \__,_|_.__/ \__,_|\___/|_| |_| |_|_|_| |_|\__,_|\__\___/|_|   
 62 |                     {_version} | stratussecurity.com
 63 | ");
 64 |         }
 65 | 
 66 |         // Get domain(s) from the options
 67 |         var rawDomains = new List<string>();
 68 |         if (!string.IsNullOrEmpty(o.DomainsFile))
 69 |         {
 70 |             string file = o.DomainsFile;
 71 |             if (string.IsNullOrEmpty(o.CsvHeading))
 72 |             {
 73 |                 rawDomains = [.. (await File.ReadAllLinesAsync(file))];
 74 |             }
 75 |             else // CSV input
 76 |             {
 77 |                 try
 78 |                 {
 79 |                     using var reader = new StreamReader(file);
 80 |                     using var csv = new CsvReader(reader, CultureInfo.InvariantCulture);
 81 |                     var config = new CsvConfiguration(CultureInfo.InvariantCulture)
 82 |                     {
 83 |                         PrepareHeaderForMatch = args => args.Header.Trim(),
 84 |                     };
 85 |                     csv.Read();
 86 |                     csv.ReadHeader();
 87 |                     while (csv.Read())
 88 |                     {
 89 |                         string domain;
 90 |                         if (int.TryParse(o.CsvHeading, out int columnIndex))
 91 |                         {
 92 |                             domain = csv.GetField<string>(columnIndex);
 93 |                         }
 94 |                         else
 95 |                         {
 96 |                             domain = csv.GetField<string>(o.CsvHeading);
 97 |                         }
 98 |                         rawDomains.Add(domain);
 99 |                     }
100 |                 }
101 |                 catch (CsvHelper.MissingFieldException)
102 |                 {
103 |                     Console.ForegroundColor = ConsoleColor.Red;
104 |                     Console.WriteLine($"The CSV ({file}) is missing the specified heading! ({o.CsvHeading})");
105 |                     Console.ResetColor();
106 |                     return;
107 |                 }
108 |             }
109 |         }
110 |         else if (!string.IsNullOrEmpty(o.Domain))
111 |         {
112 |             rawDomains.Add(o.Domain);
113 |         }
114 |         else
115 |         {
116 |             Console.ForegroundColor = ConsoleColor.Red;
117 |             Console.WriteLine("A domain (-d) or file (-l) must be specified!");
118 |             Console.ResetColor();
119 |             return;
120 |         }
121 | 
122 |         // Define maximum concurrent tasks
123 |         int maxConcurrentTasks = ValidateThreadCount(o.Threads);
124 |         var vulnerableCount = 0;
125 | 
126 |         // Pre-check domains passed in and filter any that are invalid
127 |         var domains = await FilterAndNormalizeDomains(rawDomains, o.Quiet);
128 | 
129 |         // Pre-load fingerprints to memory
130 |         var hijackChecker = new SubdomainHijack();
131 |         await hijackChecker.GetFingerprintsAsync(o.ExcludeUnlikely);
132 | 
133 |         // Do the things
134 |         var stopwatch = new Stopwatch();
135 |         stopwatch.Start();
136 | 
137 |         int completedTasks = 0;
138 |         var updateInterval = TimeSpan.FromSeconds(60);
139 | 
140 |         using var cts = new CancellationTokenSource();
141 |         var updateTask = PeriodicUpdateAsync(updateInterval, () =>
142 |         {
143 |             // Skip the first print since it's 0 anyway
144 |             if (!o.Quiet && completedTasks != 0)
145 |             {
146 |                 var elapsed = stopwatch.Elapsed;
147 |                 var rate = completedTasks / elapsed.TotalSeconds;
148 |                 Console.WriteLine($"{completedTasks}/{domains.Count()} domains processed. Average rate: {rate:F2} domains/sec");
149 |             }
150 |         }, cts.Token);
151 | 
152 |         // Set up output file if specified
153 |         if (!string.IsNullOrWhiteSpace(o.OutputFile))
154 |         {
155 |             _outputFileWriter = new StreamWriter(o.OutputFile, append: true)
156 |             {
157 |                 AutoFlush = true
158 |             };
159 |         }
160 | 
161 |         await Parallel.ForEachAsync(domains, new ParallelOptions { MaxDegreeOfParallelism = maxConcurrentTasks }, async (domain, cancellationToken) =>
162 |         {
163 |             var isVulnerable = await CheckAndLogDomain(hijackChecker, domain, o.Validate, o.Verbose, o.Quiet, o.ExcludeUnlikely);
164 |             if(isVulnerable)
165 |             {
166 |                 Interlocked.Increment(ref vulnerableCount);
167 |             }
168 |             Interlocked.Increment(ref completedTasks);
169 |         });
170 | 
171 |         _outputFileWriter?.Close();
172 |         stopwatch.Stop();
173 |         cts.Cancel(); // Signal the update task to stop
174 |         await updateTask; // Ensure the update task completes before finishing the program
175 | 
176 |         // One last output for clarity
177 |         if (!o.Quiet)
178 |         {
179 |             var elapsed = stopwatch.Elapsed;
180 |             var rate = completedTasks / elapsed.TotalSeconds;
181 |             Console.WriteLine($"{completedTasks}/{domains.Count()} domains processed. Average rate: {rate:F2} domains/sec");
182 |             Console.WriteLine($"Done in {stopwatch.Elapsed.TotalSeconds:N2}s! Subdominator found {vulnerableCount} vulnerable domains.");
183 |         }
184 | 
185 |         // Exit non-zero if we have a takeover, for the DevOps folks
186 |         if (vulnerableCount > 0)
187 |         {
188 |             Environment.ExitCode = 1;
189 |         }
190 |     }
191 | 
192 |     static async Task PeriodicUpdateAsync(TimeSpan interval, Action action, CancellationToken cancellationToken)
193 |     {
194 |         while (!cancellationToken.IsCancellationRequested)
195 |         {
196 |             action();
197 |             try
198 |             {
199 |                 await Task.Delay(interval, cancellationToken);
200 |             }
201 |             catch (TaskCanceledException)
202 |             {
203 |                 break; // Exit loop if the task is canceled
204 |             }
205 |         }
206 |     }
207 | 
208 |     static async Task<IEnumerable<string>> FilterAndNormalizeDomains(List<string> domains, bool quiet)
209 |     {
210 |         IConfiguration configuration = new ConfigurationBuilder()
211 |             .AddInMemoryCollection(
212 |             [
213 |                 new("Nager:PublicSuffix:DataUrl", "https://raw.githubusercontent.com/Stratus-Security/Subdominator/master/Subdominator/public_suffix_list.dat")
214 |             ])
215 |             .Build();
216 |         var cacheProvider = new LocalFileSystemCacheProvider();
217 |         var ruleProvider = new CachedHttpRuleProvider(cacheProvider, new HttpClient(), configuration);
218 |         var domainParser = new DomainParser(ruleProvider);
219 |         await ruleProvider.BuildAsync();
220 | 
221 |         // Normalize domains and check validity
222 |         var normalizedDomains = domains
223 |             .Select(domain => domain.Replace("http://", "").Replace("https://", "").TrimEnd('/'))
224 |             .Select(domain => new { Original = domain, IsValid = domainParser.IsValidDomain(domain) })
225 |             .ToList();
226 | 
227 |         // Count and report removed domains
228 |         var removedDomains = normalizedDomains.Count(d => !d.IsValid);
229 |         if (!quiet && removedDomains > 0)
230 |         {
231 |             Console.ForegroundColor = ConsoleColor.Red;
232 |             Console.WriteLine($"Removed {removedDomains} invalid domains.");
233 |             Console.ResetColor();
234 |         }
235 | 
236 |         // Return only valid domains
237 |         return normalizedDomains.Where(d => d.IsValid).Select(d => d.Original);
238 |     }
239 | 
240 |     static async Task<bool> CheckAndLogDomain(SubdomainHijack hijackChecker, string domain, bool validateResults, bool verbose, bool quiet, bool excludeUnlikely)
241 |     {
242 |         bool isFound = false;
243 |         try
244 |         {
245 |             var result = await hijackChecker.IsDomainVulnerable(domain, validateResults, excludeUnlikely);
246 |             if (result.IsVulnerable || verbose)
247 |             {
248 |                 if (result.IsVulnerable)
249 |                 {
250 |                     isFound = true;
251 |                 }
252 |                 var fingerPrintName = result.Fingerprint == null ? "-" : result.Fingerprint.Service;
253 | 
254 |                 // Show where we matched the takeover
255 |                 var locationString = "";
256 |                 if(result.MatchedRecord == MatchedRecord.CNAME)
257 |                 {
258 |                     if(result.MatchedLocation != MatchedLocation.DomainAvailable ||
259 |                         (result.MatchedLocation == MatchedLocation.DomainAvailable && result.CNAMES?.Any() == true)
260 |                     )
261 |                     {
262 |                         locationString = $" - CNAME: {string.Join(", ", result.CNAMES ?? [])}";
263 |                     }
264 |                 }
265 |                 else if(result.MatchedRecord == MatchedRecord.A)
266 |                 {
267 |                     locationString = $" - A: {string.Join(", ", result.A ?? [])}";
268 |                 }
269 |                 else if (result.MatchedRecord == MatchedRecord.AAAA)
270 |                 {
271 |                     locationString = $" - AAAA: {string.Join(", ", result.AAAA ?? [])}";
272 |                 }
273 | 
274 |                 // Build the output string after determining locationString
275 |                 var output = $"{(result.IsVerified ? "✅ " : "")}[{fingerPrintName}] {domain}{locationString}";
276 | 
277 |                 // Thread-safe console print and append to results file
278 |                 lock (_fileLock)
279 |                 {
280 |                     Console.Write($"{(result.IsVerified ? "✅ " : "")}[");
281 |                     Console.ForegroundColor = result.IsVulnerable ? ConsoleColor.Red : ConsoleColor.Green;
282 |                     Console.Write(fingerPrintName);
283 |                     Console.ResetColor();
284 |                     Console.Write($"] {domain}{locationString}" + Environment.NewLine);
285 | 
286 |                     if (_outputFileWriter != null)
287 |                     {
288 |                         _outputFileWriter.WriteLine(output);
289 |                     }
290 |                 }
291 |             }
292 |         }
293 |         catch (Exception ex)
294 |         {
295 |             Console.WriteLine(ex.ToString());
296 |         }
297 |         return isFound;
298 |     }
299 | 
300 |     public static int ValidateThreadCount(int threads)
301 |     {
302 |         return threads > 0 ? threads : 50;
303 |     }
304 | }


--------------------------------------------------------------------------------
/Subdominator/custom_fingerprints.json:
--------------------------------------------------------------------------------
  1 | [
  2 |   {
  3 |     "cname": [ "teamwork.com" ],
  4 |     "discussion": "",
  5 |     "documentation": "",
  6 |     "fingerprint": "Oops - We didn't find your site.",
  7 |     "http_status": null,
  8 |     "nxdomain": false,
  9 |     "service": "Teamwork",
 10 |     "status": "Vulnerable",
 11 |     "vulnerable": true
 12 |   },
 13 |   {
 14 |     "cname": [ "wishpond.com" ],
 15 |     "discussion": "",
 16 |     "documentation": "",
 17 |     "fingerprint": "https://www.wishpond.com/404?campaign=true",
 18 |     "http_status": null,
 19 |     "nxdomain": false,
 20 |     "service": "Wishpond",
 21 |     "status": "Vulnerable",
 22 |     "vulnerable": true
 23 |   },
 24 |   {
 25 |     "cname": [ "aftership.com" ],
 26 |     "discussion": "",
 27 |     "documentation": "",
 28 |     "fingerprint": "Oops.</h2><p class=\"text-muted text-tight\">The page you're looking for doesn't exist.",
 29 |     "http_status": null,
 30 |     "nxdomain": false,
 31 |     "service": "Aftership",
 32 |     "status": "Vulnerable",
 33 |     "vulnerable": true
 34 |   },
 35 |   {
 36 |     "cname": [ "ideas.aha.io" ],
 37 |     "discussion": "",
 38 |     "documentation": "",
 39 |     "fingerprint": "There is no portal here ... sending you back to Aha!",
 40 |     "http_status": null,
 41 |     "nxdomain": false,
 42 |     "service": "Aha",
 43 |     "status": "Vulnerable",
 44 |     "vulnerable": true
 45 |   },
 46 |   {
 47 |     "cname": [ "domains.tictail.com" ],
 48 |     "discussion": "",
 49 |     "documentation": "",
 50 |     "fingerprint": [
 51 |       "to target URL: <a href=\"https://tictail.com",
 52 |       "Start selling on Tictail."
