haccer / subjack
DNS Takeover tool written in Go
Repository Overview (README excerpt)
# subjack: DNS Takeover Scanner

Subjack is a DNS takeover scanner written in Go, designed to scan a list of domains concurrently and identify the ones that can be hijacked. With Go's speed and efficiency the tool stands out for mass testing. Always double-check the results manually to rule out false positives.

Subjack detects:

- **CNAME takeovers**: dangling CNAMEs pointing to unclaimed third-party services
- **NS delegation takeovers**: expired nameserver domains and dangling cloud DNS zones (Route 53, Google Cloud DNS, Azure DNS, DigitalOcean, Vultr, Linode)
- **Stale A records**: A records pointing to dead IPs on cloud providers (AWS, GCP, Azure, DigitalOcean, Linode, Vultr, Oracle)
- **Zone transfers (AXFR)**: misconfigured nameservers leaking entire zone files, with NS hostname bruteforcing
- **SPF include takeovers**: expired domains in SPF directives, enabling email spoofing
- **MX record takeovers**: expired mail server domains, enabling email interception
- **CNAME chain takeovers**: multi-level CNAME chains where an intermediate target is claimable
- **SRV record takeovers**: SRV records pointing to expired or registrable domains
- **NXDOMAIN registration**: domains that do not exist and are available to be registered

## Installing

Requires Go.

## Usage

| Flag | Description | Default |
|------|-------------|---------|
| | Single domain to check | |
| | Path to wordlist of subdomains | |
| | Number of concurrent threads | |
| | Seconds to wait before connection timeout | |
| | Output results to file (use a `.json` extension for JSON output) | |
| | Force HTTPS connections (may increase accuracy) | |
| | Send requests to every URL, not just those with identified CNAMEs **(recommended)** | |
| | Flag dead CNAME records even if the domain is not available for registration | |
| | Path to a list of DNS resolvers (one IP per line; falls back to the default resolver on failure) | |
| | Check for NS takeovers (expired NS domains and dangling cloud DNS delegations) | |
| | Check for stale A records pointing to dead IPs (may require root for ICMP) | |
| | Check for zone transfers (AXFR), including NS bruteforce | |
| | Check for SPF include and MX record takeovers | |
| | Display more information per request | |

## Stdin Support

Subjack can read domains from stdin, making it easy to pipe in the output of other tools.

## Nameserver Takeover

With the flag, subjack performs two types of nameserver takeover check:

**Expired NS domains**: checks whether any of a domain's nameservers has expired and is available for purchase. An attacker who registers an expired nameserver domain takes full control of all DNS for the target domain: they can point any record anywhere, intercept email, obtain TLS certificates through DNS validation, and more.

**Dangling NS delegations**: detects when a domain's NS records point to a cloud DNS provider but the hosted zone has been deleted. Subjack queries each delegated nameserver directly for the zone's SOA record; if every one of them answers with an error response instead of the SOA, the zone is gone and can potentially be recreated by an attacker at the same provider. Supported providers:

- AWS Route 53
- Google Cloud DNS
- Azure DNS
- DigitalOcean DNS
- Vultr DNS
- Linode DNS

## Stale A Record Detection

With the flag, subjack resolves A records and checks whether the IP address is actually alive. When a company terminates a cloud server but forgets to remove the DNS A record, the IP is released back to the provider's pool. An attacker can keep launching instances on that provider until one lands on the same IP, gaining control of the subdomain. Subjack identifies the cloud provider (AWS, GCP, Azure, DigitalOcean, Linode, Vultr, Oracle) when possible, making it easier to target the right platform.

Detection uses ICMP ping (requires root) with a TCP fallback on ports 80/443. Results are flagged and should be verified manually: a non-responding IP is not necessarily reclaimable, since it may simply be firewalled or still allocated to a tenant that does not answer on those ports.

## Zone Transfer Detection

With the flag, subjack attempts DNS zone transfers (AXFR), which can expose an entire domain's DNS records.
Subjack goes beyond testing the domain's official nameservers: it also bruteforces common nameserver hostnames, because hidden or forgotten nameservers are often left unsecured even after the primary ones have been locked down. Results are flagged with the vulnerable nameserver and the number of records exposed.

## Email Takeover Detection

With the flag, subjack checks for two email-based takeover vectors:

**SPF include takeover**: parses SPF TXT records and checks whether any included domain has expired and is available for registration. An attacker who registers the included domain can send email that passes SPF as the target, and therefore DMARC as well when DMARC relies on SPF alignment.

**MX record takeover**: checks whether any MX target has expired and is available for registration. An attacker who controls the mail server can intercept all inbound email: password resets, 2FA codes, and more.

## CNAME Chain and SRV Detection

These checks run automatically on every scan:

**CNAME chain takeover**: follows multi-level CNAME chains (up to 10 deep) and checks whether any intermediate target is claimable. Standard CNAME detection only checks the first hop; following the chain catches deeper takeover opportunities.

**SRV record takeover**: checks common SRV records (SIP, XMPP, LDAP, Kerberos, IMAP, CalDAV, etc.) for targets that have expired and are available for registration.

## Practical Use

You can use scanio.sh, a proof-of-concept script, to mass-locate vulnerable subdomains using results from Rapid7's Project Sonar. The script parses and greps through the dump for the desired CNAME records and builds a large list of subdomains for subjack to check for hostile subdomain takeover. **Please use this responsibly.**

## Wordlist Format

Your wordlist should contain subdomains, one per line.

## References

Extra information about DNS takeovers:

- Can I take over XYZ?
- Hostile Subdomain Takeover using Heroku/GitHub/Desk + More
- Can I take over DNS?
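The two decisions described in the Nameserver Takeover and CNAME Chain sections above, written out as an added Go example that is not subjack's own code: a CNAME chain walk with a 10-hop limit and loop detection that flags the first hop whose registrable parent returns NXDOMAIN, and a dangling-delegation check that asks every delegated nameserver for the zone's SOA and reports the zone as gone only when none answers NOERROR. The `Resolver` interface, the `fake` resolver, the `Sample` records (reserved example.* names with Route 53-style nameserver hostnames) and the two-label `Registrable` heuristic are all assumptions made for the example; subjack's real flags, provider patterns and rcode handling are not reproduced. The delegation check generalises slightly beyond the README, treating any non-NOERROR answer as a failed SOA query rather than only the two rcodes the tool names.

```go
package main

import (
	"fmt"
	"strings"
)

// Rcode holds the RFC 1035 response codes the checks distinguish.
type Rcode int

const NoError, ServFail, NXDomain, Refused Rcode = 0, 2, 3, 5

// Resolver abstracts the lookups so the logic runs offline; a real one sends queries over UDP/TCP.
type Resolver interface {
	CNAME(name string) string         // "" when name has no CNAME
	NS(name string) ([]string, Rcode) // delegation for name
	SOAAt(ns, zone string) Rcode      // SOA query sent directly to ns
}

// Registrable approximates the registrable parent as the last two labels (assumption of this
// example: real code must use the public suffix list, or "shop.example.co.uk" becomes "co.uk").
func Registrable(host string) string {
	labels := strings.Split(strings.TrimSuffix(strings.ToLower(host), "."), ".")
	if len(labels) > 2 {
		labels = labels[len(labels)-2:]
	}
	return strings.Join(labels, ".")
}

// IsUnregistered treats NXDOMAIN on the registrable parent as a hint the name can be bought;
// a registrar (WHOIS/RDAP) lookup must confirm it before anything is reported.
func IsUnregistered(r Resolver, host string) bool {
	_, rc := r.NS(Registrable(host))
	return rc == NXDomain
}

// FollowCNAMEChain walks up to maxDepth hops, stops on a loop, and reports the first hop
// whose registrable parent is unregistered (a first-hop-only check would miss it).
func FollowCNAMEChain(r Resolver, host string, maxDepth int) (chain []string, claimable string) {
	seen := map[string]bool{host: true}
	for cur := host; len(chain) < maxDepth; {
		target := r.CNAME(cur)
		if target == "" {
			break
		}
		chain = append(chain, target)
		if seen[target] { // CNAME loop: stop instead of spinning
			break
		}
		seen[target] = true
		if claimable == "" && IsUnregistered(r, target) {
			claimable = target
		}
		cur = target
	}
	return chain, claimable
}

// DanglingDelegation asks every delegated nameserver for the zone's SOA; if none answers
// NOERROR (this example treats any other rcode as failure) the hosted zone is gone.
func DanglingDelegation(r Resolver, zone string) (bool, []string) {
	nss, rc := r.NS(zone)
	if rc != NoError || len(nss) == 0 {
		return false, nss // no delegation at all is a different finding, not a dangling zone
	}
	for _, ns := range nss {
		if r.SOAAt(ns, zone) == NoError {
			return false, nss
		}
	}
	return true, nss
}

// fake serves constructed records under the reserved example.* names; nothing here is real DNS.
type fake struct {
	cname map[string]string
	ns    map[string][]string // absent key means NXDOMAIN
	soa   map[string]Rcode    // keyed "ns|zone"
}

func (f fake) CNAME(n string) string       { return f.cname[n] }
func (f fake) SOAAt(ns, zone string) Rcode { return f.soa[ns+"|"+zone] }
func (f fake) NS(n string) ([]string, Rcode) {
	if v, ok := f.ns[n]; ok {
		return v, NoError
	}
	return nil, NXDomain
}

// Sample: a chain whose second hop is unregistered, a CNAME loop, and a Route 53-style
// delegation whose nameservers no longer serve the zone (constructed data).
var Sample = fake{
	cname: map[string]string{"www.example.com": "lb.cdn.example.net", "lb.cdn.example.net": "origin.example.org",
		"loop.example.com": "a.example.com", "a.example.com": "loop.example.com"},
	ns: map[string][]string{"example.com": {"ns1.example.com"}, "example.net": {"ns1.example.net"},
		"dns.example.com": {"ns-100.awsdns-12.com", "ns-200.awsdns-25.net"}},
	soa: map[string]Rcode{"ns1.example.com|example.com": NoError,
		"ns-100.awsdns-12.com|dns.example.com": Refused, "ns-200.awsdns-25.net|dns.example.com": ServFail},
}

func main() {
	chain, claim := FollowCNAMEChain(Sample, "www.example.com", 10)
	d, nss := DanglingDelegation(Sample, "dns.example.com")
	fmt.Println("chain:", chain, "claimable:", claim, "| dangling delegation:", d, nss)
}
```

Two caveats carry over from the README: an NXDOMAIN answer for the parent domain is only a hint that it can be registered, so confirm with the registrar before reporting, and the last-two-labels heuristic in `Registrable` will misclassify names under multi-label public suffixes, which is why production tooling consults the public suffix list.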