Subjack
Subjack Subjack is the Go-based fingerprint scanner that probes subdomains for takeover vulns, matching DNS records against 50+ service signatures like AWS S3 or Heroku for dangling assets. Run its binary with -w for subdomain lists, outputting vulnerable ones with takeover instructions for quick claims. Open-source from haccer, it's the subdomain surgeon for pentesters excising forgotten hosts before attackers do.
Explore →Subzy
Subzy Subzy checks subdomains against 'Can I Take Over XYZ' fingerprints, verifying claimable services like GitHub Pages or Azure for passive takeover detection in recon. Launch its Go CLI with --targets for lists, resolving CNAMEs for confirmed danglers with remediation steps. Open-source from pentestgeek, it's the takeover triage for auditors templating subdomain cleanup.
Explore →SubOver
SubOver SubOver is the DNS resolver that scans for subdomain takeovers by checking CNAMEs against vulnerable services, automating verification for AWS or Fastly danglers in bulk checks. Run its Go script with -l for inputs, outputting JSON for integrated workflows. Open-source from icedterminal, it's the CNAME clarifier for recon pros spotting hijack risks.
Explore →dnsReaper
dnsReaper dnsReaper is the high-accuracy takeover detector with a vast signature set, probing subdomains for stale records and providing exploitation guidance for services like Netlify. Configure via Go CLI with -l for lists, filtering false positives with custom thresholds. Open-source from d3mondev, it's the reaper rig for pentesters harvesting vulnerable subs.
Explore →Subdominator
Subdominator Subdominator is the efficient checker for subdomain takeovers, validating against common providers with dependency verification for accurate risk assessment in asset monitoring. Run its Python script with -d for domains, exporting CSV for remediation queues. Open-source from d3mondev, it's the dominator detective for auditors templating takeover triage.
Explore →Takeover
Takeover Takeover is the Python scanner for LFI/RFI tied to subdomain checks, but shines in validating takeover candidates with file inclusion probes for immediate exploitation. Decompile via script with --list for inputs, dumping paths for manual claims. Open-source from community, it's the takeover tester for pentesters confirming subs with active verification.
Explore →BadDNS
BadDNS BadDNS audits DNS records for takeover risks across providers, flagging dangling CNAMEs with automated verification for services like Heroku or Azure. Run its Python tool with -d for domains, outputting reports for cleanup. Open-source from vavkamil, it's the DNS doctor for security teams templating record health checks.
Explore →Nuclei Takeover Templates
Nuclei Takeover Templates Nuclei Takeover Templates use YAML rules to probe subdomains for takeover fingerprints, matching responses for claimable services like GitHub Pages in scalable scans. Clone the pack, run via CLI on lists for severity alerts with steps. Open-source from projectdiscovery, it's the template trapper for bulk takeover detections.
Explore →HostileSubBruteforcer
HostileSubBruteforcer HostileSubBruteforcer bruteforces subdomains and checks for takeover vulns, resolving with DNS for stale records in aggressive recon. Run its Ruby script with -d for domains and -w for wordlists, outputting candidates for verification. Open-source from RHsasso, it's the brute bouncer for pentesters wordlisting subs into takeover targets.
Explore →Subjack