🎁 Get the FREE AI Skills Starter Guide β€” Subscribe β†’
BytesAgainBytesAgain
πŸ¦€ ClawHub

Subdomain Takeover Checker

by @hostilespider

Check subdomains for potential takeover vulnerabilities. Detects dangling DNS records pointing to unclaimed services (GitHub Pages, Heroku, AWS, etc.)

Versionv1.0.0
Downloads691
TERMINAL
clawhub install subdomain-takeover

πŸ“– About This Skill


name: subdomain-takeover description: Check subdomains for potential takeover vulnerabilities. Detects dangling DNS records pointing to unclaimed services (GitHub Pages, Heroku, AWS, etc.) metadata: {"openclaw":{"emoji":"🏴","requires":{"bins":["bash","dig"]}}}

Subdomain Takeover Checker

Detect dangling DNS records that could be hijacked. Checks if subdomains point to services that might be unclaimed.

Quick Start

# Check a list of subdomains
bash {baseDir}/scripts/check-takeover.sh -l subdomains.txt

Check single subdomain

bash {baseDir}/scripts/check-takeover.sh -d sub.example.com

Passive DNS only (no HTTP verification)

bash {baseDir}/scripts/check-takeover.sh -l subdomains.txt --passive

What It Checks

CNAME records pointing to known vulnerable services:

  • GitHub Pages (*.github.io, *.github.com)
  • Heroku (*.herokudns.com, *.herokuapp.com)
  • AWS (*.amazonaws.com, *.s3.amazonaws.com, *.cloudfront.net)
  • Azure (*.azurewebsites.net, *.cloudapp.azure.com)
  • Shopify (*.myshopify.com)
  • Fastly (*.fastly.net)
  • Pantheon (*.pantheonsite.io)
  • Surge (*.surge.sh)
  • Tumblr (*.tumblr.com)
  • WordPress (*.wordpress.com)
  • Zendesk (*.zendesk.com)
  • 50+ more services...
  • Options

  • -l FILE β€” File with subdomains (one per line)
  • -d DOMAIN β€” Single subdomain to check
  • --passive β€” DNS-only check (no HTTP requests)
  • --json β€” JSON output
  • --timeout SECS β€” DNS timeout (default: 5)
  • --output FILE β€” Write results to file
  • Output

    === Subdomain Takeover Scan ===
    Scanning 50 subdomains...

    ⚠️ VULNERABLE: blog.example.com β†’ example.github.io (GitHub Pages β€” claimable) old.example.com β†’ example.herokuapp.com (Heroku β€” claimable)

    βœ… SAFE: api.example.com β†’ cloudfront.net (AWS β€” active) www.example.com β†’ A record (direct)

    Summary: 2/50 potentially vulnerable

    Remediation

    If a subdomain is vulnerable: 1. Remove the DNS record, OR 2. Reclaim the service (re-register the GitHub repo, Heroku app, etc.) 3. Set up monitoring to catch future dangles

    πŸ’‘ Examples

    # Check a list of subdomains
    bash {baseDir}/scripts/check-takeover.sh -l subdomains.txt

    Check single subdomain

    bash {baseDir}/scripts/check-takeover.sh -d sub.example.com

    Passive DNS only (no HTTP verification)

    bash {baseDir}/scripts/check-takeover.sh -l subdomains.txt --passive

    βš™οΈ Configuration

  • -l FILE β€” File with subdomains (one per line)
  • -d DOMAIN β€” Single subdomain to check
  • --passive β€” DNS-only check (no HTTP requests)
  • --json β€” JSON output
  • --timeout SECS β€” DNS timeout (default: 5)
  • --output FILE β€” Write results to file