Subdover is a MultiThreaded Subdomain Takeover Vulnerability Scanner Written In Python3, Which has more than 88+ Fingerprints of potentially vulnerable services. Uses CNAME record for verification of findings.
Built-in Subdomain Enumeration Feature & Auto HTTP prober [Uses Open Source Tool for Subdomain Enum & HTTP probing i.e. findomain & httpx]
Total_Fingerprints(Aquatone + Subjack + Subzy + SubOver) <<< Total_Fingerprints(SubDover)
đź’» This project was created only for good purposes and personal use.
THIS SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. YOU MAY USE THIS SOFTWARE AT YOUR OWN RISK. THE USE IS COMPLETE RESPONSIBILITY OF THE END-USER. THE DEVELOPERS ASSUME NO LIABILITY AND ARE NOT RESPONSIBLE FOR ANY MISUSE OR DAMAGE CAUSED BY THIS PROGRAM.
- More than 70+ Fingerprints of potentially vulnerable services
- Uses CNAME record for verification of findings
- Built-in Subdomain Enumeration Method [Used findomain for Subdomain Enum]
- Can Scan targets from subdomain list
- Can Test Single Target for Subdomain Takeover
- MultiThread, Extermely Fast Scanner [Default Threads: 10]
- You can choose number of threads
- You can save result in TXT file
- Extremely Clean Output
- OS Independent [Can be used on any OS which supports Python3]
- Auto Command Line Updater
- Python 3.X
- Few External Modules
# Navigate to the /opt directory (optional)
$ cd /opt/
# Clone this repository
$ git clone https://github.com/PushpenderIndia/subdover.git
# Navigate to subdover folder
$ cd subdover
# Installing dependencies
$ chmod +x installer_linux.py
$ sudo python3 installer_linux.py
# Giving Executable Permission & Checking Help Menu
$ chmod +x subdover.py
$ sudo python3 subdover.py --help
# Testing Single Target [Running Without Giving Parameter]
$ sudo python3 subdover.py
# Enumerating Subdomain & Testing them for Subdomain Takeover
$ sudo python3 subdover.py -d target.com
# Testing targets for Subdomain Takeover from subdomain list
$ sudo python3 subdover.py --list example_target.txt
# Changing Number of Threads
$ sudo python3 subdover.py --thread 30 -d target.com
# Saving Result
$ sudo python3 subdover.py -d target.com -o result.txt
# Show Fingerprints & Exit
$ sudo python3 subdover.py -s
# Download this project as zip
# Navigate to subdover folder
$ cd subdover
# Installing dependencies
$ python -m pip install -r requirements.txt
# Checking Help Menu
$ python subdover.py --help
# Testing Single Target [Running Without Giving Parameter]
$ python subdover.py
# Enumerating Subdomain & Testing them for Subdomain Takeover
$ python subdover.py -d target.com
# Testing targets for Subdomain Takeover from subdomain list
$ python subdover.py --list example_target.txt
# Changing Number of Threads
$ python subdover.py --thread 30 -d target.com
# Saving Result
$ python subdover.py -d target.com -o result.txt
# Show Fingerprints & Exit
$ python subdover.py -s
# Navigate to C:\PentestBox\bin\customtools Directory
$ cd C:\PentestBox\bin\customtools
# Clone This GitHub Repo
$ git clone https://github.com/PushpenderIndia/subdover.git
# Navigate to subdover folder
$ cd subdover
# Install Python Dependencies
$ python -m pip install -r requirements.txt
# Add Console Shortcut/Alias In PentestBox
$ echo subdover=python "%pentestbox_ROOT%\bin\customtools\subdover\subdover.py" $* >> ../customaliases
- Optional Arguments
Short Hand | Full Hand | Description |
---|---|---|
-h | --help | show this help message and exit |
-t | --thread | Number of Threads to Used. Default=10 |
