tko-subs – Detect & Takeover Subdomains With Dead DNS Records


tko-subs is a tool that helps you to detect & takeover subdomains with dead DNS records, this could be dangling CNAMEs point to hosting services or to nothing at all or NS records that are mistyped.

tko-subs - Detect & Takeover Subdomains With Dead DNS Records


What does tko-subs – Detect & Takeover Subdomains With Dead DNS Records Do?

This tool allows you:

  • To check whether a subdomain can be taken over because it has:
    • a dangling CNAME pointing to a CMS provider (Heroku, Github, Shopify, Amazon S3, Amazon CloudFront, etc.) that can be taken over.
    • a dangling CNAME pointing to a non-existent domain name
    • one or more wrong/typoed NS records pointing to a nameserver that can be taken over by an attacker to gain control of the subdomain’s DNS records
  • To actually take over those subdomain by providing a flag -takeover. Currently, take over is only supported for Github Pages and Heroku Apps and by default the take over functionality is off.
  • To specify your own CMS providers and check for them via the providers-data.csv file. In that file, you would mention the CMS name, their CNAME value, their string that you want to look for and whether it only works over HTTP or not. Check it out for some examples.

How to install tko-subs to takeover subdomains with dead DNS records

You need GO installed. Once you have GO, just type go get github.com/anshumanbh/tko-subs to download the tool.

Once the tool is downloaded, type tko-subs -h.

The next thing we need to do is to get the following information:

  • Github’s Personal Access Token – Make sure this token has the rights to create repositories, references, contents, etc. You can create this token here – https://github.com/settings/tokens
  • Heroku Username and API key
  • Heroku app name – You can create a static app on Heroku with whatever you want to be displayed on its homepage by following the instructions here – https://gist.github.com/wh1tney/2ad13aa5fbdd83f6a489. Once you create that app, use that app name in the flag (see below). We will use that app to take over the domain (with the dangling CNAME to another Heroku app).

NOTE – You only need these values if you want to take over subdomains. By default, that’s not required.

Required Go Packages to build.

You can download tko-subs here:

tko-subs-master.zip

Or read more here.

Posted in: Hacking Tools


Latest Posts:


Socialscan - Command-Line Tool To Check For Email And Social Media Username Usage Socialscan – Command-Line Tool To Check For Email And Social Media Username Usage
socialscan is an accurate command-line tool to check For email and social media username usage on online platforms, given an email address or username,
CFRipper - CloudFormation Security Scanning & Audit Tool CFRipper – CloudFormation Security Scanning & Audit Tool
CFRipper is a Python-based Library and CLI security analyzer that functions as an AWS CloudFormation security scanning and audit tool
CredNinja - Test Credential Validity of Dumped Credentials or Hashes CredNinja – Test Credential Validity of Dumped Credentials or Hashes
CredNinja is a tool to quickly test credential validity of dumped credentials (or hashes) across an entire network or domain very efficiently.
assetfinder - Find Related Domains and Subdomains assetfinder – Find Related Domains and Subdomains
assetfinder is a Go-based tool to find related domains and subdomains that are related to a given domain from a variety of sources including Facebook and more.
Karkinos - Beginner Friendly Penetration Testing Tool Karkinos – Beginner Friendly Penetration Testing Tool
Karkinos is a light-weight Beginner Friendly Penetration Testing Tool, which is basically a 'Swiss Army Knife' for pen-testing and/or hacking CTF's.
Aclpwn.Py - Exploit ACL Based Privilege Escalation Paths in Active Directory Aclpwn.Py – Exploit ACL Based Privilege Escalation Paths in Active Directory
Aclpwn.py is a tool that interacts with BloodHound< to identify and exploit ACL based privilege escalation paths.


One Response to tko-subs – Detect & Takeover Subdomains With Dead DNS Records

  1. randy October 14, 2020 at 2:24 am #

    hi