DNSTake - A Fast Tool To Check Missing Hosted DNS Zones That Can Lead To Subdomain Takeover

<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-LGMSUcdo2JM/YUK0T3V-wmI/AAAAAAAAumU/6VQzYIHfowQkYRjUfQivB78oB7xET-I8QCNcBGAsYHQ/s1218/DNSTake.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="307" data-original-width="1218" height="162" src="https://1.bp.blogspot.com/-LGMSUcdo2JM/YUK0T3V-wmI/AAAAAAAAumU/6VQzYIHfowQkYRjUfQivB78oB7xET-I8QCNcBGAsYHQ/w640-h162/DNSTake.png" width="640" /></a></div><p><br /></p> <p>A fast tool to check for missing hosted DNS zones that can lead to subdomain takeover.</p> <br /><span style="font-size: large;"><b>What is a DNS takeover?</b></span><br /> <p>DNS takeover <a href="https://www.kitploit.com/search/label/vulnerabilities" target="_blank" title="vulnerabilities">vulnerabilities</a> occur when a subdomain (subdomain.example.com) or domain has its authoritative nameserver set to a provider (e.g. AWS Route 53, Akamai, Microsoft Azure, etc.) but the hosted zone has been removed or deleted. Consequently, when making a <a href="https://www.diggui.com/#type=A&hostname=github.technology&nameserver=public&public=8.8.8.8&specify=&clientsubnet=&tcp=def&transport=def&mapped=def&nssearch=def&trace=def&recurse=def&edns=def&dnssec=def&subnet=def&cookie=def&all=def&cmd=def&question=def&answer=def&authority=def&additional=def&comments=def&stats=def&multiline=def&short=def&colorize=on" rel="nofollow" target="_blank" title="request for DNS records">request for DNS records</a> the server responds with a <code>SERVFAIL</code> error. This allows an attacker to create the missing hosted zone on the service that was being used and thus control all DNS records for that (sub)domain.¹</p><span><a name="more"></a></span><div><br /></div><span style="font-size: large;"><b>Installation</b></span><br /> <br /><b>from Binary</b><br /> <p>The ez way! 
You can download a pre-built binary from the <a href="https://github.com/pwnesia/dnstake/releases" rel="nofollow" target="_blank" title="releases page">releases page</a>, then just unpack and run!</p> <br /><b>from Source</b><br /> <table> <tbody><tr><td><b>NOTE:</b> A <a href="https://golang.org/doc/install" rel="nofollow" target="_blank" title="Go 1.16+ compiler">Go 1.16+ compiler</a> should be installed &amp; configured!</td> </tr></tbody></table> <p>Very quick &amp; clean!</p> <div class="highlight highlight-source-shell position-relative" data-snippet-clipboard-copy-content="▶ go install github.com/pwnesia/dnstake/cmd/dnstake@latest"><pre><code>▶ go install github.com/pwnesia/dnstake/cmd/dnstake@latest</code></pre></div> <br /><b>— or</b><br /> <p>Build the executable manually from source:</p> <div class="highlight highlight-source-shell position-relative" data-snippet-clipboard-copy-content="▶ git clone https://github.com/pwnesia/dnstake ▶ cd dnstake/cmd/dnstake ▶ go build . ▶ (sudo) mv dnstake /usr/local/bin"><pre><code>▶ git clone https://github.com/pwnesia/dnstake<br />▶ cd dnstake/cmd/dnstake<br />▶ go build .<br />▶ (sudo) mv dnstake /usr/local/bin</code></pre></div> <br /><span style="font-size: large;"><b>Usage</b></span><br /> <div class="highlight highlight-text-shell-session position-relative" data-snippet-clipboard-copy-content="$ dnstake -h ·▄▄▄▄ ▐ ▄ .▄▄ ·▄▄▄▄▄ ▄▄▄· ▄ •▄ ▄▄▄ . ██▪ ██ •█▌▐█▐█ ▀.•██ ▐█ ▀█ █▌▄▌▪▀▄.▀· ▐█· ▐█▌▐█▐▐▌▄▀▀▀█▄▐█.▪▄█▀▀█ ▐▀▀▄·▐▀▀▪▄ ██. 
██ ██▐█▌▐█▄▪▐█▐█▌·▐█ ▪▐▌▐█.█▌▐█▄▄▌ ▀▀▀▀▀• ▀▀ █▪ ▀▀▀▀ ▀▀▀ ▀ ▀ ·▀ ▀ ▀▀▀ © pwnesia.org — v0.0.1 Usage: [stdin] | dnstake [options] dnstake -t HOSTNAME [options] Options: -t, --target <HOST/FILE> Define single target host/list to check -c, --concurrent <i> Set the concurrency level (default: 25) -s, --silent Suppress errors and/or clean output -h, --help Display its help Examples: dnstake -t (sub.)domain.tld dnstake -t hosts.txt cat hosts.txt | dnstake subfinder -silent -d domain.tld | dnstake"><pre><code>$ dnstake -h<br /><br /> ·▄▄▄▄ ▐ ▄ .▄▄ ·▄▄▄▄▄ ▄▄▄· ▄ •▄ ▄▄▄ .<br /> ██▪ ██ •█▌▐█▐█ ▀.•██ ▐█ ▀█ █▌▄▌▪▀▄.▀·<br /> ▐█· ▐█▌▐█▐▐▌▄▀▀▀█▄▐█.▪▄█▀▀█ ▐▀▀▄·▐▀▀▪▄<br /> ██. ██ ██▐█▌▐█▄▪▐█▐█▌·▐█ ▪▐▌▐█.█▌▐█▄▄▌<br /> ▀▀▀▀▀• ▀▀ █▪ ▀▀▀▀ ▀▀▀ ▀ ▀ ·▀ ▀ ▀▀▀<br /><br /> © pwnesia.org — v0.0.1<br /><br />Usage:<br /> [stdin] | dnstake [options]<br /> dnstake -t HOSTNAME [options]<br /><br />Options:<br /> -t, --target &lt;HOST/FILE&gt; Define single target host/list to check<br /> -c, --concurrent &lt;i&gt; Set the concurrency level (default: 25)<br /> -s, --silent Suppress errors and/or clean output<br /> -h, --help Display its help<br /><br />Examples:<br /> dnstake -t (sub.)domain.tld<br /> dnstake -t hosts.txt<br /> cat hosts.txt | dnstake<br /> subfinder -silent -d domain.tld | dnstake</code></pre></div> <br /><span style="font-size: large;"><b>Workflow</b></span><br /> <p><strong>DNSTake</strong> uses the <a href="https://github.com/projectdiscovery/retryabledns" rel="nofollow" target="_blank" title="RetryableDNS client library">RetryableDNS client library</a> to send DNS queries. 
The initial lookup uses Google and Cloudflare DNS as resolvers; DNSTake then checks and <a href="https://www.kitploit.com/search/label/Fingerprinting" target="_blank" title="fingerprinting">fingerprints</a> the nameservers of the target host. If it finds any, it resolves the target host again using those nameserver IPs as the resolver, and if it gets an unexpected DNS status in the response (anything other than <code>NOERROR</code>/<code>NXDOMAIN</code>), the host is reported as <a href="https://www.kitploit.com/search/label/Vulnerable" target="_blank" title="vulnerable">vulnerable</a> to takeover. The flow is more or less <a href="https://0xpatrik.com/content/images/2018/08/ns_automation-2.png" rel="nofollow" target="_blank" title="like this">like this</a> diagram.</p> <p>For the currently supported DNS providers, see <a href="https://github.com/indianajson/can-i-take-over-dns/blob/97104102c8ce911fd978521c703f26e1c547c613/README.md#dns-providers" rel="nofollow" target="_blank" title="here">here</a>.</p> <br /><span style="font-size: large;"><b>References</b></span><br /> <ul> <li>[1] <a href="https://github.com/indianajson/can-i-take-over-dns#what-is-a-dns-takeover" rel="nofollow" target="_blank" title="https://github.com/indianajson/can-i-take-over-dns#what-is-a-dns-takeover">https://github.com/indianajson/can-i-take-over-dns#what-is-a-dns-takeover</a></li> <li><a href="https://0xpatrik.com/subdomain-takeover-ns/" rel="nofollow" target="_blank" title="https://0xpatrik.com/subdomain-takeover-ns/">https://0xpatrik.com/subdomain-takeover-ns/</a></li> </ul> <br /><span style="font-size: large;"><b>License</b></span><br /> <p><strong>DNSTake</strong> is <a href="https://www.kitploit.com/search/label/Distributed" target="_blank" title="distributed">distributed</a> under the MIT license. 
See <code>LICENSE</code>.</p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/pwnesia/dnstake" rel="nofollow" target="_blank" title="Download Dnstake">Download Dnstake</a></span></b></div>
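The <code>SERVFAIL</code> answer mentioned in the "What is a DNS takeover?" section is the RCODE field of a DNS reply, so observing it only needs a query and a reply decoder. The Go program below is an added example (not DNSTake's code and not part of the original post): it builds a query, decodes the reply including compressed names, and returns the RCODE and any NS records, which lets a defender see for themselves what a delegated nameserver answers for a zone it no longer hosts. <code>QueryRcode</code>, <code>parseResponse</code>, <code>readName</code>, <code>buildQuery</code> and the constants are this example's own names; it speaks plain UDP/53 with no TCP fallback or EDNS, and every packet or server name used to exercise it is constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"net"
	"strings"
	"time"
)

const TypeA, TypeNS, RcodeNoError, RcodeServFail, RcodeNXDomain = 1, 2, 0, 2, 3 // RFC 1035 values

// encodeName converts "sub.example.com" into DNS label wire format.
func encodeName(name string) []byte {
	var b []byte
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		b = append(append(b, byte(len(label))), label...)
	}
	return append(b, 0)
}

// buildQuery builds a minimal query: header (ID, flags RD=1, QDCOUNT=1) plus one question.
func buildQuery(id uint16, name string, qtype uint16) []byte {
	msg := []byte{byte(id >> 8), byte(id), 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0}
	msg = append(msg, encodeName(name)...)
	return append(msg, byte(qtype>>8), byte(qtype), 0, 1) // QTYPE, QCLASS=IN
}

// readName decodes a possibly compressed name at off; the returned offset is just past
// the name's own bytes (pointer targets are followed, not consumed); loops are rejected.
func readName(msg []byte, off int) (string, int, error) {
	labels, next := []string(nil), -1
	for hops := 0; hops < 64 && off < len(msg); hops++ {
		l := int(msg[off])
		switch {
		case l == 0:
			if next < 0 {
				next = off + 1
			}
			return strings.Join(labels, ".") + ".", next, nil
		case l >= 0xC0 && off+1 < len(msg): // compression pointer
			if next < 0 {
				next = off + 2
			}
			off = int(binary.BigEndian.Uint16(msg[off:]) & 0x3FFF)
		case l < 0x40 && off+1+l <= len(msg):
			labels = append(labels, string(msg[off+1:off+1+l]))
			off += 1 + l
		default:
			return "", 0, errors.New("malformed label")
		}
	}
	return "", 0, errors.New("truncated name or pointer loop")
}

// parseResponse returns the RCODE (low 4 bits of the flags) and the NS names in the answer section.
func parseResponse(msg []byte) (int, []string, error) {
	if len(msg) < 12 {
		return 0, nil, errors.New("short response")
	}
	rcode := int(binary.BigEndian.Uint16(msg[2:]) & 0xF)
	qd, an := int(binary.BigEndian.Uint16(msg[4:])), int(binary.BigEndian.Uint16(msg[6:]))
	off, ns := 12, []string{}
	for i := 0; i < qd+an; i++ {
		_, end, err := readName(msg, off)
		if err != nil {
			return rcode, nil, err
		}
		if i < qd { // question entry: skip QTYPE and QCLASS
			off = end + 4
			continue
		}
		if end+10 > len(msg) { // TYPE, CLASS, TTL, RDLENGTH
			return rcode, nil, errors.New("truncated resource record")
		}
		rtype, rdlen := binary.BigEndian.Uint16(msg[end:]), int(binary.BigEndian.Uint16(msg[end+8:]))
		if rtype == TypeNS {
			name, _, err := readName(msg, end+10)
			if err != nil {
				return rcode, nil, err
			}
			ns = append(ns, name)
		}
		off = end + 10 + rdlen
	}
	return rcode, ns, nil
}

// QueryRcode sends one question over UDP/53 to server (IP or hostname); no TCP fallback or EDNS.
func QueryRcode(server, name string, qtype uint16, timeout time.Duration) (int, []string, error) {
	conn, err := net.DialTimeout("udp", net.JoinHostPort(strings.TrimSuffix(server, "."), "53"), timeout)
	if err != nil {
		return 0, nil, err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(timeout))
	id := uint16(time.Now().UnixNano())
	if _, err = conn.Write(buildQuery(id, name, qtype)); err != nil {
		return 0, nil, err
	}
	buf := make([]byte, 4096)
	n, err := conn.Read(buf)
	if err != nil || n < 12 || binary.BigEndian.Uint16(buf) != id {
		return 0, nil, errors.New("no valid reply (timeout, short packet or transaction ID mismatch)")
	}
	return parseResponse(buf[:n])
}
```

Calling <code>QueryRcode(resolver, host, TypeNS, 3*time.Second)</code> against a public resolver returns the delegated nameservers, and <code>QueryRcode(nameserver, host, TypeA, 3*time.Second)</code> against each of them shows the RCODE the tool's workflow keys on: <code>0</code> (<code>NOERROR</code>) or <code>3</code> (<code>NXDOMAIN</code>) means the zone is served there, while <code>2</code> (<code>SERVFAIL</code>) or <code>5</code> (<code>REFUSED</code>) is the condition described above. The transaction-ID check guards against a stray or spoofed reply being decoded as the answer.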
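The Workflow section above describes a three-step check: discover the target's nameservers through a public resolver, query each of those nameservers directly, and treat any status other than <code>NOERROR</code>/<code>NXDOMAIN</code> as a takeover candidate. The Go program below is an added example of that logic, not DNSTake's own code (which uses the retryabledns library), with a bounded worker pool standing in for the <code>-c</code> option. <code>QueryFunc</code>, <code>Finding</code>, <code>CheckHost</code>, <code>CheckAll</code> and <code>FakeDNS</code> are this example's names, and the hosts, nameservers and answers in <code>FakeDNS</code> are constructed sample data so the program runs offline; any DNS client that exposes the reply's RCODE can back <code>QueryFunc</code> instead.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"sync"
)

const TypeA, TypeNS, RcodeNoError, RcodeServFail, RcodeNXDomain, RcodeRefused = 1, 2, 0, 2, 3, 5

// QueryFunc issues one question to one server and returns the RCODE plus any NS
// names in the answer. A real implementation wraps a DNS client; FakeDNS below is
// a constructed stand-in used so this example runs without network access.
type QueryFunc func(server, name string, qtype uint16) (rcode int, ns []string, err error)

// Finding is the verdict for one host.
type Finding struct {
	Host    string
	Suspect bool     // a delegated nameserver answered with an RCODE other than NOERROR/NXDOMAIN
	Notes   []string // per-nameserver detail; unreachable servers are noted but not counted as suspect
}

// CheckHost is the per-host workflow: learn the NS set through a public resolver,
// then query each delegated nameserver directly and flag unexpected RCODEs.
func CheckHost(q QueryFunc, publicResolver, host string) Finding {
	f := Finding{Host: host}
	_, servers, err := q(publicResolver, host, TypeNS)
	if err != nil || len(servers) == 0 {
		f.Notes = append(f.Notes, "no NS delegation observed")
		return f
	}
	for _, s := range servers {
		rcode, _, err := q(s, host, TypeA)
		switch {
		case err != nil:
			f.Notes = append(f.Notes, fmt.Sprintf("%s unreachable (%v), verify manually", s, err))
		case rcode == RcodeNoError || rcode == RcodeNXDomain:
			f.Notes = append(f.Notes, fmt.Sprintf("%s RCODE %d, zone is served", s, rcode))
		default:
			f.Suspect = true
			f.Notes = append(f.Notes, fmt.Sprintf("%s RCODE %d, zone not hosted there", s, rcode))
		}
	}
	return f
}

// CheckAll runs CheckHost over hosts with at most `concurrency` checks in flight
// (the tool's -c option) and returns the findings in input order.
func CheckAll(q QueryFunc, publicResolver string, hosts []string, concurrency int) []Finding {
	if concurrency < 1 {
		concurrency = 1
	}
	out := make([]Finding, len(hosts))
	sem := make(chan struct{}, concurrency)
	var wg sync.WaitGroup
	for i, h := range hosts {
		wg.Add(1)
		sem <- struct{}{} // blocks once `concurrency` checks are running
		go func(i int, h string) {
			defer wg.Done()
			out[i] = CheckHost(q, publicResolver, h)
			<-sem
		}(i, h)
	}
	wg.Wait()
	return out
}

// FakeDNS returns a QueryFunc over constructed sample data (not real records):
// an NS set per host and the RCODE each nameserver gives for an A query.
// Nameservers missing from the rcode table simulate an unreachable server.
func FakeDNS() QueryFunc {
	ns := map[string][]string{
		"shop.example.com.": {"ns1.hosting.example.", "ns2.hosting.example.", "ns3.hosting.example."},
		"www.example.com.":  {"ns1.example.com."},
	}
	rcodes := map[string]int{
		"ns1.hosting.example.": RcodeServFail,
		"ns2.hosting.example.": RcodeRefused,
		"ns1.example.com.":     RcodeNoError,
	}
	return func(server, name string, qtype uint16) (int, []string, error) {
		if qtype == TypeNS {
			return RcodeNoError, ns[strings.TrimSuffix(name, ".")+"."], nil
		}
		if rc, ok := rcodes[server]; ok {
			return rc, nil, nil
		}
		return 0, nil, errors.New("simulated timeout")
	}
}

func main() {
	hosts := []string{"shop.example.com", "www.example.com", "old.example.com"}
	for _, f := range CheckAll(FakeDNS(), "8.8.8.8", hosts, 25) {
		fmt.Printf("%-18s suspect=%-5v %s\n", f.Host, f.Suspect, strings.Join(f.Notes, "; "))
	}
}
```

Two choices differ from a naive check and are worth keeping when backing <code>QueryFunc</code> with a real client: a nameserver that does not answer at all is recorded but not counted as suspect, because a timeout says nothing about whether the zone is hosted, and a host with no NS delegation of its own is reported as such rather than silently skipped. For a real client the RCODE is the <code>Rcode</code> field of <code>github.com/miekg/dns</code>'s <code>Msg</code>, which retryabledns builds on.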