-o | --output | Save Result in TXT file |
-skip | --skip-httpx | Skip HTTP/HTTPS Protocal Resolution (HTTP Probing) [NOTE]: You must manually use httpx/httprobe on your subdomain list & then provide that final subdomains list using --list or -l flag |
-s | --fingerprints | Show Available Fingerprints & Exit |
- Required Arguments
Short Hand | Full Hand | Description |
---|---|---|
-d | --domain | Target Wildcard Domain [For AutoSubdomainEnumeration], ex:- google.com |
-l | --list | Target Subdomain List, ex:- google_subdomain.txt |
No. | Service Name | Status | CNAME | Fingerprints |
---|---|---|---|---|
1. | Acquia | Vulnerable | ['acquia-test.co'] |
The site you are looking for could not be found. |
2. | ActiveCampaign | Vulnerable | ['activehosted.com'] |
alt="LIGHTTPD - fly light." |
3. | AfterShip | Vulnerable | ['aftership.com'] |
Oops.</h2><p class="text-muted text-tight">The page you're looking for doesn't exist. |
4. | AgileCRM | Vulnerable | ['cname.agilecrm.com', 'agilecrm.com'] |
Sorry, this page is no longer available. |
5. | Aha | Vulnerable | ['ideas.aha.io'] |
There is no portal here ... sending you back to Aha! |
6. | Airee.ru | Vulnerable | ['cdn.airee.com', 'airee.com'] |
LaterADD |
7. | Anima | Vulnerable | ['NOT_AVAILABLE'] |
If this is your website and you've just created it, try refreshing in a minute |
8. | Apigee | Vulnerable | ['-portal.apigee.net'] |
|
9. | AWS/S3 | Vulnerable | ['amazonaws'] |
The specified bucket does not exist |
10. | Bigcartel | Vulnerable | ['bigcartel.com'] |
<h1>Oops! We could’t find that page.</h1> |
11. | Bitbucket | Vulnerable | ['bitbucket.io'] |
Repository not found |
12. | Brightcove | Vulnerable | ['bcvp0rtal.com', 'brightcovegallery.com', 'gallery.video'] |
<p class="bc-gallery-error-code">Error Code: 404</p> |
13. | Canny.io | Vulnerable | ['cname.canny.io'] |
There is no such company. Did you enter the right URL? |
14. | CampaignMonitor | Vulnerable | ['createsend.com', 'name.createsend.com'] |
Double check the URL or <a href="mailto:help@createsend.com |
15. | Cargo | Vulnerable | ['cargocollective.com'] |
If you're moving your domain away from Cargo you must make this configuration through your registrar's DNS control panel. |
16. | CargoCollective | Vulnerable | ['subdomain.cargocollective.com'] |
404 Not Found |
17. | Cloudfront | Edge case | ['cloudfront.net'] |
Bad Request: ERROR: The request could not be satisfied |
18. | Desk | Not vulnerable | ['desk.com'] |
Please try again or try Desk.com free for 14 days. |
19. | ElasticBeanstalk_AWS_service | Vulnerable | ['elasticbeanstalk.com'] |
|
20. | Fastly | Edge case | ['fastly.net'] |
Fastly error: unknown domain: |
21. | Feedpress | Vulnerable | ['redirect.feedpress.me'] |
The feed has not been found. |
22. | Freshdesk | Vulnerable | ['freshdesk.com'] |
May be this is still fresh! |
23. | Frontify | Vulnerable | ['frontify.com'] |
404 - Page Not Found</h1> |
24. | GetResponse | Vulnerable | ['.gr8.com'] |
With GetResponse Landing Pages, lead generation has never been easier |
25. | Ghost | Vulnerable | ['ghost.io'] |
The thing you were looking for is no longer here, or never was |
26. | Github | Vulnerable | ['github.io'] |
There isn't a GitHub Pages site here. |
27. | Help Juice | Vulnerable | ['helpjuice.com'] |
We could not find what you're looking for |
28. | Helprace | Vulnerable | ['helprace.com'] |
Admin of this Helprace account needs to set up domain alias |
29. | Help Scout | Vulnerable | ['helpscoutdocs.com'] |
