Skip to content

Subdover is a MultiThreaded Subdomain Takeover Vulnerability Scanner Written In Python3

Notifications You must be signed in to change notification settings

PushpenderIndia/subdover

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

76 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

SubDover

Subdover is a MultiThreaded Subdomain Takeover Vulnerability Scanner Written In Python3, Which has more than 88+ Fingerprints of potentially vulnerable services. Uses CNAME record for verification of findings.

Built-in Subdomain Enumeration Feature & Auto HTTP prober [Uses Open Source Tool for Subdomain Enum & HTTP probing i.e. findomain & httpx]

Total_Fingerprints(Aquatone + Subjack + Subzy + SubOver) <<< Total_Fingerprints(SubDover)

Disclaimer

đź’» This project was created only for good purposes and personal use.

THIS SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. YOU MAY USE THIS SOFTWARE AT YOUR OWN RISK. THE USE IS COMPLETE RESPONSIBILITY OF THE END-USER. THE DEVELOPERS ASSUME NO LIABILITY AND ARE NOT RESPONSIBLE FOR ANY MISUSE OR DAMAGE CAUSED BY THIS PROGRAM.

Features

  • More than 70+ Fingerprints of potentially vulnerable services
  • Uses CNAME record for verification of findings
  • Built-in Subdomain Enumeration Method [Used findomain for Subdomain Enum]
  • Can Scan targets from subdomain list
  • Can Test Single Target for Subdomain Takeover
  • MultiThread, Extermely Fast Scanner [Default Threads: 10]
  • You can choose number of threads
  • You can save result in TXT file
  • Extremely Clean Output
  • OS Independent [Can be used on any OS which supports Python3]
  • Auto Command Line Updater

Tested On

Kali) Kali Linux - ROLLING EDITION

Windows) Windows 10

Windows) Windows 8.1 - Pro

Prerequisite

  • Python 3.X
  • Few External Modules

How To Use in Linux

# Navigate to the /opt directory (optional)
$ cd /opt/

# Clone this repository
$ git clone https://github.com/PushpenderIndia/subdover.git

# Navigate to subdover folder
$ cd subdover

# Installing dependencies
$ chmod +x installer_linux.py
$ sudo python3 installer_linux.py

# Giving Executable Permission & Checking Help Menu
$ chmod +x subdover.py
$ sudo python3 subdover.py --help

# Testing Single Target [Running Without Giving Parameter]
$ sudo python3 subdover.py

# Enumerating Subdomain & Testing them for Subdomain Takeover
$ sudo python3 subdover.py -d target.com 

# Testing targets for Subdomain Takeover from subdomain list
$ sudo python3 subdover.py --list example_target.txt 

# Changing Number of Threads
$ sudo python3 subdover.py --thread 30 -d target.com

# Saving Result
$ sudo python3 subdover.py -d target.com -o result.txt

# Show Fingerprints & Exit
$ sudo python3 subdover.py -s

How To Use in Windows

# Download this project as zip

# Navigate to subdover folder
$ cd subdover

# Installing dependencies
$ python -m pip install -r requirements.txt

# Checking Help Menu
$ python subdover.py --help

# Testing Single Target [Running Without Giving Parameter]
$ python subdover.py

# Enumerating Subdomain & Testing them for Subdomain Takeover
$ python subdover.py -d target.com 

# Testing targets for Subdomain Takeover from subdomain list
$ python subdover.py --list example_target.txt 

# Changing Number of Threads
$ python subdover.py --thread 30 -d target.com

# Saving Result
$ python subdover.py -d target.com -o result.txt

# Show Fingerprints & Exit
$ python subdover.py -s

How to Install Subdover in PentestBox

# Navigate to C:\PentestBox\bin\customtools Directory
$ cd C:\PentestBox\bin\customtools

# Clone This GitHub Repo
$ git clone https://github.com/PushpenderIndia/subdover.git

# Navigate to subdover folder
$ cd subdover

# Install Python Dependencies
$ python -m pip install -r requirements.txt

# Add Console Shortcut/Alias In PentestBox
$ echo subdover=python "%pentestbox_ROOT%\bin\customtools\subdover\subdover.py" $* >> ../customaliases

