SDTKO Audit is an auditing SDK and Whitebox tool that can be used in conjunction with Cloudflare to audit for subdomain takeovers. To use the audit.py, you will need your domain's DNS to be managed by Cloudflare.
The SDK utilizes two tools:
Using these two tools, we can check for potential dangling NXDOMAIN subdomain takeovers as well as third-party HTTP subdomain takeovers.
As an example, we have implemented audit.py, which checks for subdomain takeovers, sends Slack notifications, and generates a report.
✅ Checks for Subdomain Takeovers using Nuclei Scanner and takemeon.
✅ Integration with Cloudflare API.
✅ Support for sending notifications via Slack.
✅ Allows generating a report with a custom Jinja2 template.
- Install Golang
- Install Nuclei Scanner
GO111MODULE=on go get -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei
- Install Takemeon
~# go get -u github.com/milindpurswani/takemeon
- Git clone the project
~# git clone https://github.com/MilindPurswani/SDTKO-Audit.git
- Install requirements.txt
~# pip3 install -r requirements.txt
- Setup CF_API_KEY - This is the most important aspect of this project: you need your Cloudflare API key to get all the CNAME records from your zone file. Kindly follow this guide to obtain the API key. The API key needs at least read-only permission for the DNS zone of the domain supplied for auditing. If you supply an API key without permission to the DNS zone of the domain, the script will throw an error.
~# echo "export CF_API_KEY=\"your-cf-api-key\"" >> ~/.bashrc
- Setup SLACK_WEBHOOK_URL - A Slack webhook URL is needed to get Slack notifications for scanning updates. To get your Slack webhook URL, follow the guide here.
echo "export SLACK_WEBHOOK_URL=\"https://hooks.slack.com/services/XXXXXXXXXXX/XXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXX\"" >> ~/.bashrc

To use the Whitebox SDTKO-Audit tool, simply run the following command:
python3 audit.py <your-domain-name.com>

If you have not created any environment variables, use the following command:
~# CF_API_KEY="your-cf-api-key" SLACK_WEBHOOK_URL="https://hooks.slack.com/services/XXXXXXXXXXX/XXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXX" python3 audit.py <your-domain-name.com>

For more documentation, check out docs.md.
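The dangling NXDOMAIN check mentioned at the top of this README can be pictured with the sketch below. It is an added illustration, not code from audit.py or the SDTKO-Audit project (which relies on Nuclei and takemeon); the sample response is constructed in the shape of a Cloudflare DNS records listing, and `find_dangling_cnames` and `system_resolves` are hypothetical names.

```python
import json
import socket

# Constructed sample shaped like a Cloudflare "list DNS records" response
# (only the fields used here); all names are placeholders, not real data.
SAMPLE_RESPONSE = json.dumps({
    "success": True,
    "result": [
        {"type": "A", "name": "example.com", "content": "192.0.2.10"},
        {"type": "CNAME", "name": "www.example.com", "content": "example.com"},
        {"type": "CNAME", "name": "shop.example.com", "content": "old-store.example.net"},
        {"type": "CNAME", "name": "docs.example.com", "content": "Old-Docs.example.org."},
    ],
})


def system_resolves(hostname):
    """Assumed default check: True if the system resolver returns an address."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        # Covers NXDOMAIN and transient failures alike: a lead to confirm.
        return False


def find_dangling_cnames(response_text, resolves=system_resolves):
    """Return (name, target) pairs for CNAMEs whose target does not resolve."""
    body = json.loads(response_text)
    if not body.get("success"):
        raise ValueError("API response reports failure; not auditing partial data")
    dangling, cache = [], {}
    for record in body.get("result", []):
        if record.get("type") != "CNAME":
            continue
        target = record["content"].rstrip(".").lower()  # normalise the FQDN
        if target not in cache:  # resolve each distinct target only once
            cache[target] = resolves(target)
        if not cache[target]:
            dangling.append((record["name"], target))
    return dangling


if __name__ == "__main__":
    # Hypothetical stand-in resolver so the demo runs offline.
    live = {"example.com"}
    for name, target in find_dangling_cnames(SAMPLE_RESPONSE, lambda h: h in live):
        print(f"dangling CNAME: {name} -> {target}")
```

A CNAME flagged here still needs confirmation against the third-party service before it is treated as a takeover risk, since a resolver failure is not always NXDOMAIN.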
audit.py can be automated by creating a service like this:
- Create a service with a user, group and the relevant environment variables. We need to set the CF_API_KEY and SLACK_WEBHOOK_URL env variables. Make sure to edit the WorkingDirectory and ExecStart attributes and point them to your cloned repo location.
~# cat <<EOF >> /lib/systemd/system/sdtko-audit.service
[Unit]
Description=Subdomain Takeover Auditing service
After=multi-user.target
[email protected]
[Service]
Type=simple
User=root
Group=root
Environment="CF_API_KEY=<your-api-key>"
Environment="SLACK_WEBHOOK_URL=https://hooks.slack.com/services/XXXXXXXXXXX/XXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXX"
Environment="PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/go/bin:/root/go/bin:/usr/local/go/bin:/root/go/bin"
WorkingDirectory=/root/project/SDTKO-Audit/
ExecStart=/usr/bin/python3 /root/project/SDTKO-Audit/audit.py xve.io
StandardInput=tty-force
[Install]
WantedBy=multi-user.target
EOF
- Reload the daemon
~# systemctl daemon-reload
- Enable the service
~# systemctl enable sdtko-audit.service
- Start the service
~# systemctl start sdtko-audit.service
- Add Daily schedule to crontab
~# crontab -e
- Add the following entry to your crontab to run the task daily at 9:30 AM
30 9 * * * service sdtko-audit start