Subdominator: Open-source tool for detecting subdomain takeovers - Help Net Security (2024)

Subdominator is a dependable and fast open-source command-line interface tool to identify subdomain takeovers. It boasts superior accuracy and reliability, offering improvements compared to other tools.


“Initially, Subdominator was created internally because all the current subdomain takeover tools had gaps in their functionality. No tool had a complete set of accurate service fingerprints or features. As a cybersecurity company, we want to ensure our clients get consistent and comprehensive testing, so I developed a new tool to fill the gaps. While developing it, I discovered that there were features and optimizations that none of the existing tools had too, even if you used them in combination,” Colin Watson, CTO at Stratus Security, told Help Net Security.

Subdominator features

Service fingerprint accuracy: All fingerprints have been vetted and consolidated, so they are all accurate. This was a big issue in other tools.

Fingerprint count: The tool has 97 service fingerprints. Stratus Security reviewed every other tool the internet offered, and the next best was 80. Most popular tools have fewer than 50.

Nested DNS support: Subdominator will check the entire CNAME chain until it finds an A record, making sure nothing is missed (none of the other tools went past the first CNAME).

Alternate DNS records: The fingerprints support A and AAAA record matching, finding takeovers that have never been detectable before.

Speed: The tool runs ~8x faster than existing tools: a test on ~100,000 records took 19 minutes for us and 2.5 hours for every other tool (give or take a few minutes for each tool).
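The nested CNAME walk and A/AAAA matching from the feature list above, as an added Python example for auditing your own zone (not Subdominator's code). The zone snapshot, fingerprint names, suffixes and addresses are constructed assumptions, and only DNS data is checked, not HTTP responses.

```python
# Constructed zone snapshot (name -> records); documentation-range values, not real data.
ZONE = {
    "shop.corp.example": [("CNAME", "edge.cdn.example")],
    "edge.cdn.example": [("CNAME", "corp-shop.pages.hosting.example")],
    "corp-shop.pages.hosting.example": [],        # deprovisioned target, no records
    "docs.corp.example": [("CNAME", "lb.corp.example")],
    "lb.corp.example": [("A", "198.51.100.7")],
    "old.corp.example": [("A", "203.0.113.10")],
    "loop.corp.example": [("CNAME", "loop2.corp.example")],
    "loop2.corp.example": [("CNAME", "loop.corp.example")],
}
# Hypothetical fingerprints: service names, suffix and address are assumptions.
FINGERPRINTS = [
    {"service": "ExampleHosting", "cname_suffix": ".pages.hosting.example", "addresses": set()},
    {"service": "ExampleLegacyHost", "cname_suffix": None, "addresses": {"203.0.113.10"}},
]

def walk_chain(name, zone=ZONE, max_hops=10):
    """Follow CNAMEs from name; return (hops, addresses, status)."""
    hops, seen, current = [], {name}, name
    for _ in range(max_hops):
        records = zone.get(current, [])
        addresses = [v for t, v in records if t in ("A", "AAAA")]
        if addresses:
            return hops, addresses, "resolved"
        targets = [v for t, v in records if t == "CNAME"]
        if not targets:                           # chain ends without an address
            return hops, [], "dangling" if hops else "no-records"
        current = targets[0]
        if current in seen:                       # CNAME loop guard
            return hops, [], "loop"
        seen.add(current)
        hops.append(current)
    return hops, [], "truncated"                  # hop limit reached before the end

def audit(name, zone=ZONE, fingerprints=FINGERPRINTS, max_hops=10):
    """List services whose fingerprint matches any hop of a dangling chain, or a final address."""
    hops, addresses, status = walk_chain(name, zone, max_hops)
    services = []
    for fp in fingerprints:
        suffix = fp["cname_suffix"]
        by_cname = bool(suffix) and any(h.endswith(suffix) for h in hops)
        by_addr = bool(fp["addresses"] & set(addresses))
        if (by_cname and status == "dangling") or by_addr:
            services.append(fp["service"])
    return {"name": name, "chain": hops, "status": status, "services": services}

if __name__ == "__main__":
    for host in ("shop.corp.example", "docs.corp.example", "old.corp.example"):
        print(audit(host))
```

Calling `audit("shop.corp.example", max_hops=1)` reproduces a first-CNAME-only check and reports no service, because the matching hop is the second one in the chain.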

Plans for the future

Watson told us they are currently adding support for additional fingerprints, more output formats, and validators. The validators, in particular, will be great for cutting down on false positives from services like Azure, which historically needed to be manually checked. They are also hoping for the community to suggest some features.

Subdominator is available for free on GitHub.


FAQs

What is the best tool to check subdomain takeover?

Subdominator is a dependable and fast open-source command-line interface tool to identify subdomain takeovers.

What are some measures that can be taken to prevent subdomain takeover attacks?

Regularly Audit and Clean DNS Records

Regular DNS configuration reviews, especially CNAME and TXT records, are crucial. Removing or updating any outdated or irrelevant subdomain entries that point to third-party services that are no longer in use prevents vulnerable subdomains that attackers could take advantage of.

What is a subdomain takeover vulnerability?

A subdomain takeover occurs when an attacker gains control over a subdomain of a target domain. Typically, this happens when the subdomain has a canonical name (CNAME) in the Domain Name System (DNS), but no host is providing content for it.

Is subdomain takeover illegal?

Subdomain takeover can have severe legal implications, as attackers may engage in illegal activities or host malicious content on compromised subdomains. It's crucial to report any such incidents to law enforcement authorities and take immediate steps to mitigate the risks to protect your reputation and users.

What is the best tool to find subdomains?

The Best Subdomain Enumeration Tools
  • Google Dorking. Google Dorking is a passive subdomain enumeration technique using Google's advanced search operators, like "site:" to find information about a target, including subdomains. ...
  • Sublist3r. ...
  • Amass. ...
  • Recon-ng. ...
  • SubDomainizer. ...
  • Pentest Tools Subdomain Finder. ...
  • crt.sh. ...
  • Shodan.
May 13, 2024

What is the difference between DNS takeover and subdomain takeover?

A subdomain takeover occurs when you take over the service that some DNS records are pointing to. A DNS takeover occurs when you take over the DNS server that is assigned to that host. DNS takeovers are typically more severe because they give the attacker more control.

How to find dangling subdomains?

To identify DNS entries within your organization that might be dangling, use Microsoft's GitHub-hosted PowerShell tools "Get-DanglingDnsRecords". This tool helps Azure customers list all domains with a CNAME associated to an existing Azure resource that was created on their subscriptions or tenants.

What are subdomains in cyber security?

Subdomains are an integral part of the domain naming system (DNS) and serve as a means to organize and compartmentalize web content. These subdomains, typically represented as "sub.example.com," extend the functionality of a primary domain and often house distinct web services, applications, or microsites.

What is DNSSEC support?

The Domain Name System Security Extensions (DNSSEC) is a feature of the Domain Name System (DNS) that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but prevents attackers from manipulating or poisoning the responses to DNS requests.

Who owns a subdomain?

Let's say you are making a pitch to a client to create their new website. You can create a subdomain that is specifically intended for them to give an idea of what their new website might look like. This is hosted on your own main domain, while retaining ownership of the subdomain.

Which type of vulnerability can lead to account takeover?

Attackers can execute ATO attacks through various methods, including phishing, credential stuffing, malware, and exploiting security vulnerabilities. These techniques aim to steal or guess login credentials or exploit authenticated sessions.

What is a dangling subdomain?

A subdomain takeover can occur when you have a DNS record that points to a deprovisioned Azure resource. Such DNS records are also known as "dangling DNS" entries. Subdomain takeovers enable malicious actors to redirect traffic intended for an organization's domain to a site performing malicious activity.

What can hackers do with subdomains?

Here are just the 11 most common ways cybercriminals use hacked subdomains:
  • 1) Deface a website page and hurt a company's reputation. ...
  • 2) Steal user data. ...
  • 3) Create a “phishing” page on a credible subdomain. ...
  • 4) Put a redirect to a malicious website. ...
  • 5) Blackmail a company to get paid. ...
  • 6) Steal the source code of a website.
Jul 14, 2021

Why is subdomain not secure?

To secure a subdomain you need to either generate a new certificate for each subdomain or use a wildcard SSL certificate. A wildcard SSL certificate will automatically secure the main domain and all subdomains. A wildcard SSL certificate can be generated by using the Let's Encrypt DNS verification method.

Can a subdomain be malicious?

Phishing: SubdoMailing attackers use compromised subdomains to send massive amounts of spam emails. These emails can appear legitimate, tricking recipients into clicking malicious links or opening attachments.

What is subdomain checker?

Guardio Labs' SubdoMailing Checker

Guardio released a SubdoMailing Checker tool that quickly allows users to check if a domain has been compromised. It flags the affected subdomain and the date it was hijacked, along with clear guidance on how to protect your domain in the future.

What is subdomain hijacking?

It's a cyber threat executed when an attacker gains control of a legitimate subdomain that's no longer in use, then cleverly exploits the forgotten or misconfigured dangling DNS to host their own content on the previously used zone.

What is subdomain enumeration tool?

Subdomain enumeration is the process of listing out all the valid subdomains that are part of the larger domain.


Author: Pres. Carey Rath