 53 |     ],
 54 |     "http_status": null,
 55 |     "nxdomain": false,
 56 |     "service": "Tictail",
 57 |     "status": "Vulnerable",
 58 |     "vulnerable": true
 59 |   },
 60 |   {
 61 |     "cname": [ "brightcovegallery.com", "gallery.video", "bcvp0rtal.com" ],
 62 |     "discussion": "",
 63 |     "documentation": "",
 64 |     "fingerprint": "<p class=\"bc-gallery-error-code\">Error Code: 404</p>",
 65 |     "http_status": null,
 66 |     "nxdomain": false,
 67 |     "service": "Brightcove",
 68 |     "status": "Vulnerable",
 69 |     "vulnerable": true
 70 |   },
 71 |   {
 72 |     "cname": [ "bigcartel.com" ],
 73 |     "discussion": "",
 74 |     "documentation": "",
 75 |     "fingerprint": "<h1>Oops! We couldn&#8217;t find that page.</h1>",
 76 |     "http_status": null,
 77 |     "nxdomain": false,
 78 |     "service": "BigCartel",
 79 |     "status": "Vulnerable",
 80 |     "vulnerable": true
 81 |   },
 82 |   {
 83 |     "cname": [ "simplebooklet.com" ],
 84 |     "discussion": "",
 85 |     "documentation": "",
 86 |     "fingerprint": "We can't find this <a href=\"https://simplebooklet.com",
 87 |     "http_status": null,
 88 |     "nxdomain": false,
 89 |     "service": "SimpleBooklet",
 90 |     "status": "Vulnerable",
 91 |     "vulnerable": true
 92 |   },
 93 |   {
 94 |     "cname": [ "vendecommerce.com" ],
 95 |     "discussion": "",
 96 |     "documentation": "",
 97 |     "fingerprint": "Looks like you've traveled too far into cyberspace.",
 98 |     "http_status": null,
 99 |     "nxdomain": false,
100 |     "service": "Vend",
101 |     "status": "Vulnerable",
102 |     "vulnerable": true
103 |   },
104 |   {
105 |     "cname": [ "-portal.apigee.net" ],
106 |     "discussion": "",
107 |     "documentation": "",
108 |     "fingerprint": "NXDOMAIN",
109 |     "http_status": null,
110 |     "nxdomain": true,
111 |     "service": "Apigee",
112 |     "status": "Vulnerable",
113 |     "vulnerable": true
114 |   },
115 |   {
116 |     "cname": [ "activehosted.com" ],
117 |     "discussion": "",
118 |     "documentation": "",
119 |     "fingerprint": "alt=\"LIGHTTPD - fly light.\"",
120 |     "http_status": null,
121 |     "nxdomain": false,
122 |     "service": "ActiveCampaign",
123 |     "status": "Vulnerable",
124 |     "vulnerable": true
125 |   },
126 |   {
127 |     "cname": [ "endpoint.mykajabi.com" ],
128 |     "discussion": "",
129 |     "documentation": "https://pastes.io/ik2rhibj6m",
130 |     "fingerprint": "<h1>The page you were looking for doesn't exist.</h1>",
131 |     "http_status": null,
132 |     "nxdomain": false,
133 |     "service": "Kajabi",
134 |     "status": "Vulnerable",
135 |     "vulnerable": true
136 |   },
137 |   {
138 |     "cname": [ "custom-proxy.leadpages.net", "leadpages.net" ],
139 |     "discussion": "",
140 |     "documentation": "",
141 |     "fingerprint": "Double check that you have the right web address and give it another go!</p>",
142 |     "http_status": null,
143 |     "nxdomain": false,
144 |     "service": "LeadPages.com",
145 |     "status": "Vulnerable",
146 |     "vulnerable": true
147 |   },
148 |   {
149 |     "cname": [ "proposify.biz" ],
150 |     "discussion": "",
151 |     "documentation": "",
152 |     "fingerprint": "If you need immediate assistance, please contact <a href=\"mailto:support@proposify.biz",
153 |     "http_status": null,
154 |     "nxdomain": false,
155 |     "service": "Proposify",
156 |     "status": "Vulnerable",
157 |     "vulnerable": true
158 |   },
159 |   {
160 |     "cname": [ "privatedomain.sgizmo.com", "privatedomain.surveygizmo.eu", "privatedomain.sgizmoca.com" ],
161 |     "discussion": "",
162 |     "documentation": "",
163 |     "fingerprint": "data-html-name",
164 |     "http_status": null,
165 |     "nxdomain": false,
166 |     "service": "Surveygizmo",
167 |     "status": "Vulnerable",
168 |     "vulnerable": true
169 |   },
170 |   {
171 |     "cname": [ "clientaccess.tave.com" ],
172 |     "discussion": "",
173 |     "documentation": "",
174 |     "fingerprint": "<h1>Error 404: Page Not Found</h1>",
175 |     "http_status": null,
176 |     "nxdomain": false,
177 |     "service": "Tave",
178 |     "status": "Vulnerable",
179 |     "vulnerable": true
180 |   },
181 |   {
182 |     "cname": [ "thinkific.com" ],
183 |     "discussion": "",
184 |     "documentation": "",
185 |     "fingerprint": "You may have mistyped the address or the page may have moved.",
186 |     "http_status": null,
187 |     "nxdomain": false,
188 |     "service": "Thinkific",
189 |     "status": "Vulnerable",
190 |     "vulnerable": true
191 |   },
192 |   {
193 |     "cname": [ "appery.io" ],
194 |     "a": [ "35.171.252.37", "107.20.248.61" ],
195 |     "discussion": "",
196 |     "documentation": "",
197 |     "fingerprint": "This page will be updated automatically when your app is published.",
198 |     "http_status": null,
199 |     "nxdomain": false,
200 |     "service": "Appery.io",
201 |     "status": "Vulnerable",
202 |     "vulnerable": true
203 |   },
204 |   {
205 |     "cname": [ "datocms.com" ],
206 |     "discussion": "",
207 |     "documentation": "",
208 |     "fingerprint": "<!doctype html><html><head><meta charset=\"utf-8\"><title>Loading...</title>",
209 |     "http_status": null,
210 |     "nxdomain": false,
211 |     "service": "DatoCMS.com",
212 |     "status": "Vulnerable",
213 |     "vulnerable": true
214 |   },
215 |   {
216 |     "cname": [ "jazzhr.com" ],
217 |     "discussion": "",
218 |     "documentation": "",
219 |     "fingerprint": "This account no longer active",
220 |     "http_status": null,
221 |     "nxdomain": false,
222 |     "service": "JazzHR",
223 |     "status": "Edge Case",
224 |     "vulnerable": true
225 |   },
226 |   {
227 |     "cname": [ "www.wufoo.com", "subdomain.wufoo.com", "hello.wufoo.com", "pizzapalace.wufoo.com" ],
228 |     "discussion": "",
229 |     "documentation": "",
230 |     "fingerprint": "Hmmm....something is not right.",
231 |     "http_status": null,
232 |     "nxdomain": false,
233 |     "service": "Wufoo",
234 |     "status": "Vulnerable",
235 |     "vulnerable": true
236 |   },
237 |   {
238 |     "cname": [ "proxy.sprintful.com", "cname.sprintful.com", "sprintful.com" ],
239 |     "discussion": "",
240 |     "documentation": "",
241 |     "fingerprint": "This domain name does not have a default page configured.",
242 |     "http_status": null,
243 |     "nxdomain": false,
244 |     "service": "Sprintful",
245 |     "status": "Vulnerable",
246 |     "vulnerable": true
247 |   },
248 |   {
249 |     "cname": [ "s1.pagewiz.net" ],
250 |     "discussion": "",
251 |     "documentation": "",
252 |     "fingerprint": "pagewiz",
253 |     "http_status": null,
254 |     "nxdomain": false,
255 |     "service": "Pagewiz",
256 |     "status": "Vulnerable",
257 |     "vulnerable": true
258 |   },
259 |   {
260 |     "cname": [ "gitbook.io" ],
261 |     "discussion": "",
262 |     "documentation": "",
263 |     "fingerprint": "Domain not found",
264 |     "http_status": null,
265 |     "nxdomain": false,
266 |     "service": "Gitbook",
267 |     "status": "Vulnerable",
268 |     "vulnerable": true
269 |   },
270 |   {
271 |     "cname": [ "getflywheel.com" ],
272 |     "discussion": "",
273 |     "documentation": "",
274 |     "fingerprint": "We're sorry, you've landed on a page that is hosted by Flywheel",
275 |     "http_status": null,
276 |     "nxdomain": false,
277 |     "service": "Flywheel",
278 |     "status": "Vulnerable",
279 |     "vulnerable": true
280 |   },
281 |   {
282 |     "cname": [ "cname.announcekit.app" ],
283 |     "a": [ "3.92.121.217", "50.16.59.100", "54.237.94.37" ],
284 |     "discussion": "https://github.com/EdOverflow/can-i-take-over-xyz/issues/228",
285 |     "documentation": "",
286 |     "fingerprint": "Error 404 - AnnounceKit",
287 |     "http_status": null,
288 |     "nxdomain": false,
289 |     "service": "Announcekit",
290 |     "status": "Vulnerable",
291 |     "vulnerable": true
292 |   },
293 |   {
294 |     "cname": [ "flexbe.com" ],
295 |     "discussion": "",
296 |     "documentation": "",
297 |     "fingerprint": "flexbe",
298 |     "http_status": null,
299 |     "nxdomain": false,
300 |     "service": "Flexbe",
301 |     "status": "Edge Case",
302 |     "vulnerable": true
303 |   },
304 |   {
305 |     "cname": [],
306 |     "a": [
307 |       "3.13.222.255",
308 |       "3.13.246.91",
309 |       "3.130.60.26"
310 |     ],
311 |     "discussion": "https://github.com/punk-security/dnsReaper/pull/157",
312 |     "documentation": "",
