├── README.md
└── subowner.py


/README.md:
--------------------------------------------------------------------------------
 1 | # subowner
 2 | 
 3 | SubOwner - A Simple tool check for subdomain takeovers. This tool is designed to check for subdomain takeovers by resolving the CNAME records and verifying them against known vulnerable services. If a subdomain is found to be vulnerable, it saves the vulnerable URL in a file.
 4 | 
 5 | ## Disclaimer
 6 | 
 7 | > [!WARNING]  
 8 | > This tool is intended only for educational purposes and for testing in authorized environments. https://twitter.com/nav1n0x/ and https://github.com/ifconfig-me take no responsibility for the misuse of this code. Use it at your own risk. Do not attack a target you don't have permission to engage with. This tool uses the publicly released payloads and methods. 
 9 | 
10 | 
11 | ![image](https://github.com/user-attachments/assets/bd3a0f26-4551-45db-9f69-022a9421e581)
12 | 
13 | 
14 | ## Features
15 | 
16 | - Supports multiple services for takeover (AWS S3, GitHub Pages, Heroku, Shopify, etc.).
17 | - Performs CNAME resolution and service-specific checks.
18 | - Outputs vulnerable subdomains to a file.
19 | - use the liste without schema (no http:// or https://)
20 | 
21 | 
22 | ### Upadte - 17/10/2024
23 | 
24 | Modifications:
25 | 
26 | 1. Updated the script with **ThreadPoolExecutor** to process subdomains concurrently.
27 | 2. The `-t` or `--threads` argument added to specify how many threads should be used.
28 | 3. Each subdomain is processed in a separate thread.
29 | 
30 | This script will now check subdomains faster by utilizing multiple threads. You can adjust the number of threads via the `-t` argument.
31 | 


--------------------------------------------------------------------------------
/subowner.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python3
  2 | import requests
  3 | import argparse
  4 | import dns.resolver
  5 | from bs4 import BeautifulSoup
  6 | from colorama import Fore, init
  7 | from urllib.parse import urlparse
  8 | from concurrent.futures import ThreadPoolExecutor, as_completed
  9 | 
 10 | def show_banner():
 11 |     banner = f"""
 12 |  {BOLD_BLUE} ███▄    █  ▄▄▄    ██▒   █▓ ███▄    █ {NC}
 13 |  {BOLD_BLUE} ██ ▀█   █ ▒████▄ ▓██░   █▒ ██ ▀█   █ {NC}
 14 |  {BOLD_BLUE}▓██  ▀█ ██▒▒██  ▀█▄▓██  █▒░▓██  ▀█ ██▒{NC}
 15 |  {BOLD_BLUE}▓██▒  ▐▌██▒░██▄▄▄▄██▒██ █░░▓██▒  ▐▌██▒{NC}
 16 |  {BOLD_BLUE}▒██░   ▓██░ ▓█   ▓██▒▒▀█░  ▒██░   ▓██░{NC}
 17 |  {BOLD_BLUE}░ ▒░   ▒ ▒  ▒▒   ▓▒█░░ ▐░  ░ ▒░   ▒ ▒ {NC}
 18 |  {BOLD_BLUE}░ ░░   ░ ▒░  ▒   ▒▒ ░░ ░░  ░ ░░   ░ ▒░{NC}
 19 |  {BOLD_BLUE}   ░   ░ ░   ░   ▒     ░░     ░   ░ ░ {NC}
 20 |  {BOLD_BLUE}         ░       ░  ░   ░           ░ {NC}
 21 |  {BOLD_BLUE}                       ░               {NC}
 22 |     """
 23 |     print(banner)
 24 | 
 25 | init(autoreset=True)
 26 | 
 27 | def get_page_title(content):
 28 |     try:
 29 |         soup = BeautifulSoup(content, 'html.parser')
 30 |         title = soup.title.string if soup.title else None
 31 |         if not title and '<?xml' in content.decode('utf-8', 'ignore'):
 32 |             soup = BeautifulSoup(content, 'lxml-xml')
 33 |             title = soup.find('title')
 34 |         return title.strip() if title else 'No title'
 35 |     except Exception as e:
 36 |         print(f"Error fetching title: {e}")
 37 |         return 'Error fetching title'
 38 | 
 39 | def get_cname(subdomain):
 40 |     try:
 41 |         print(f"Resolving CNAME for {subdomain}")
 42 |         parsed_url = urlparse(subdomain)
 43 |         domain = parsed_url.netloc or parsed_url.path
 44 |         answers = dns.resolver.query(domain, 'CNAME')
 45 |         cname = [rdata.target.to_text().rstrip('.') for rdata in answers]
 46 |         print(f"Resolved CNAME for {domain}: {cname}")
 47 |         try:
 48 |             ip_answers = dns.resolver.query(cname[0], 'A')
