├── .appveyor.yml
├── .gitignore
├── .travis.yml
├── LICENSE
├── README.md
├── fingerprints.json
├── main.go
└── subjack
├── dns.go
├── dot.go
├── file.go
├── fingerprint.go
├── requests.go
└── subjack.go
/.appveyor.yml:
--------------------------------------------------------------------------------
1 | version: "{build}"
2 |
3 | clone_folder: c:\gopath\src\github.com\haccer\subjack
4 |
5 | environment:
6 | GOPATH: c:\gopath
7 |
8 | install:
9 | - echo %PATH%
10 | - echo %GOPATH%
11 | - set PATH=%GOPATH%\bin;c:\go\bin;%PATH%
12 | - go version
13 |
14 | build: false
15 |
16 | test_script:
17 | - go get github.com/haccer/available
18 | - go get github.com/miekg/dns
19 | - go get github.com/valyala/fasthttp
20 | - go build github.com/haccer/subjack
21 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | # common files
2 | *~
3 | *.log
4 | *.bak
5 | *.tmp
6 | *.swp
7 | *.lock
8 |
9 | # .gitignore Go Template
10 | # Binaries for programs and plugins
11 | *.exe
12 | *.exe~
13 | *.dll
14 | *.so
15 | *.dylib
16 |
17 | # Test binary, build with `go test -c`
18 | *.test
19 |
20 | # Output of the go coverage tool, specifically when used with LiteIDE
21 | *.out
22 |
--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
1 | language: go
2 | go: master
3 | sudo: false
4 | script: go test ./...
5 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | Apache License
2 | Version 2.0, January 2004
3 | http://www.apache.org/licenses/
4 |
5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
6 |
7 | 1. Definitions.
8 |
9 | "License" shall mean the terms and conditions for use, reproduction,
10 | and distribution as defined by Sections 1 through 9 of this document.
11 |
12 | "Licensor" shall mean the copyright owner or entity authorized by
13 | the copyright owner that is granting the License.
14 |
15 | "Legal Entity" shall mean the union of the acting entity and all
16 | other entities that control, are controlled by, or are under common
17 | control with that entity. For the purposes of this definition,
18 | "control" means (i) the power, direct or indirect, to cause the
19 | direction or management of such entity, whether by contract or
20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the
21 | outstanding shares, or (iii) beneficial ownership of such entity.
22 |
23 | "You" (or "Your") shall mean an individual or Legal Entity
24 | exercising permissions granted by this License.
25 |
26 | "Source" form shall mean the preferred form for making modifications,
27 | including but not limited to software source code, documentation
28 | source, and configuration files.
29 |
30 | "Object" form shall mean any form resulting from mechanical
31 | transformation or translation of a Source form, including but
32 | not limited to compiled object code, generated documentation,
33 | and conversions to other media types.
34 |
35 | "Work" shall mean the work of authorship, whether in Source or
36 | Object form, made available under the License, as indicated by a
37 | copyright notice that is included in or attached to the work
38 | (an example is provided in the Appendix below).
39 |
40 | "Derivative Works" shall mean any work, whether in Source or Object
41 | form, that is based on (or derived from) the Work and for which the
42 | editorial revisions, annotations, elaborations, or other modifications
43 | represent, as a whole, an original work of authorship. For the purposes
44 | of this License, Derivative Works shall not include works that remain
45 | separable from, or merely link (or bind by name) to the interfaces of,
46 | the Work and Derivative Works thereof.
47 |
48 | "Contribution" shall mean any work of authorship, including
49 | the original version of the Work and any modifications or additions
50 | to that Work or Derivative Works thereof, that is intentionally
51 | submitted to Licensor for inclusion in the Work by the copyright owner
52 | or by an individual or Legal Entity authorized to submit on behalf of
53 | the copyright owner. For the purposes of this definition, "submitted"
54 | means any form of electronic, verbal, or written communication sent
55 | to the Licensor or its representatives, including but not limited to
56 | communication on electronic mailing lists, source code control systems,
57 | and issue tracking systems that are managed by, or on behalf of, the
58 | Licensor for the purpose of discussing and improving the Work, but
59 | excluding communication that is conspicuously marked or otherwise
60 | designated in writing by the copyright owner as "Not a Contribution."
61 |
62 | "Contributor" shall mean Licensor and any individual or Legal Entity
63 | on behalf of whom a Contribution has been received by Licensor and
64 | subsequently incorporated within the Work.
65 |
66 | 2. Grant of Copyright License. Subject to the terms and conditions of
67 | this License, each Contributor hereby grants to You a perpetual,
68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
69 | copyright license to reproduce, prepare Derivative Works of,
70 | publicly display, publicly perform, sublicense, and distribute the
71 | Work and such Derivative Works in Source or Object form.
