subdomainTakeOver.ps1
param(
    # A single subdomain, or the path to a .txt file that lists subdomains.
    # Defaults to an empty string when nothing is passed.
    [Parameter(Position = 1)]
    [string] $subDomainURLORTxtFilePath = ""
)
<#
Description:
Bug bounty tool. This script automates the search for subdomains that could potentially be taken over, by looking for a potentially vulnerable alias (CNAME) record in the subdomain's DNS.
Input (not mandatory):
A specific subdomain, or a .TXT file with a list of subdomains.
Output:
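A list of all the potentially vulnerable subdomains found. A listed entry only means a CNAME record was returned for the name; whether its target is actually unclaimed still has to be verified.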
Command examples:
.\subdomainTakeOver.ps1
.\subdomainTakeOver.ps1 .\subdomains.txt
.\subdomainTakeOver.ps1 subdomain.example.com
#>
# Print the startup banner. The text is a double-quoted string, so each backtick
# in the ASCII art is parsed as a PowerShell escape character and is not printed
# literally.
Write-Host "
####################################################################################################
_____ _ ______ _
/ ___| | | | _ \ (_)
\ `--. _ _| |__ | | | |___ _ __ ___ __ _ _ _ __
`--. \ | | | '_ \| | | / _ \| '_ ` _ \ / _` | | '_ \
/\__/ / |_| | |_) | |/ / (_) | | | | | | (_| | | | | |
\____/ \__,_|_.__/|___/ \___/|_| |_| |_|\__,_|_|_| |_|
_____ _ _____ ___
|_ _| | | | _ | |__ \
| | __ _| | _____ | | | |_ _____ _ __ ) |
| |/ _` | |/ / _ \| | | \ \ / / _ \ '__/ /
| | (_| | < __/\ \_/ /\ V / __/ | |_|
\_/\__,_|_|\_\___| \___/ \_/ \___|_| (_)
______ ___ ___ _ __
| ___ \ _ | \/ | | | / |
| |_/ /_ _ (_) | . . |_ __ | | _____ __`| | ___
| ___ \ | | | | |\/| | '__| | |/ _ \ \ /\ / / | |/ __|
| |_/ / |_| | _ | | | | | _ | | __/\ V V / _| |\__ \
\____/ \__, | (_) \_| |_/_| (_) |_|\___| \_/\_/ \___/___/
__/ |
|___/
#####################################################################################################
"
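# Working collections shared by the stages below.
$SubDomainsArray = @()        # names to test (one entry, or the lines of the .txt file)
$DNSEntryArray = @()          # DNS records kept for the final report
$FilteredDomainArray = @()    # names whose web request did not succeed

# Record types passed to Resolve-DnsName for every remaining name.
# Fixed: "PRT" is not a DNS record type (the intended type is "PTR"), so that
# query could never succeed; the second "NS" entry only repeated a lookup.
$RecordsTypes = @("A","AAAA","NS","CNAME","CAA","MX","PTR","SOA","SRV","TXT")
#$RecordsTypes = @("ALL")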
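# Ask for the target interactively when none was given on the command line.
if ([string]::IsNullOrWhiteSpace($subDomainURLORTxtFilePath)) {
    $subDomainURLORTxtFilePath = Read-Host -Prompt ' A specefic subdomain or a .TXT file with a list of subdomains: '
}
$subDomainURLORTxtFilePath = "$subDomainURLORTxtFilePath".Trim()

# Decide between "list file" and "single name" by the .txt suffix.
# -like is case-insensitive (so .TXT matches, as the -eq comparison did) and,
# unlike Substring(Length-4), does not throw on input shorter than four characters.
if ($subDomainURLORTxtFilePath -like '*.txt') {
    # One subdomain per line. Blank lines and surrounding whitespace are dropped,
    # otherwise an empty entry fails the web request and is carried forward as
    # if it were an unreachable host.
    $SubDomainsArray = @(
        Get-Content -Path $subDomainURLORTxtFilePath |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ -ne '' }
    )
}
elseif ($subDomainURLORTxtFilePath -ne '') {
    $SubDomainsArray = @($subDomainURLORTxtFilePath)
}
else {
    # Nothing was entered at the prompt either: leave the work list empty.
    $SubDomainsArray = @()
}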
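# Reachability filter: request each name over the web and keep only those whose
# request fails.
#
# With -ErrorAction Stop the catch block runs for any failure of the request:
# a name that does not resolve, a refused or timed-out connection, a TLS error,
# and also an HTTP error status. "Unreachable" therefore means "did not return
# a successful response", not "host is down".
# NOTE(review): a name whose alias target still answers with a success status is
# dropped here, so this filter can miss stale records - confirm that is intended.
foreach ($url in $SubDomainsArray) {
    try {
        # -UseBasicParsing keeps Windows PowerShell from handing the response of
        # an untrusted host to the Internet Explorer engine; without it a machine
        # where that engine is unavailable raises an error that would be counted
        # as "unreachable".
        # -TimeoutSec bounds the wait so one silent host cannot stall the run.
        # The response body is not used, only success or failure matters.
        $null = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 30 -ErrorAction Stop
        # Reached only when the request succeeded.
        Write-Host "$($url) is reachable...Subdomain Dropped" -ForegroundColor Red
    }
    catch {
        $FilteredDomainArray += $url
        Write-Host "$($url) is unreachable...Subdomain Added" -ForegroundColor Green
    }
}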
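# DNS stage: query every record type for each name that failed the web request
# and keep the CNAME records that come back.
#
# A space now separates each message string from -ForegroundColor; glued directly
# to the closing quote it risks being parsed as part of the text argument rather
# than as a parameter.
Write-Host "[Looking For DNS records....]" -ForegroundColor Yellow

# An aliased name can return its CNAME record for several of the queried types,
# so each (name, target) pair is remembered and stored only once.
$seenAliases = @{}
foreach ($element in $FilteredDomainArray) {
    foreach ($record in $RecordsTypes) {
        try {
            # Non-terminating lookup errors (for example a name that does not
            # exist) are silenced; terminating ones, such as a record type the
            # cmdlet rejects, land in the catch block and skip to the next type.
            $DNSEntryObject = Resolve-DnsName -Name $element -Type $record -ErrorAction SilentlyContinue
            # Keep only the CNAME records of the answer; the report stage prints
            # nothing else.
            foreach ($entry in @($DNSEntryObject | Where-Object { $_.Type -eq "CNAME" })) {
                $aliasKey = "$($entry.Name)|$($entry.NameHost)"
                if ($seenAliases.ContainsKey($aliasKey)) { continue }
                $seenAliases[$aliasKey] = $true
                Write-Host "$($element) : CNAME response received" -ForegroundColor Green
                $DNSEntryArray += $entry
            }
        }
        catch { continue }
    }
}
Write-Host "[Done.]
" -ForegroundColor Yellow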
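# Report stage: list every alias found, one line per (name, target) pair.
#
# A CNAME answer only shows that the name is an alias. Most aliases are
# legitimate, so each line is a candidate to verify: confirm that the target is
# no longer provisioned before treating it as a finding. The remediation for a
# confirmed stale alias is to remove or repoint the DNS record.
Write-Host "Potential Subdomain Takeover :" -ForegroundColor Cyan

# Filter first so the "nothing found" branch also covers a collection that holds
# records but no CNAME.
$cnameFindings = @($DNSEntryArray | Where-Object { $_.Type -eq "CNAME" })
if ($cnameFindings.Count -eq 0) {
    Write-Host "None where found..."
}
else {
    # The same alias can be collected more than once (one copy per record type
    # queried); print each distinct line only once.
    $reported = @{}
    foreach ($element in $cnameFindings) {
        $line = "URL: $($element.name) CNAME : $($element.NameHost)"
        if (-not $reported.ContainsKey($line)) {
            $reported[$line] = $true
            Write-Host $line
        }
    }
}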