313 |     "fingerprint": "The page you were looking for doesn",
314 |     "http_status": null,
315 |     "nxdomain": false,
316 |     "service": "ConvertKit",
317 |     "status": "Vulnerable",
318 |     "vulnerable": true
319 |   },
320 |   {
321 |     "cname": [ "domains.tribeplatform.com" ],
322 |     "discussion": "https://github.com/EdOverflow/can-i-take-over-xyz/issues/286",
323 |     "documentation": "https://community.tribe.so/knowledge-base-2-0/post/custom-domain-GN59yUKKHrgKdBX",
324 |     "fingerprint": "Community not found",
325 |     "http_status": null,
326 |     "nxdomain": false,
327 |     "service": "Tribe",
328 |     "status": "Vulnerable",
329 |     "vulnerable": true
330 |   },
331 |   {
332 |     "cname": [ "forms.cs.zohohost.com", "forms.cs.zohohost.eu" ],
333 |     "discussion": "https://github.com/punk-security/dnsReaper/pull/105",
334 |     "documentation": "",
335 |     "fingerprint": "HTTP_STATUS=400",
336 |     "http_status": 400,
337 |     "nxdomain": false,
338 |     "service": "Zoho Forms",
339 |     "status": "Vulnerable",
340 |     "vulnerable": true
341 |   },
342 |   {
343 |     "cname": [ "forms.cs.zohohost.in" ],
344 |     "discussion": "https://github.com/punk-security/dnsReaper/pull/105",
345 |     "documentation": "",
346 |     "fingerprint": "HTTP_STATUS=403",
347 |     "http_status": 403,
348 |     "nxdomain": false,
349 |     "service": "Zoho Forms India",
350 |     "status": "Vulnerable",
351 |     "vulnerable": true
352 |   },
353 |   {
354 |     "cname": [ "brandpad.io" ],
355 |     "discussion": "",
356 |     "documentation": "https://hackerone.com/reports/1474784",
357 |     "fingerprint": "Sorry, that page doesn't exist",
358 |     "http_status": null,
359 |     "nxdomain": false,
360 |     "service": "Brandpad",
361 |     "status": "Vulnerable",
362 |     "vulnerable": true
363 |   },
364 |   {
365 |     "cname": [ "app.bubble.io" ],
366 |     "discussion": "https://github.com/EdOverflow/can-i-take-over-xyz/issues/382",
367 |     "documentation": "https://manual.bubble.io/help-guides/optimizing-an-application/hosting-and-scaling/domain-and-dns",
368 |     "fingerprint": "HTTP_STATUS=301",
369 |     "http_status": 301,
370 |     "nxdomain": false,
371 |     "service": "Bubble.io",
372 |     "status": "Vulnerable",
373 |     "vulnerable": true
374 |   },
375 |   {
376 |     "cname": [ ".refined.site" ],
377 |     "discussion": "https://github.com/EdOverflow/can-i-take-over-xyz/issues/376",
378 |     "documentation": "https://help.refined.com/space/CLOUDDOCS/4704241157",
379 |     "fingerprint": "",
380 |     "http_status": null,
381 |     "nxdomain": true,
382 |     "service": "Refined",
383 |     "status": "Vulnerable",
384 |     "vulnerable": true
385 |   },
386 |   {
387 |     "cname": [ "statuspage.betteruptime.com" ],
388 |     "discussion": "https://github.com/EdOverflow/can-i-take-over-xyz/issues/368",
389 |     "documentation": "https://betterstack.com/docs/uptime/custom-subdomain/",
390 |     "fingerprint": "HTTP_STATUS=302",
391 |     "http_status": 302,
392 |     "nxdomain": false,
393 |     "service": "Better Uptime",
394 |     "status": "Vulnerable",
395 |     "vulnerable": true
396 |   },
397 |   {
398 |     "cname": [ ".amazoncognito.com" ],
399 |     "discussion": "https://github.com/EdOverflow/can-i-take-over-xyz/issues/358",
400 |     "documentation": "https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-integration.html",
401 |     "fingerprint": "",
402 |     "http_status": null,
403 |     "nxdomain": true,
404 |     "service": "Amazon Cognito",
405 |     "status": "Vulnerable",
406 |     "vulnerable": true
407 |   },
408 |   {
409 |     "cname": [ ".useresponse.com" ],
410 |     "discussion": "https://github.com/EdOverflow/can-i-take-over-xyz/issues/357",
411 |     "documentation": "https://help.useresponse.com/knowledge-base/article/using-a-custom-domain-for-your-support-center",
412 |     "fingerprint": "HTTP_STATUS=302",
413 |     "http_status": 302,
414 |     "nxdomain": false,
415 |     "service": "UseResponse",
416 |     "status": "Vulnerable",
417 |     "vulnerable": true
418 |   },
419 |   {
420 |     "cname": [ ".softr.io" ],
421 |     "a": [ "35.158.87.123" ],
422 |     "discussion": "https://github.com/EdOverflow/can-i-take-over-xyz/issues/352",
423 |     "documentation": "https://docs.softr.io/custom-domain-and-publishing/9qTmU2Lj8Gnpr1Ue6dEAkX/add-a-custom-domain-to-your-app/93K5bLJN3n91MRo9uRGdAf",
424 |     "fingerprint": "HTTP_STATUS=302",
425 |     "http_status": 302,
426 |     "nxdomain": false,
427 |     "service": "Softr",
428 |     "status": "Vulnerable",
429 |     "vulnerable": true
430 |   },
431 |   {
432 |     "cname": [ ".galaxy-ingress.meteor.com" ],
433 |     "discussion": "https://github.com/EdOverflow/can-i-take-over-xyz/issues/321",
434 |     "documentation": "https://galaxy-guide.meteor.com/dns.html",
435 |     "fingerprint": "HTTP_STATUS=404",
436 |     "http_status": 404,
437 |     "nxdomain": false,
438 |     "service": "Meteor Cloud (Galaxy)",
439 |     "status": "Vulnerable",
440 |     "vulnerable": true
441 |   },
442 |   {
443 |     "cname": [ ".app.link", ".bnc.lt" ],
444 |     "discussion": "https://github.com/EdOverflow/can-i-take-over-xyz/issues/197",
445 |     "documentation": "https://help.branch.io/using-branch/docs/advanced-settings-configuration",
446 |     "fingerprint": "That link could not be found!",
447 |     "http_status": null,
448 |     "nxdomain": false,
449 |     "service": "Branch.io",
450 |     "status": "Vulnerable",
451 |     "vulnerable": true
452 |   },
453 |   {
454 |     "cname": [ "custom.zight.com", "custom.getcloudapp.com" ],
455 |     "discussion": "https://github.com/EdOverflow/can-i-take-over-xyz/issues/196",
456 |     "documentation": "https://support.zight.com/hc/en-us/articles/5840762908311-How-do-I-setup-a-branded-URL-custom-domain-and-SSL-HTTPS-",
457 |     "fingerprint": "HTTP_STATUS=301",
458 |     "http_status": 301,
459 |     "nxdomain": false,
460 |     "service": "GetCloudApp",
461 |     "status": "Vulnerable",
462 |     "vulnerable": true
463 |   }
464 | ]


--------------------------------------------------------------------------------
/Subdominator.Tests/CoverageTests.cs:
--------------------------------------------------------------------------------
  1 | using System.Text.Json;
  2 | using System.Text.RegularExpressions;
  3 | 
  4 | namespace Subdominator.Tests;
  5 | 
  6 | [TestClass]
  7 | public class CoverageTests
  8 | {
  9 |     private HttpClient _http = new();
 10 | 
 11 |     [TestInitialize]
 12 |     public void Setup()
 13 |     {
 14 |         _http = new();
 15 |         _http.DefaultRequestHeaders.UserAgent.Clear();
 16 |         _http.DefaultRequestHeaders.UserAgent.Add(new System.Net.Http.Headers.ProductInfoHeaderValue("Subdominator", "1"));
 17 |     }
 18 | 
 19 |     [TestMethod]
 20 |     public async Task TestDnsCoverage()
 21 |     {
 22 | 
 23 |     }
 24 | 
 25 |     [TestMethod]
 26 |     public async Task TestDomainCoverage()
 27 |     {
 28 |         var myFingerprints = (await new SubdomainHijack().GetFingerprintsAsync(false)).ToList();
 29 |         var canITakeOverFingerprints = await GetCanITakeOverXyzFingerprints();
 30 |         var subdoverFingerprints = await GetSubdoverFingerprints();
 31 |         var subjackFingerprints = await GetSubjackFingerprints();
 32 |         var dnsReaperFingerprints = await GetDnsReaperFingerprints();
 33 |         var echoCipherFingerprints = await GetEchoCipherFingerprints();
 34 | 
 35 |         // Make sure we got them all correctly
 36 |         Assert.IsTrue(myFingerprints.Any());
 37 |         Assert.IsTrue(canITakeOverFingerprints.Any());
 38 |         Assert.IsTrue(subdoverFingerprints.Any());
 39 |         Assert.IsTrue(subjackFingerprints.Any());
 40 |         Assert.IsTrue(dnsReaperFingerprints.Any());
 41 |         Assert.IsTrue(echoCipherFingerprints.Any());
 42 | 
 43 |         // Make sure there's no "Not vulnerable" services
 44 |         Assert.IsFalse(myFingerprints.Any(f => f.Status.ToLower() == "not vulnerable"));
 45 |         Assert.IsFalse(canITakeOverFingerprints.Any(f => f.Status.ToLower() == "not vulnerable"));
 46 |         Assert.IsFalse(subdoverFingerprints.Any(f => f.Status.ToLower() == "not vulnerable"));
 47 |         Assert.IsFalse(subjackFingerprints.Any(f => f.Status?.ToLower() == "not vulnerable"));
 48 |         Assert.IsFalse(dnsReaperFingerprints.Any(f => f.Status.ToLower() == "not vulnerable"));
 49 |         Assert.IsFalse(echoCipherFingerprints.Any(f => f.Status.ToLower() == "not vulnerable"));
 50 | 
