Saturday, August 20, 2022
Subdomain Takeover Tool For Attackers, Bug Bounty Hunters And The Blue Team!

DNS Reaper is yet another sub-domain takeover tool, but with an emphasis on accuracy, speed and the number of signatures in our arsenal!

We can scan around 50 subdomains per second, testing each one with over 50 takeover signatures. This means most organisations can scan their entire DNS estate in less than 10 seconds.

You can use DNS Reaper as an attacker or bug hunter!

You can run it by providing a list of domains in a file, or a single domain on the command line. DNS Reaper will then scan the domains with all of its signatures, producing a CSV file.

You can use DNS Reaper as a defender!

You can run it by letting it fetch your DNS records for you! Yes, that's right: you can run it with credentials and test all of your domain config quickly and easily. DNS Reaper will connect to the DNS provider, fetch all of your records, and then test them.

We currently support AWS Route53, Cloudflare, and Azure. Documentation on adding your own provider can be found here.

You can use DNS Reaper as a DevSecOps Pro!

Punk Security are a DevSecOps company, and DNS Reaper has its roots in modern security best practice.

You can run DNS Reaper in a pipeline, feeding it a list of domains that you intend to provision, and it will exit non-zero if it detects a takeover is possible. You can prevent takeovers before they are even possible!
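To make the checks above concrete, here is a small added example (not DNS Reaper's own code) of the simplest takeover signature: a CNAME whose target no longer resolves. It uses a constructed in-memory zone and resolver table so it runs offline, reports a "probable" tier for dangling targets and, when enabled, an assumed "unlikely" tier for any external CNAME that still resolves, and mirrors the pipeline behaviour by returning a non-zero exit code on any finding. The zone names, the resolver table and the definition of the "unlikely" tier are assumptions for this example only.

```python
"""Dangling-CNAME check in the spirit of DNS Reaper (added example, not the tool's code)."""
import csv
import io
import sys

# Constructed sample zone, standing in for records a provider would hand back.
ZONE = {
    "www.example.test": ("A", "203.0.113.10"),
    "blog.example.test": ("CNAME", "blog-old.pages.hosting.test."),  # target gone
    "app.example.test": ("CNAME", "app-live.pages.hosting.test."),   # target resolves
    "cdn.example.test": ("CNAME", "static.example.test."),           # internal alias
}

# Constructed resolver answers; any name missing here is treated as NXDOMAIN.
RESOLVES = {
    "app-live.pages.hosting.test.": "198.51.100.5",
    "static.example.test.": "203.0.113.11",
}


def lookup(name, resolves=RESOLVES):
    """Stand-in for a DNS query: address string, or None for NXDOMAIN."""
    return resolves.get(name)


def scan(zone, apex, enable_unlikely=False, resolves=RESOLVES):
    """Return [(domain, target, confidence)] for CNAMEs that may be hijackable.

    probable: the CNAME target does not resolve (a dangling record).
    unlikely: target resolves but sits outside our apex (assumed tier definition
              for this example; noisy, so off by default like --enable-unlikely).
    """
    findings = []
    for domain, (rtype, target) in zone.items():
        if rtype != "CNAME":
            continue
        bare = target.rstrip(".")
        if lookup(target, resolves) is None:
            findings.append((domain, target, "probable"))
        elif enable_unlikely and not (bare == apex or bare.endswith("." + apex)):
            findings.append((domain, target, "unlikely"))
    return findings


def to_csv(findings):
    """Render findings as CSV text, one row per finding."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["domain", "target", "confidence"])
    writer.writerows(findings)
    return buf.getvalue()


def pipeline_exit_code(findings):
    """Mirror --pipeline: non-zero when anything was detected, so CI fails."""
    return 1 if findings else 0


if __name__ == "__main__":
    results = scan(ZONE, "example.test", "--enable-unlikely" in sys.argv)
    sys.stdout.write(to_csv(results))
    sys.exit(pipeline_exit_code(results))
```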

Usage

To run DNS Reaper, you can use the Docker image or run it with Python 3.10.

Findings are returned in the output and more detail is provided in a local "results.csv" file. We also support JSON output as an option.

Run it with Docker

docker run punksecurity/dnsreaper --help

Run it with Python

pip install -r requirements.txt
python main.py --help

Common commands

  • Scan AWS account:

    docker run punksecurity/dnsreaper aws --aws-access-key-id <key> --aws-access-key-secret <secret>

    For more information, see the documentation for the aws provider

  • Scan all domains from file:

    docker run -v $(pwd):/etc/dnsreaper punksecurity/dnsreaper file --filename /etc/dnsreaper/<filename>

  • Scan a single domain:

    docker run punksecurity/dnsreaper single --domain <domain>

  • Scan a single domain and output to stdout:

    You should either redirect the stderr output or save the stdout output with >

    docker run punksecurity/dnsreaper single --domain <domain> --out stdout --out-format=json > output

Full usage

[ASCII-art banner: "PunkSecurity PRESENTS"]
DNS Reaper ☠️

Scan all your DNS records for subdomain takeovers!

usage:
.\main.py provider [options]

output:
findings output to screen and (by default) results.csv

help:
.\main.py --help

providers:
> aws - Scan multiple domains by fetching them from AWS Route53
> azure - Scan multiple domains by fetching them from Azure DNS services
> bind - Read domains from a dns BIND zone file, or path to multiple
> cloudflare - Scan multiple domains by fetching them from Cloudflare
> file - Read domains from a file, one per line
> single - Scan a single domain by providing a domain on the commandline
> zonetransfer - Scan multiple domains by fetching records via DNS zone transfer

positional arguments:
{aws,azure,bind,cloudflare,file,single,zonetransfer}

options:
-h, --help show this help message and exit
--out OUT Output file (default: results) - use 'stdout' to stream out
--out-format {csv,json}
--resolver RESOLVER
Provide a custom DNS resolver (or multiple separated by commas)
--parallelism PARALLELISM
Number of domains to test in parallel - too high and you may see odd DNS results (default: 30)
--disable-probable Do not check for probable conditions
--enable-unlikely Check for more conditions, but with a high false positive rate
--signature SIGNATURE
Only scan with this signature (multiple accepted)
--exclude-signature EXCLUDE_SIGNATURE
Do not scan with this signature (multiple accepted)
--pipeline Exit Non-Zero on detection (used to fail a pipeline)
-v, --verbose -v for verbose, -vv for extra verbose
--nocolour Turns off coloured text

aws:
Scan multiple domains by fetching them from AWS Route53

--aws-access-key-id AWS_ACCESS_KEY_ID
Optional
--aws-access-key-secret AWS_ACCESS_KEY_SECRET
Optional

azure:
Scan multiple domains by fetching them from Azure DNS services

--az-subscription-id AZ_SUBSCRIPTION_ID
Required
--az-tenant-id AZ_TENANT_ID
Required
--az-client-id AZ_CLIENT_ID
Required
--az-client-secret AZ_CLIENT_SECRET
Required

bind:
Read domains from a dns BIND zone file, or path to multiple

--bind-zone-file BIND_ZONE_FILE
Required

cloudflare:
Scan multiple domains by fetching them from Cloudflare

--cloudflare-token CLOUDFLARE_TOKEN
Required

file:
Read domains from a file, one per line

--filename FILENAME Required

single:
Scan a single domain by providing a domain on the commandline

--domain DOMAIN Required

zonetransfer:
Scan multiple domains by fetching records via DNS zone transfer

--zonetransfer-nameserver ZONETRANSFER_NAMESERVER
Required
--zonetransfer-domain ZONETRANSFER_DOMAIN
Required
