dnsReaper
identify subdomain takeovers
dnsReaper is yet another sub-domain takeover tool, but with an emphasis on accuracy, speed and the number of signatures in our arsenal! dnsReaper can be provided with domains to test or fetch your DNS records for you. dnsReaper will connect to your DNS provider and fetch all your records, and then test them.
We wrote dnsReaper as we have worked with numerous clients who suffered subdomain takeovers, allowing attackers to serve malicious content from their domains. We managed the bug bounty program for one of our clients, providing expertise and support to their triaging process. We were surprised with the frequency of reports for subdomain takeover vulnerabilities, which was costing them thousands of dollars.
Subdomain takeovers are a serious risk, so we set out building a tool that would automatically detect and alert on the DNS misconfiguration our clients were prone to. We then extended it to support over 50 signatures and opensourced it.
Most existing subdomain takeover tools require you to provide the domain list, which is fine for bug bounty hunting but not for auditing your own DNS. dnsReaper can fetch your domains through multiple mechanisms, or you can feed it a list of domains.
We’ve even used it ourselves to identify subdomain takeover vulnerabilities in public bug bounty programs!
You can use dnsReaper as an attacker or bug hunter!
You can run it by providing a list of domains in a file, or a single domain on the command line. dnsReaper will then scan the domains with all of its signatures, producing a CSV file.
You can use dnsReaper as a defender!
You can run it by letting it fetch your DNS records for you! Yes that’s right, you can run it with credentials and test all your domain config quickly and easily. dnsReaper will connect to the DNS provider and fetch all your records, and then test them.
We currently support AWS Route53, Azure, BIND, Cloudflare, and Digital Ocean. Documentation on all our providers, and adding your own provider, can be found on github
You can use dnsReaper as a DevSecOps Pro!
Punk Security are a DevSecOps company, and dnsReaper has its roots in modern security best practice.
You can run dnsReaper in a pipeline, feeding it a list of domains that you intend to provision, and it will exit Non-Zero if it detects a takeover is possible. You can prevent takeovers before they are even possible!
For AWS Route53 checks, you can grant the lambda Route53 IAM access and dnsReaper will automatically detect all Route53 DNS records.