 51 |         // Generic function to normalize service names
 52 |         static string normalizeServiceName(string name) => name.ToLowerInvariant()
 53 |             .Replace(" ", "").Replace("_", "").Replace("-", "").Replace(".org", "")
 54 |             .Replace(".io", "").Replace(".com", "").Replace(".net", "");
 55 | 
 56 |         // Define mappings for remaining service name differences
 57 |         var mappings = new Dictionary<string, List<string>>
 58 |         {
 59 |             {"cargocollective", new(){ "cargo" }},
 60 |             {"smugsmug", new(){ "smugmug" }},
 61 |             {"smartjobboard", new(){ "smartjob", "mysmartjobboard" }},
 62 |             {"short", new(){ "shortio" }},
 63 |             {"aws/s3", new(){ "s3bucket", "amazonaws" }},
 64 |             {"surge.sh", new(){ "surge" }},
 65 |             {"microsoftazure", new(){ "azure" }},
 66 |             {"aws/elasticbeanstalk", new(){ "elasticbeanstalkawsservice", "elasticbeanstalk" }},
 67 |             {"airee.ru", new(){ "aireeru" }},
 68 |             {"wordpress", new(){ "wordpresscomcname" }},
 69 |             {"activecampaign", new(){ "activecompaign" }},
 70 |             {"campaignmonitor", new(){ "compaignmonitor" } },
 71 |             {"github", new(){ "githubpages" } },
 72 |             {"launchrock", new(){ "launchrockcname" } },
 73 |             {"vend", new(){ "vendhq" } },
 74 |             {"zohoformsindia", new(){ "zohoformsin" } }
 75 |         };
 76 | 
 77 |         // Some tools have invalid fingerprints that aren't possible to take over anymore
 78 |         var invalidFingerprints = new List<string>()
 79 |         {
 80 |             "cloudfront",
 81 |             "feedpress",
 82 |             "statuspage",
 83 |             "freshdesk",
 84 |             "hubspot",
 85 |             "kinsta",
 86 |             "desk"
 87 |         };
 88 | 
 89 |         var dnsFingerprints = new List<string>()
 90 |         {
 91 |             "000domains",
 92 |             "awsns",
 93 |             "bizland",
 94 |             "brandpad",
 95 |             "dnsmadeeasy",
 96 |             "dnssimple",
 97 |             "domain",
 98 |             "dotster",
 99 |             "googlecloud",
100 |             "hostinger",
101 |             "hurricaneelectric",
102 |             "linode",
103 |             "mediatemplate",
104 |             "name", // name.com
105 |             "nsone",
106 |             "reg",
107 |             "tierranet",
108 |             "wordpresscomns"
109 |         };
110 | 
111 |         // Function to apply mappings to service names
112 |         string applyMappings(string serviceName)
113 |         {
114 |             var normalizedServiceName = normalizeServiceName(serviceName);
115 |             foreach (var mapping in mappings)
116 |             {
117 |                 if (mapping.Value.Contains(normalizedServiceName))
118 |                 {
119 |                     return mapping.Key;  // Return the key if the normalized name is in the value list
120 |                 }
121 |             }
122 |             return normalizedServiceName;  // Return the normalized name if no mapping is found
123 |         }
124 | 
125 |         // Dictionary to hold normalized service names and their sources
126 |         var serviceSources = new Dictionary<string, List<string>>();
127 | 
128 |         // Helper method to add services to the dictionary
129 |         void AddServices(IEnumerable<Fingerprint> fingerprints, string source)
130 |         {
131 |             foreach (var fp in fingerprints)
132 |             {
133 |                 var mappedService = applyMappings(fp.Service);
134 |                 if (!invalidFingerprints.Contains(mappedService) && !dnsFingerprints.Contains(mappedService))
135 |                 {
136 |                     if (!serviceSources.ContainsKey(mappedService))
137 |                     {
138 |                         serviceSources[mappedService] = new List<string>();
139 |                     }
140 |                     serviceSources[mappedService].Add(source);
141 |                 }
142 |             }
143 |         }
144 | 
145 |         // Add services from each source
146 |         AddServices(canITakeOverFingerprints, "CanITakeOver");
147 |         AddServices(subdoverFingerprints, "Subdover");
148 |         AddServices(subjackFingerprints, "Subjack");
149 |         AddServices(dnsReaperFingerprints, "DNSReaper");
150 |         AddServices(echoCipherFingerprints, "EchoCipher");
151 | 
152 |         // Normalized services from your fingerprints
153 |         var myNormalizedServices = myFingerprints.Select(fp => applyMappings(fp.Service)).ToHashSet();
154 | 
155 |         // Find missing services
156 |         var missingFingerprints = serviceSources.Keys.Except(myNormalizedServices).ToList();
157 | 
158 |         // Filter fingerprints to exclude invalid and DNS services before counting
159 |         int countValidFingerprints(IEnumerable<Fingerprint> fingerprints) =>
160 |             fingerprints.Count(fp => !invalidFingerprints.Contains(applyMappings(fp.Service))
161 |                                   && !dnsFingerprints.Contains(applyMappings(fp.Service)));
162 | 
163 |         // Calculate number of fingerprints for each tool
164 |         var myFingerprintCount = countValidFingerprints(myFingerprints);
165 |         var canITakeOverCount = countValidFingerprints(canITakeOverFingerprints);
166 |         var subdoverCount = countValidFingerprints(subdoverFingerprints);
167 |         var subjackCount = countValidFingerprints(subjackFingerprints);
168 |         var dnsReaperCount = countValidFingerprints(dnsReaperFingerprints);
169 |         var echoCipherCount = countValidFingerprints(echoCipherFingerprints);
170 | 
171 |         // Calculate crossover counts for each set of fingerprints
172 |         var calculateCrossoverCount = new Func<IEnumerable<Fingerprint>, int>(fingerprints =>
173 |             fingerprints.Count(fp => myNormalizedServices.Contains(applyMappings(fp.Service))));
174 | 
175 |         var canITakeOverCrossoverCount = calculateCrossoverCount(canITakeOverFingerprints);
176 |         var subdoverCrossoverCount = calculateCrossoverCount(subdoverFingerprints);
177 |         var subjackCrossoverCount = calculateCrossoverCount(subjackFingerprints);
178 |         var dnsReaperCrossoverCount = calculateCrossoverCount(dnsReaperFingerprints);
179 |         var echoCipherCrossoverCount = calculateCrossoverCount(echoCipherFingerprints);
180 | 
181 |         // Print results
182 |         Console.WriteLine($"Custom Fingerprints:       {myFingerprintCount}, Crossover: {myFingerprintCount}");
183 |         Console.WriteLine($"CanITakeOver Fingerprints: {canITakeOverCount}, Crossover: {canITakeOverCrossoverCount}");
184 |         Console.WriteLine($"Subdover Fingerprints:     {subdoverCount}, Crossover: {subdoverCrossoverCount}");
185 |         Console.WriteLine($"Subjack Fingerprints:      {subjackCount}, Crossover: {subjackCrossoverCount}");
186 |         Console.WriteLine($"DNS Reaper Fingerprints:   {dnsReaperCount}, Crossover: {dnsReaperCrossoverCount}");
187 |         Console.WriteLine($"EchoCipher Fingerprints:   {echoCipherCount}, Crossover: {echoCipherCrossoverCount}");
188 | 
189 |         // Print missing services, if any
190 |         if (missingFingerprints.Any())
191 |         {
192 |             Console.WriteLine("These services are not found in the custom fingerprints: ");
193 |             foreach (var service in missingFingerprints)
194 |             {
195 |                 var sources = string.Join(", ", serviceSources[service]);
196 |                 Console.WriteLine($"\t{service} (found in {sources})");
197 |             }
198 |         }
199 |         else
200 |         {
201 |             Console.WriteLine("Subdominator has complete coverage!");
202 |         }
203 | 
204 |         // Print a list of fingerprints for the readme
205 |         foreach (var fingerprint in myFingerprints.OrderBy(s => s.Service))
206 |         {
207 |             Console.WriteLine($"| {fingerprint.Service} | {fingerprint.Status} |");
208 |         }
209 |     }
210 | 
211 |     private async Task<List<Fingerprint>> GetCanITakeOverXyzFingerprints()
212 |     {
213 |         var canitakeoverxyzFingerprintJson = "https://raw.githubusercontent.com/EdOverflow/can-i-take-over-xyz/master/fingerprints.json";
214 |         var fingerprintsData = await _http.GetStringAsync(canitakeoverxyzFingerprintJson);
215 |         return JsonSerializer.Deserialize<List<Fingerprint>>(fingerprintsData)?