72 |
73 | 3. Grant of Patent License. Subject to the terms and conditions of
74 | this License, each Contributor hereby grants to You a perpetual,
75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
76 | (except as stated in this section) patent license to make, have made,
77 | use, offer to sell, sell, import, and otherwise transfer the Work,
78 | where such license applies only to those patent claims licensable
79 | by such Contributor that are necessarily infringed by their
80 | Contribution(s) alone or by combination of their Contribution(s)
81 | with the Work to which such Contribution(s) was submitted. If You
82 | institute patent litigation against any entity (including a
83 | cross-claim or counterclaim in a lawsuit) alleging that the Work
84 | or a Contribution incorporated within the Work constitutes direct
85 | or contributory patent infringement, then any patent licenses
86 | granted to You under this License for that Work shall terminate
87 | as of the date such litigation is filed.
88 |
89 | 4. Redistribution. You may reproduce and distribute copies of the
90 | Work or Derivative Works thereof in any medium, with or without
91 | modifications, and in Source or Object form, provided that You
92 | meet the following conditions:
93 |
94 | (a) You must give any other recipients of the Work or
95 | Derivative Works a copy of this License; and
96 |
97 | (b) You must cause any modified files to carry prominent notices
98 | stating that You changed the files; and
99 |
100 | (c) You must retain, in the Source form of any Derivative Works
101 | that You distribute, all copyright, patent, trademark, and
102 | attribution notices from the Source form of the Work,
103 | excluding those notices that do not pertain to any part of
104 | the Derivative Works; and
105 |
106 | (d) If the Work includes a "NOTICE" text file as part of its
107 | distribution, then any Derivative Works that You distribute must
108 | include a readable copy of the attribution notices contained
109 | within such NOTICE file, excluding those notices that do not
110 | pertain to any part of the Derivative Works, in at least one
111 | of the following places: within a NOTICE text file distributed
112 | as part of the Derivative Works; within the Source form or
113 | documentation, if provided along with the Derivative Works; or,
114 | within a display generated by the Derivative Works, if and
115 | wherever such third-party notices normally appear. The contents
116 | of the NOTICE file are for informational purposes only and
117 | do not modify the License. You may add Your own attribution
118 | notices within Derivative Works that You distribute, alongside
119 | or as an addendum to the NOTICE text from the Work, provided
120 | that such additional attribution notices cannot be construed
121 | as modifying the License.
122 |
123 | You may add Your own copyright statement to Your modifications and
124 | may provide additional or different license terms and conditions
125 | for use, reproduction, or distribution of Your modifications, or
126 | for any such Derivative Works as a whole, provided Your use,
127 | reproduction, and distribution of the Work otherwise complies with
128 | the conditions stated in this License.
129 |
130 | 5. Submission of Contributions. Unless You explicitly state otherwise,
131 | any Contribution intentionally submitted for inclusion in the Work
132 | by You to the Licensor shall be under the terms and conditions of
133 | this License, without any additional terms or conditions.
134 | Notwithstanding the above, nothing herein shall supersede or modify
135 | the terms of any separate license agreement you may have executed
136 | with Licensor regarding such Contributions.
137 |
138 | 6. Trademarks. This License does not grant permission to use the trade
139 | names, trademarks, service marks, or product names of the Licensor,
140 | except as required for reasonable and customary use in describing the
141 | origin of the Work and reproducing the content of the NOTICE file.
142 |
143 | 7. Disclaimer of Warranty. Unless required by applicable law or
144 | agreed to in writing, Licensor provides the Work (and each
145 | Contributor provides its Contributions) on an "AS IS" BASIS,
146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 | implied, including, without limitation, any warranties or conditions
148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 | PARTICULAR PURPOSE. You are solely responsible for determining the
150 | appropriateness of using or redistributing the Work and assume any
151 | risks associated with Your exercise of permissions under this License.
152 |
153 | 8. Limitation of Liability. In no event and under no legal theory,
154 | whether in tort (including negligence), contract, or otherwise,
155 | unless required by applicable law (such as deliberate and grossly
156 | negligent acts) or agreed to in writing, shall any Contributor be
157 | liable to You for damages, including any direct, indirect, special,
158 | incidental, or consequential damages of any character arising as a
159 | result of this License or out of the use or inability to use the
160 | Work (including but not limited to damages for loss of goodwill,
161 | work stoppage, computer failure or malfunction, or any and all
162 | other commercial damages or losses), even if such Contributor
163 | has been advised of the possibility of such damages.
