
SubSnipe: Open-source tool for finding subdomains vulnerable to takeover
2024-07-17 04:00

SubSnipe is an open-source, multi-threaded tool to help find subdomains vulnerable to takeover.

It's simpler, produces better output, and has more fingerprints than other subdomain takeover tools.

"The fingerprinting tells me it's an S3 bucket, and S3 buckets are theoretically takeoverable.

"My tool runs DNS and HTTP requests and tries to determine if resources are available for takeover," SubSnipe creator Florian Walter told Help Net Security.

"The most challenging part of finding subdomain takeovers is knowing which domains can be taken over and how to verify if the takeover is possible. During the development and while using the tool, I realized that some domains exist, e.g., in Azure, that should be takeoverable, but I never could take them over. I'm not 100% sure why this is, but I assume these cloud services constantly change. Until researchers reflect new changes in the fingerprints, there may always be false positives," Walter said.
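The two stages described above (fingerprint the CNAME target, then look at DNS and HTTP evidence that the resource is actually unclaimed) can be sketched as follows for auditing records in your own zone. This is an added example, not SubSnipe's code; the fingerprint table, record names and observations are constructed assumptions.

```python
from dataclasses import dataclass

# Illustrative fingerprints (assumptions, not SubSnipe's list): CNAME suffix ->
# (service, marker expected in the HTTP body when the resource is unclaimed,
#  or None when the signal is the CNAME target failing to resolve).
FINGERPRINTS = {
    ".s3.amazonaws.com": ("AWS S3", "NoSuchBucket"),
    ".azurewebsites.net": ("Azure App Service", None),
}

@dataclass
class Observation:
    name: str              # record in the zone being audited
    cname: str             # its CNAME target
    target_resolves: bool  # did the target resolve to an address?
    http_status: int = 0   # 0 means no HTTP response was obtained
    http_body: str = ""

def fingerprint(cname):
    """Stage 1: map a CNAME target to a known service, or None."""
    target = cname.rstrip(".").lower()
    for suffix, entry in FINGERPRINTS.items():
        if target.endswith(suffix):
            return entry
    return None

def triage(obs):
    """Stage 2: a fingerprint hit is only a candidate if evidence agrees."""
    fp = fingerprint(obs.cname)
    if fp is None:
        return "no-fingerprint"
    service, marker = fp
    if marker is None:
        dangling = not obs.target_resolves
    else:
        dangling = obs.http_status == 404 and marker in obs.http_body
    # "candidate" still needs manual confirmation: fingerprints go stale.
    return f"candidate ({service})" if dangling else f"claimed ({service})"

# Constructed observations, as if collected by earlier DNS/HTTP lookups.
ZONE = [
    Observation("cdn.example.com", "assets-example.s3.amazonaws.com.", True,
                404, "<Error><Code>NoSuchBucket</Code></Error>"),
    Observation("img.example.com", "img-example.s3.amazonaws.com.", True, 200, "ok"),
    Observation("app.example.com", "old-app-example.azurewebsites.net.", False),
    Observation("www.example.com", "lb.example.net.", True, 200, "ok"),
]

def audit(zone):
    return {obs.name: triage(obs) for obs in zone}

if __name__ == "__main__":
    for name, verdict in audit(ZONE).items():
        print(f"{name:18} {verdict}")
```

A "candidate" verdict means the record deserves review and cleanup, not that a takeover is confirmed, which matches the false-positive caveat in the quote above.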

Future plans and download

"The main thing that could be improved is adding more fingerprints. I spent much time looking for fingerprints, which should be done periodically. Also, while CNAMEs are the most common method of subdomain takeover, there are other methods, and I want to make my tool reflect this and check for that," Walter concluded.


News URL

https://www.helpnetsecurity.com/2024/07/17/subsnipe-open-source-tool-find-subdomains-vulnerable-takeover/