DNSTake takeover vulnerabilities occur when a subdomain (subdomain.example.com) or domain has its authoritative nameserver set to a provider (e.g. AWS Route 53, Akamai, Microsoft Azure, etc.) but the hosted zone has been removed or deleted. Consequently, when making a request for DNS records the server responds with a SERVFAIL
error. This allows an attacker to create the missing hosted zone on the service that was being used and thus control all DNS records for that (sub)domain.¹
The ez way! You can download a pre-built binary from releases page, just unpack and run!
NOTE: Go 1.16+ compiler should be installed & configured! |
Very quick & clean!
▶ go install github.com/pwnesia/dnstake/cmd/dnstake@latest
— or
Manual building executable from source code:
▶ git clone https://github.com/pwnesia/dnstake
▶ cd dnstake/cmd/dnstake
▶ go build .
▶ (sudo) mv dnstake /usr/local/bin
Usage
$ dnstake -h
·▄▄▄▄ ▐ ▄ .▄▄ ·▄▄▄▄▄ ▄▄▄· ▄ •▄ ▄▄▄ .
██▪ ██ •█▌▐█▐█ ▀.•██ ▐█ ▀█ █▌▄▌▪▀▄.▀·
▐█· ▐█▌▐█▐▐▌▄▀▀▀█▄▐█.▪▄█▀▀█ ▐▀▀▄·▐▀▀▪▄
██. ██ ██▐█▌▐█▄▪▐█▐█▌·▐█ ▪▐▌▐█.█▌▐█▄▄▌
▀▀▀▀▀• ▀▀ █▪ ▀▀▀▀ ▀▀▀ ▀ ▀ ·▀ ▀ ▀▀▀
(c) pwnesia.org — v0.0.1
Usage:
[stdin] | dnstake [options]
dnstake -t HOSTNAME [options]
Options:
-t, –target Define single target host/list to check
-c, –concurrent Set the concurrency level (default: 25)
-s, –silent Suppress errors and/or clean output
-h, –help Display its help
Examples:
dnstake -t (sub.)domain.tld
dnstake -t hosts.txt
cat hosts.txt | dnstake
subfinder -silent -d domain.tld | dnstake