Available Arguments

  • Optional Arguments
Short Hand Full Hand Description
-h --help show this help message and exit
-t --thread Number of Threads to Used. Default=10
-o --output Save Result in TXT file
-skip --skip-httpx Skip HTTP/HTTPS Protocal Resolution (HTTP Probing) [NOTE]: You must manually use httpx/httprobe on your subdomain list & then provide that final subdomains list using --list or -l flag
-s --fingerprints Show Available Fingerprints & Exit
  • Required Arguments
Short Hand Full Hand Description
-d --domain Target Wildcard Domain [For AutoSubdomainEnumeration], ex:- google.com
-l --list Target Subdomain List, ex:- google_subdomain.txt

Available Fingerprints & CNAMES of potentially vulnerable services

No. Service Name Status CNAME Fingerprints
1. Acquia Vulnerable ['acquia-test.co'] The site you are looking for could not be found.
2. ActiveCampaign Vulnerable ['activehosted.com'] alt="LIGHTTPD - fly light."
3. AfterShip Vulnerable ['aftership.com'] Oops.</h2><p class="text-muted text-tight">The page you're looking for doesn't exist.
4. AgileCRM Vulnerable ['cname.agilecrm.com', 'agilecrm.com'] Sorry, this page is no longer available.
5. Aha Vulnerable ['ideas.aha.io'] There is no portal here ... sending you back to Aha!
6. Airee.ru Vulnerable ['cdn.airee.com', 'airee.com'] LaterADD
7. Anima Vulnerable ['NOT_AVAILABLE'] If this is your website and you've just created it, try refreshing in a minute
8. Apigee Vulnerable ['-portal.apigee.net']
9. AWS/S3 Vulnerable ['amazonaws'] The specified bucket does not exist
10. Bigcartel Vulnerable ['bigcartel.com'] <h1>Oops! We could&#8217;t find that page.</h1>
11. Bitbucket Vulnerable ['bitbucket.io'] Repository not found
12. Brightcove Vulnerable ['bcvp0rtal.com', 'brightcovegallery.com', 'gallery.video'] <p class="bc-gallery-error-code">Error Code: 404</p>
13. Canny.io Vulnerable ['cname.canny.io'] There is no such company. Did you enter the right URL?
14. CampaignMonitor Vulnerable ['createsend.com', 'name.createsend.com'] Double check the URL or <a href="mailto:help@createsend.com
15. Cargo Vulnerable ['cargocollective.com'] If you're moving your domain away from Cargo you must make this configuration through your registrar's DNS control panel.
16. CargoCollective Vulnerable ['subdomain.cargocollective.com'] 404 Not Found
17. Cloudfront Edge case ['cloudfront.net'] Bad Request: ERROR: The request could not be satisfied
18. Desk Not vulnerable ['desk.com'] Please try again or try Desk.com free for 14 days.
19. ElasticBeanstalk_AWS_service Vulnerable ['elasticbeanstalk.com']
20. Fastly Edge case ['fastly.net'] Fastly error: unknown domain:
21. Feedpress Vulnerable ['redirect.feedpress.me'] The feed has not been found.
22. Freshdesk Vulnerable ['freshdesk.com'] May be this is still fresh!
23. Frontify Vulnerable ['frontify.com'] 404 - Page Not Found</h1>
24. GetResponse Vulnerable ['.gr8.com'] With GetResponse Landing Pages, lead generation has never been easier
25. Ghost Vulnerable ['ghost.io'] The thing you were looking for is no longer here, or never was
26. Github Vulnerable ['github.io'] There isn't a GitHub Pages site here.
27. Help Juice Vulnerable ['helpjuice.com'] We could not find what you're looking for
28. Helprace Vulnerable ['helprace.com'] Admin of this Helprace account needs to set up domain alias