216 |             .Where(f => f.Status.ToLower() != "not vulnerable").ToList() ?? new List<Fingerprint>();
217 |     }
218 | 
219 |     private async Task<List<Fingerprint>> GetSubdoverFingerprints()
220 |     {
221 |         var subdoverFingerprintsPy = "https://raw.githubusercontent.com/PushpenderIndia/subdover/master/src/fingerprints.py";
222 |         var pythonFileContent = await _http.GetStringAsync(subdoverFingerprintsPy);
223 | 
224 |         // Parse out the fingerprints
225 |         const string startIndicator = "fingerprints_list = [";
226 |         const string endIndicator = "];";
227 | 
228 |         int startIndex = pythonFileContent.IndexOf(startIndicator);
229 |         if (startIndex == -1)
230 |         {
231 |             throw new Exception("Unable to parse Subdover fingerprints, start not found"); // Start indicator not found, throw
232 |         }
233 |         startIndex += startIndicator.Length - 1; // Adjust to include the opening bracket '['
234 | 
235 |         // Now we need to parse the json into objects following our structure
236 |         var subdoverJson = pythonFileContent[startIndex..];
237 | 
238 |         // Regular expression to remove Python-style comments
239 |         string jsonCompatibleString = Regex.Replace(subdoverJson.Replace("&#8217;", "'"), @"#.*", "")
240 |             .Replace("\r", "").Replace("\n", "");
241 | 
242 |         // Grab their array of arrays as objects because I'm too lazy to add classes for each provider
243 |         var options = new JsonSerializerOptions { AllowTrailingCommas = true };
244 |         var rawFingerprints = JsonSerializer.Deserialize<List<List<object>>>(jsonCompatibleString, options);
245 |         if (rawFingerprints == null)
246 |         {
247 |             return new List<Fingerprint>();
248 |         }
249 | 
250 |         var fingerprints = new List<Fingerprint>();
251 |         foreach (var rawFingerprint in rawFingerprints)
252 |         {
253 |             var fingerprint = new Fingerprint
254 |             {
255 |                 Service = rawFingerprint[0].ToString(),
256 |                 Status = rawFingerprint[1].ToString(),
257 |                 Cnames = rawFingerprint[2] is JsonElement jsonElement && jsonElement.ValueKind == JsonValueKind.Array
258 |                          ? jsonElement.EnumerateArray().Select(element => element.GetString()).ToList()
259 |                          : new List<string>(),
260 |                 FingerprintTexts = new List<string> { rawFingerprint[3].ToString() },
261 |                 Vulnerable = true
262 |             };
263 | 
264 |             fingerprints.Add(fingerprint);
265 |         }
266 | 
267 |         return fingerprints.Where(f => f.Status.ToLower() != "not vulnerable").ToList();
268 |     }
269 | 
270 |     private async Task<List<Fingerprint>> GetSubjackFingerprints()
271 |     {
272 |         var subjackFingerprintJson = "https://raw.githubusercontent.com/haccer/subjack/master/fingerprints.json";
273 |         var jsonContent = await _http.GetStringAsync(subjackFingerprintJson);
274 | 
275 |         return JsonSerializer.Deserialize<List<Fingerprint>>(jsonContent) ?? new List<Fingerprint>();
276 |     }
277 | 
278 |     // For DNS Reaper we are being a little cheeky and just pulling the signatures repo to check file names
279 |     private async Task<List<Fingerprint>> GetDnsReaperFingerprints()
280 |     {
281 |         var dnsReaperSignatures = "https://api.github.com/repos/punk-security/dnsReaper/contents/signatures?ref=main";
282 | 
283 |         var response = await _http.GetStringAsync(dnsReaperSignatures);
284 | 
285 |         var fileEntries = JsonSerializer.Deserialize<List<GitFileEntry>>(response, new JsonSerializerOptions { PropertyNameCaseInsensitive = true });
286 | 
287 |         if (fileEntries == null)
288 |         {
289 |             return new List<Fingerprint>();
290 |         }
291 | 
292 |         var fingerprints = new List<Fingerprint>();
293 |         foreach (var fileEntry in fileEntries)
294 |         {
295 |             if (fileEntry.Type == "file" && !fileEntry.Name.StartsWith("_") && fileEntry.Name.EndsWith(".py"))
296 |             {
297 |                 var serviceName = fileEntry.Name.Replace(".py", ""); // Removing the .py extension
298 |                 var fingerprint = new Fingerprint
299 |                 {
300 |                     Service = serviceName,
301 |                     Cnames = new List<string>(),
302 |                     FingerprintTexts = new List<string>(),
303 |                     HttpStatus = null,
304 |                     Nxdomain = false,
305 |                     Status = "Vulnerable",
306 |                     Vulnerable = true
307 |                 };
308 | 
309 |                 fingerprints.Add(fingerprint);
310 |             }
311 |         }
312 | 
313 |         return fingerprints;
314 |     }
315 | 
316 |     private async Task<List<Fingerprint>> GetEchoCipherFingerprints()
317 |     {
318 |         var jsonUrl = "https://raw.githubusercontent.com/Echocipher/Subdomain-Takeover/master/providers.json";
319 |         var response = await _http.GetStringAsync(jsonUrl);
320 | 
321 |         var rawFingerprints = JsonSerializer.Deserialize<List<EchoCipherFingerprint>>(response, new JsonSerializerOptions { PropertyNameCaseInsensitive = true });
322 |         if (rawFingerprints == null)
323 |         {
324 |             return new List<Fingerprint>();
325 |         }
326 | 
327 |         var echoCipherFingerprints = new List<Fingerprint>();
328 |         foreach (var rawFingerprint in rawFingerprints)
329 |         {
330 |             var fingerprint = new Fingerprint
331 |             {
332 |                 Service = rawFingerprint.Name,
333 |                 Cnames = rawFingerprint.Cname,
334 |                 FingerprintTexts = rawFingerprint.Response,
335 |                 HttpStatus = null,
336 |                 Nxdomain = false,
337 |                 Status = "Vulnerable",
338 |                 Vulnerable = true
339 |             };
340 | 
341 |             echoCipherFingerprints.Add(fingerprint);
342 |         }
343 | 
344 |         return echoCipherFingerprints;
345 |     }
346 | 
347 |     private class GitFileEntry
348 |     {
349 |         public string Name { get; set; }
350 |         public string Type { get; set; }
351 |     }
352 | 
353 |     private class EchoCipherFingerprint
354 |     {
355 |         public string Name { get; set; }
356 |         public List<string> Cname { get; set; }
357 |         public List<string> Response { get; set; }
358 |     }
359 | }
360 | 


--------------------------------------------------------------------------------
/Subdominator/SubdomainHijack.cs:
--------------------------------------------------------------------------------
  1 | using DnsClient;
  2 | using Microsoft.Extensions.Configuration;
  3 | using Nager.PublicSuffix;
  4 | using Nager.PublicSuffix.RuleProviders.CacheProviders;
  5 | using Nager.PublicSuffix.RuleProviders;
  6 | using Subdominator.Models;
  7 | using Subdominator.Utils;
  8 | using System.Collections.Concurrent;
  9 | using System.Text;
 10 | using System.Text.Json;
 11 | 
 12 | namespace Subdominator;
 13 | 
 14 | public class SubdomainHijack
 15 | {
 16 |     private readonly HttpClient _httpClient;
 17 |     private readonly HttpClient _httpClientNoRedirect;
 18 |     private readonly LookupClient _dnsClient;
 19 |     private List<Fingerprint> _fingerprints = new();
 20 |     private DomainParser _domainParser;
 21 | 
 22 |     // Some of the fingerprints are incorrectly labelled - these are all at least edge cases
 23 |     private HashSet<string> _overrides = new()
 24 |     {
 25 |         "Acquia",
 26 |         "Fastly",
 27 |         "Instapage", // https://github.com/EdOverflow/can-i-take-over-xyz/issues/349
 28 |         "Unbounce",
 29 |         "UserVoice", // Unsure - one confirmed report on snapchat
 30 |         "Zendesk"
 31 |     };
 32 | 
 33 |     // Some also have the wrong fingerprint >:(
 34 |     private Dictionary<string, List<string>> _fingerprintOverrides = new()
 35 |     {
 36 |         { "Acquia", new(){ "The site you are looking for could not be found.", "Web Site Not Found" } },
 37 |         { "Campaign Monitor", new(){ "Double check the URL or <a href=\"mailto:help@createsend.com" } },
 38 |         { "Cargo Collective", new(){ "If you're moving your domain away from Cargo you must make this configuration through your registrar's DNS control panel." } },
 39 |         { "Ghost", new(){ "The thing you were looking for is no longer here, or never was" } },
 40 |         { "Heroku", new(){ "herokucdn.com/error-pages/no-such-app.html" } },
 41 |         { "Instapage", new(){ "You've Discovered A Missing Link. Our Apologies!", "Looks Like You're Lost" } },
 42 |         { "Pantheon", new(){ "The gods are wise, but do not know of the site which you seek." } },
 43 |         { "Readthedocs", new(){ "is unknown to Read the Docs" } },
 44 |         { "Short.io", new(){ "This domain is not configured on Short.io" } },
 45 |         { "Wix", new(){ "Connect it to your Wix website in just a few easy steps", "Error ConnectYourDomain occurred" } },
 46 |         { "Ngrok", new(){ "ngrok.io not found" } },
 47 |         { "Wordpress", new(){ "Do you want to register " } }
 48 |     };
 49 | 
 50 |     // Extra cnames
 51 |     private Dictionary<string, List<string>> _cnameOverrides = new()
 52 |     {        
 53 |         { "Acquia", new(){ "acquia-test.co" } },
 54 |         { "Campaign Monitor", new(){ "createsend.com", "name.createsend.com" } },
 55 |         { "Canny", new(){ "cname.canny.io" } },
 56 |         { "Cargo Collective", new(){ "cargocollective.com", "subdomain.cargocollective.com" } },
 57 |         { "Fastly", new(){ "fastly.net" } },
 58 |         { "Frontify", new(){ "frontify.com" } },
 59 |         { "GetResponse", new(){ "gr8.com" } },
 60 |         { "Github", new() { "github.io" } },
 61 |         { "Heroku", new() { "herokuapp" } },
 62 |         { "Intercom", new() { "custom.intercom.help" } },
 63 |         { "Instapage", new(){ "pageserve.co", "secure.pageserve.co" } },
