/baddns

Check subdomains for subdomain takeovers and other DNS tomfoolery

Primary LanguagePythonGNU General Public License v3.0GPL-3.0

BadDNS

Check subdomains for subdomain takeovers and other DNS tomfoolery

Black License tests codecov Pypi Downloads

BadDNS is a standalone tool and BBOT module for detecting domain/subdomain takeovers of all kinds, including other DNS issues like NSEC walks and Subdomain Takeovers.

Check out the introductory blog on the BLS substack!

Installation

We have a pypi package, so you can just do pip install baddns to make use of the library.

Or use pipx: pipx install git+https://github.com/blacklanternsecurity/baddns

Usage

After installing with pip, you can just run baddns from the command line.

usage: baddns [-h] [-n CUSTOM_NAMESERVERS] [-c CUSTOM_SIGNATURES] [-l] [-s] [-m MODULES] [-d] [target]

Check subdomains for subdomain takeovers and other DNS tomfoolery

positional arguments:
  target                subdomain to analyze

options:
  -h, --help            show this help message and exit
  -n CUSTOM_NAMESERVERS, --custom-nameservers CUSTOM_NAMESERVERS
                        Provide a list of custom nameservers separated by comma.
  -c CUSTOM_SIGNATURES, --custom-signatures CUSTOM_SIGNATURES
                        Use an alternate directory for loading signatures
  -l, --list-modules    List available modules and their descriptions.
  -s, --silent          Show only vulnerable targets
  -m MODULES, --modules MODULES
                        Comma separated list of module names to use. Ex: module1,module2,module3
  -d, --debug           Enable debug logging

Modules

Name Description
cname Check for dangling CNAME records and interrogate them for subdomain takeover opportunities
ns Check for dangling NS records, and interrogate them for takeover opportunities
mx Check for dangling MX records and assess their base domains for availability
nsec Enumerate subdomains by NSEC-walking
references Check HTML content for links or other references that contain a hijackable domain
txt Check TXT record contents for hijackable domains
zonetransfer Attempt a DNS zone transfer

Examples

  • Simple check
baddns subdomaintocheck.example.com
  • Specify Module(s)
baddns -m CNAME subdomaintocheck.example.com
baddns -m CNAME,NS subdomaintocheck.example.com
  • List available Modules
baddns -l
  • Custom Nameservers
baddns -n 1.1.1.1 subdomaintocheck.example.com

Documentation

Please visit our full documentation for many more details, including information about specific BadDNS modules.

Acknowledgements

BadDNS Signatures are sourced primarily from Nuclei Templates and from dnsReaper by Punk Security, although many have been modified or updated in BadDNS. Much of the research contained in the signatures was originally discussed on the issues page of can-i-take-over-xyz.