29. Help Scout Vulnerable ['helpscoutdocs.com'] No settings were found for this company
30. Heroku Edge case ['herokuapp'] No such app
31. Hubspot Vulnerable ['sites.hubspot.net'] Domain Not found
32. Instapage Vulnerable ['pageserve.co', 'secure.pageserve.co', 'instapage.com'] You've Discovered A Missing Link. Our Apologies!
33. InterCom Vulnerable ['custom.intercom.help'] <h1 class="headline"Uh oh. That page doesn't exist.</h1>
34. JetBrains Vulnerable ['myjetbrains.com'] is not a registered InCloud YouTrack
35. Kajabi Vulnerable ['endpoint.mykajabi.com'] <h1>The page you were looking for doesn't exist.</h1>
36. Landingi Vulnerable ['cname.landingi.com'] <p>The page you are looking for is not found.</p>
37. LaunchRock Vulnerable ['launchrock.com'] It looks like you may have taken a wrong turn somewhere. Don't worry...it happens to all of us.
38. LeadPages.com Vulnerable ['custom-proxy.leadpages.net', 'leadpages.net'] Double check that you have the right web address and give it another go!</p>
39. Mashery Edge Case ['mashery.com'] Unrecognized domain
40. MicrosoftAzure Vulnerable ['cloudapp.net', 'cloudapp.azure.com', 'azurewebsites.net', 'blob.core.windows.net', 'cloudapp.azure.com', 'azure-api.net', 'azurehdinsight.net', 'azureedge.net', 'azurecontainer.io', 'database.windows.net', 'azuredatalakestore.net', 'search.windows.net', 'azurecr.io', 'redis.cache.windows.net', 'azurehdinsight.net', 'servicebus.windows.net', 'visualstudio.com'] 404 Web Site not found
41. Ngrok Vulnerable ['ngrok.io'] ngrok.io not found
42. Pantheon Vulnerable ['pantheonsite.io'] The gods are wise, but do not know of the site which you seek.
43. Pingdom Vulnerable ['stats.pingdom.com'] This public report page has not been activated by the user
44. Proposify Vulnerable ['proposify.biz'] If you need immediate assistance, please contact <a href="mailto:support@proposify.biz
45. Readme.io Vulnerable ['readme.io'] Project doesnt exist... yet!
46. ReadTheDocs.org Vulnerable ['readthedocs.io'] is unknown to Read the Docs
47. Shopify Edge Case ['myshopify.com'] Sorry, this shop is currently unavailable
48. SimpleBooklet Vulnerable ['simplebooklet.com'] We can't find this <a href="https://simplebooklet.com
49. Smartling Vulnerable ['smartling.com'] Domain is not configured
50. Smugmug Vulnerable ['domains.smugmug.com']
51. StatusPage Vulnerable ['statuspage.io'] You are being <a href="https://www.statuspage.io">redirected
52. Strikingly Vulnerable ['.s.strikinglydns.com'] But if you're looking to build your own website,
53. Surge.sh Vulnerable ['surge.sh'] project not found
54. Surveygizmo Vulnerable ['privatedomain.sgizmo.com', 'privatedomain.surveygizmo.eu', 'privatedomain.sgizmoca.com'] data-html-name
55. Tave Vulnerable ['clientaccess.tave.com'] <h1>Error 404: Page Not Found</h1>
56. Teamwork Vulnerable ['teamwork.com'] Oops - We didn't find your site.
57. Thinkific Vulnerable ['thinkific.com'] You may have mistyped the address or the page may have moved.
58. Tictail Vulnerable ['domains.tictail.com'] to target URL: <a href="https://tictail.com
59. Tilda Edge Case ['tilda.ws'] Please renew your subscription
60. Tumblr Vulnerable ['domains.tumblr.com'] Whatever you were looking for doesn't currently exist at this address
