A fast and efficient subdomain hijacking scanner that checks for takeover vulnerabilities by matching HTTP response bodies against predefined service fingerprints.
- 🚀 Fast Concurrent Scanning: Configurable concurrency for parallel subdomain checking
- 🎨 Colored Output: Beautiful colored terminal output for easy result identification
- 📊 JSON Output: Export results in JSON format for programmatic processing
- 💾 File Output: Save unique results to a file with automatic deduplication
- 🔍 Protocol Fallback: Automatically tries HTTPS first, then HTTP if HTTPS fails
- 🎯 Service Filtering: Include or exclude specific services from checking
- 📁 Auto Configuration: Automatically downloads fingerprints.json if missing
- 🔧 Customizable: Extensive flag options for fine-grained control
Using Go:

```bash
go install github.com/rix4uni/subhijack@latest
```

Pre-built Binaries:

```bash
wget https://github.com/rix4uni/subhijack/releases/download/v0.0.1/subhijack-linux-amd64-0.0.1.tgz
tar -xvzf subhijack-linux-amd64-0.0.1.tgz
mv subhijack ~/go/bin/
```

From Source:

```bash
git clone --depth 1 https://github.com/rix4uni/subhijack.git
cd subhijack; go install
```
```bash
# Single URL
echo "https://example.com" | subhijack

# Multiple URLs from file
cat subdomains.txt | subhijack
```

The default output format is:

```
[service] [severity] url [fingerprint]
```

Example:

```
[Github] [high] https://achangpro.com [There isn't a GitHub Pages site here.]
[AWS/S3] [high] https://bucket.s3.amazonaws.com [The specified bucket does not exist, BucketName]
```

| Flag | Short | Description | Default |
|---|---|---|---|
| `--timeout` | | Timeout in seconds for HTTP requests | 30 |
| `--User-Agent` | `-H` | Custom User-Agent header for HTTP requests | Chrome User-Agent string |
| `--concurrency` | | Number of concurrent subdomain checks | 50 |
| `--fingerprints` | | Custom path to fingerprints.json file | `~/.config/subhijack/fingerprints.json` |
| `--verbose` | | Show verbose information | false |
| `--version` | | Print version and exit | false |
| `--silent` | | Silent mode (no banner) | false |

| Flag | Short | Description |
|---|---|---|
| `--json` | | Output results in JSON format |
| `--output` | | Save unique output results to a file |
| `--nc` | | Disable colored output |

| Flag | Description | Example |
|---|---|---|
| `--es` | Exclude services (case-sensitive, comma-separated) | `--es "Cargo Collective, Clever Cloud"` |
| `--onlycheck` | Only check specific services (case-sensitive, comma-separated) | `--onlycheck "Github, AWS/S3"` |

Note: --es and --onlycheck cannot be used together.
```bash
# Scan a single URL
echo "https://achangpro.com" | subhijack

# Scan multiple URLs
cat subdomains.txt | subhijack
```

```bash
cat subdomains.txt | subhijack --timeout 60 --concurrency 100
```

```bash
echo "https://example.com" | subhijack --es "Cargo Collective, Clever Cloud" --verbose
```

Output with --verbose:

```
[*] Excluded services: Cargo Collective, Clever Cloud
```

```bash
echo "https://example.com" | subhijack --onlycheck "Github, AWS/S3" --verbose
```

Output with --verbose:

```
[*] Only checking services: Github, AWS/S3
```

```bash
cat subdomains.txt | subhijack --json
```

JSON Output Format:
```json
[
  {
    "service": "Github",
    "severity": "high",
    "url": "https://achangpro.com",
    "fingerprint": ["There isn't a GitHub Pages site here."]
  },
  {
    "service": "AWS/S3",
    "severity": "high",
    "url": "https://bucket.s3.amazonaws.com",
    "fingerprint": ["The specified bucket does not exist", "BucketName"]
  }
]
```

```bash
cat subdomains.txt | subhijack --output results.txt --verbose
```

The `--output` flag:
- Saves unique results (deduplicated by URL+Service combination)
- Writes to both stdout and file
- Shows count of unique results with `--verbose`

```bash
cat subdomains.txt | subhijack -H "MyCustomUserAgent/1.0"
cat subdomains.txt | subhijack --fingerprints /path/to/custom/fingerprints.json
cat subdomains.txt | subhijack --nc
cat subdomains.txt | subhijack --silent
cat subdomains.txt | subhijack --verbose
```

Verbose output shows:
- Config directory path (if created)
- Download status of fingerprints.json
- Excluded/only-checked services
- Number of unique results saved (if using --output)
By default, subhijack stores fingerprints.json at:

```
~/.config/subhijack/fingerprints.json
```

If the fingerprints.json file doesn't exist at the default location:
- The `~/.config/subhijack/` directory is created automatically
- fingerprints.json is downloaded from: https://raw.githubusercontent.com/rix4uni/subhijack/refs/heads/main/fingerprints.json

You can use a custom fingerprints.json file:

```bash
subhijack --fingerprints /path/to/custom/fingerprints.json
```

The fingerprints.json file contains service fingerprints with the following structure:
```json
[
  {
    "service": "Github",
    "severity": "high",
    "url": "https://example.com",
    "fingerprint": [
      "There isn't a GitHub Pages site here.",
      "For root URLs (like http://example.com/) you must provide an index.html file"
    ],
    "matchcondition": "ANY"
  },
  {
    "service": "AWS/S3",
    "severity": "high",
    "url": "https://another.example.com",
    "fingerprint": [
      "The specified bucket does not exist",
      "BucketName"
    ],
    "matchcondition": "ALL"
  }
]
```

- ANY: Matches if any fingerprint string is found in the response body
- ALL: Matches only if all fingerprint strings are found in the response body
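
The ANY/ALL rule described above, as an added Go example that is not subhijack's own code. It assumes case-sensitive substring matching and treats any `matchcondition` other than `ALL` as ANY; `Rule`, `Scan` and `sampleRules` are names chosen here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Rule holds the fields of a fingerprints.json entry that matching needs.
type Rule struct {
	Service        string   `json:"service"`
	Fingerprint    []string `json:"fingerprint"`
	MatchCondition string   `json:"matchcondition"`
}

// sampleRules is a constructed sample based on the two entries shown above.
const sampleRules = `[{"service":"Github","matchcondition":"ANY","fingerprint":["There isn't a GitHub Pages site here.","For root URLs (like http://example.com/) you must provide an index.html file"]},
 {"service":"AWS/S3","matchcondition":"ALL","fingerprint":["The specified bucket does not exist","BucketName"]}]`

// Matches applies the ANY/ALL rule to a response body. Assumptions: plain
// case-sensitive substring search; a rule with no strings never matches.
func (r Rule) Matches(body string) bool {
	hits := 0
	for _, s := range r.Fingerprint {
		if strings.Contains(body, s) {
			hits++
		}
	}
	all := r.MatchCondition == "ALL"
	return hits > 0 && (!all || hits == len(r.Fingerprint))
}

// Scan parses rulesJSON and returns the services whose rule matches body.
func Scan(rulesJSON, body string) (services []string, err error) {
	var rules []Rule
	if err = json.Unmarshal([]byte(rulesJSON), &rules); err != nil {
		return nil, err
	}
	for _, r := range rules {
		if r.Matches(body) {
			services = append(services, r.Service)
		}
	}
	return services, nil
}

func main() {
	fmt.Println(Scan(sampleRules, "The specified bucket does not exist")) // constructed body, one of two S3 strings: no match
}
```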
When a URL is provided without a protocol scheme:
- First attempt: Try `https://`
- Fallback: If HTTPS fails, try `http://`
- Skip: If both fail, move to the next domain

Example:

```
Input: example.com
Tries: https://example.com (first)
       http://example.com (if https fails)
```
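
The fallback order above, as an added Go sketch that is not subhijack's own code. It assumes an input has a scheme when it contains `://` and that "fails" means the fetch returned an error; `Candidates`, `Resolve` and `fakeFetch` are names chosen here, and `fakeFetch` stands in for a real HTTP GET so the example runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Candidates lists the URLs to try for one input line, in order.
// Assumption: an input counts as having a scheme if it contains "://".
func Candidates(input string) []string {
	input = strings.TrimSpace(input)
	if input == "" {
		return nil
	}
	if strings.Contains(input, "://") {
		return []string{input}
	}
	return []string{"https://" + input, "http://" + input}
}

// Resolve returns the first candidate that fetch can retrieve, with its body.
// ok is false when every candidate failed and the input should be skipped.
func Resolve(input string, fetch func(url string) (string, error)) (url, body string, ok bool) {
	for _, u := range Candidates(input) {
		if b, err := fetch(u); err == nil {
			return u, b, true
		}
	}
	return "", "", false
}

// fakeFetch is a constructed stand-in for an HTTP GET: only the plain-HTTP
// URL of legacy.example.com answers, everything else fails.
func fakeFetch(url string) (string, error) {
	if url == "http://legacy.example.com" {
		return "NoSuchBucket", nil
	}
	return "", errors.New("connection failed")
}

func main() {
	fmt.Println(Resolve("legacy.example.com", fakeFetch)) // https:// fails, http:// is used
	fmt.Println(Resolve("down.example.com", fakeFetch))   // both fail: input is skipped
}
```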