DNS Reaper is yet another sub-domain takeover tool, but with an emphasis on accuracy, speed and the number of signatures in our arsenal!
We can scan around 50 subdomains per second, testing each one with over 50 takeover signatures. This means most organisations can scan their entire DNS estate in less than 10 seconds.
You can run it by providing a list of domains in a file, or a single domain on the command line. DNS Reaper will then scan the domains with all of its signatures, producing a CSV file.
You can run it by letting it fetch your DNS records for you! Yes that’s right, you can run it with credentials and test all your domain config quickly and easily. DNS Reaper will connect to the DNS provider and fetch all your records, and then test them.
We currently support AWS Route53, Cloudflare, and Azure. Documentation on adding your own provider can be found here.
Punk Security are a DevSecOps company, and DNS Reaper has its roots in modern security best practice.
You can run DNS Reaper in a pipeline, feeding it a list of domains that you intend to provision, and it will exit Non-Zero if it detects a takeover is possible. You can prevent takeovers before they are even possible!
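To make concrete what a "takeover signature" actually tests, and how a non-zero exit code turns a scan into a pipeline gate, here is a constructed, offline model of two classic takeover conditions: a CNAME whose target no longer exists, and an NS delegation whose nameservers no longer exist. This is an added example and is not DNS Reaper's own code; the zone data, resolver callback, signature names and function names are all assumptions invented for illustration, and the resolver is injected so the constructed records stand in for live DNS.

```python
"""Constructed model of a subdomain-takeover scan (added example; not DNS Reaper's code).

Two classic takeover conditions are modelled as "signatures": a CNAME whose
target no longer exists, and an NS delegation whose nameservers no longer
exist. A resolver callback is injected so a constructed record set stands in
for live DNS, which keeps the example runnable offline. Real scanners such as
DNS Reaper use many more signatures and real DNS/HTTP probes.
"""
import csv
import io
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List, Optional

# Resolver contract: (name, rrtype) -> record values; [] for NODATA, None for NXDOMAIN.
Resolver = Callable[[str, str], Optional[List[str]]]

# Constructed zone data (assumption). The .test TLD is reserved, so nothing here resolves on the Internet.
FAKE_ZONE: Dict[str, Dict[str, List[str]]] = {
    "www.example.test": {"CNAME": ["www-origin.cdn.example-provider.test"]},
    "www-origin.cdn.example-provider.test": {"A": ["203.0.113.10"]},  # target still exists: safe
    "old-app.example.test": {"CNAME": ["retired-tenant.example-provider.test"]},  # target gone
    "shop.example.test": {"NS": ["ns1.gone-dns.test", "ns2.gone-dns.test"]},      # nameservers gone
    "api.example.test": {"A": ["198.51.100.7"]},                                   # plain A record: safe
}


def fake_resolver(name: str, rrtype: str) -> Optional[List[str]]:
    """Answer from FAKE_ZONE. None models NXDOMAIN; [] models NODATA (name exists, no such type)."""
    node = FAKE_ZONE.get(name)
    if node is None:
        return None
    return node.get(rrtype, [])


def sig_dangling_cname(domain: str, resolve: Resolver) -> Optional[str]:
    """Fires when the domain is a CNAME whose target returns NXDOMAIN."""
    targets = resolve(domain, "CNAME")
    if not targets:
        return None
    target = targets[0]
    if resolve(target, "A") is None:
        return f"CNAME -> {target} returns NXDOMAIN"
    return None


def sig_dangling_ns(domain: str, resolve: Resolver) -> Optional[str]:
    """Fires when every nameserver the domain is delegated to returns NXDOMAIN."""
    servers = resolve(domain, "NS")
    if not servers:
        return None
    dead = [ns for ns in servers if resolve(ns, "A") is None]
    if len(dead) == len(servers):
        return "NS delegation to " + ", ".join(servers) + " resolves nowhere"
    return None


# Signature registry, keyed by the name a --signature / --exclude-signature style option would use.
SIGNATURES: Dict[str, Callable[[str, Resolver], Optional[str]]] = {
    "dangling-cname": sig_dangling_cname,
    "dangling-ns": sig_dangling_ns,
}


def scan(domains: List[str], resolve: Resolver = fake_resolver,
         signatures=SIGNATURES, parallelism: int = 4) -> List[Dict[str, str]]:
    """Run every signature against every domain, testing domains in parallel."""
    def check_one(domain: str) -> List[Dict[str, str]]:
        hits = []
        for sig_name, check in signatures.items():
            info = check(domain, resolve)
            if info:
                hits.append({"domain": domain, "signature": sig_name, "info": info})
        return hits

    with ThreadPoolExecutor(max_workers=parallelism) as pool:
        per_domain = list(pool.map(check_one, domains))  # map() keeps input order
    return [hit for hits in per_domain for hit in hits]


def to_csv(findings: List[Dict[str, str]]) -> str:
    """Render findings as CSV text, the shape a results.csv style report takes."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["domain", "signature", "info"])
    writer.writeheader()
    writer.writerows(findings)
    return buf.getvalue()


def pipeline_exit_code(findings: List[Dict[str, str]]) -> int:
    """Non-zero when anything fired, so a CI job using this as a gate fails the build."""
    return 1 if findings else 0


if __name__ == "__main__":
    import sys
    # Domains the pipeline "intends to provision", checked before they go live.
    planned = ["www.example.test", "old-app.example.test", "shop.example.test", "api.example.test"]
    results = scan(planned)
    sys.stdout.write(to_csv(results))
    sys.exit(pipeline_exit_code(results))
```

Run as a script it prints two findings (old-app.example.test and shop.example.test) as CSV and exits 1, which is the behaviour a pipeline step keys off; the healthy CNAME and the plain A record produce nothing. Swapping fake_resolver for a real DNS lookup is the only change needed to run the same logic against live records.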
To run DNS Reaper, you can use the Docker image or run it with Python 3.10.
Findings are returned in the output and more detail is provided in a local "results.csv" file. We also support JSON output as an option.
Run it with Docker
docker run punksecurity/dnsreaper --help
Run it with Python
pip install -r requirements.txt
python main.py --help
docker run punksecurity/dnsreaper aws --aws-access-key-id <key> --aws-access-key-secret <secret>
For more information, see the documentation for the aws provider.
docker run -v $(pwd):/etc/dnsreaper punksecurity/dnsreaper file --filename /etc/dnsreaper/<filename>
docker run punksecurity/dnsreaper single --domain <domain>
docker run punksecurity/dnsreaper single --domain <domain> --out stdout --out-format=json > output
Full usage
[ASCII-art banner: "PunkSecurity PRESENTS"]
DNS Reaper ☠️
Scan all your DNS records for subdomain takeovers!
usage:
    .\main.py provider [options]

output:
    findings output to screen and (by default) results.csv

help:
    .\main.py --help

providers:
    aws           - Scan multiple domains by fetching them from AWS Route53
    azure         - Scan multiple domains by fetching them from Azure DNS services
    bind          - Read domains from a dns BIND zone file, or path to multiple
    cloudflare    - Scan multiple domains by fetching them from Cloudflare
    file          - Read domains from a file, one per line
    single        - Scan a single domain by providing a domain on the commandline
    zonetransfer  - Scan multiple domains by fetching records via DNS zone transfer

positional arguments:
  {aws,azure,bind,cloudflare,file,single,zonetransfer}

options:
  -h, --help            Show this help message and exit
  --out OUT             Output file (default: results) - use 'stdout' to stream out
  --out-format {csv,json}
  --resolver RESOLVER   Provide a custom DNS resolver (or multiple seperated by commas)
  --parallelism PARALLELISM
                        Number of domains to test in parallel - too high and you may see odd DNS results (default: 30)
  --disable-probable    Do not check for probable conditions
  --enable-unlikely     Check for more conditions, but with a high false positive rate
  --signature SIGNATURE
                        Only scan with this signature (multiple accepted)
  --exclude-signature EXCLUDE_SIGNATURE
                        Do not scan with this signature (multiple accepted)
  --pipeline            Exit Non-Zero on detection (used to fail a pipeline)
  -v, --verbose         -v for verbose, -vv for extra verbose
  --nocolour            Turns off coloured text

aws:
  Scan multiple domains by fetching them from AWS Route53

  --aws-access-key-id AWS_ACCESS_KEY_ID
                        Optional
  --aws-access-key-secret AWS_ACCESS_KEY_SECRET
                        Optional

azure:
  Scan multiple domains by fetching them from Azure DNS services

  --az-subscription-id AZ_SUBSCRIPTION_ID
                        Required
  --az-tenant-id AZ_TENANT_ID
                        Required
  --az-client-id AZ_CLIENT_ID
                        Required
  --az-client-secret AZ_CLIENT_SECRET
                        Required

bind:
  Read domains from a dns BIND zone file, or path to multiple

  --bind-zone-file BIND_ZONE_FILE
                        Required

cloudflare:
  Scan multiple domains by fetching them from Cloudflare

  --cloudflare-token CLOUDFLARE_TOKEN
                        Required

file:
  Read domains from a file, one per line

  --filename FILENAME   Required

single:
  Scan a single domain by providing a domain on the commandline

  --domain DOMAIN       Required

zonetransfer:
  Scan multiple domains by fetching records via DNS zone transfer

  --zonetransfer-nameserver ZONETRANSFER_NAMESERVER
                        Required
  --zonetransfer-domain ZONETRANSFER_DOMAIN
                        Required