Subdomain Takeover Checker
by @hostilespider
Check subdomains for potential takeover vulnerabilities. Detects dangling DNS records pointing to unclaimed services (GitHub Pages, Heroku, AWS, etc.)
clawhub install subdomain-takeoverπ About This Skill
name: subdomain-takeover description: Check subdomains for potential takeover vulnerabilities. Detects dangling DNS records pointing to unclaimed services (GitHub Pages, Heroku, AWS, etc.) metadata: {"openclaw":{"emoji":"π΄","requires":{"bins":["bash","dig"]}}}
Subdomain Takeover Checker
Detect dangling DNS records that could be hijacked. Checks if subdomains point to services that might be unclaimed.
Quick Start
# Check a list of subdomains
bash {baseDir}/scripts/check-takeover.sh -l subdomains.txtCheck single subdomain
bash {baseDir}/scripts/check-takeover.sh -d sub.example.comPassive DNS only (no HTTP verification)
bash {baseDir}/scripts/check-takeover.sh -l subdomains.txt --passive
What It Checks
CNAME records pointing to known vulnerable services:
Options
-l FILE β File with subdomains (one per line)-d DOMAIN β Single subdomain to check--passive β DNS-only check (no HTTP requests)--json β JSON output--timeout SECS β DNS timeout (default: 5)--output FILE β Write results to fileOutput
=== Subdomain Takeover Scan ===
Scanning 50 subdomains...β οΈ VULNERABLE:
blog.example.com β example.github.io (GitHub Pages β claimable)
old.example.com β example.herokuapp.com (Heroku β claimable)
β
SAFE:
api.example.com β cloudfront.net (AWS β active)
www.example.com β A record (direct)
Summary: 2/50 potentially vulnerable
Remediation
If a subdomain is vulnerable: 1. Remove the DNS record, OR 2. Reclaim the service (re-register the GitHub repo, Heroku app, etc.) 3. Set up monitoring to catch future dangles
π‘ Examples
# Check a list of subdomains
bash {baseDir}/scripts/check-takeover.sh -l subdomains.txtCheck single subdomain
bash {baseDir}/scripts/check-takeover.sh -d sub.example.comPassive DNS only (no HTTP verification)
bash {baseDir}/scripts/check-takeover.sh -l subdomains.txt --passive
βοΈ Configuration
-l FILE β File with subdomains (one per line)-d DOMAIN β Single subdomain to check--passive β DNS-only check (no HTTP requests)--json β JSON output--timeout SECS β DNS timeout (default: 5)--output FILE β Write results to file