 64 |         { "Landingi", new() { "cname.landingi.com" } },
 65 |         { "Mashery", new() { "mashery.com" } },
 66 |         { "Microsoft Azure", new(){ "trafficmanager.net" } },
 67 |         { "Netlify", new() { "cname.netlify.app", "cname.netlify.com", "netlify.com", "netlify.app" } },
 68 |         { "Pantheon", new(){ "pantheonsite.io" } },
 69 |         { "Pingdom", new(){ "stats.pingdom.com" } },
 70 |         { "Readthedocs", new(){ "readthedocs.io" } },
 71 |         { "Shopify", new(){ "myshopify.com" } },
 72 |         { "Short.io", new(){ "cname.short.io" } },
 73 |         { "Smartling", new(){ "smartling.com" } },
 74 |         { "Smugsmug", new(){ "domains.smugmug.com" } },
 75 |         { "Tilda", new(){ "tilda.ws" } },
 76 |         { "Tumblr", new(){ "domains.tumblr.com" } },
 77 |         { "Unbounce", new(){ "unbouncepages.com" } },
 78 |         { "UserVoice", new(){ "uservoice.com" } },
 79 |         { "Webflow", new(){ "proxy.webflow.com", "proxy-ssl.webflow.com" } },
 80 |         { "Wix", new(){ "wixdns.net" } },
 81 |         { "Vercel", new(){ ".vercel.com", "cname.vercel-dns.com" } },
 82 |         { "AWS/S3", new(){
 83 |             ".s3-accelerate.amazonaws.com",
 84 |             ".s3-accelerate.dualstack.amazonaws.com",
 85 |             ".s3-website-<region>.amazonaws.com",
 86 |             ".s3.<region>.amazonaws.com",
 87 |         }}
 88 |     };
 89 |     readonly List<string> awsRegions = new() {
 90 |         "us-east-1","us-east-2","us-west-1","us-west-2","af-south-1","ap-east-1","ap-south-1",
 91 |         "ap-northeast-3","ap-northeast-2", "ap-southeast-1","ap-southeast-2","ap-northeast-1",
 92 |         "ca-central-1","eu-central-1","eu-west-1","eu-west-2","eu-south-1","eu-west-3",
 93 |         "eu-north-1","me-south-1","sa-east-1","cn-north-1","cn-northwest-1",
 94 |         "gov-west-1","gov-east-1"
 95 |     };
 96 | 
 97 |     // At what point to I just make my own master list???
 98 |     private Dictionary<string, bool> _nxDomainOverride = new()
 99 |     {
100 |         { "Smugsmug", true }
101 |     };
102 | 
103 |     // We're fancy and support A/AAAA records
104 |     private Dictionary<string, List<string>> _aOverrides = new()
105 |     {
106 |         { "Github", new(){ "185.199.108.153", "185.199.109.153", "185.199.110.153", "185.199.111.153" } },
107 |         { "Fastly", new(){ "151.101." } },
108 |         { "Pantheon", new(){ "23.185.0." } },
109 |         { "Vercel", new(){ "76.76.21.21" } }
110 |     };
111 | 
112 |     private Dictionary<string, List<string>> _aaaaOverrides = new()
113 |     {
114 |         { "Github", new(){ "2606:50c0:8000::153", "2606:50c0:8001::153", "2606:50c0:8002::153", "2606:50c0:8003::153" } },
115 |         { "Fastly", new(){ "2a04:4e42:" } },
116 |         { "Pantheon", new(){ "2620:12a:" } }
117 |     };
118 | 
119 |     public SubdomainHijack(int httpTimeout = 5)
120 |     {
121 |         // Magic fix for weird content-type encodings from sites like windows-874
122 |         Encoding.RegisterProvider(CodePagesEncodingProvider.Instance);
123 | 
124 |         var handler = new HttpClientHandler
125 |         {
126 |             // Invalid SSL should be allowed
127 |             ServerCertificateCustomValidationCallback = (message, certificate2, chain, errors) => true
128 |         };
129 |         _httpClient = new HttpClient(handler) { Timeout = TimeSpan.FromSeconds(httpTimeout) };
130 | 
131 |         // We want to ignore redirects when expecting something like a 301 and follow otherwise to get the best results
132 |         handler = new HttpClientHandler
133 |         {
134 |             ServerCertificateCustomValidationCallback = (message, certificate2, chain, errors) => true,
135 |             AllowAutoRedirect = false
136 |         };
137 |         _httpClientNoRedirect = new HttpClient(handler) { Timeout = TimeSpan.FromSeconds(httpTimeout) };
138 | 
139 |         _dnsClient = new LookupClient();
140 | 
141 |         IConfiguration configuration = new ConfigurationBuilder()
142 |             .AddInMemoryCollection(
143 |             [
144 |                 new("Nager:PublicSuffix:DataUrl", "https://raw.githubusercontent.com/Stratus-Security/Subdominator/master/Subdominator/public_suffix_list.dat")
145 |             ])
146 |             .Build();
147 |         var cacheProvider = new LocalFileSystemCacheProvider();
148 |         var ruleProvider = new CachedHttpRuleProvider(cacheProvider, new HttpClient(), configuration);
149 |         _domainParser = new DomainParser(ruleProvider);
150 |         ruleProvider.BuildAsync().GetAwaiter().GetResult();
151 |     }
152 | 
153 |     public async Task<IEnumerable<Fingerprint>> GetFingerprintsAsync(bool excludeUnlikely, bool update = false)
154 |     {
155 |         // Don't reload if they're already cached in memory
156 |         if (_fingerprints.Count == 0)
157 |         {
158 |             string filePath = "fingerprints.json";
159 |             string customFilePath = "custom_fingerprints.json";
160 |             string fingerprintsData, customFingerprintsData;
161 | 
162 |             try
163 |             {
164 |                 // Check if the file exists locally
165 |                 if (!update && File.Exists(filePath))
166 |                 {
167 |                     // Read from the file if it exists
168 |                     fingerprintsData = await File.ReadAllTextAsync(filePath);
169 |                 }
170 |                 else
171 |                 {
172 |                     // Download the file if it doesn't exist
173 |                     var fingerprintsUrl = "https://raw.githubusercontent.com/EdOverflow/can-i-take-over-xyz/master/fingerprints.json";
174 |                     try
175 |                     {
176 |                         fingerprintsData = await _httpClient.GetStringAsync(fingerprintsUrl);
177 |                     }
178 |                     catch // One retry just in case github is having a bad day
179 |                     {
180 |                         fingerprintsData = await _httpClient.GetStringAsync(fingerprintsUrl);
181 |                     }
182 | 
183 |                     // Save the file locally for future use
184 |                     await File.WriteAllTextAsync(filePath, fingerprintsData);
185 |                 }
186 |                 
187 |                 // We also have a custom fingerprints file to enhance coverage but still allow auto-updates from can-i-take-over-xyz
188 |                 if (!update && File.Exists(customFilePath))
189 |                 {
190 |                     customFingerprintsData = await File.ReadAllTextAsync(customFilePath);
191 |                 }
192 |                 else
193 |                 {
194 |                     var customFingerprintsUrl = "https://raw.githubusercontent.com/Stratus-Security/Subdominator/master/Subdominator/custom_fingerprints.json";
195 | 
196 |                     try
197 |                     {
198 |                         customFingerprintsData = await _httpClient.GetStringAsync(customFingerprintsUrl);
199 |                     }
200 |                     catch
201 |                     {
202 |                         customFingerprintsData = await _httpClient.GetStringAsync(customFingerprintsUrl);
203 |                     }
204 |                     await File.WriteAllTextAsync(customFilePath, customFingerprintsData);
205 |                 }
206 | 
207 |                 var options = new JsonSerializerOptions();
208 |                 var context = new JsonContext(options);
209 | 
210 |                 // Deserialize the JSON data directly into a list of Fingerprint objects
211 |                 var fingerprints = JsonSerializer.Deserialize(fingerprintsData, context.ListFingerprint) ?? [];
212 |                 var customFingerprints = JsonSerializer.Deserialize(customFingerprintsData, context.ListFingerprint) ?? [];
213 | 
214 |                 // Find and store appropriate fingerprints
215 |                 foreach (var fingerprint in fingerprints)
216 |                 {
217 |                     // The override list contains edge cases that were incorrectly marked
218 |                     if (_overrides.Contains(fingerprint.Service))
219 |                     {
220 |                         fingerprint.Status = "Edge case";
221 |                     }
222 | 
223 |                     // Some of the fingerprints are wrong too :(
224 |                     if (_fingerprintOverrides.ContainsKey(fingerprint.Service))
225 |                     {
226 |                         fingerprint.FingerprintTexts.AddRange(_fingerprintOverrides[fingerprint.Service]);
227 |                     }
228 | 
229 |                     // Some of the cnames are missing so we fix
230 |                     if (_cnameOverrides.ContainsKey(fingerprint.Service))
231 |                     {
232 |                         var overrides = _cnameOverrides[fingerprint.Service];
233 | 
234 |                         // Populate with AWS regions
235 |                         if (fingerprint.Service == "AWS/S3")
236 |                         {
237 |                             foreach (var endpoint in overrides)
238 |                             {
239 |                                 if (endpoint.Contains("<region>"))
240 |                                 {
241 |                                     foreach (var region in awsRegions)
242 |                                     {
243 |                                         fingerprint.Cnames.Add(endpoint.Replace("<region>", region));
244 |                                     }
245 |                                 }
246 |                                 else
247 |                                 {
248 |                                     fingerprint.Cnames.Add(endpoint);
249 |                                 }
250 |                             }
251 |                         }
252 |                         else
253 |                         {
254 |                             fingerprint.Cnames.AddRange(overrides);
255 |                         }
256 |                     }
257 | 
258 |                     // Some nxdomain flags are wrong too ._.
