Ticker

6/recent/ticker-posts

Subzy: Live Subdomain takeover vulnerability checker


Sub-domains play a vital role in how websites function, but they can also be points of vulnerability, posing significant security risks. Enter Subzy, a robust open-source tool designed to assist cybersecurity professionals in identifying live sub-domain takeover vulnerabilities before they can be exploited by malicious actors.

In this article, we’ll take a close look at how Subzy operates. If you’re a hacking enthusiast or a tool developer, you’ll find this guide packed with valuable insights.

What You Will Learn

1.What is a Sub-domain Takeover

2. How Subzy Works: Safeguarding Your Sub-domains

3. Installing Subzy

4. Help Menu and Commands 

5. Command Options and Practical Examples

6. Subzy Tool Source Code Breakdown   

7. Conclusion

What is Sub-domain Takeover?

Before diving into Subzy’s functionalities, it’s crucial to grasp what sub-domain takeover means. This occurs when a sub-domain of a website is left unclaimed, allowing malicious users to hijack it. Attackers can redirect these unclaimed sub-domains to their own harmful sites, putting unsuspecting visitors at risk.

Sub-domain takeovers typically happen when DNS records still exist for sub-domains, but the associated resources (like web services) are no longer available. This creates an opening that tools like Subzy can help detect and safeguard against.

How Subzy Works: Safeguarding Your Sub-domains

Subzy streamlines sub-domain security by automating the detection of takeover vulnerabilities. Here’s how it works:

1. Enumerating Sub-domains: Subzy scans your domain or sub-domains and analyzes their DNS records to pinpoint linked services like AWS, GitHub, or Heroku.

2. Checking for Vulnerabilities: It assesses whether these services are unclaimed or misconfigured, which could leave them vulnerable to takeover. Subzy utilizes a database of known service fingerprints for effective risk detection.

3. Claiming Vulnerable Sub-domains: If a vulnerability is identified, Subzy can automatically claim the sub-domain, preventing cybercriminals from taking advantage of it.

YOU MAY WANT TO READ ABOUT: Exploring OSINT Tools: How Ethical Hackers Gather Intelligence

Installing Subzy

Setting up Subzy is straightforward and can be done using npm, the package manager for JavaScript. Here’s how:

1. Ensure Node.js is Installed: If you don’t have Node.js yet, you can download it here

2. Install Subzy: Open your terminal and run:

npm install -g subzy

This installs Subzy globally, making it accessible from any directory.

3. Verify Installation: To confirm everything is set up correctly, run:

subzy --version

Help Menu and Commands

To effectively use Subzy, familiarize yourself with its commands and options. Access the help menu by running the `-h` or `--help` flag, which provides a list of available commands.

How to Access Subzy Help Menu:

subzy --help

Example Help Menu Output:

Subzy - A tool to detect subdomain takeover vulnerabilities

Usage:
  subzy [flags]

Flags:
  -d, --domain string        Target domain to check for subdomain takeover
  -f, --file string          File containing list of subdomains
  -t, --threads int          Number of threads to use (default 20)
  -e, --exclude string       Services to exclude from checks (comma separated)
  -v, --verbose              Show verbose output
  -a, --auto                 Automatically attempt to claim vulnerable subdomains
  -o, --output string        Output file for results
  -h, --help                 Show this help message

Subzy provides a comprehensive set of commands for scanning sub-domains and identifying potential vulnerabilities.

Command Options and Practical Examples

Here’s how you can utilize Subzy’s command-line options in real-world scenarios to enhance your security audits:

 a) Check a Single Domain

To check a specific sub-domain for takeover vulnerabilities, use the `--domain` flag:

subzy -d subdomain.example.com

This command scans the designated sub-domain for DNS misconfigurations that might lead to a takeover.

b) Check Multiple Subdomains from a File

To scan multiple sub-domains at once, provide a list in a text file and use the `--file` flag:

subzy -f subdomains.txt
This is especially useful for pen testers and security researchers managing large numbers of sub-domains. 

c) Use Multiple Threads for Faster Scanning

Speed up your scans by utilizing multiple threads:

subzy -f subdomains.txt -t 50
In this case, Subzy will employ 50 concurrent threads, enhancing the efficiency of your scanning process.

