SubSnipe: Open-source tool for finding subdomains vulnerable to takeover

July 17, 2024

SubSnipe is an open-source, multi-threaded tool to help find subdomains vulnerable to takeover. It’s simpler, produces better output, and has more fingerprints than other subdomain takeover tools.

vulnerable subdomains

“SubSnipe does some additional verification after the fingerprinting to find candidates more likely to be takeoverable. Say I found that static.example.com is a CNAME for an S3 bucket called “static-example”. The fingerprinting tells me it’s an S3 bucket, and S3 buckets are theoretically takeoverable. But of course, it is only if the bucket name is available. So, my tool runs DNS and HTTP requests and tries to determine if resources are available for takeover,” SubSnipe creator Florian Walter told Help Net Security.

The tool can be used in two different ways:

Provide a domain as input, and the tool then searches crt.sh to search for known subdomains.
Provide the path to a file that already contains subdomains.

“The most challenging part of finding subdomain takeovers is knowing which domains can be taken over and how to verify if the takeover is possible. During the development and while using the tool, I realized that some domains exist, e.g., in Azure, that should be takeoverable, but I never could take them over. I’m not 100% sure why this is, but I assume these cloud services constantly change. Until researchers reflect new changes in the fingerprints, there may always be false positives,” Walter said.

Future plans and download

“The main thing that could be improved is adding more fingerprints (but first, one needs to find good fingerprints, verify them, etc.). I spent much time looking for fingerprints, which should be done periodically. Also, while CNAMEs are the most common method of subdomain takeover, there are other methods, and I want to make my tool reflect this and check for that,” Walter concluded.

SubSnipe is available for free download on GitHub.