164 |
165 | 9. Accepting Warranty or Additional Liability. While redistributing
166 | the Work or Derivative Works thereof, You may choose to offer,
167 | and charge a fee for, acceptance of support, warranty, indemnity,
168 | or other liability obligations and/or rights consistent with this
169 | License. However, in accepting such obligations, You may act only
170 | on Your own behalf and on Your sole responsibility, not on behalf
171 | of any other Contributor, and only if You agree to indemnify,
172 | defend, and hold each Contributor harmless for any liability
173 | incurred by, or claims asserted against, such Contributor by reason
174 | of your accepting any such warranty or additional liability.
175 |
176 | END OF TERMS AND CONDITIONS
177 |
178 | APPENDIX: How to apply the Apache License to your work.
179 |
180 | To apply the Apache License to your work, attach the following
181 | boilerplate notice, with the fields enclosed by brackets "{}"
182 | replaced with your own identifying information. (Don't include
183 | the brackets!) The text should be enclosed in the appropriate
184 | comment syntax for the file format. We also recommend that a
185 | file or class name and description of purpose be included on the
186 | same "printed page" as the copyright notice for easier
187 | identification within third-party archives.
188 |
189 | Copyright {yyyy} {name of copyright owner}
190 |
191 | Licensed under the Apache License, Version 2.0 (the "License");
192 | you may not use this file except in compliance with the License.
193 | You may obtain a copy of the License at
194 |
195 | http://www.apache.org/licenses/LICENSE-2.0
196 |
197 | Unless required by applicable law or agreed to in writing, software
198 | distributed under the License is distributed on an "AS IS" BASIS,
199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 | See the License for the specific language governing permissions and
201 | limitations under the License.
202 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # subjack
2 |
3 | [](https://travis-ci.org/haccer/subjack)
4 | [](https://ci.appveyor.com/project/haccer/subjack)
5 | [](https://goreportcard.com/report/github.com/haccer/subjack)
6 | [](http://godoc.org/github.com/haccer/subjack/subjack)
7 | [](https://github.com/haccer/subjack/blob/master/LICENSE)
8 |
9 | Subjack is a Subdomain Takeover tool written in Go designed to scan a list of subdomains concurrently and identify ones that are able to be hijacked. With Go's speed and efficiency, this tool really stands out when it comes to mass-testing. Always double check the results manually to rule out false positives.
10 |
11 | Subjack will also check for subdomains attached to domains that don't exist (NXDOMAIN) and are **available to be registered**. No need for dig ever again! This is still cross-compatible too.
12 |
13 | **What's New? (Last Updated 09/17/18)**
14 | - Custom fingerprint support
15 | - New Services (Re-added Zendesk && Added Readme, Bitly, and more)
16 | - Slight performance enhancements
17 |
18 | ## Installing
19 |
20 | Requires [Go](https://golang.org/dl/)
21 |
22 | `go get github.com/haccer/subjack`
23 |
24 | ## How To Use:
25 |
26 | Examples:
27 | - `./subjack -w subdomains.txt -t 100 -timeout 30 -o results.txt -ssl`
28 |
29 | Options:
30 | - `-d test.com` if you want to test a single domain.
31 | - `-w domains.txt` is your list of subdomains.
32 | - `-t` is the number of threads (Default: 10 threads).
33 | - `-timeout` is the seconds to wait before timeout connection (Default: 10 seconds).
34 | - `-o results.txt` where to save results to. For JSON: `-o results.json`
35 | - `-ssl` enforces HTTPS requests which may return a different set of results and increase accuracy.
36 | - `-a` skips CNAME check and sends requests to every URL. **(Recommended)**
37 | - `-m` flag the presence of a dead record, but valid CNAME entry.
38 | - `-v` verbose. Display more information per each request.
39 | - `-c` Path to configuration file.
40 |
41 | ## Practical Use
42 |
43 | You can use [scanio.sh](https://gist.github.com/haccer/3698ff6927fc00c8fe533fc977f850f8) which is kind of a PoC script to mass-locate vulnerable subdomains using results from Rapid7's Project Sonar. This script parses and greps through the dump for desired CNAME records and makes a large list of subdomains to check with subjack if they're vulnerable to Hostile Subdomain Takeover. Of course this isn't the only method to get a large amount of data to test. **Please use this responsibly ;)**
44 |
45 | ## Adding subjack to your workflow
46 |
47 | ```go
48 | package main
49 |
50 | import (
51 | "fmt"
52 | "encoding/json"
53 | "io/ioutil"
54 | "strings"
55 |
56 | "github.com/haccer/subjack/subjack"
57 | )
58 |
59 |
60 | func main() {
61 | var fingerprints []subjack.Fingerprints
62 | config, _ := ioutil.ReadFile("custom_fingerprints.json")
63 | json.Unmarshal(config, &fingerprints)
64 |
65 | subdomain := "dead.cody.su"
66 | /* Use subjack's advanced detection to identify
67 | if the subdomain is able to be taken over. */
68 | service := subjack.Identify(subdomain, false, false, 10, fingerprints)
69 |
70 | if service != "" {
71 | service = strings.ToLower(service)
72 | fmt.Printf("%s is pointing to a vulnerable %s service.\n", subdomain, service)
73 | }
74 | }
75 | ```
76 |
77 | See the [godoc](https://godoc.org/github.com/haccer/subjack/subjack) for more functions.