259 |                     if (_nxDomainOverride.ContainsKey(fingerprint.Service))
260 |                     {
261 |                         fingerprint.Nxdomain = _nxDomainOverride[fingerprint.Service];
262 |                     }
263 |                     
264 |                     if (_aOverrides.ContainsKey(fingerprint.Service))
265 |                     {
266 |                         fingerprint.ARecords.AddRange(_aOverrides[fingerprint.Service]);
267 |                     }
268 | 
269 |                     if (_aaaaOverrides.ContainsKey(fingerprint.Service))
270 |                     {
271 |                         fingerprint.AAAARecords.AddRange(_aaaaOverrides[fingerprint.Service]);
272 |                     }
273 | 
274 |                     // Now ignore any non-vulnerable fingerprints
275 |                     if (fingerprint.Status.ToLower() != "not vulnerable")
276 |                     {
277 |                         // Filter edge cases if requested
278 |                         if(!(excludeUnlikely && fingerprint.Status.ToLower() == "edge case"))
279 |                         {
280 |                             _fingerprints.Add(fingerprint);
281 |                         }
282 |                     }
283 |                 }
284 | 
285 |                 // Now iterate custom fingerprints. The custom list is used for completeness, so it should not override the original
286 |                 foreach(var fingerprint in customFingerprints)
287 |                 {
288 |                     if (fingerprint.Status.ToLower() != "not vulnerable" && 
289 |                         !_fingerprints.Any(f => f.Service.ToLower() == fingerprint.Service.ToLower())
290 |                     )
291 |                     {
292 |                         // Filter edge cases if requested
293 |                         if (!(excludeUnlikely && fingerprint.Status.ToLower() == "edge case"))
294 |                         {
295 |                             _fingerprints.Add(fingerprint);
296 |                         }
297 |                     }
298 |                 }
299 |             }
300 |             catch (Exception ex)
301 |             {
302 |                 throw new Exception($"Error getting fingerprints! ({ex.Message})");
303 |             }
304 |         }
305 | 
306 |         return _fingerprints;
307 |     }
308 | 
309 |     public async Task<TakeoverResult> IsDomainVulnerable(string domain, bool validateResults, bool excludeUnlikely = false, bool update = false)
310 |     {
311 |         var fingerprints = await GetFingerprintsAsync(excludeUnlikely: excludeUnlikely, update: update);
312 | 
313 |         // DNS Lookup
314 |         var subdomainDns = await GetDnsForSubdomain(domain);
315 | 
316 |         // Before checking all the fingerprints, do the base check for expired domains
317 |         if(subdomainDns.IsNxdomain)
318 |         {
319 |             // Check if the domain is registered
320 |             if (subdomainDns.IsDomainRegistered == false)
321 |             {
322 |                 return new TakeoverResult()
323 |                 {
324 |                     IsVulnerable = true,
325 |                     Fingerprint = new Fingerprint() { Service = "Domain Available" },
326 |                     CNAMES = subdomainDns.Cnames,
327 |                     A = subdomainDns.A,
328 |                     AAAA =  subdomainDns.AAAA,
329 |                     MatchedLocation = MatchedLocation.DomainAvailable,
330 |                     MatchedRecord = MatchedRecord.CNAME
331 |                 };
332 |             }
333 |         }
334 | 
335 |         // Now check all the fingerprints
336 |         foreach (var fingerprint in fingerprints)
337 |         {
338 |             var result = await IsFingerprintVulnerable(fingerprint, subdomainDns, domain);
339 |             bool isVerified = false;
340 | 
341 |             if (result.Item1)
342 |             {
343 |                 // If we're validating results, we need to get a bit fancy
344 |                 if (validateResults)
345 |                 {
346 |                     try
347 |                     {
348 |                         // Check for any validator, it's a bit of reflected voodoo to strictly scope and maintain AoT compat
349 |                         var validator = ValidatorUtils.GetValidatorInstance(fingerprint.Service.Replace(" ", "").Replace("/", ""));
350 |                         if (validator != null)
351 |                         {
352 |                             var isAvailable = await validator.Execute(subdomainDns.Cnames);
353 |                             if (isAvailable.HasValue)
354 |                             {
355 |                                 if (isAvailable.Value)
356 |                                 {
357 |                                     // Successfully verified!
358 |                                     isVerified = true;
359 |                                 }
360 |                                 else
361 |                                 {
362 |                                     // Validation shows this isn't really vulnerable
363 |                                     continue;
364 |                                 }
365 |                             }
366 |                         }
367 |                     }
368 |                     catch
369 |                     {
370 |                         // There's a bunch that can go wrong (e.g. no creds) but we can't always get them
371 |                     }
372 |                 }
373 | 
374 |                 return new TakeoverResult()
375 |                 {
376 |                     IsVulnerable = true,
377 |                     IsVerified = isVerified,
378 |                     Fingerprint = fingerprint,
379 |                     CNAMES = subdomainDns.Cnames,
380 |                     A = subdomainDns.A,
381 |                     AAAA = subdomainDns.AAAA,
382 |                     MatchedRecord = result.Item2,
383 |                     MatchedLocation = result.Item3
384 |                 };
385 |             }
386 |         }
387 | 
388 |         return new TakeoverResult()
389 |         {
390 |             IsVulnerable = false,
391 |             Fingerprint = null,
392 |             CNAMES = subdomainDns.Cnames,
393 |             A = subdomainDns.A,
394 |             AAAA = subdomainDns.AAAA,
395 |             MatchedRecord = MatchedRecord.None,
396 |             MatchedLocation = MatchedLocation.None,
397 |         };
398 |     }
399 | 
400 |     // Check an individual fingerprint against and domain name and dns records
401 |     public async Task<(bool, MatchedRecord, MatchedLocation)> IsFingerprintVulnerable(Fingerprint fingerprint, CnameResolutionResult dns, string domain)
402 |     {
403 |         var isCnameMatch = dns.Cnames.Any(r => fingerprint.Cnames.Any(r.Contains));
404 |         var isAMatch = dns.A.Any(r => fingerprint.ARecords.Any(r.Contains));
405 |         var isAaaaMatch = dns.AAAA.Any(r => fingerprint.AAAARecords.Any(r.Contains));
406 | 
407 |         var matchedRecord = MatchedRecord.None;
408 |         if (isCnameMatch)
409 |         {
410 |             matchedRecord = MatchedRecord.CNAME;
411 |         }
412 |         else if (isAMatch)
413 |         {
414 |             matchedRecord = MatchedRecord.A;
415 |         }
416 |         else if (isAaaaMatch)
417 |         {
418 |             matchedRecord = MatchedRecord.AAAA;
419 |         }
420 | 
421 |         // If we expected nxdomain, check the cname matches
422 |         if (dns.IsNxdomain && fingerprint.Nxdomain)
423 |         {
424 |             // If any of the cnames, A or AAAA records from this fingerprint are in ours, match.
425 |             // Note this is a loose match (hence contains) to remove the need for regexes
426 |             if (isCnameMatch || isAMatch || isAaaaMatch)
427 |             {
428 |                 return (true, matchedRecord, MatchedLocation.NXDomain);
429 |             }
430 |         }
431 | 
432 |         // Only check fingerprints if we have a (partial) match
433 |         if (isCnameMatch || isAMatch || isAaaaMatch) 
434 |         {
435 |             var response = await HttpGet(domain, fingerprint.HttpStatus >= 300 && fingerprint.HttpStatus < 400);
436 |             string responseBody = "";
437 | 
438 |             // If we didn't get NXDOMAIN'd
439 |             if (response != null)
440 |             {
441 |                 try
442 |                 {
443 |                     responseBody = await response.Content.ReadAsStringAsync();
444 |                 }
445 |                 catch (InvalidOperationException)
446 |                 {
447 |                     // Fallback when an invalid charset is specified in the
448 |                     // response headers. Read as bytes and assume UTF8 to avoid
449 |                     // crashing. See GH issue #11.