61. Uberflip Vulnerable ['read.uberflip.com', 'uberflip.com'] Non-hub domain, The URL you've accessed does not provide a hub. Please check the URL and try again.
62. Unbounce Edge Case ['unbouncepages.com'] The requested URL was not found on this server
63. UptimeRobot Vulnerable ['stats.uptimerobot.com'] This public status page <b>does not seem to exist</b>.
64. UserVoice Vulnerable ['uservoice.com'] This UserVoice subdomain is currently available
65. Vend Vulnerable ['vendecommerce.com'] Looks like you've traveled too far into cyberspace
66. WebFlow Vulnerable ['proxy.webflow.com', 'proxy-ssl.webflow.com'] <p class="description">The page you are looking for doesn't exist or has been moved.</p>
67. WishPond Vulnerable ['wishpond.com'] https://www.wishpond.com/404?campaign=true
68. Worksites.net Vulnerable ['NOT_AVAILABLE'] Hello! Sorry, but the website you&rsquo;re looking for doesn&rsquo;t exist.
69. Wordpress Vulnerable ['wordpress.com'] Do you want to register
70. Zendesk Not Vulnerable ['zendesk.com'] Help Center Closed
71. Appery.io Vulnerable [''] <p>This page will be updated automatically when your app is published.</p>
72. Vercel.com Vulnerable [''] The deployment could not be found on Vercel.
73. Datocms.com Vulnerable [''] <!doctype html><html><head><meta charset=\"utf-8\"><title>Loading...</title>
74. Jazzhr Edge Case ["jazzhr.com"] "This account no longer active"
75. Kinsta Vulnerable ["kinsta.com"] "No Site For Domain"
76. Smartjob Vulnerable ["smartjobboard.com", "mysmartjobboard.com"] "This job board website is either expired or its domain name is invalid"
77. Wufoo Vulnerable ["www.wufoo.com", "subdomain.wufoo.com", "hello.wufoo.com", "pizzapalace.wufoo.com"] "Hmmm....something is not right."
78. Wix Vulnerable ["wixdns.net"] "Error ConnectYourDomain occurred"
79. Sprintful Vulnerable ["proxy.sprintful.com", "cname.sprintful.com", "sprintful.com"] "This domain name does not have a default page configured."
80. Short-io Vulnerable ["cname.short.io"] "This domain is not configured on Short.io"
81. Pagewiz Vulnerable ["s1.pagewiz.net"] "pagewiz"
82. Netlify Edge case ["cname.netlify.app", "cname.netlify.com", "netlify.com", "netlify.app"] "Not found - Request ID:"
83. Gitbook Vulnerable ["gitbook.io"] "Domain not found"
84. Flywheel Vulnerable ["getflywheel.com"] "We're sorry, you've landed on a page that is hosted by Flywheel"
85. Announcekit Vulnerable ["cname.announcekit.app"] "Error 404 - AnnounceKit"
86. Flexbe Edge Case ["flexbe.com"] "flexbe"
87. Gemfury Vulnerable ["furyns.com"] "404: This page could not be found."
88. Hatenablog Vulnerable ["hatenablog.com"] "404 Blog is not found"
  • NOTE: Make sure to confirm Vulnerable Subdomain
  • If you got a false positive result, then you can open a issue in this repo with that false +ve
  • It will help us to decrease the false +ve count & will improve detection mechanism

Screenshots

Help Menu

Scan Single Target

Enumerate Subdomain & Scan

Scan Targets from SubdomainList

Saving Result

Result of Scan

Contribute

  • All Contributors are welcome, this repo needs contributors who will improve this tool to make it best.

TODO

  • Add More Fingerprints & CNAMES
  • If in future exisiting Vulnerable become Edge Case or Not Vulnerable, then please tell me know by opening a issue

Contributers

  • Pushpender (@PushpenderIndia)
  • gauravdrago (@gauravdrago)