78 |
79 | ## FAQ
80 | **Q:** What should my wordlist look like?
81 |
82 | **A:** Your wordlist should include a list of subdomains you're checking and should look something like:
83 | ```
84 | assets.cody.su
85 | assets.github.com
86 | b.cody.su
87 | big.example.com
88 | cdn.cody.su
89 | dev.cody.su
90 | dev2.twitter.com
91 | ```
92 |
93 | ## References
94 | Extra information about Hostile Subdomain Takeovers:
95 |
96 | - [https://github.com/EdOverflow/can-i-take-over-xyz](https://github.com/EdOverflow/can-i-take-over-xyz)
97 | - [https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/](https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/)
98 |
--------------------------------------------------------------------------------
/fingerprints.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "service": "fastly",
4 | "cname": [
5 | "fastly"
6 | ],
7 | "fingerprint": [
8 | "Fastly error: unknown domain"
9 | ],
10 | "nxdomain": false
11 | },
12 | {
13 | "service": "github",
14 | "cname": [
15 | "github.io"
16 | ],
17 | "fingerprint": [
18 | "There isn't a GitHub Pages site here."
19 | ],
20 | "nxdomain": false
21 | },
22 | {
23 | "service": "heroku",
24 | "cname": [
25 | "herokuapp"
26 | ],
27 | "fingerprint": [
28 | "herokucdn.com/error-pages/no-such-app.html"
29 | ],
30 | "nxdomain": false
31 | },
32 | {
33 | "service": "pantheon",
34 | "cname": [
35 | "pantheonsite.io"
36 | ],
37 | "fingerprint": [
38 | "The gods are wise, but do not know of the site which you seek."
39 | ],
40 | "nxdomain": false
41 | },
42 | {
43 | "service": "tumblr",
44 | "cname": [
45 | "domains.tumblr.com"
46 | ],
47 | "fingerprint": [
48 | "Whatever you were looking for doesn't currently exist at this address."
49 | ],
50 | "nxdomain": false
51 | },
52 | {
53 | "service": "wordpress",
54 | "cname": [
55 | "wordpress.com"
56 | ],
57 | "fingerprint": [
58 | "Do you want to register"
59 | ],
60 | "nxdomain": false
61 | },
62 | {
63 | "service": "teamwork",
64 | "cname": [
65 | "teamwork.com"
66 | ],
67 | "fingerprint": [
68 | "Oops - We didn't find your site."
69 | ],
70 | "nxdomain": false
71 | },
72 | {
73 | "service": "helpjuice",
74 | "cname": [
75 | "helpjuice.com"
76 | ],
77 | "fingerprint": [
78 | "We could not find what you're looking for."
79 | ],
80 | "nxdomain": false
81 | },
82 | {
83 | "service": "helpscout",
84 | "cname": [
85 | "helpscoutdocs.com"
86 | ],
87 | "fingerprint": [
88 | "No settings were found for this company:"
89 | ],
90 | "nxdomain": false
91 | },
92 | {
93 | "service": "s3 bucket",
94 | "cname": [
95 | "amazonaws"
96 | ],
97 | "fingerprint": [
98 | "The specified bucket does not exist"
99 | ],
100 | "nxdomain": false
101 | },
102 | {
103 | "service": "ghost",
104 | "cname": [
105 | "ghost.io"
106 | ],
107 | "fingerprint": [
108 | "The thing you were looking for is no longer here, or never was"
109 | ],
110 | "nxdomain": false
111 | },
112 | {
113 | "service": "shopify",
114 | "cname": [
115 | "myshopify.com"
116 | ],
117 | "fingerprint": [
118 | "Sorry, this shop is currently unavailable."
119 | ],
120 | "nxdomain": false
121 | },
122 | {
123 | "service": "uservoice",
124 | "cname": [
125 | "uservoice.com"
126 | ],
127 | "fingerprint": [
128 | "This UserVoice subdomain is currently available!"