 49 |             ips = [ip.address for ip in ip_answers]
 50 |             print(f"CNAME {cname[0]} resolves to IP(s): {', '.join(ips)}")
 51 |         except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
 52 |             print(f"No A records found for CNAME {cname[0]}")
 53 |         return cname
 54 |     except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer, dns.exception.Timeout) as e:
 55 |         print(f"DNS resolution failed for {subdomain}: {e}")
 56 |         return []
 57 |     except Exception as e:
 58 |         print(f"Unknown error while resolving CNAME for {subdomain}: {e}")
 59 |         return []
 60 | 
 61 | def check_subdomain_takeover(subdomain, output_file):
 62 |     cname_records = get_cname(subdomain)
 63 |     if cname_records:
 64 |         for cname in cname_records:
 65 |             is_potentially_vulnerable = False
 66 |             for service in vulnerable_services:
 67 |                 for pattern in service["cname_patterns"]:
 68 |                     if pattern in cname:
 69 |                         is_potentially_vulnerable = True
 70 |                         result = f"[+] {subdomain} has CNAME {cname} matching {pattern}"
 71 |                         print(Fore.YELLOW + result)
 72 |                         check_service_takeover(subdomain, cname, service, output_file)
 73 |                         break
 74 |                 if is_potentially_vulnerable:
 75 |                     break
 76 |             if not is_potentially_vulnerable:
 77 |                 result = f"[-] {subdomain} has CNAME {cname} but no matching vulnerable service"
 78 |                 print(Fore.RED + result)
 79 |     else:
 80 |         result = f"[-] {subdomain} has no CNAME record"
 81 |         print(Fore.RED + result)
 82 | 
 83 | def check_service_takeover(subdomain, cname, service, output_file):
 84 |     try:
 85 |         for protocol in ['https://', 'http://']:
 86 |             url = f"{protocol}{subdomain}"
 87 |             print(f"Trying {url}")
 88 |             response = requests.get(url, timeout=10, verify=False)
 89 |             status_code = response.status_code
 90 |             title = get_page_title(response.content)
 91 |             response_text = response.text
 92 |             for error_msg in service["response_messages"]:
 93 |                 if error_msg.lower() in response_text.lower():
 94 |                     result = f"[+] {subdomain} [{status_code}] [{title}] [Vulnerable to {service['service']}]"
 95 |                     print(Fore.GREEN + result)
 96 |                     with open(output_file, 'a') as f:
 97 |                         f.write(f"{subdomain} [Vulnerable to {service['service']}]\n")
 98 |                     return
 99 |             print(f"Checked {subdomain}: {status_code} - Not vulnerable")
100 |         result = f"[-] {subdomain} [{status_code}] [{title}] [Not Vulnerable]"
101 |         print(Fore.RED + result)
102 |     except requests.exceptions.SSLError:
103 |         result = f"[-] {subdomain} [SSL Error]"
104 |         print(Fore.YELLOW + result)
105 |     except requests.exceptions.Timeout:
106 |         result = f"[-] {subdomain} [Timeout] [No response within 10 seconds]"
107 |         print(Fore.YELLOW + result)
108 |     except requests.exceptions.RequestException as e:
109 |         result = f"[-] {subdomain} [Error] [Could not connect: {e}]"
110 |         print(Fore.YELLOW + result)
111 | 
112 | def process_subdomain(subdomain, output_file):
113 |     check_subdomain_takeover(subdomain, output_file)
114 | 
115 | def main(file_path, output_file, threads):
116 |     with open(output_file, 'w') as f:
117 |         f.write("Vulnerable URLs:\n")
118 | 
119 |     try:
120 |         with open(file_path, 'r') as file:
121 |             domains = [line.strip() for line in file.readlines()]
122 |     except FileNotFoundError:
123 |         print(Fore.RED + f"[-] Error: File {file_path} not found.")