 d) Exclude Specific Services

If you wish to exclude certain cloud services known to generate false positives, use the `--exclude` flag:

subzy -f subdomains.txt -e github,heroku
This command ensures you focus solely on the most relevant services.

 e) Auto-Claim Vulnerable Subdomains

In ethical hacking or legal penetration testing, you might want to automatically claim any vulnerable sub-domains discovered. Subzy can handle this with the `--auto` flag:

subzy -f subdomains.txt --auto
Note: Only do this with the domain owner's proper authorization, as it can have legal implications.

f) Save Scan Results to a File

To save your scan results for later review or reporting, use the `--output` flag:

subzy -f subdomains.txt -o results.txt
This command creates a file called `results.txt` containing all your scan results.

g) Enable Verbose Output for Detailed Information

For a more in-depth output, enable verbose mode with the `--verbose` flag:

subzy -f subdomains.txt --verbose
This command provides detailed insights into the vulnerabilities detected by Subzy.


Subzy Tool Source Code Breakdown

Built with GoLang, Subzy harnesses the power of this high-performance programming language to handle concurrency efficiently, making it an ideal choice for scanning multiple sub-domains simultaneously. Here’s a brief look at some critical components of Subzy’s source code:

1. Main Function

The entry point of Subzy, responsible for parsing command-line arguments, loading configurations, and initiating the scanning process:

func main() {
    args := ParseArgs()
    config := LoadConfig(args)
    ScanSubdomains(config)
}

2. Concurrency with Goroutines

Subzy’s speed is largely due to Goroutines, which allow for parallel scanning of multiple sub-domains:

func ScanSubdomains(config Config) {
    subdomains := LoadSubdomains(config.File)
    var wg sync.WaitGroup

    for _, subdomain := range subdomains {
        wg.Add(1)
        go func(domain string) {
            defer wg.Done()
            CheckSubdomainTakeover(domain)
        }(subdomain)
    }
    wg.Wait()
}

3. Subdomain Takeover Detection Logic

Subzy identifies vulnerable subdomains by checking DNS records and HTTP responses:

func CheckSubdomainTakeover(subdomain string) bool {
    cnameRecord, err := net.LookupCNAME(subdomain)
    if err != nil {
        log.Printf("Failed to resolve CNAME for %s: %v\n", subdomain, err)
        return false
    }

    vulnerable := CheckVulnerableService(cnameRecord)
    if vulnerable {
        log.Printf("Subdomain %s is vulnerable!\n", subdomain)
        return true
    }
    return false
}

4. Output and Reporting

Subzy enables you to save scan results to a file for easy analysis:

func SaveResults(results []string, outputFile string) error {
    file, err := os.Create(outputFile)
    if err != nil {
        return fmt.Errorf("Error creating output file: %v", err)
    }
    defer file.Close()

    for _, result := range results {
        _, err := file.WriteString(result + "\n")
        if err != nil {
            return fmt.Errorf("Error writing to output file: %v", err)
        }
    }

    log.Printf("Results saved to %s\n", outputFile)
    return nil
}

5. Command-Line Interface (CLI)

Subzy features a user-friendly CLI interface, enabling easy command and flag usage:

var rootCmd = &cobra.Command{
    Use:   "subzy",
    Short: "Subzy - Detect subdomain takeover vulnerabilities",
    Long:  `Subzy is a powerful tool to detect subdomain takeover vulnerabilities across cloud platforms.`,
    Run: func(cmd *cobra.Command, args []string) {
        // Main program logic
    },
}

func init() {
    rootCmd.PersistentFlags().StringP("domain", "d", "", "Target domain to check")
    rootCmd.PersistentFlags().StringP("file", "f", "", "File containing list of subdomains")
    rootCmd.PersistentFlags().IntP("threads", "t", 20, "Number of threads to use")
}

Conclusion

Subzy is an indispensable tool for ethical hackers and cybersecurity professionals eager to secure web applications from sub-domain takeover vulnerabilities. With its straightforward installation process and practical applications, it’s a valuable addition to any penetration testing toolkit.

By regularly checking your sub-domains with Subzy, you can thwart potential attacks and safeguard your web presence. Make sure to integrate this tool into your routine security checks.

Social Media Share: If you found this guide useful, don’t forget to share it on your social media to help others in the hacking community

Follow us on our OFFICIAL handles to help our community grow stronger and giving us motivation to provide more tools and information.