129 | ],
130 | "nxdomain": false
131 | },
132 | {
133 | "service": "surge",
134 | "cname": [
135 | "surge.sh"
136 | ],
137 | "fingerprint": [
138 | "project not found"
139 | ],
140 | "nxdomain": false
141 | },
142 | {
143 | "service": "bitbucket",
144 | "cname": [
145 | "bitbucket.io"
146 | ],
147 | "fingerprint": [
148 | "Repository not found"
149 | ],
150 | "nxdomain": false
151 | },
152 | {
153 | "service": "intercom",
154 | "cname": [
155 | "custom.intercom.help"
156 | ],
157 | "fingerprint": [
158 | "This page is reserved for artistic dogs.",
159 | ""
160 | ],
161 | "nxdomain": false
162 | },
163 | {
164 | "service": "webflow",
165 | "cname": [
166 | "proxy.webflow.com",
167 | "proxy-ssl.webflow.com"
168 | ],
169 | "fingerprint": [
170 | "
The page you are looking for doesn't exist or has been moved.
"
171 | ],
172 | "nxdomain": false
173 | },
174 | {
175 | "service": "wishpond",
176 | "cname": [
177 | "wishpond.com"
178 | ],
179 | "fingerprint": [
180 | "https://www.wishpond.com/404?campaign=true"
181 | ],
182 | "nxdomain": false
183 | },
184 | {
185 | "service": "aftership",
186 | "cname": [
187 | "aftership.com"
188 | ],
189 | "fingerprint": [
190 | "Oops.The page you're looking for doesn't exist."
191 | ],
192 | "nxdomain": false
193 | },
194 | {
195 | "service": "aha",
196 | "cname": [
197 | "ideas.aha.io"
198 | ],
199 | "fingerprint": [
200 | "There is no portal here ... sending you back to Aha!"
201 | ],
202 | "nxdomain": false
203 | },
204 | {
205 | "service": "tictail",
206 | "cname": [
207 | "domains.tictail.com"
208 | ],
209 | "fingerprint": [
210 | "to target URL: Error Code: 404
"
224 | ],
225 | "nxdomain": false
226 | },
227 | {
228 | "service": "bigcartel",
229 | "cname": [
230 | "bigcartel.com"
231 | ],
232 | "fingerprint": [
233 | "Oops! We could’t find that page.
"
234 | ],
235 | "nxdomain": false
236 | },
237 | {
238 | "service": "campaignmonitor",
239 | "cname": [
240 | "createsend.com"
241 | ],
242 | "fingerprint": [
243 | "Double check the URL or \nLearn more about Worksites.net"
355 | ],
356 | "nxdomain": false
357 | }
358 | ]
359 |
--------------------------------------------------------------------------------
/main.go:
--------------------------------------------------------------------------------
1 | package main
2 |
3 | import (
4 | "flag"
5 | "fmt"
6 | "os"
7 |
8 | "github.com/haccer/subjack/subjack"
9 | )
10 |
11 | func main() {
12 | GOPATH := os.Getenv("GOPATH")
13 | Project := "/src/github.com/haccer/subjack/"
14 | configFile := "fingerprints.json"
15 | defaultConfig := GOPATH + Project + configFile
16 |
17 | o := subjack.Options{}
18 |
19 | flag.StringVar(&o.Domain, "d", "", "Domain.")
20 | flag.StringVar(&o.Wordlist, "w", "", "Path to wordlist.")
21 | flag.IntVar(&o.Threads, "t", 10, "Number of concurrent threads (Default: 10).")
22 | flag.IntVar(&o.Timeout, "timeout", 10, "Seconds to wait before connection timeout (Default: 10).")
23 | flag.BoolVar(&o.Ssl, "ssl", false, "Force HTTPS connections (May increase accuracy (Default: http://).")
24 | flag.BoolVar(&o.All, "a", false, "Find those hidden gems by sending requests to every URL. (Default: Requests are only sent to URLs with identified CNAMEs).")
25 | flag.BoolVar(&o.Verbose, "v", false, "Display more information per each request.")
26 | flag.StringVar(&o.Output, "o", "", "Output results to file (Subjack will write JSON if file ends with '.json').")
27 | flag.StringVar(&o.Config, "c", defaultConfig, "Path to configuration file.")
28 | flag.BoolVar(&o.Manual, "m", false, "Flag the presence of a dead record, but valid CNAME entry.")
