Subdominator is a dependable and fast open-source command-line interface tool to identify subdomain takeovers. It boasts superior accuracy and reliability, offering improvements compared to other tools.
“Initially, Subdominator was created internally because all the current subdomain takeover tools had gaps in their functionality. No tool had a complete set of accurate service fingerprints or features. As a cybersecurity company, we want to ensure our clients get consistent and comprehensive testing, so I developed a new tool to fill the gaps. While developing it, I discovered that there were features and optimizations that none of the existing tools had too, even if you used them in combination,” Colin Watson, CTO at Stratus Security, told Help Net Security.
Subdominator features
Service fingerprint accuracy: All of the fingerprints have been vetted and consolidated, so they are all accurate. This was a big issue in other tools.
Fingerprint count: The tool has 97 service fingerprints. Stratus Security reviewed every other tool the internet offered, and the next best was 80. Most popular tools have fewer than 50.
Nested DNS support: Subdominator will check the entire CNAME chain until it finds an A record, making sure nothing is missed (none of the other tools went past the first CNAME).
Alternate DNS records: The fingerprints support A and AAAA record matching, finding takeovers that have never been detectable before.
Speed: The tool runs ~8x faster than existing tools. A test on ~100,000 records took 19 minutes for us and 2.5 hours for every other tool (give or take a few minutes for each tool).
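The nested-CNAME and A/AAAA matching from the feature list, as an added example (not Subdominator's code or fingerprint format): it walks a constructed in-memory zone hop by hop and compares the result with a checker that stops at the first CNAME. All names, addresses and both fingerprints are assumptions built from reserved documentation ranges.

```python
import ipaddress

# Constructed sample zone (reserved names and addresses), not real DNS data.
ZONE = {
    "shop.example.com": [("CNAME", "edge.cdn.example.net")],
    "edge.cdn.example.net": [("CNAME", "site-42.hosting.example")],
    "site-42.hosting.example": [("A", "192.0.2.10")],
    "v6.example.com": [("AAAA", "2001:db8::50")],
    "loop.example.com": [("CNAME", "loop2.example.com")],
    "loop2.example.com": [("CNAME", "loop.example.com")],
    "www.example.com": [("CNAME", "lb.example.com")],
    "lb.example.com": [("A", "192.0.2.99")],
}
# Hypothetical fingerprints: CNAME suffixes plus A/AAAA addresses per service.
FINGERPRINTS = [
    {"service": "HostingCo (hypothetical)", "cname": [".hosting.example"], "a": [], "aaaa": []},
    {"service": "PagesCo (hypothetical)", "cname": [], "a": ["192.0.2.77"], "aaaa": ["2001:db8::50"]},
]

def walk_chain(name, zone, max_hops=10):
    """Follow CNAMEs from name until address records, a dead end, or a loop."""
    hops, seen = [], set()
    while name not in seen and len(seen) < max_hops:
        seen.add(name)
        rrset = zone.get(name, [])
        hops.extend((name, rtype, value) for rtype, value in rrset)
        target = next((v for t, v in rrset if t == "CNAME"), None)
        if target is None:
            break  # reached A/AAAA records or a name with no data
        name = target
    return hops

def match_hop(rtype, value, fingerprints):
    """Return the service whose fingerprint matches this record, else None."""
    for fp in fingerprints:
        if rtype == "CNAME":
            target = value.lower().rstrip(".")  # DNS names are case-insensitive
            if any(target.endswith(suffix) for suffix in fp["cname"]):
                return fp["service"]
        elif rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(value)  # normalise textual forms
            if any(addr == ipaddress.ip_address(x) for x in fp[rtype.lower()]):
                return fp["service"]
    return None

def candidates(name, zone=ZONE, fingerprints=FINGERPRINTS):
    """Every hop in the full chain that matches a fingerprint."""
    return [(n, t, v, svc) for n, t, v in walk_chain(name, zone)
            if (svc := match_hop(t, v, fingerprints))]

def first_hop_only(name, zone=ZONE, fingerprints=FINGERPRINTS):
    """What a checker that never looks past the queried name would report."""
    return [(name, t, v, svc) for t, v in zone.get(name, [])
            if (svc := match_hop(t, v, fingerprints))]
```

A DNS match here only marks a candidate for review; whether the service endpoint is actually unclaimed still has to be confirmed separately.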
Plans for the future
Watson told us they are currently adding support for additional fingerprints, more output formats, and validators. The validators, in particular, will be great for cutting down on false positives from services like Azure, which historically needed to be manually checked. They are also hoping for the community to suggest some features.
Subdominator is available for free on GitHub.