Allows you to discover subdomains of a target organization which point to external services (ex. Amazon S3, Heroku, Github, etc) and are not claimed - leaving them vulnerable to hostile takeover.
Subdomain Takeover is a classic well paid vulnerability in Bug Bounty programs. This tool allows you to discover such vulnerabilities and get paid for them.
Review Your DNS Entries
As a system administrator, you can use this tool to perform an external inventary of the existing DNS entries of your organization.
Discover Attack Surface
Since it also discovers the subdomains of the target domain, this tool allows you to have a better view of the attack surface of your target organization.
Subdomain Takeover is a type of vulnerability which appears when an organization has configured a DNS CNAME entry for one of its subdomains pointing to an external service (ex. Heroku, Github, Bitbucket, Desk, Squarespace, Shopify, etc) but the service is no longer utilized by that organization. An attacker could register to the external service and claim the affected subdomain.
As a result, the attacker could host malicious code (ex. for stealing HTTP cookies) on the organization's subdomain and use it to attack legitimate users.
This is a domain name (ex. yahoo.com) which will be searched for subdomains vulnerable to takeover.
How it works
The tool uses all the techniques from Find Subdomains tool to identify existing subdomains for the target domain. Then it searches for CNAME DNS entries pointing to external services and it tries to visit the web pages at those locations. If the pages contain some specific keywords (depending on the external service), the subdomain is declared as vulnerable.
This tool costs 50 credits but you have 40 credits left.