Search
Find Subdomain Takeover with Amass + SubJack
1 min read

Find Subdomain Takeover with Amass + SubJack

HAHWUL's Picture
HAHWUL in security

Subdomain takeover was once a very popular vulnerability. It’s still constantly being discovered. Of course, there are so many hackers running automated code that it’s hard to actually find it. but you’ll find it with lucky. and from the corporate security point of view, you have to check it out. so i share it.

So I just use it for reference in the subdomain. It’s… it’s almost never there on popular target, and it’s often duplicated if it’s vulnerable.

TLDR

amass enum -norecursive -noalts -d {target_domain} > {target_domain}.txt ; subjack -w {target_domain}.txt -t 100 -timeout 30 -ssl -c ~/subjack/fingerprints.json -v 3

Replace {target_domain} to your target! (It’s convenient to be an editor like IDE or geany)

Pre-install

Amass

Install Amass

on Mac
brew tap caffix/amass; brew install amass

or(on ubuntu with apt)

apt-get install amass

or(on docker)

docker build -t amass https://github.com/OWASP/Amass.git
docker run -v ~/amass:/amass/ amass enum --list

or(with snapcraft)
snap install amass

https://github.com/OWASP/Amass/blob/master/doc/install.md https://www.hahwul.com/2019/09/owasp-amass-dns-enumnetwork-mapping.html

running command: $ amass enum -d [target domain]

Subjack

Install subjack on goget!

go get github.com/haccer/subjack

set alias

alias subjack='~/go/bin/subjack'

running command: subjack -w target.txt -c config_file

I’ve added some more content after watching this(https://twitter.com/C5pider/status/1185672360717893633). thank you, guys!

Write oneline command.

write result file on amass

amass enum -norecursive -noalts -d {target_domain} > {target_domain}.txt

read subdomain list(-w options) on subjack

subjack -w {target_domain}.txt -t 100 -timeout 30 -ssl -c ~/subjack/fingerprints.json -v 3

PPAP

amass enum -norecursive -noalts -d {target_domain} > {target_domain}.txt ; subjack -w {target_domain}.txt -t 100 -timeout 30 -ssl -c ~/subjack/fingerprints.json -v 3

Conclusion

The majority of bounty hunters are turning all the domains in the Bergbounty scope. It’s a perfect time fight.

https://github.com/arkadiyt/bounty-targets-data

and … If you use FDSN(https://opendata.rapid7.com/sonar.fdns_v2/), you can get a lot of domains.


You may also like

ZAP에서 우아하게 Cookie 기반 Auth 테스팅하기
3 min read

ZAP에서 우아하게 Cookie 기반 Auth 테스팅하기

HAHWUL's Picture
HAHWUL in security zap
Hello Caido 👋🏼
2 min read

Hello Caido 👋🏼

HAHWUL's Picture
HAHWUL in security
CORS Bypass via dot
1 min read

CORS Bypass via dot

HAHWUL's Picture
HAHWUL in security develop

Latest Posts

ZAP에서 우아하게 Cookie 기반 Auth 테스팅하기
3 min read

ZAP에서 우아하게 Cookie 기반 Auth 테스팅하기

HAHWUL's Picture
HAHWUL
Hello Caido 👋🏼
2 min read

Hello Caido 👋🏼

HAHWUL's Picture
HAHWUL

Explore Tags

cullinan develop go jekyll metasploit oast rails ruby security system zap