450 |                     var bytes = await response.Content.ReadAsByteArrayAsync();
451 |                     responseBody = Encoding.UTF8.GetString(bytes);
452 |                 }
453 | 
454 |                 // Check if HTTP status matches the fingerprint
455 |                 if (fingerprint.HttpStatus.HasValue && (int)response.StatusCode == fingerprint.HttpStatus.Value)
456 |                 {
457 |                     return (true, matchedRecord, MatchedLocation.HttpStatus);
458 |                 }
459 | 
460 |                 // Check response content is available and matches
461 |                 if (fingerprint.FingerprintTexts.Any() && !string.IsNullOrWhiteSpace(responseBody))
462 |                 {
463 |                     foreach (var fingerprintMatch in fingerprint.FingerprintTexts)
464 |                     {
465 |                         if (!string.IsNullOrWhiteSpace(fingerprintMatch) && responseBody.Contains(fingerprintMatch))
466 |                         {
467 |                             return (true, matchedRecord, MatchedLocation.HttpBody);
468 |                         }
469 |                     }
470 |                 }
471 |             }
472 |         }
473 | 
474 |         return (false, matchedRecord, MatchedLocation.None);
475 |     }
476 | 
477 |     public async Task<CnameResolutionResult> GetDnsForSubdomain(string domain)
478 |     {
479 |         var result = new CnameResolutionResult();
480 |         var visitedCnames = new HashSet<string>();
481 | 
482 |         try
483 |         {
484 |             await ResolveDns(domain, result, visitedCnames);
485 |         }
486 |         catch// (Exception ex)
487 |         {
488 |             // This is fine
489 |             //throw new Exception($"Exception thrown trying to get cname records for {domain}! ({ex.Message})");
490 |         }
491 | 
492 |         return result;
493 |     }
494 | 
495 |     private async Task ResolveDns(string domain, CnameResolutionResult result, HashSet<string> visitedCnames)
496 |     {
497 |         const int maxRetries = 3; // Maximum number of retries
498 |         int retryCount = 0;
499 | 
500 |         while (retryCount < maxRetries)
501 |         {
502 |             try
503 |             {
504 |                 var cnameQueryResult = await _dnsClient.QueryAsync(domain, QueryType.CNAME);
505 | 
506 |                 if (cnameQueryResult.Header.ResponseCode == DnsHeaderResponseCode.NotExistentDomain)
507 |                 {
508 |                     result.IsNxdomain = true;
509 |                     result.IsDomainRegistered = await CheckDomainRegistration(domain);
510 |                     return;
511 |                 }
512 |                 else if (cnameQueryResult.HasError)
513 |                 {
514 |                     throw new Exception("DNS query error >:(");
515 |                 }
516 | 
517 |                 var cnameRecords = cnameQueryResult.Answers.CnameRecords().ToList();
518 |                 if (cnameRecords.Any())
519 |                 {
520 |                     foreach (var cnameRecord in cnameRecords)
521 |                     {
522 |                         var cname = cnameRecord.CanonicalName.Value;
523 | 
524 |                         // Check for loops
525 |                         if (visitedCnames.Contains(cname))
526 |                         {
527 |                             // Loop detected, move on
528 |                             return;
529 |                         }
530 | 
531 |                         visitedCnames.Add(cname);
532 |                         result.Cnames.Add(cname);
533 | 
534 |                         // Recursively resolve the current CNAME
535 |                         await ResolveDns(cname, result, visitedCnames);
536 |                     }
537 |                 }
538 |                 else
539 |                 {
540 |                     // Parallel queries for A and AAAA records
541 |                     var aTask = _dnsClient.QueryAsync(domain, QueryType.A);
542 |                     var aaaaTask = _dnsClient.QueryAsync(domain, QueryType.AAAA);
543 |                     await Task.WhenAll(aTask, aaaaTask);
544 | 
545 |                     var aQueryResult = aTask.Result;
546 |                     foreach (var aRecord in aQueryResult.Answers.ARecords())
547 |                     {
548 |                         result.A.Add(aRecord.Address.ToString());
549 |                     }
550 | 
551 |                     var aaaaQueryResult = aaaaTask.Result;
552 |                     foreach (var aaaaRecord in aaaaQueryResult.Answers.AaaaRecords())
553 |                     {
554 |                         result.AAAA.Add(aaaaRecord.Address.ToString());
555 |                     }
556 |                 }
557 | 
558 |                 // If we reach this point, it means the operation was successful
559 |                 break;
560 |             }
561 |             catch //(Exception ex)
562 |             {
563 |                 retryCount++;
564 |                 if (retryCount >= maxRetries)
565 |                 {
566 |                     // This is fine, almost always a bad record but we retry just in case
567 |                     //Console.WriteLine($"Exception thrown trying to get cname records for {domain} after {maxRetries} attempts! ({ex.Message})");
568 |                 }
569 |                 else
570 |                 {
571 |                     // Exponential backoff
572 |                     await Task.Delay(100 * retryCount);
573 |                 }
574 |             }
575 |         }
576 |     }
577 | 
578 |     // Cache checked domain registrations since I'm sure most runs of this tool will have lots of subdomains per root
579 |     private readonly ConcurrentDictionary<string, bool> _domainCache = new();
580 |     private readonly ConcurrentDictionary<string, SemaphoreSlim> _domainLocks = new();
581 |     private async Task<bool> CheckDomainRegistration(string domain)
582 |     {
583 |         try
584 |         {
585 |             // Normalize and extract the registrable part of the domain
586 |             var normalizedDomain = domain.Trim().ToLower().Trim('.');
587 | 
588 |             if (!_domainParser.IsValidDomain(normalizedDomain))
589 |             {
590 |                 return true;
591 |             }
592 | 
593 |             // Extract the registrable part of the domain
594 |             var domainData = _domainParser.Parse(normalizedDomain);
595 |             var registrableDomain = domainData.RegistrableDomain;
596 | 
597 |             var domainLock = _domainLocks.GetOrAdd(registrableDomain, _ => new SemaphoreSlim(1, 1));
598 |             await domainLock.WaitAsync();
599 | 
600 |             bool isRegistered = true;
601 |             try
602 |             {
603 |                 if (_domainCache.TryGetValue(registrableDomain, out isRegistered))
604 |                 {
605 |                     return isRegistered;
606 |                 }
607 | 
608 |                 var response = await new Whois.WhoisLookup().LookupAsync(registrableDomain);
609 |                 var whoisResponse = response.Content;
610 | 
611 |                 if (string.IsNullOrWhiteSpace(whoisResponse))
612 |                 {
613 |                     isRegistered = true;
614 |                 }
615 |                 else
616 |                 {
617 |                     isRegistered = IsDomainRegistered(whoisResponse);
618 |                 }
619 |                 _domainCache[registrableDomain] = isRegistered;
620 |             }
621 |             finally
622 |             {
623 |                 domainLock.Release();
624 |             }
625 | 
626 |             return isRegistered;
627 |         }
628 |         catch (Exception)
629 |         {
630 |             return true;
631 |         }
632 |     }
633 | 
634 |     private bool IsDomainRegistered(string whoisResponse)
635 |     {
636 |         // Expanded checks for indicators of a registered domain
637 |         var registrationIndicators = new List<string>
638 |         {
639 |             "Registrant:",
640 |             "Registrant Contact:",
641 |             "Registry Registrant ID",
642 |             "Admin Contact:",
643 |             "Tech Contact:",
644 |             "Name Server:",
645 |             "Creation Date:",
646 |             "Updated Date:",
647 |             "Registry Domain ID",
648 |             "Domain Status",
649 |             "Registrar:",
650 |             "Expiration Date:",
651 |             "Whois Server"
652 |         };
653 | 
654 |         foreach (var indicator in registrationIndicators)
655 |         {
656 |             if (whoisResponse.Contains(indicator, StringComparison.OrdinalIgnoreCase))
657 |             {
658 |                 return true;
659 |             }
660 |         }
661 | 
662 |         // Additional logic to handle common negative responses
663 |         var unregisteredIndicators = new List<string>
664 |         {
665 |             "No match for",
666 |             "No entries found",
667 |             "NOT FOUND",
668 |             "No data found"
669 |         };
670 | 
671 |         foreach (var indicator in unregisteredIndicators)
672 |         {
673 |             if (whoisResponse.Contains(indicator, StringComparison.OrdinalIgnoreCase))
674 |             {
675 |                 return false;
676 |             }
677 |         }
678 | 
679 |         // If none of the indicators are found, the domain's registration status is ambiguous
680 |         return true;
681 |     }
682 | 
683 |     public async Task<HttpResponseMessage?> HttpGet(string domain, bool redirect = true)
684 |     {
685 |         var client = redirect ? _httpClient : _httpClientNoRedirect;
686 |         try
687 |         {
688 |             return await client.GetAsync($"https://{domain}");
689 |         }
690 |         catch (HttpRequestException ex) when (ex.Message.Contains("No such host is known.")) 
691 |         {
692 |             // We could just skip HTTP requests when we detect NXDOMAIN responses but there's edge cases.
693 |             // For example, there could be an A record that points to an IP on a vulnerable domain
694 |             return null;
695 |         }
696 |         catch
697 |         {
698 |             // Try again with HTTP just in case
699 |             try
700 |             {
701 |                 return await client.GetAsync($"http://{domain}");
702 |             }
703 |             catch
704 |             {
705 |                 // Sometimes the site is just having a bad day and that's okay
706 |                 return new HttpResponseMessage();
707 |             }
708 |         }
709 |     }
710 | }
711 | 


--------------------------------------------------------------------------------