Automatic finder for subdomains vulnerable to takeover. Written in Go, based on @haccer's subjack.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Jake Jarvis 8d1112fe1f
Delete .travis.yml
2 years ago
.github/workflows Update go.yml 2 years ago
subtake Initial commit 3 years ago
LICENSE Initial commit 3 years ago Update 2 years ago
fingerprints.json vastly faster 3 years ago
main.go Initial commit 3 years ago better handling of clearing temp files ( 3 years ago


Build Status

Based on @haccer's subjack script for subdomain takeover recon.


Requires Go.

go get



  • -f to-check.txt is the path to your list of subdomains to check. One subdomain per line. Required.
  • -t is the number of threads to use. (Default: 10)
  • -a skips CNAME check and sends requests to every URL. (Default: false, but Highly recommended.)
  • -timeout is the number seconds to wait before timing out a check (Default: 10).
  • -o results.txt is a filename to output results to. If the file ends with .json, subtake will automatically switch to JSON format.
  • -v enables verbose mode. Displays all checks including not vulnerable URLs.
  • -c Path to file containing JSON fingerprint configuration. (Default: ./fingerprints.json)
  • -ssl enforces HTTPS requests which may return a different set of results and increase accuracy.

Resources can be used first to gather a list of CNAMEs collected by Rapid7/'s Project Sonar. This list can then be passed into subtake to return subdomains not in use. is based off of

fingerprints.json can be modified to add or remove hosted platforms to probe for. Many obscure platforms are included, and removing fingerprints for services that are uninteresting to you can speed up the scan.

If you plan on using a high number of threads to speed the process up, you may need to temporarily raise the ulimit of your shell:

ulimit -a          # show current limit (usually 1024)
ulimit -n 10000    # set waaaaay higher
ulimit -a          # check new limit

After generating a list of all vulnerable subdomains, you can use my collection of domains invoked in bug bounty programs to narrow down valuable targets and possibly get some ca$h monie$$$.


./ 2018-10-27-1540655191 sonar_all_cnames.txt

subtake -f sonar_all_cnames.txt -t 50 -ssl -a -o vulnerable.txt

Subdomain Takeover Tips

Services Checked

  • Amazon S3
  • Amazon CloudFront (no longer vulnerable?)
  • Microsoft Azure
  • Heroku
  • GitHub Pages
  • Fastly
  • Shopify
  • Tumblr
  • Ghost
  • Surge
  • Statuspage
  • Bitbucket Pages
  • UserVoice
  • Zendesk
  • Brightcove
  • Big Cartel
  • Acquia
  • MaxCDN
  • Apigee
  • Smugmug


  • Integrate into the main Go script as an option instead of input file.
  • All-in-one Docker image to automatically download the latest FDNS Project Sonar file and check for takeover possibilities.
  • Have pull domains to check for from fingerprints.json, instead of hard-coding them.