DNS Reaper is yet another sub-domain takeover tool, but with an emphasis on accuracy, speed and the number of signatures in our arsenal!
We can scan around 50 subdomains per second, testing each one with over 50 takeover signatures. This means most organisations can scan their entire DNS estate in less than 10 seconds.
You can use DNS Reaper as an attacker or bug hunter!
You can run it by providing a list of domains in a file, or a single domain on the command line. DNS Reaper will then scan the domains with all of its signatures, producing a CSV file.
You can use DNS Reaper as a defender!
You can run it by letting it fetch your DNS records for you! Yes, that's right, you can run it with credentials and test all of your domain config quickly and easily. DNS Reaper will connect to the DNS provider, fetch all of your records, and then test them.
We currently support AWS Route53, Cloudflare, and Azure. Documentation on adding your own provider can be found here
You can use DNS Reaper as a DevSecOps Pro!
Punk Security are a DevSecOps company, and DNS Reaper has its roots in modern security best practice.
You can run DNS Reaper in a pipeline, feeding it a list of domains that you intend to provision, and it will exit non-zero if it detects that a takeover is possible. You can prevent takeovers before they are even possible!
Usage
To run DNS Reaper, you can use the docker image or run it with python 3.10.
Findings are returned in the output and more detail is provided in a local "results.csv" file. We also support json output as an option.
Run it with docker
docker run punksecurity/dnsreaper --help
Run it with python
pip install -r requirements.txt
python main.py --help
Common commands
- Scan AWS account:
docker run punksecurity/dnsreaper aws --aws-access-key-id <key> --aws-access-key-secret <secret>
For more information, see the documentation for the aws provider
- Scan all domains from file:
docker run -v $(pwd):/etc/dnsreaper punksecurity/dnsreaper file --filename /etc/dnsreaper/<filename>
- Scan single domain:
docker run punksecurity/dnsreaper single --domain <domain>
- Scan single domain and output to stdout:
You should either redirect the stderr output or save the stdout output with >
docker run punksecurity/dnsreaper single --domain <domain> --out stdout --out-format=json > output
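The pipeline use described above (feed DNS Reaper the domains you are about to provision and fail the job when it exits non-zero), written out as a small CI gate. This is an added example and not part of the DNS Reaper project; it assumes docker is installed, the domain list is in the working directory, and it introduces a hypothetical DNSREAPER_CMD variable so the docker command can be swapped out when testing the wrapper itself.

```shell
#!/bin/sh
# Added example, not from the DNS Reaper project: gate a CI job on the
# --pipeline exit status so a takeover-prone record blocks provisioning.
# Assumes docker is installed and the domain list lives in the working
# directory. DNSREAPER_CMD is an assumed override hook (e.g. for tests);
# by default it is the README's docker invocation with the bind mount.
set -u

DNSREAPER_CMD="${DNSREAPER_CMD:-docker run --rm -v $(pwd):/etc/dnsreaper punksecurity/dnsreaper}"

# Constructed sample list of domains the pipeline intends to provision.
write_sample_domains() {
  cat > "$1" <<'EOF'
app.example.com
cdn.example.com
EOF
}

# Run DNS Reaper over the list. The mounted path mirrors the README's
# docker command; --pipeline makes the tool exit non-zero on detection,
# and JSON goes to stdout so the CI job can keep it as an artifact.
scan_planned_domains() {
  $DNSREAPER_CMD file --filename "/etc/dnsreaper/$1" \
    --pipeline --out stdout --out-format=json
}

# Turn the scan's exit status into a pipeline decision (0 = proceed).
gate() {
  if [ "$1" -eq 0 ]; then
    echo "no takeover detected: safe to provision"
    return 0
  fi
  echo "takeover possible (dnsreaper exit $1): blocking provisioning" >&2
  return 1
}

main() {
  write_sample_domains domains.txt
  scan_planned_domains domains.txt > dnsreaper.json
  gate $?
}

# Run end to end only when invoked as "sh gate.sh run", so the functions
# can also be sourced without triggering a docker call.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Stderr is left untouched on purpose: the findings summary DNS Reaper prints there stays visible in the CI log while the JSON is captured separately.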
Full usage
(ASCII-art banner: Punk Security PRESENTS)
DNS Reaper ☠️ Scan all your DNS records for subdomain takeovers!
usage:
.\main.py provider [options]
output:
findings output to screen and (by default) results.csv
help:
.\main.py --help
providers:
> aws - Scan multiple domains by fetching them from AWS Route53
> azure - Scan multiple domains by fetching them from Azure DNS services
> bind - Read domains from a dns BIND zone file, or path to multiple
> cloudflare - Scan multiple domains by fetching them from Cloudflare
> file - Read domains from a file, one per line
> single - Scan a single domain by providing a domain on the commandline
> zonetransfer - Scan multiple domains by fetching records via DNS zone transfer
positional arguments:
{aws,azure,bind,cloudflare,file,single,zonetransfer}
options:
-h, --help Show this help message and exit
--out OUT Output file (default: results) - use 'stdout' to stream out
--out-format {csv,json}
--resolver RESOLVER
Provide a custom DNS resolver (or multiple separated by commas)
--parallelism PARALLELISM
Number of domains to test in parallel - too high and you may see odd DNS results (default: 30)
--disable-probable Do not check for probable conditions
--enable-unlikely Check for more conditions, but with a high false positive rate
--signature SIGNATURE
Only scan with this signature (multiple accepted)
--exclude-signature EXCLUDE_SIGNATURE
Do not scan with this signature (multiple accepted)
--pipeline Exit Non-Zero on detection (used to fail a pipeline)
-v, --verbose -v for verbose, -vv for extra verbose
--nocolour Turns off coloured text
aws:
Scan multiple domains by fetching them from AWS Route53
--aws-access-key-id AWS_ACCESS_KEY_ID
Optional
--aws-access-key-secret AWS_ACCESS_KEY_SECRET
Optional
azure:
Scan multiple domains by fetching them from Azure DNS services
--az-subscription-id AZ_SUBSCRIPTION_ID
Required
--az-tenant-id AZ_TENANT_ID
Required
--az-client-id AZ_CLIENT_ID
Required
--az-client-secret AZ_CLIENT_SECRET
Required
bind:
Read domains from a dns BIND zone file, or path to multiple
--bind-zone-file BIND_ZONE_FILE
Required
cloudflare:
Scan multiple domains by fetching them from Cloudflare
--cloudflare-token CLOUDFLARE_TOKEN
Required
file:
Read domains from a file, one per line
--filename FILENAME Required
single:
Scan a single domain by providing a domain on the commandline
--domain DOMAIN Required
zonetransfer:
Scan multiple domains by fetching records via DNS zone transfer
--zonetransfer-nameserver ZONETRANSFER_NAMESERVER
Required
--zonetransfer-domain ZONETRANSFER_DOMAIN
Required