Category: Information Gathering. Tags: subdomain-takeover, cname-hijack, reconnaissance

Subjack

Subjack is a subdomain takeover tool written in Go that scans a list of subdomains concurrently to identify ones that can be hijacked. It leverages Go's speed for efficient mass-testing and checks for subdomains on non-existent domains available for registration.

Description

Subjack is designed to detect subdomain takeovers by scanning subdomains for vulnerable CNAME records that point to services no longer controlled by the domain owner. This tool is particularly useful in reconnaissance phases of security assessments, allowing testers to identify potential hijacking opportunities across large lists of subdomains quickly.

With its concurrent scanning capabilities powered by Go, Subjack excels in mass-testing scenarios where speed and efficiency are critical. It stands out for handling high volumes of subdomains without significant performance degradation, making it ideal for bug bounty hunters and penetration testers targeting expansive domain infrastructures.

Users should always manually verify results to eliminate false positives, since automated detection may occasionally flag benign configurations (for example a CNAME to a service that is merely misconfigured rather than unclaimed). Additionally, Subjack checks for subdomains whose CNAME target returns NXDOMAIN, flagging targets that no longer exist and could potentially be registered for takeover.

How It Works

Subjack operates by concurrently querying DNS records for a list of subdomains, focusing on CNAME entries that match known vulnerable fingerprints loaded from a JSON configuration file. It sends requests primarily to URLs with identified CNAMEs (unless -a is used) and checks against a database of takeover signatures for services like unclaimed AWS S3 buckets or GitHub pages. The tool flags valid CNAMEs pointing to dead or hijackable endpoints and handles NXDOMAIN cases for registrable domains.
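The detection logic described above (match the CNAME target against service fingerprints, then report a dead target or a live target serving an "unclaimed" page) can be reproduced offline to audit your own zone for dangling records. The Go program below is an added example written for this page; it is not Subjack's code, and its `fingerprints.json`-style field names (`service`, `cname`, `fingerprint`, `nxdomain`), service names, fingerprint strings and DNS/HTTP observations are all constructed assumptions, not values taken from the tool or any vendor.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Fingerprint is one signature entry. ASSUMPTION: the field names are modelled on the
// general shape of a subjack-style fingerprints.json; the page does not show the format.
type Fingerprint struct {
	Service     string   `json:"service"`
	CNAME       []string `json:"cname"`       // CNAME suffixes that identify the service
	Fingerprint string   `json:"fingerprint"` // text the service serves for an unclaimed name
	NXDomain    bool     `json:"nxdomain"`    // takeover-prone when the target is NXDOMAIN
}

// Record is what a scanner observes for one subdomain. Constructed in memory here so the
// example runs offline; a real scanner fills it from DNS lookups and HTTP fetches.
type Record struct {
	Subdomain string
	CNAME     string // CNAME target, or "" when the name has no CNAME
	NXDomain  bool   // the CNAME target does not resolve
	Body      string // HTTP response body from the subdomain ("" if unreachable)
}

// Finding explains why a subdomain was flagged.
type Finding struct {
	Subdomain, Service, Reason string
}

// SampleFingerprintJSON is a CONSTRUCTED signature file; the hosts and strings are placeholders.
const SampleFingerprintJSON = `[
  {"service": "example-pages", "cname": ["pages.example-host.test"],
   "fingerprint": "There isn't a site here", "nxdomain": false},
  {"service": "example-bucket", "cname": ["bucket.example-storage.test"],
   "fingerprint": "The specified bucket does not exist", "nxdomain": true}
]`

func LoadFingerprints(data []byte) ([]Fingerprint, error) {
	var fps []Fingerprint
	if err := json.Unmarshal(data, &fps); err != nil {
		return nil, fmt.Errorf("parsing fingerprints: %w", err)
	}
	return fps, nil
}

// matchService finds the signature whose CNAME suffix matches the record's target.
func matchService(target string, fps []Fingerprint) (Fingerprint, bool) {
	target = strings.TrimSuffix(strings.ToLower(target), ".")
	for _, fp := range fps {
		for _, suffix := range fp.CNAME {
			s := strings.TrimSuffix(strings.ToLower(suffix), ".")
			if target == s || strings.HasSuffix(target, "."+s) {
				return fp, true
			}
		}
	}
	return Fingerprint{}, false
}

// Classify applies the two checks from the description: a CNAME whose target is dead
// (NXDOMAIN) and a live target whose response carries a known "unclaimed" fingerprint.
// flagDead mirrors the -m behaviour: report dead CNAMEs even with no matching signature.
func Classify(r Record, fps []Fingerprint, flagDead bool) (Finding, bool) {
	if r.CNAME == "" {
		return Finding{}, false
	}
	fp, known := matchService(r.CNAME, fps)
	switch {
	case r.NXDomain && known && fp.NXDomain:
		return Finding{r.Subdomain, fp.Service, "CNAME " + r.CNAME + " is NXDOMAIN and the service allows claiming it"}, true
	case r.NXDomain && flagDead:
		svc := "unknown"
		if known {
			svc = fp.Service
		}
		return Finding{r.Subdomain, svc, "dangling CNAME " + r.CNAME + " (NXDOMAIN)"}, true
	case !r.NXDomain && known && fp.Fingerprint != "" && strings.Contains(r.Body, fp.Fingerprint):
		return Finding{r.Subdomain, fp.Service, "response matches unclaimed-service fingerprint"}, true
	}
	return Finding{}, false
}

// ScanZone classifies every record and returns the findings in input order.
func ScanZone(records []Record, fps []Fingerprint, flagDead bool) []Finding {
	var out []Finding
	for _, r := range records {
		if f, ok := Classify(r, fps, flagDead); ok {
			out = append(out, f)
		}
	}
	return out
}

// SampleRecords is a CONSTRUCTED zone snapshot: a healthy site, an unclaimed pages site,
// a deleted bucket, a dead CNAME to an unrecognised host, and a name with no CNAME.
func SampleRecords() []Record {
	return []Record{
		{"www.example.com", "app.pages.example-host.test.", false, "<html>Welcome</html>"},
		{"docs.example.com", "docs.pages.example-host.test.", false, "<h1>There isn't a site here</h1>"},
		{"assets.example.com", "assets.bucket.example-storage.test", true, ""},
		{"old.example.com", "legacy.retired-vendor.test", true, ""},
		{"mail.example.com", "", false, ""},
	}
}

func main() {
	fps, err := LoadFingerprints([]byte(SampleFingerprintJSON))
	if err != nil {
		panic(err)
	}
	for _, f := range ScanZone(SampleRecords(), fps, true) {
		fmt.Printf("[%s] %s: %s\n", f.Service, f.Subdomain, f.Reason)
	}
}
```

Run with `go run .`; with the constructed snapshot it reports `docs` (fingerprint match), `assets` (NXDOMAIN on a claimable service) and `old` (dead CNAME, reported only because the `-m`-style flag is on). The suffix match in `matchService` requires a dot boundary so that a host such as `notpages.example-host.test` is not mistaken for the pages service, and every finding should still be confirmed by hand, as the Description section advises.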

Installation

```bash
sudo apt install subjack
```

Flags

-a: Find those hidden gems by sending requests to every URL. (Default: requests are only sent to URLs with identified CNAMEs.)
-c string: Path to configuration file. (default "/usr/share/subjack/fingerprints.json")
-d string: Domain.
-m: Flag the presence of a dead record, but valid CNAME entry.
-o string: Output results to file (Subjack will write JSON if the file name ends with '.json').

Examples

Display the help menu and usage information for all available flags.

```bash
subjack -h
```

Scan a single domain for subdomain takeover vulnerabilities.

```bash
subjack -d example.com
```

Scan a domain and output results to a text file.

```bash
subjack -d example.com -o results.txt
```

Scan a domain and output results to a JSON file.

```bash
subjack -d example.com -o results.json
```

Scan a domain and send requests to every URL, not just those with identified CNAMEs.

```bash
subjack -d example.com -a
```

Scan a domain and flag dead records with valid CNAME entries.

```bash
subjack -d example.com -m
```

Scan a domain using a custom configuration file for fingerprints.

```bash
subjack -c /path/to/custom/fingerprints.json -d example.com
```
Updated 2026-04-16. Source: kali.org