29 |
30 | flag.Parse()
31 |
32 | flag.Usage = func() {
33 | fmt.Printf("Usage of %s:\n", os.Args[0])
34 | flag.PrintDefaults()
35 | }
36 |
37 | if flag.NFlag() == 0 {
38 | flag.Usage()
39 | os.Exit(1)
40 | }
41 |
42 | subjack.Process(&o)
43 | }
44 |
--------------------------------------------------------------------------------
/subjack/dns.go:
--------------------------------------------------------------------------------
1 | package subjack
2 |
3 | import (
4 | "fmt"
5 | "net"
6 | "strings"
7 |
8 | "github.com/haccer/available"
9 | "github.com/miekg/dns"
10 | )
11 |
12 | func (s *Subdomain) dns(o *Options) {
13 | config := o.Fingerprints
14 |
15 | if o.All {
16 | detect(s.Url, o.Output, o.Ssl, o.Verbose, o.Manual, o.Timeout, config)
17 | } else {
18 | if VerifyCNAME(s.Url, config) {
19 | detect(s.Url, o.Output, o.Ssl, o.Verbose, o.Manual, o.Timeout, config)
20 | }
21 |
22 | if o.Verbose {
23 | result := fmt.Sprintf("[Not Vulnerable] %s\n", s.Url)
24 | c := "\u001b[31;1mNot Vulnerable\u001b[0m"
25 | out := strings.Replace(result, "Not Vulnerable", c, -1)
26 | fmt.Printf(out)
27 |
28 | if o.Output != "" {
29 | if chkJSON(o.Output) {
30 | writeJSON("", s.Url, o.Output)
31 | } else {
32 | write(result, o.Output)
33 | }
34 | }
35 | }
36 | }
37 | }
38 |
39 | func resolve(url string) (cname string) {
40 | cname = ""
41 | d := new(dns.Msg)
42 | d.SetQuestion(url+".", dns.TypeCNAME)
43 | ret, err := dns.Exchange(d, "8.8.8.8:53")
44 | if err != nil {
45 | return
46 | }
47 |
48 | for _, a := range ret.Answer {
49 | if t, ok := a.(*dns.CNAME); ok {
50 | cname = t.Target
51 | }
52 | }
53 |
54 | return cname
55 | }
56 |
57 | func nslookup(domain string) (nameservers []string) {
58 | m := new(dns.Msg)
59 | m.SetQuestion(dotDomain(domain), dns.TypeNS)
60 | ret, err := dns.Exchange(m, "8.8.8.8:53")
61 | if err != nil {
62 | return
63 | }
64 |
65 | nameservers = []string{}
66 |
67 | for _, a := range ret.Answer {
68 | if t, ok := a.(*dns.NS); ok {
69 | nameservers = append(nameservers, t.Ns)
70 | }
71 | }
72 |
73 | return nameservers
74 | }
75 |
76 | func nxdomain(nameserver string) bool {
77 | if _, err := net.LookupHost(nameserver); err != nil {
78 | if strings.Contains(fmt.Sprintln(err), "no such host") {
79 | return true
80 | }
81 | }
82 |
83 | return false
84 | }
85 |
86 | func NS(domain, output string, verbose bool) {
87 | nameservers := nslookup(domain)
88 | for _, ns := range nameservers {
89 | if verbose {
90 | msg := fmt.Sprintf("[*] %s: Nameserver is %s\n", domain, ns)
91 | fmt.Printf(msg)
92 |
93 | if output != "" {
94 | write(msg, output)
95 | }
96 | }
97 |
98 | if nxdomain(ns) {
99 | av := available.Domain(ns)
100 |
101 | if av {
102 | msg := fmt.Sprintf("[!] %s's nameserver: %s is available for purchase!\n", domain, ns)
103 | fmt.Printf(msg)
104 | if output != "" {
105 | write(msg, output)
106 | }
107 | }
108 | }
109 | }
110 | }
111 |
--------------------------------------------------------------------------------
/subjack/dot.go:
--------------------------------------------------------------------------------
1 | package subjack
2 |
3 | func dotDomain(domain string) string {
4 | return domain + "."
