Find Subdomain Takeover with Amass + SubJack

Subdomain takeover was once a very popular vulnerability. It’s still constantly being discovered.
Of course, there are so many hackers running automated code that it’s hard to actually find it. but you’ll find it with lucky. and from the corporate security point of view, you have to check it out. so i share it.

So I just use it for reference in the subdomain. It’s… it’s almost never there on popular target, and it’s often duplicated if it’s vulnerable.


$ amass enum -norecursive -noalts -d {target_domain} > {target_domain}.txt ; subjack -w {target_domain}.txt -t 100 -timeout 30 -ssl -c ~/subjack/fingerprints.json -v 3

Replace {target_domain} to your target! (It's convenient to be an editor like IDE or geany)



Install Amass
on Mac
$ brew tap caffix/amass; brew isntall amass

or(on ubuntu with apt)

$ apt-get install amass

or(on docker)

$ docker build -t amass
$ docker run -v ~/amass:/amass/ amass enum --list

or(with snapcraft)
$ snap install amass

running command: $ amass enum -d [target domain]


Install subjack on goget!
go get

set alias
alias subjack='~/go/bin/subjack'

running command: subjack -w target.txt -c config_file

I've added some more content after watching this( thank you, guys!

Write oneline command.

write result file on amass
$ amass enum -norecursive -noalts -d {target_domain} > {target_domain}.txt

read subdomain list(-w options) on subjack
$ subjack -w {target_domain}.txt -t 100 -timeout 30 -ssl -c ~/subjack/fingerprints.json -v 3


$ amass enum -norecursive -noalts -d {target_domain} > {target_domain}.txt ; subjack -w {target_domain}.txt -t 100 -timeout 30 -ssl -c ~/subjack/fingerprints.json -v 3


The majority of bounty hunters are turning all the domains in the Bergbounty scope. It’s a perfect time fight.

and ... If you use FDSN(, you can get a lot of domains.