# Subjack

Subjack is a DNS takeover scanner written in Go, designed to scan a list of domains concurrently and identify the ones that can be hijacked. With Go's speed and efficiency, the tool stands out for mass-testing. Always double-check the results manually to rule out false positives.

Subjack detects:

- subdomains whose CNAME target can be claimed (the default check), following CNAME chains up to 10 hops deep
- expired nameserver domains and dangling NS delegations to cloud DNS providers (`-ns`)
- stale A records pointing at IPs that have been released back to a cloud provider's pool (`-ar`)
- nameservers that allow zone transfers (`-axfr`)
- SPF `include:` directives enabling email spoofing, and MX targets that are available for registration (`-mail`)
- SRV record targets that are available for registration

## Installing

Requires Go.

```
go install github.com/haccer/subjack@latest
```

## Usage

```
subjack -w subdomains.txt -t 100 -timeout 30 -o results.txt -ssl
```

Subjack can read domains from stdin, making it easy to pipe output from other tools:

```
subfinder -d example.com | subjack -ssl -o results.json
cat domains.txt | subjack -t 20 -o results.txt
```

## Options

| Flag | Description | Default |
| --- | --- | --- |
| `-d` | Single domain to check | |
| `-w` | Path to wordlist of subdomains | |
| `-t` | Number of concurrent threads | 10 |
| `-timeout` | Seconds to wait before connection timeout | 10 |
| `-o` | Output results to file (use a `.json` extension for JSON output) | |
| `-ssl` | Force HTTPS connections (may increase accuracy) | false |
| `-a` | Send requests to every URL, not just those with identified CNAMEs (recommended) | false |
| `-m` | Flag dead CNAME records even if the domain is not available for registration | false |
| `-r` | Path to a list of DNS resolvers (one IP per line; falls back to 8.8.8.8 on failure) | |
| `-ns` | Check for NS takeovers (expired NS domains and dangling cloud DNS delegations) | false |
| `-ar` | Check for stale A records pointing to dead IPs (may require root for ICMP) | false |
| `-axfr` | Check for zone transfers (AXFR), including NS bruteforce | false |
| `-mail` | Check for SPF include and MX record takeovers | false |
| `-v` | Display more information per request | false |

## NS takeovers

With the `-ns` flag, subjack performs two types of nameserver takeover checks:

- **Expired NS domains**: checks whether any of a domain's nameservers belong to a domain that has expired and is available for purchase. An attacker who registers an expired nameserver domain controls DNS for the target: they can point any record anywhere, intercept email, obtain certificates, and more. Even when only one of several nameservers is hijacked, the attacker still answers the share of queries that resolvers send to that server.
- **Dangling NS delegations**: detects when a domain's NS records point to a cloud DNS provider but the hosted zone has been deleted. Subjack queries each nameserver directly for the zone's SOA record; if all of them return `SERVFAIL` or `REFUSED`, the zone is gone and can potentially be re-created by anyone with an account at that provider.

Supported providers for the dangling-delegation check:

- AWS Route 53 (`ns-*.awsdns-*`)
- Google Cloud DNS (`ns-cloud-*.googledomains.com`)
- Azure DNS (`ns*-*.azure-dns.*`)
- DigitalOcean (`ns*.digitalocean.com`)
- Vultr (`ns*.vultr.com`)
- Linode (`ns*.linode.com`)

```
subjack -w subdomains.txt -ns -o results.json
```

## Stale A records

With the `-ar` flag, subjack resolves A records and checks whether the IP address is actually alive. When a company terminates a cloud server but forgets to remove the DNS A record, the IP goes back into the provider's pool. An attacker can keep spinning up instances at that provider until one lands on the same IP, gaining control of the subdomain.

Subjack identifies the cloud provider (AWS, GCP, Azure, DigitalOcean, Linode, Vultr, Oracle) where possible, so you know which platform to try. Liveness detection uses ICMP ping (requires root) with a TCP fallback on ports 80 and 443.

```
sudo subjack -w subdomains.txt -ar -o results.json
```

Results are flagged as `STALE A RECORD` and should be verified manually: a non-responding IP is not necessarily reclaimable. It may be firewalled, still allocated to its owner, or in a range the provider does not hand out again.

## Zone transfers

With the `-axfr` flag, subjack attempts DNS zone transfers (AXFR), which can expose a domain's entire set of DNS records. Subjack goes beyond the domain's official nameservers: it also bruteforces common nameserver hostnames (`ns1`, `dns-0`, `ns-backup`, etc.), because hidden or forgotten nameservers are often left unsecured even after the primary ones have been locked down.

```
subjack -d example.com -axfr -o results.json
subjack -w domains.txt -axfr -o results.json
```

Results are flagged as `ZONE TRANSFER` with the vulnerable nameserver and the number of records exposed. A zone transfer is an information disclosure rather than a takeover in itself, but the dumped records are ideal input for the other checks.

## Email takeovers

With the `-mail` flag, subjack checks for two email-based takeover vectors:

- **SPF include takeover**: parses SPF TXT records and checks whether any `include:` domain has expired and is available for registration. An attacker who registers the included domain can publish an SPF record authorizing their own mail servers and send email that passes SPF for the target, and therefore passes DMARC alignment as well.
- **MX record takeover**: checks whether any MX record target has expired and is available for registration. An attacker who controls the mail server can intercept all inbound email: password resets, 2FA codes, and more.

```
subjack -w domains.txt -mail -o results.json
```

## Always-on checks

These checks run automatically on every scan:

- **CNAME chain takeover**: follows multi-level CNAME chains (up to 10 deep) and checks whether any intermediate target is claimable. Standard CNAME detection only checks the first hop; following the chain catches deeper takeover opportunities.
- **SRV record takeover**: checks common SRV records (SIP, XMPP, LDAP, Kerberos, IMAP, CalDAV, etc.) for targets that have expired and are available for registration.

## Practical use

You can use `scanio.sh`, a proof-of-concept script, to mass-locate vulnerable subdomains using results from Rapid7's Project Sonar. The script parses and greps through the dump for the desired CNAME records and builds a large list of subdomains to check with subjack for hostile subdomain takeover. Please use this responsibly.

## Extra information about DNS takeovers

## Example wordlist

Your wordlist should include a list of subdomains, one per line:
```
assets.xen.world
assets.github.com
b.xen.world
big.example.com
cdn.xen.world
dev.xen.world
dev2.twitter.com
```
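The dangling-delegation half of the `-ns` check, written out as an added example (this is not subjack's code). It asks every delegated nameserver for the zone's SOA over raw UDP with the standard library only, classifies each server with regexps derived from the provider patterns listed above, and flags the delegation only when every server answers `REFUSED` or `SERVFAIL`. The provider regexps, the 3-second timeout and the output format are this example's own choices.

```go
// Added example, not subjack's code: the dangling-NS check from the -ns section with
// only the Go standard library. Every nameserver the domain is delegated to is asked
// directly for the zone's SOA; the delegation is flagged only if all answer REFUSED/SERVFAIL.
package main

import (
	"encoding/binary"
	"fmt"
	"net"
	"os"
	"regexp"
	"strings"
	"time"
)

const RcodeServFail, RcodeRefused = 2, 5 // RCODE values, RFC 1035 section 4.1.1

// providers turns the nameserver naming patterns listed above into regexps.
var providers = map[string]*regexp.Regexp{
	"AWS Route 53":     regexp.MustCompile(`^ns-\d+\.awsdns-\d+\.`),
	"Google Cloud DNS": regexp.MustCompile(`^ns-cloud-[a-z]\d+\.googledomains\.com\.?$`),
	"Azure DNS":        regexp.MustCompile(`^ns\d+-\d+\.azure-dns\.`),
	"DigitalOcean":     regexp.MustCompile(`^ns\d+\.digitalocean\.com\.?$`),
	"Vultr":            regexp.MustCompile(`^ns\d+\.vultr\.com\.?$`),
	"Linode":           regexp.MustCompile(`^ns\d+\.linode\.com\.?$`),
}

func ClassifyProvider(ns string) string {
	for name, re := range providers {
		if re.MatchString(strings.ToLower(ns)) {
			return name
		}
	}
	return ""
}

// BuildSOAQuery encodes a minimal RFC 1035 query for <zone> IN SOA, all header flags clear (RD=0).
func BuildSOAQuery(id uint16, zone string) []byte {
	msg := make([]byte, 12)
	binary.BigEndian.PutUint16(msg, id)
	msg[5] = 1 // QDCOUNT
	for _, label := range strings.Split(strings.TrimSuffix(zone, "."), ".") {
		msg = append(append(msg, byte(len(label))), label...)
	}
	return append(msg, 0, 0, 6, 0, 1) // root label, QTYPE=SOA, QCLASS=IN
}

// ParseRcode checks that resp is a response to the query with id and returns its RCODE.
func ParseRcode(resp []byte, id uint16) (int, error) {
	if len(resp) < 12 || binary.BigEndian.Uint16(resp) != id || resp[2]&0x80 == 0 {
		return 0, fmt.Errorf("malformed, mismatched or non-response DNS message")
	}
	return int(resp[3] & 0x0F), nil // RCODE is the low nibble of the second flags byte
}

func QuerySOA(ns, zone string, timeout time.Duration) (int, error) {
	conn, err := net.DialTimeout("udp", net.JoinHostPort(ns, "53"), timeout)
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(timeout))
	id := uint16(time.Now().UnixNano()) // one-shot probe; real tooling should use crypto/rand
	if _, err := conn.Write(BuildSOAQuery(id, zone)); err != nil {
		return 0, err
	}
	buf := make([]byte, 512)
	n, err := conn.Read(buf)
	if err != nil {
		return 0, err
	}
	return ParseRcode(buf[:n], id)
}

// IsDangling: every answering server refused or failed the zone; one NOERROR means it is still hosted.
func IsDangling(rcodes []int) bool {
	for _, rc := range rcodes {
		if rc != RcodeRefused && rc != RcodeServFail {
			return false
		}
	}
	return len(rcodes) > 0
}

func main() {
	zone := os.Args[1]
	nss, err := net.LookupNS(zone) // may itself SERVFAIL on a lame delegation; then read the NS set from the parent zone
	if err != nil {
		panic(err)
	}
	var rcodes []int
	for _, ns := range nss {
		host := strings.TrimSuffix(ns.Host, ".")
		rc, err := QuerySOA(host, zone, 3*time.Second)
		fmt.Printf("%-40s %-16s rcode=%d err=%v\n", host, ClassifyProvider(host), rc, err)
		if err == nil { // a timeout is inconclusive and is left uncounted
			rcodes = append(rcodes, rc)
		}
	}
	if len(rcodes) == len(nss) && IsDangling(rcodes) {
		fmt.Println("DANGLING NS DELEGATION: verify manually before reporting")
	}
}
```

Save it as, say, `dangling_ns.go` and run `go run dangling_ns.go example.com`. The query is sent with RD=0 because the target is an authoritative server, not a recursor; a provider server that no longer hosts the zone answers `REFUSED` (Route 53 and Cloud DNS) or `SERVFAIL`, while a server that still hosts it answers `NOERROR` with the SOA. A timeout is deliberately not counted as evidence: it would turn an unreachable nameserver into a false positive.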
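The registrability logic behind the `-mail` section's SPF include and MX checks, as an added example that is not subjack's code. It parses `include:` and `redirect=` targets out of an SPF record, reduces each target (and each MX host) to its registrable apex, and reports the apexes that have no NS delegation at all, which is what "available for registration" means in DNS terms. The NS lookup is injected so the block runs offline: `SampleSPF`, `SampleMX`, `SampleNS`, `FakeLookupNS` and the `SampleSuffixes` stand-in for the Public Suffix List are all constructed for this example.

```go
// Added example, not subjack's code: the SPF include / MX takeover logic of the
// -mail section, with the NS lookup injected so it runs offline on constructed
// records. Live use wraps net.LookupTXT / net.LookupMX / net.LookupNS and maps
// an IsNotFound (NXDOMAIN) error to an empty result rather than an error.
package main

import (
	"fmt"
	"strings"
)

// Finding is one claimable target: the record kind it came from, the target
// hostname, and the apex domain an attacker would have to register.
type Finding struct{ Kind, Record, Apex string }

func norm(s string) string { return strings.ToLower(strings.TrimSuffix(s, ".")) }

// SPFIncludes returns the domains an SPF record delegates authorization to via
// include: and redirect=; whoever controls one of them can send as the owner.
func SPFIncludes(txt string) []string {
	terms := strings.Fields(strings.ToLower(txt))
	if len(terms) == 0 || terms[0] != "v=spf1" {
		return nil
	}
	var out []string
	for _, t := range terms[1:] {
		t = strings.TrimLeft(t, "+-~?") // drop the qualifier
		if d := strings.TrimPrefix(strings.TrimPrefix(t, "include:"), "redirect="); d != t {
			out = append(out, norm(d))
		}
	}
	return out
}

// RegistrableApex is the label set just below the longest matching public suffix
// ("expired.co.uk" for "mx.expired.co.uk"), or "" for a bare suffix. suffixes
// stands in for the Public Suffix List (golang.org/x/net/publicsuffix has it).
func RegistrableApex(name string, suffixes map[string]bool) string {
	labels := strings.Split(norm(name), ".")
	for i := 1; i < len(labels); i++ {
		if suffixes[strings.Join(labels[i:], ".")] {
			return strings.Join(labels[i-1:], ".")
		}
	}
	return ""
}

// UnregisteredTargets keeps the targets whose registrable apex has no NS
// delegation: nobody owns such an apex, so an attacker can register it. Targets
// under a live zone are dropped (a dead SaaS endpoint needs a fingerprint check,
// not a registrar). A failed lookup is returned as an error, never read as "free".
func UnregisteredTargets(kind string, targets []string, suffixes map[string]bool, lookupNS func(string) ([]string, error)) ([]Finding, error) {
	var out []Finding
	for _, t := range targets {
		apex := RegistrableApex(t, suffixes)
		if apex == "" {
			continue
		}
		nss, err := lookupNS(apex)
		if err != nil {
			return out, err
		}
		if len(nss) == 0 {
			out = append(out, Finding{kind, norm(t), apex})
		}
	}
	return out, nil
}

// Constructed sample data: example.com's SPF record and MX set, plus a fake NS
// view in which google.com is delegated and gone-mailer.com is not (lapsed).
var (
	SampleSPF      = "v=spf1 include:_spf.google.com include:relay.gone-mailer.com ~all"
	SampleMX       = []string{"aspmx.l.google.com.", "mx2.gone-mailer.com."}
	SampleNS       = map[string][]string{"example.com": {"a.iana-servers.net."}, "google.com": {"ns1.google.com."}}
	SampleSuffixes = map[string]bool{"com": true, "net": true, "org": true, "io": true, "co.uk": true}
)

func FakeLookupNS(name string) ([]string, error) { return SampleNS[norm(name)], nil }

func main() {
	// Live use would feed net.LookupTXT / net.LookupMX output here and pass net.LookupNS.
	var all []Finding
	for kind, targets := range map[string][]string{"SPF include": SPFIncludes(SampleSPF), "MX": SampleMX} {
		found, err := UnregisteredTargets(kind, targets, SampleSuffixes, FakeLookupNS)
		if err != nil {
			panic(err)
		}
		all = append(all, found...)
	}
	for _, f := range all {
		fmt.Printf("%-12s %-24s register %s\n", f.Kind, f.Record, f.Apex)
	}
}
```

Two design points worth carrying into real tooling: a resolver error must propagate rather than be read as "no delegation", or every `SERVFAIL` becomes a false positive; and the apex computation needs the real Public Suffix List, because a name directly under a private suffix such as a hosting provider's shared domain is not something a registrar will sell you, and has to be checked with a service fingerprint instead.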
