A while ago I read some posts by Patrik Hudak (0xpatrick) about finding subdomain takeover candidates. At the time there was a tool called subjack that is supposed to automate the process of checking if a subdomain can be taken over. I say “supposed to” because subjack is written in Go and I am far, far too dumb to figure out how to get Go to work on my system and how to compile Go binaries or use “go get” to download the binary. I guess you can consider this “Infosec professionals posting their Ls” and I don’t care. Your laughter only makes me weaker.
So anyway I decided to write my own script in Python following 0xpatrick’s posts. I wrote it in Python2. Under no circumstances will I ever update it to Python3. Python is dead to me now, and this script will live on feasting upon Python2’s deprecated carcass. Update it yourself if you care!!!
The script also contains a lot of useless debug output. It is slow as it makes 1 DNS request at a time. I also will not update these things.
Anyway, the script can be found on github. You provide a list of hostnames, and optionally the nameserver to make requests against (if you don’t provide a nameserver, the script uses 18.104.22.168), and it checks for CNAME records for those hostnames. Look, some example output!
It’s possible this script finds nothing but false-positive candidates. Good luck!