No settings were found for this company |
30. | Heroku | Edge case | ['herokuapp'] |
No such app |
31. | Hubspot | Vulnerable | ['sites.hubspot.net'] |
Domain Not found |
32. | Instapage | Vulnerable | ['pageserve.co', 'secure.pageserve.co', 'instapage.com'] |
You've Discovered A Missing Link. Our Apologies! |
33. | InterCom | Vulnerable | ['custom.intercom.help'] |
<h1 class="headline"Uh oh. That page doesn't exist.</h1> |
34. | JetBrains | Vulnerable | ['myjetbrains.com'] |
is not a registered InCloud YouTrack |
35. | Kajabi | Vulnerable | ['endpoint.mykajabi.com'] |
<h1>The page you were looking for doesn't exist.</h1> |
36. | Landingi | Vulnerable | ['cname.landingi.com'] |
<p>The page you are looking for is not found.</p> |
37. | LaunchRock | Vulnerable | ['launchrock.com'] |
It looks like you may have taken a wrong turn somewhere. Don't worry...it happens to all of us. |
38. | LeadPages.com | Vulnerable | ['custom-proxy.leadpages.net', 'leadpages.net'] |
Double check that you have the right web address and give it another go!</p> |
39. | Mashery | Edge Case | ['mashery.com'] |
Unrecognized domain |
40. | MicrosoftAzure | Vulnerable | ['cloudapp.net', 'cloudapp.azure.com', 'azurewebsites.net', 'blob.core.windows.net', 'cloudapp.azure.com', 'azure-api.net', 'azurehdinsight.net', 'azureedge.net', 'azurecontainer.io', 'database.windows.net', 'azuredatalakestore.net', 'search.windows.net', 'azurecr.io', 'redis.cache.windows.net', 'azurehdinsight.net', 'servicebus.windows.net', 'visualstudio.com'] |
404 Web Site not found |
41. | Ngrok | Vulnerable | ['ngrok.io'] |
ngrok.io not found |
42. | Pantheon | Vulnerable | ['pantheonsite.io'] |
The gods are wise, but do not know of the site which you seek. |
43. | Pingdom | Vulnerable | ['stats.pingdom.com'] |
This public report page has not been activated by the user |
44. | Proposify | Vulnerable | ['proposify.biz'] |
If you need immediate assistance, please contact <a href="mailto:support@proposify.biz |
45. | Readme.io | Vulnerable | ['readme.io'] |
Project doesnt exist... yet! |
46. | ReadTheDocs.org | Vulnerable | ['readthedocs.io'] |
is unknown to Read the Docs |
47. | Shopify | Edge Case | ['myshopify.com'] |
Sorry, this shop is currently unavailable |
48. | SimpleBooklet | Vulnerable | ['simplebooklet.com'] |
We can't find this <a href="https://simplebooklet.com |
49. | Smartling | Vulnerable | ['smartling.com'] |
Domain is not configured |
50. | Smugmug | Vulnerable | ['domains.smugmug.com'] |
|
51. | StatusPage | Vulnerable | ['statuspage.io'] |
You are being <a href="https://www.statuspage.io">redirected |
52. | Strikingly | Vulnerable | ['.s.strikinglydns.com'] |
But if you're looking to build your own website, |
53. | Surge.sh | Vulnerable | ['surge.sh'] |
project not found |
54. | Surveygizmo | Vulnerable | ['privatedomain.sgizmo.com', 'privatedomain.surveygizmo.eu', 'privatedomain.sgizmoca.com'] |
data-html-name |
55. | Tave | Vulnerable | ['clientaccess.tave.com'] |
<h1>Error 404: Page Not Found</h1> |
56. | Teamwork | Vulnerable | ['teamwork.com'] |
Oops - We didn't find your site. |
57. | Thinkific | Vulnerable | ['thinkific.com'] |
You may have mistyped the address or the page may have moved. |
58. | Tictail | Vulnerable | ['domains.tictail.com'] |
to target URL: <a href="https://tictail.com |
59. | Tilda | Edge Case | ['tilda.ws'] |
Please renew your subscription |
60. | Tumblr | Vulnerable | ['domains.tumblr.com'] |
Whatever you were looking for doesn't currently exist at this address |