124 |         return
125 |     
126 |     if domains:
127 |         print(f"[+] Found {len(domains)} subdomains to check.")
128 |         
129 |         with ThreadPoolExecutor(max_workers=threads) as executor:
130 |             futures = [executor.submit(process_subdomain, subdomain, output_file) for subdomain in domains]
131 |             for future in as_completed(futures):
132 |                 future.result() 
133 |     else:
134 |         print(Fore.RED + "[-] No domains found in the file.")
135 | 
136 | if __name__ == "__main__":
137 |     print('''  
138 | By nav1n - https://x.com/nav1n0x  
139 | This tool is intended only for educational purposes and for testing in authorized environments. 
140 | https://twitter.com/nav1n0x/ and https://github.com/ifconfig-me take no responsibility 
141 | for the misuse of this code. Use it at your own risk. Do not attack a target you don't have 
142 | permission to engage with. This tool uses the publicly released payloads and methods.
143 |  ''')
144 | 
145 |     parser = argparse.ArgumentParser(description="Subdomain Takeover Checker")
146 |     parser.add_argument("-f", "--file", help="Path to the file containing subdomains", required=True)
147 |     parser.add_argument("-t", "--threads", help="Number of threads to use", type=int, default=5)
148 |     args = parser.parse_args()
149 | 
150 |     output_file = "takeoverable.txt"
151 | 
152 |     vulnerable_services = [
153 |         {
154 |             "service": "AWS S3",
155 |             "cname_patterns": ["s3.amazonaws.com", "amazonaws.com"],
156 |             "response_messages": ["NoSuchBucket", "The specified bucket does not exist"]
157 |         },
158 |         {
159 |             "service": "GitHub Pages",
160 |             "cname_patterns": ["github.io"],
161 |             "response_messages": ["There isn't a GitHub Pages site here."]
162 |         },
163 |         {
164 |             "service": "Heroku",
165 |             "cname_patterns": ["herokudns.com", "herokussl.com", "herokuapp.com"],
166 |             "response_messages": ["No such app", "no-such-app"]
167 |         },
168 |         {
169 |             "service": "Shopify",
170 |             "cname_patterns": ["myshopify.com"],
171 |             "response_messages": ["Sorry, this shop is currently unavailable."]
172 |         },
173 |         {
174 |             "service": "Tumblr",
175 |             "cname_patterns": ["domains.tumblr.com"],
176 |             "response_messages": ["There's nothing here."]
177 |         },
178 |         {
179 |             "service": "Azure",
180 |             "cname_patterns": ["azurewebsites.net", "cloudapp.net"],
181 |             "response_messages": ["Error 404 - Web app not found."]
