jake/subtake
1
Fork 0
mirror of https://github.com/jakejarvis/subtake.git synced 2025-04-26 06:25:23 -04:00
Code Releases Activity

sonar.sh bug fixes

Browse Source
This commit is contained in:
Jake Jarvis 2019-03-04 13:04:23 -05:00
parent 5761a930dd
commit a8d04f1beb
No known key found for this signature in database
GPG Key ID: D36CB66F4002B25B
2 changed files with 21 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
README.md
View File

@ -29,16 +29,26 @@ Requires [Go](https://golang.org/dl/).
`fingerprints.json` can be modified to add or remove hosted platforms to probe for. Many obscure platforms are included, and removing fingerprints for services that are uninteresting to you can speed up the scan.
If you plan on using a high number of threads to speed the process up, you may need to [temporarily raise the `ulimit` of your shell](http://posidev.com/blog/2009/06/04/set-ulimit-parameters-on-ubuntu/):
```
ulimit -a # show current limit (usually 1024)
ulimit -n 10000 # set waaaaay higher
ulimit -a # check new limit
```
After generating a list of all vulnerable subdomains, you can use my [collection of domains invoked in bug bounty programs](https://github.com/jakejarvis/bounty-domains/blob/master/domains.txt) to narrow down valuable targets and possibly get some ca$h monie$$$.
### Examples
`./sonar.sh 2018-10-27-1540655191-fdns_cname.json.gz sonar_all_cnames.txt`
`subtake -f sonar_all_cnames.txt -t 50 -ssl -a -o vulnerable.txt`
## Subdomain Takeovers
## Subdomain Takeover Tips
- A great explanation of the risks of takeovers and steps to responsibly disclose takeovers to companies: https://0xpatrik.com/subdomain-takeover/
- A comprehensive list of what services are vulnerable and how to proceed once finding them: https://github.com/EdOverflow/can-i-take-over-xyz
- A comprehensive list of what services are vulnerable (and the basis of `fingerprints.json`), and how to proceed once finding them: https://github.com/EdOverflow/can-i-take-over-xyz
## Services Checked

19
sonar.sh
View File

@ -2,7 +2,7 @@
# Usage : ./sonar.sh <version number> <file>
# Example: ./sonar.sh 2018-10-27-1540655191-fdns_cname.json.gz cname_list.txt
# Premium
# Progress spinner
function ech() {
spinner=( "|" "/" "-" "\\" )
while true; do
@ -41,19 +41,18 @@ function run() {
# Gathering data from scans.io / Rapid7 Project Sonar
# Find the latest filename listed at https://opendata.rapid7.com/sonar.fdns_v2/ ending with fdns_cname.json.gz and pass in as first argument
#file=$(echo "2018-10-27-1540655191-fdns_cname.json.gz")
#latest=$(curl -s "https://opendata.rapid7.com/sonar.fdns_v2/" | grep "<td><a" | tail -1 | cut -d'"' -f2)
#file=$(echo $latest | cut -d'/' -f3)
#cmd="wget -q https://opendata.rapid7.com$latest"
#run "Downloading $file (This may take a while)." "$cmd" "Finished Downloading $file"
cmd="wget -q https://opendata.rapid7.com/sonar.fdns_v2/$1"
run "Downloading $1, this may take a while..." "$cmd" "Finished downloading $1."
# Example: 2018-10-27-1540655191-fdns_cname.json.gz
if [ ! -f $1 ]; then
cmd="wget -q https://opendata.rapid7.com/sonar.fdns_v2/$1"
run "Downloading $1, this may take a while..." "$cmd" "Finished downloading $1."
fi
# Parsing it into a file called cname_scanio
msg="Grepping for CNAME records."
ech $msg &
pid=$!
zcat < $file | grep 'type":"cname' | awk -F'":"' '{print $3, $5}' | \
zcat < $1 | grep 'type":"cname' | awk -F'":"' '{print $3, $5}' | \
awk -F'"' '{print $1, $3}' | sed -e s/" type "/" "/g >> cname_scanio
die $pid "CNAME records grepped." $msg
@ -122,7 +121,7 @@ cmd="grep -Ei '${DOMAINS}' cname_scanio >> cname_db"
run "Sorting CNAME records." "$cmd" "CNAME records sorted."
# Sorting the CNAME list
cmd="cat cname_db | cut -d' ' -f1 | sort | uniq >> $1"
cmd="cat cname_db | cut -d' ' -f1 | sort | uniq >> $2"
run "Cleaning up." "$cmd" "Cleaned up."
# RM files.