Subdomain takeover scanner
Current count of fingerprints: 80
acquia
activecampaign
aftership
agilecrm
aha
airee
anima
announcekit
aws/s3
bigcartel
bitbucket
brightcove
campaignmonitor
canny
cargo
cargocollective
cloudfront
desk
fastly
feedpress
flexbe
flywheel
frontify
gemfury
getresponse
ghost
gitbook
github
hatenablog
helpjuice
helprace
helpscout
heroku
hubspot
intercom
jazzhr
jetbrains
kajabi
kinsta
launchrock
mashery
netlify
ngrok
pagewiz
pantheon
pingdom
proposify
readme
readthedocs
s3bucket
shopify
shortio
simplebooklet
smartjob
smartling
smugmug
sprintful
statuspage
strikingly
surge
surveygizmo
surveysparrow
tave
teamwork
thinkific
tictail
tilda
tumbler
uberflip
unbounce
uptimerobot
uservoice
vend
webflow
wishpond
wix
wordpress
worksites.net
wufoo
zendesk
to use as python library
pip install sdto
to use as a CLI tool
pip install sdto[cli]
or:
git clone https://github.com/scanfactory/sdto.git
cd sdto
poetry install
Examples:
python3 -m sdto -t www.domain.com
python3 -m sdto -t www.domain.com -f path/to/custom-fingerprints-file.json
python3 -m sdto -t https://www.domain.com/
python3 -m sdto -t http://www.domain.com/
python3 -m sdto -t www.domain.com --no-ssl
python3 -m sdto -t www.domain.com -v --timeout 30
python3 -m sdto -t www.domain.com -H "user-agent" "your-custom-user-agent" -H "another-header" "header-value"
python3 -m sdto -t www.domain.com -F json
python3 -m sdto -t www.domain.com -o output.txt
python3 -m sdto -t www.domain.com -F json -o output.json
python3 -m sdto -t www.domain.com -F txt -o output.txt
python3 -m sdto -t www.domain.com -p http://127.0.0.1:8080
python3 -m sdto -l subdomains-list.txt
Build the image:
docker build -t sdto .
Run the container:
docker run -it --rm sdto -t www.domain.com -v
You can specify custom fingerprints file via -f path/to/file.json
parameter.
The expected json file format:
{
"AWS/S3": {"pattern": "The specified bucket does not exist"},
"BitBucket": {"pattern": "Repository not found"},
"Fastly": {"pattern": "Fastly pattern\\: unknown domain\\:", "process_200": true}
}
Note that pattern
value is expected to be a python regexp.
Example:
import re
from aiohttp import ClientSession
from sdto import check_target, RegexFingerprint
async def main():
async with ClientSession() as cs:
fingerprint = await check_target(
cs=cs,
target="sub.domain.com",
ssl=True,
proxy=None,
fingerprints=[
RegexFingerprint(
"Github",
re.compile(r"There isn\'t a Github Pages site here\."),
process_200=False,
)
]
)
if not fingerprint:
print("No match")
else:
print(fingerprint.name)