5 | }
6 |
7 | func joinHost(server string) string {
8 | return server + ":53"
9 | }
10 |
--------------------------------------------------------------------------------
/subjack/file.go:
--------------------------------------------------------------------------------
1 | package subjack
2 |
3 | import (
4 | "bufio"
5 | "encoding/json"
6 | "io/ioutil"
7 | "log"
8 | "os"
9 | "strings"
10 | )
11 |
12 | type Results struct {
13 | Subdomain string `json:"subdomain"`
14 | Vulnerable bool `json:"vulnerable"`
15 | Service string `json:"service,omitempty"`
16 | Domain string `json:"nonexist_domain,omitempty"`
17 | }
18 |
19 | func open(path string) (lines []string, Error error) {
20 | file, err := os.Open(path)
21 | if err != nil {
22 | log.Fatalln(err)
23 | }
24 |
25 | defer file.Close()
26 |
27 | scanner := bufio.NewScanner(file)
28 |
29 | for scanner.Scan() {
30 | lines = append(lines, scanner.Text())
31 | }
32 |
33 | return lines, scanner.Err()
34 | }
35 |
36 | func chkJSON(output string) (json bool) {
37 | json = false
38 |
39 | if strings.Contains(output, ".json") {
40 | if output[len(output)-5:] == ".json" {
41 | json = true
42 | }
43 | }
44 |
45 | return json
46 | }
47 |
48 | func write(result, output string) {
49 | f, err := os.OpenFile(output, os.O_RDWR|os.O_APPEND|os.O_CREATE, 0600)
50 | if err != nil {
51 | log.Fatalln(err)
52 | }
53 |
54 | defer f.Close()
55 |
56 | _, err = f.WriteString(result)
57 | if err != nil {
58 | log.Fatalln(err)
59 | }
60 | }
61 |
62 | func writeJSON(service, url, output string) {
63 | var r Results
64 | if strings.Contains(service, "DOMAIN") {
65 | r = Results{
66 | Subdomain: strings.ToLower(url),
67 | Vulnerable: true,
68 | Service: "unregistered domain",
69 | Domain: strings.Split(service, " - ")[1],
70 | }
71 | } else {
72 | if service != "" {
73 | r = Results{
74 | Subdomain: strings.ToLower(url),
75 | Vulnerable: true,
76 | Service: strings.ToLower(service),
77 | }
78 | } else {
79 | r = Results{
80 | Subdomain: strings.ToLower(url),
81 | Vulnerable: false,
82 | }
83 | }
84 | }
85 |
86 | f, err := os.OpenFile(output, os.O_CREATE|os.O_RDWR, 0600)
87 | if err != nil {
88 | log.Fatalln(err)
89 | }
90 |
91 | defer f.Close()
92 |
93 | file, err := ioutil.ReadAll(f)
94 | if err != nil {
95 | log.Fatalln(err)
96 | }
97 |
98 | var data []Results
99 | json.Unmarshal(file, &data)
100 | data = append(data, r)
101 |
102 | results, _ := json.Marshal(data)
103 |
104 | wf, err := os.OpenFile(output, os.O_CREATE|os.O_RDWR, 0600)
105 | if err != nil {
106 | log.Fatalln(err)
107 | }
108 |
109 | defer wf.Close()
110 |
111 | wf.Write(results)
112 | }
113 |
114 | func fingerprints(file string) (data []Fingerprints) {
115 | config, err := ioutil.ReadFile(file)
116 | if err != nil {
117 | log.Fatalln(err)
118 | }
119 |
120 | err = json.Unmarshal(config, &data)
121 | if err != nil {
122 | log.Fatalln(err)
123 | }
124 |
125 | return data
126 | }
127 |
--------------------------------------------------------------------------------
/subjack/fingerprint.go:
--------------------------------------------------------------------------------
1 | package subjack
2 |
3 | import (
4 | "bytes"
5 | "fmt"
6 | "strings"
7 |
8 | "github.com/haccer/available"
9 | )
10 |
11 | type Fingerprints struct {
12 | Service string `json:"service"`
13 | Cname []string `json:"cname"`
14 | Fingerprint []string `json:"fingerprint"`
15 | Nxdomain bool `json:"nxdomain"`
16 | }
17 |
18 | /*
19 | * Triage step to check whether the CNAME matches
20 | * the fingerprinted CNAME of a vulnerable cloud service.
21 | */
22 | func VerifyCNAME(subdomain string, config []Fingerprints) (match bool) {
23 | cname := resolve(subdomain)
24 | match = false
25 |
26 | VERIFY:
27 | for n := range config {
28 | for c := range config[n].Cname {
29 | if strings.Contains(cname, config[n].Cname[c]) {
30 | match = true
31 | break VERIFY
32 | }
33 | }
34 | }
35 |
36 | return match
37 | }
38 |
39 | func detect(url, output string, ssl, verbose, manual bool, timeout int, config []Fingerprints) {
40 | service := Identify(url, ssl, manual, timeout, config)
41 |
42 | if service != "" {
43 | result := fmt.Sprintf("[%s] %s\n", service, url)
44 | c := fmt.Sprintf("\u001b[32;1m%s\u001b[0m", service)
45 | out := strings.Replace(result, service, c, -1)
46 | fmt.Printf(out)
47 |
48 | if output != "" {
49 | if chkJSON(output) {
50 | writeJSON(service, url, output)
51 | } else {
52 | write(result, output)
53 | }
54 | }
55 | }
56 |
57 | if service == "" && verbose {
58 | result := fmt.Sprintf("[Not Vulnerable] %s\n", url)
59 | c := "\u001b[31;1mNot Vulnerable\u001b[0m"
60 | out := strings.Replace(result, "Not Vulnerable", c, -1)
61 | fmt.Printf(out)
62 |
63 | if output != "" {
64 | if chkJSON(output) {
65 | writeJSON(service, url, output)
66 | } else {
67 | write(result, output)
68 | }
69 | }
70 | }
71 | }
72 |
73 | /*
74 | * This function aims to identify whether the subdomain
75 | * is attached to a vulnerable cloud service and able to
76 | * be taken over.