182 |         },
183 |         {
184 |             "service": "Bitbucket",
185 |             "cname_patterns": ["bitbucket.io"],
186 |             "response_messages": ["Repository not found"]
187 |         },
188 |         {
189 |             "service": "Fastly",
190 |             "cname_patterns": ["fastly.net", "fastlylb.net"],
191 |             "response_messages": ["Fastly error: unknown domain", "Fastly error: unknown app"]
192 |         },
193 |         {
194 |             "service": "Ghost",
195 |             "cname_patterns": ["ghost.io"],
196 |             "response_messages": ["The thing you were looking for is no longer here"]
197 |         },
198 |         {
199 |             "service": "Pantheon",
200 |             "cname_patterns": ["pantheon.io"],
201 |             "response_messages": ["The gods are wise, but do not know of the site which you seek"]
202 |         },
203 |         {
204 |             "service": "Surge.sh",
205 |             "cname_patterns": ["surge.sh"],
206 |             "response_messages": ["project not found"]
207 |         },
208 |         {
209 |             "service": "Zendesk",
210 |             "cname_patterns": ["zendesk.com"],
211 |             "response_messages": ["Help Center Closed"]
212 |         },
213 |         {
214 |             "service": "Amazon CloudFront",
215 |             "cname_patterns": ["cloudfront.net"],
216 |             "response_messages": ["Bad request", "ERROR: The request could not be satisfied"]
217 |         },
218 |         {
219 |             "service": "Squarespace",
220 |             "cname_patterns": ["squarespace.com"],
221 |             "response_messages": ["No Such Account"]
222 |         },
223 |         {
224 |             "service": "Unbounce",
225 |             "cname_patterns": ["unbouncepages.com"],
226 |             "response_messages": ["The requested URL was not found on this server"]
227 |         },
228 |         {
229 |             "service": "WordPress.com",
230 |             "cname_patterns": ["wordpress.com"],
231 |             "response_messages": ["Do you want to register"]
232 |         },
233 |         {
234 |             "service": "Intercom",
235 |             "cname_patterns": ["custom.intercom.help"],
236 |             "response_messages": ["This page is reserved for a Intercom customer"]
237 |         },
238 |         {
239 |             "service": "Desk.com",
240 |             "cname_patterns": ["desk.com"],
241 |             "response_messages": ["Please try again or try Desk.com free for 14 days."]
242 |         },
243 |         {
244 |             "service": "Cargo Collective",
245 |             "cname_patterns": ["cargocollective.com"],
246 |             "response_messages": ["404 Not Found"]
247 |         },
248 |         {
249 |             "service": "Statuspage",
250 |             "cname_patterns": ["statuspage.io"],
251 |             "response_messages": ["Status page configured incorrectly"]
252 |         },
253 |         {
254 |             "service": "SmartJobBoard",
255 |             "cname_patterns": ["smartjobboard.com"],
256 |             "response_messages": ["This job board website is either expired or its domain name is invalid"]
257 |         },
258 |         {
259 |             "service": "Help Scout",
260 |             "cname_patterns": ["helpscoutdocs.com"],
261 |             "response_messages": ["No settings were found for this company:"]
262 |         },
263 |         {
264 |             "service": "Tictail",
265 |             "cname_patterns": ["tictail.com"],
266 |             "response_messages": ["Starting your own Tictail store is easy"]
267 |         },
268 |         {
269 |             "service": "Campaign Monitor",
270 |             "cname_patterns": ["createsend.com"],
271 |             "response_messages": ["Trying to access your account?"]
272 |         },
273 |         {
274 |             "service": "Acquia",
275 |             "cname_patterns": ["acquia-test.co"],
276 |             "response_messages": ["Web Site Not Found"]
277 |         },
278 |         {
279 |             "service": "Proposify",
280 |             "cname_patterns": ["proposify.biz"],
281 |             "response_messages": ["If you need immediate assistance, please contact Proposify Support"]
282 |         },
283 |         {
284 |             "service": "Amazon Elastic Beanstalk",
285 |             "cname_patterns": ["elasticbeanstalk.com"],
286 |             "response_messages": ["404 Not Found"]
287 |         },
288 |         {
289 |             "service": "Readme.io",
290 |             "cname_patterns": ["readme.io"],
291 |             "response_messages": ["Project doesnt exist... yet!"]
292 |         },
293 |         
294 |     ]
295 | 
296 |     requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
297 | 
298 |     main(args.file, output_file, args.threads)
299 | 


--------------------------------------------------------------------------------