61. | Uberflip | Vulnerable | ['read.uberflip.com', 'uberflip.com'] |
Non-hub domain, The URL you've accessed does not provide a hub. Please check the URL and try again. |
62. | Unbounce | Edge Case | ['unbouncepages.com'] |
The requested URL was not found on this server |
63. | UptimeRobot | Vulnerable | ['stats.uptimerobot.com'] |
This public status page <b>does not seem to exist</b>. |
64. | UserVoice | Vulnerable | ['uservoice.com'] |
This UserVoice subdomain is currently available |
65. | Vend | Vulnerable | ['vendecommerce.com'] |
Looks like you've traveled too far into cyberspace |
66. | WebFlow | Vulnerable | ['proxy.webflow.com', 'proxy-ssl.webflow.com'] |
<p class="description">The page you are looking for doesn't exist or has been moved.</p> |
67. | WishPond | Vulnerable | ['wishpond.com'] |
https://www.wishpond.com/404?campaign=true |
68. | Worksites.net | Vulnerable | ['NOT_AVAILABLE'] |
Hello! Sorry, but the website you’re looking for doesn’t exist. |
69. | Wordpress | Vulnerable | ['wordpress.com'] |
Do you want to register |
70. | Zendesk | Not Vulnerable | ['zendesk.com'] |
Help Center Closed |
71. | Appery.io | Vulnerable | [''] |
<p>This page will be updated automatically when your app is published.</p> |
72. | Vercel.com | Vulnerable | [''] |
The deployment could not be found on Vercel. |
73. | Datocms.com | Vulnerable | [''] |
<!doctype html><html><head><meta charset=\"utf-8\"><title>Loading...</title> |
74. | Jazzhr | Edge Case | ["jazzhr.com"] |
"This account no longer active" |
75. | Kinsta | Vulnerable | ["kinsta.com"] |
"No Site For Domain" |
76. | Smartjob | Vulnerable | ["smartjobboard.com", "mysmartjobboard.com"] |
"This job board website is either expired or its domain name is invalid" |
77. | Wufoo | Vulnerable | ["www.wufoo.com", "subdomain.wufoo.com", "hello.wufoo.com", "pizzapalace.wufoo.com"] |
"Hmmm....something is not right." |
78. | Wix | Vulnerable | ["wixdns.net"] |
"Error ConnectYourDomain occurred" |
79. | Sprintful | Vulnerable | ["proxy.sprintful.com", "cname.sprintful.com", "sprintful.com"] |
"This domain name does not have a default page configured." |
80. | Short-io | Vulnerable | ["cname.short.io"] |
"This domain is not configured on Short.io" |
81. | Pagewiz | Vulnerable | ["s1.pagewiz.net"] |
"pagewiz" |
82. | Netlify | Edge case | ["cname.netlify.app", "cname.netlify.com", "netlify.com", "netlify.app"] |
"Not found - Request ID:" |
83. | Gitbook | Vulnerable | ["gitbook.io"] |
"Domain not found" |
84. | Flywheel | Vulnerable | ["getflywheel.com"] |
"We're sorry, you've landed on a page that is hosted by Flywheel" |
85. | Announcekit | Vulnerable | ["cname.announcekit.app"] |
"Error 404 - AnnounceKit" |
86. | Flexbe | Edge Case | ["flexbe.com"] |
"flexbe" |
87. | Gemfury | Vulnerable | ["furyns.com"] |
"404: This page could not be found." |
88. | Hatenablog | Vulnerable | ["hatenablog.com"] |
"404 Blog is not found" |
- NOTE: Make sure to confirm Vulnerable Subdomain
- If you got a false positive result, then you can open a issue in this repo with that false +ve
- It will help us to decrease the false +ve count & will improve detection mechanism
- All Contributors are welcome, this repo needs contributors who will improve this tool to make it best.
- Add More Fingerprints & CNAMES
- If in future exisiting
Vulnerable
becomeEdge Case
orNot Vulnerable
, then please tell me know by opening a issue
- Pushpender (@PushpenderIndia)
- gauravdrago (@gauravdrago)