77 | */
78 | func Identify(subdomain string, forceSSL, manual bool, timeout int, fingerprints []Fingerprints) (service string) {
79 | body := get(subdomain, forceSSL, timeout)
80 |
81 | cname := resolve(subdomain)
82 |
83 | if len(cname) <= 3 {
84 | cname = ""
85 | }
86 |
87 | service = ""
88 | nx := nxdomain(subdomain)
89 |
90 | IDENTIFY:
91 | for f := range fingerprints {
92 |
93 | // Begin subdomain checks if the subdomain returns NXDOMAIN
94 | if nx {
95 |
96 | // Check if we can register this domain.
97 | dead := available.Domain(cname)
98 | if dead {
99 | service = "DOMAIN AVAILABLE - " + cname
100 | break IDENTIFY
101 | }
102 |
103 | // Check if subdomain matches fingerprinted cname
104 | if fingerprints[f].Nxdomain {
105 | for n := range fingerprints[f].Cname {
106 | if strings.Contains(cname, fingerprints[f].Cname[n]) {
107 | service = strings.ToUpper(fingerprints[f].Service)
108 | break IDENTIFY
109 | }
110 | }
111 | }
112 |
113 | // Option to always print the CNAME and not check if it's available to be registered.
114 | if manual && !dead && cname != "" {
115 | service = "DEAD DOMAIN - " + cname
116 | break IDENTIFY
117 | }
118 | }
119 |
120 | // Check if body matches fingerprinted response
121 | for n := range fingerprints[f].Fingerprint {
122 | if bytes.Contains(body, []byte(fingerprints[f].Fingerprint[n])) {
123 | service = strings.ToUpper(fingerprints[f].Service)
124 | break
125 | }
126 | }
127 | }
128 |
129 | return service
130 | }
131 |
--------------------------------------------------------------------------------
/subjack/requests.go:
--------------------------------------------------------------------------------
1 | package subjack
2 |
3 | import (
4 | "crypto/tls"
5 | "github.com/valyala/fasthttp"
6 | "time"
7 | )
8 |
9 | func get(url string, ssl bool, timeout int) (body []byte) {
10 | req := fasthttp.AcquireRequest()
11 | req.SetRequestURI(site(url, ssl))
12 | req.Header.Add("Connection", "close")
13 | resp := fasthttp.AcquireResponse()
14 |
15 | client := &fasthttp.Client{TLSConfig: &tls.Config{InsecureSkipVerify: true}}
16 | client.DoTimeout(req, resp, time.Duration(timeout)*time.Second)
17 |
18 | return resp.Body()
19 | }
20 |
21 | func https(url string, ssl bool, timeout int) (body []byte) {
22 | newUrl := "https://" + url
23 | body = get(newUrl, ssl, timeout)
24 |
25 | return body
26 | }
27 |
28 | func site(url string, ssl bool) (site string) {
29 | site = "http://" + url
30 | if ssl {
31 | site = "https://" + url
32 | }
33 |
34 | return site
35 | }
36 |
--------------------------------------------------------------------------------
/subjack/subjack.go:
--------------------------------------------------------------------------------
1 | package subjack
2 |
3 | import (
4 | "log"
5 | "sync"
6 | )
7 |
8 | type Options struct {
9 | Domain string
10 | Wordlist string
11 | Threads int
12 | Timeout int
13 | Output string
14 | Ssl bool
15 | All bool
16 | Verbose bool
17 | Config string
18 | Manual bool
19 | Fingerprints []Fingerprints
20 | }
21 |
22 | type Subdomain struct {
23 | Url string
24 | }
25 |
26 | /* Start processing subjack from the defined options. */
27 | func Process(o *Options) {
28 | var list []string
29 | var err error
30 |
31 | urls := make(chan *Subdomain, o.Threads*10)
32 |
33 | if(len(o.Domain) > 0){
34 | list = append(list, o.Domain)
35 | } else {
36 | list, err = open(o.Wordlist)
37 | }
38 |
39 | if err != nil {
40 | log.Fatalln(err)
41 | }
42 |
43 | o.Fingerprints = fingerprints(o.Config)
44 |
45 | wg := new(sync.WaitGroup)
46 |
47 | for i := 0; i < o.Threads; i++ {
48 | wg.Add(1)
49 | go func() {
50 | for url := range urls {
51 | url.dns(o)
52 | }
53 |
54 | wg.Done()
55 | }()
56 | }
57 |
58 | for i := 0; i < len(list); i++ {
59 | urls <- &Subdomain{Url: list[i]}
60 | }
61 |
62 | close(urls)
63 | wg.Wait()
64 | }
65 |
--------------------------------------------------------------------------------