DNSTake - A Fast Tool To Check Missing Hosted DNS Zones That Can Lead To Subdomain Takeover


[![](https://1.bp.blogspot.com/-LGMSUcdo2JM/YUK0T3V-wmI/AAAAAAAAumU/6VQzYIHfowQkYRjUfQivB78oB7xET-I8QCNcBGAsYHQ/w640-h162/DNSTake.png)](<https://1.bp.blogspot.com/-LGMSUcdo2JM/YUK0T3V-wmI/AAAAAAAAumU/6VQzYIHfowQkYRjUfQivB78oB7xET-I8QCNcBGAsYHQ/s1218/DNSTake.png>) A fast tool to check missing hosted DNS zones that can lead to subdomain takeover. **What is a DNS takeover?** DNS takeover [vulnerabilities](<https://www.kitploit.com/search/label/vulnerabilities> "vulnerabilities" ) occur when a subdomain (subdomain.example.com) or domain has its authoritative nameserver set to a provider (e.g. AWS Route 53, Akamai, Microsoft Azure, etc.) but the hosted zone has been removed or deleted. Consequently, when making a [request for DNS records](<https://www.diggui.com/#type=A&hostname=github.technology&nameserver=public&public=> "request for DNS records" ) the server responds with a `SERVFAIL` error. This allo ws an attacker to create the missing hosted zone on the service that was being used and thus control all DNS records for that (sub)domain.¹ **Installation** **from Binary** The ez way! You can download a pre-built binary from [releases page](<https://github.com/pwnesia/dnstake/releases> "releases page" ), just unpack and run! **from Source** **NOTE:** [Go 1.16+ compiler](<https://golang.org/doc/install> "Go 1.16+ compiler" ) should be installed & configured! --- Very quick & clean! ▶ go install github.com/pwnesia/dnstake/cmd/some-email@example.com **— or** Manual building executable from source code: ▶ git clone https://github.com/pwnesia/dnstake ▶ cd dnstake/cmd/dnstake ▶ go build . ▶ (sudo) mv dnstake /usr/local/bin **Usage** $ dnstake -h ·▄▄▄▄ ▐ ▄ .▄▄ ·▄▄▄▄▄ ▄▄▄· ▄ •▄ ▄▄▄ . ██▪ ██ •█▌▐█▐█ ▀.•██ ▐█ ▀█ █▌▄▌▪▀▄.▀· ▐█· ▐█▌▐█▐▐▌▄▀▀▀█▄▐█.▪▄█▀▀█ ▐▀▀▄·▐▀▀▪▄ ██. ██ ██▐█▌▐█▄▪▐█▐█▌·▐█ ▪▐▌▐█.█▌▐█▄▄▌ ▀▀▀▀▀• ▀&#9600 ; █▪ ▀▀▀▀ ▀▀▀ ▀ ▀ ·▀ ▀ ▀▀▀ (c) pwnesia.org — v0.0.1 Usage: [stdin] | dnstake [options] dnstake -t HOSTNAME [options] Options: -t, --target <HOST/FILE> Define single target host/list to check -c, --concurrent <i> Set the concurrency level (default: 25) -s, --silent Suppress errors and/or clean output -h, --help Display its help Examples: dnstake -t (sub.)domain.tld dnstake -t hosts.txt cat hosts.txt | dnstake subfinder -silent -d domain.tld | dnstake **Workflow** **DNSTake** use [RetryableDNS client library](<https://github.com/projectdiscovery/retryabledns> "RetryableDNS client library" ) to send DNS queries. Initial engagement using Google & Cloudflare DNS as the resolver, then check & [fingerprinting](<https://www.kitploit.com/search/label/Fingerprinting> "fingerprinting" ) the nameservers of target host — if there is one, it will resolving the target host again with its nameserver IPs as resolver, if it gets weird DNS status response (other than `NOERROR`/`NXDOMAIN`), then it's [vulnerable](<https://www.kitploit.com/search/label/Vulnerable> "vulnerable" ) to be taken over. More or less [like this](<https://0xpatrik.com/content/images/2018/08/ns_automation-2.png> "like this" ) in form of a diagram. Currently supported DNS providers, see [here](<https://github.com/indianajson/can-i-take-over-dns/blob/97104102c8ce911fd978521c703f26e1c547c613/README.md#dns-providers> "here" ). **References** * [1] <https://github.com/indianajson/can-i-take-over-dns#what-is-a-dns-takeover> * <https://0xpatrik.com/subdomain-takeover-ns/> **License** **DNSTake** is [distributed](<https://www.kitploit.com/search/label/Distributed> "distributed" ) under MIT. See `LICENSE`. **[Download Dnstake](<https://github.com/pwnesia/dnstake> "Download Dnstake" )**