thelinuxvault blog

Sub404: A Comprehensive Guide to Checking Subdomain Takeover Vulnerabilities in Linux

Subdomain takeover vulnerabilities represent a significant security threat in modern web applications. When organizations abandon subdomains but forget to remove DNS records, attackers can claim these orphaned subdomains and potentially compromise the main domain's security. Sub404 is a powerful Python-based tool designed specifically to identify these vulnerabilities efficiently.

In this technical guide, we'll explore Sub404 in depth, covering installation, usage, best practices, and integration strategies for security professionals working in Linux environments.

2026-05

Table of Contents#

  1. Introduction
  2. What is Subdomain Takeover?
  3. Understanding Sub404
  4. Installation Guide
  5. Basic Usage and Examples
  6. Advanced Features and Options
  7. Best Practices for Subdomain Takeover Testing
  8. Common False Positives and How to Handle Them
  9. Integrating Sub404 into Security Workflows
  10. Conclusion
  11. References

What is Subdomain Takeover?#

A subdomain takeover occurs when a subdomain (e.g., cdn.example.com) still points to a third-party service (like AWS S3, GitHub Pages, or Azure) where the resource it referenced is no longer in use. If an attacker registers the abandoned resource on that service, they can control content served from the subdomain, potentially leading to:

  • Phishing attacks
  • Session hijacking
  • Cross-site scripting (XSS)
  • Brand reputation damage
  • Data theft

How Subdomain Takeover Works#

  1. DNS Record Exists: A CNAME record points to a third-party service
  2. Service is Abandoned: The organization stops using the service
  3. Vulnerability Window: The DNS record remains active but points to a resource that no longer exists (a dangling record)
  4. Exploitation: Attacker claims the abandoned service
  5. Compromise: Attacker controls content served from the subdomain

Understanding Sub404#

Sub404 is an open-source tool written in Python that automates the detection of subdomain takeover vulnerabilities. Key features include:

  • Multi-service Support: Detects takeovers across 30+ cloud services
  • Fast Scanning: Asynchronous requests for efficient scanning
  • Customizable: Various output formats and filtering options
  • False Positive Reduction: Intelligent verification mechanisms

Supported Services#

Sub404 can detect potential takeovers for services including:

  • AWS S3 buckets
  • GitHub Pages
  • Azure services
  • Google Cloud Storage
  • Heroku
  • Shopify
  • DigitalOcean Spaces
  • And many more...

Installation Guide#

Prerequisites#

Ensure you have the following installed on your Linux system:

# Check Python version (Python 3.6+ required)
python3 --version
 
# Check pip installation
pip3 --version

Installation from GitHub#

# Clone the repository
git clone https://github.com/r3curs1v3pr0xy/sub404.git
cd sub404
 
# Install dependencies
pip3 install -r requirements.txt
 
# Install the tool
python3 setup.py install

Dependency Installation#

If you encounter missing dependencies:

# Install required packages on Ubuntu/Debian
sudo apt update
sudo apt install python3 python3-pip git
 
# For CentOS/RHEL
sudo yum install python3 python3-pip git

Basic Usage and Examples#

Basic Single Domain Scan#

# Basic scan for a single domain
sub404 -d example.com
 
# Scan with verbose output
sub404 -d example.com -v
 
# Save results to a file
sub404 -d example.com -o results.txt

Scanning Multiple Domains#

# Scan multiple domains from a file
echo "example.com" > domains.txt
echo "test.org" >> domains.txt
sub404 -l domains.txt
 
# Direct multiple domain input
sub404 -d example.com,test.org,demo.net

Using Custom Subdomain Lists#

# Use a custom subdomain list
sub404 -d example.com -s subdomains.txt
 
# Generate subdomains with other tools and pipe to sub404
subfinder -d example.com | sub404 -d example.com

Example Output#

[*] Starting Sub404 v1.1.0
[*] Target: example.com
[*] Loaded 150 subdomains
[*] Scanning with 50 workers

[VULNERABLE] cdn.example.com
│   Service: AWS S3
│   CNAME: cdn.example.com.s3.amazonaws.com
│   Status: 404
│   Confirmation: Bucket does not exist

[VULNERABLE] api-staging.example.com
│   Service: Heroku
│   CNAME: example-staging.herokuapp.com
│   Status: 404
│   Confirmation: App not found

[*] Scan completed in 45.2 seconds
[*] 2 potential takeovers found

Advanced Features and Options#

Thread Control and Performance Tuning#

# Adjust thread count for performance
sub404 -d example.com -t 100  # Increase threads for faster scanning
sub404 -d example.com -t 20   # Decrease threads for limited resources
 
# Set request timeout
sub404 -d example.com --timeout 10

Output Formats#

# JSON output for automation
sub404 -d example.com -o results.json -f json
 
# CSV format for spreadsheet analysis
sub404 -d example.com -o results.csv -f csv
 
# Simple text output
sub404 -d example.com -o results.txt -f text

Filtering and Specific Scans#

# Scan only specific services
sub404 -d example.com --services aws,github
 
# Exclude certain services
sub404 -d example.com --exclude shopify,azure
 
# Custom User-Agent
sub404 -d example.com --user-agent "Mozilla/5.0 (Custom Scanner)"

Integration with Other Tools#

# Chain with subdomain enumeration tools
subfinder -d example.com | tee subdomains.txt | sub404 -d example.com
 
# Use with amass for comprehensive scanning
amass enum -passive -d example.com | sub404 -d example.com
 
# Process results with jq (JSON output)
sub404 -d example.com -f json | jq '.vulnerable[]'

Best Practices for Subdomain Takeover Testing#

1. Proper Scoping and Authorization#

# Always ensure you have permission to scan
# Use dedicated test domains for practice
sub404 -d test.example.com
 
# Respect robots.txt and rate limits
sub404 -d example.com --delay 1  # Add delay between requests

2. Comprehensive Subdomain Discovery#

# Combine multiple enumeration methods
subfinder -d example.com > subs1.txt
amass enum -passive -d example.com > subs2.txt
assetfinder example.com > subs3.txt
 
# Merge and deduplicate
cat subs1.txt subs2.txt subs3.txt | sort -u > all_subs.txt
sub404 -d example.com -s all_subs.txt

3. Verification and False Positive Reduction#

# Use confirmation checks
sub404 -d example.com --confirm
 
# Manual verification script
#!/bin/bash
# Read one hostname per line; skip blank lines
while IFS= read -r domain; do
    [ -n "$domain" ] || continue
    echo "Checking $domain"
    curl -I "https://$domain"
    dig CNAME "$domain"
done < vulnerable_subs.txt

4. Regular Monitoring#

# Create a cron job for continuous monitoring
# Add to crontab: 0 2 * * * /usr/local/bin/sub404 -d example.com -o /var/log/sub404-$(date +\%Y\%m\%d).json -f json
 
# Weekly scan script
#!/bin/bash
DATE=$(date +%Y%m%d)
sub404 -d example.com -o "/opt/scans/sub404_${DATE}.json" -f json
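
Dated result files are only useful for monitoring if consecutive scans are compared. The following is an added example, not part of Sub404 or the original article, that diffs two scans and separates findings that vanished because the DNS record was removed from those where the name still resolves. The JSON layout (`vulnerable` entries with `subdomain`, `service`, `cname`, plus a `scanned` list of hostnames) is assumed from the reporting script and jq command later in this guide; the function names and sample data are constructed.

```python
import json

def index(scan: dict) -> dict:
    """Map normalised subdomain -> (service, cname) for each finding."""
    found = {}
    for item in scan.get("vulnerable", []):
        name = item["subdomain"].rstrip(".").lower()
        found[name] = (item.get("service", ""),
                       item.get("cname", "").rstrip(".").lower())
    return found

def diff_scans(previous: dict, current: dict) -> dict:
    """Compare two scans; split vanished findings by whether DNS still has them."""
    prev, curr = index(previous), index(current)
    still_scanned = {s.rstrip(".").lower() for s in current.get("scanned", [])}
    gone = set(prev) - set(curr)
    return {
        "new": sorted(set(curr) - set(prev)),
        "changed": sorted(n for n in set(prev) & set(curr) if prev[n] != curr[n]),
        # Record removed from DNS: the usual remediation.
        "removed": sorted(gone - still_scanned),
        # Name still resolves but no longer looks unclaimed: confirm that your
        # organisation, not a third party, now owns the backing resource.
        "verify_owner": sorted(gone & still_scanned),
    }

# Constructed scan results, not real data.
YESTERDAY = json.loads("""{
  "scanned": ["cdn.example.com", "old.example.com", "api-staging.example.com"],
  "vulnerable": [
    {"subdomain": "cdn.example.com", "service": "AWS S3",
     "cname": "cdn.example.com.s3.amazonaws.com"},
    {"subdomain": "old.example.com", "service": "GitHub Pages",
     "cname": "example.github.io"}
  ]}""")
TODAY = json.loads("""{
  "scanned": ["cdn.example.com", "api-staging.example.com"],
  "vulnerable": [
    {"subdomain": "api-staging.example.com", "service": "Heroku",
     "cname": "example-staging.herokuapp.com"}
  ]}""")

if __name__ == "__main__":
    print(json.dumps(diff_scans(YESTERDAY, TODAY), indent=2))
```

Alert on `new` and `changed`, and treat `verify_owner` as an open item until someone confirms who controls the resource behind the name.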

Common False Positives and How to Handle Them#

1. Custom 404 Pages#

Problem: Some services return 200 status codes for custom 404 pages.

Solution:

# Use content analysis along with status codes
sub404 -d example.com --confirm
 
# Manual verification checklist:
# - Check page content for "not found" patterns
# - Verify CNAME resolution
# - Test service-specific endpoints
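
The checklist above as code, in an added example that is not part of Sub404 or the original article: it triages observations that were already collected (CNAME target, status code, body) instead of trusting the status code alone. The fingerprint table, the `Observation` type, the `triage` function and the sample data are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Illustrative fingerprint table (an assumption of this example, not Sub404's):
# CNAME suffix -> (service, text served when the named resource is unclaimed).
FINGERPRINTS = {
    ".s3.amazonaws.com": ("AWS S3", "NoSuchBucket"),
    ".github.io": ("GitHub Pages", "There isn't a GitHub Pages site here"),
    ".herokuapp.com": ("Heroku", "No such app"),
}

@dataclass
class Observation:
    subdomain: str
    cname: Optional[str]   # CNAME target, None when the name has no CNAME
    status: Optional[int]  # HTTP status, None when the request failed
    body: str = ""

def triage(obs: Observation) -> tuple:
    """Return (verdict, reason) using CNAME, status and body together."""
    if not obs.cname:
        return "not-applicable", "no CNAME to a third-party service"
    target = obs.cname.rstrip(".").lower()
    for suffix, (service, marker) in FINGERPRINTS.items():
        if not target.endswith(suffix):
            continue
        if obs.status is None:
            return "retest", f"{service}: no HTTP response, retry before judging"
        if marker.lower() in obs.body.lower():
            return "likely-dangling", f"{service}: provider says resource is unclaimed"
        if obs.status == 404:
            return "manual-review", f"{service}: 404 without the provider marker"
        return "in-use", f"{service}: resource answers with its own content"
    return "not-applicable", "CNAME target is not in the fingerprint table"

# Constructed observations, not real scan data.
SAMPLES = [
    Observation("cdn.example.com", "cdn.example.com.s3.amazonaws.com.", 404,
                "<Error><Code>NoSuchBucket</Code></Error>"),
    Observation("shop.example.com", "example-shop.herokuapp.com", 200,
                "<h1>Page not found</h1>"),   # custom 404 page served with 200
    Observation("docs.example.com", "example.github.io", 404, "<h1>404</h1>"),
    Observation("api-staging.example.com", "example-staging.herokuapp.com", None),
    Observation("www.example.com", None, 404, "Not Found"),
]

if __name__ == "__main__":
    for obs in SAMPLES:
        print(obs.subdomain, *triage(obs))
```

Only the `likely-dangling` verdict should open a remediation ticket directly; `manual-review` and `retest` cover the custom error page and failed-request cases that a status-code check would misreport.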

2. DNS Propagation Issues#

Problem: Recent DNS changes might not be propagated.

Solution:

# Use specific DNS servers
sub404 -d example.com --dns-servers 8.8.8.8,1.1.1.1
 
# Re-test after some time
sleep 3600 && sub404 -d example.com

3. Rate Limiting and Blocks#

Problem: Services may block aggressive scanning.

Solution:

# Implement respectful scanning
sub404 -d example.com --delay 2 --timeout 10 -t 20
 
# Use rotating User-Agents
sub404 -d example.com --random-agent

Integrating Sub404 into Security Workflows#

Continuous Integration Pipeline#

# Example GitHub Actions workflow
name: Subdomain Takeover Scan
on:
  schedule:
    - cron: '0 2 * * 1'  # Weekly on Monday at 2 AM
  push:
    branches: [main]
 
jobs:
  subdomain-scan:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - name: Set up Python
      uses: actions/setup-python@v5
      with:
        python-version: '3.8'
    - name: Install Sub404
      run: |
        git clone https://github.com/r3curs1v3pr0xy/sub404.git
        cd sub404
        pip3 install -r requirements.txt
        python3 setup.py install
    - name: Run Subdomain Scan
      run: |
        sub404 -d example.com -f json -o results.json
    - name: Upload results
      uses: actions/upload-artifact@v4
      with:
        name: sub404-results
        path: results.json

Automated Reporting Script#

#!/usr/bin/env python3
import html
import json
import subprocess
from datetime import datetime

def run_sub404(domain):
    """Run Sub404 scan and return results"""
    # Pass arguments as a list so the domain is never re-split into extra options
    cmd = ["sub404", "-d", domain, "-f", "json"]
    result = subprocess.run(cmd, capture_output=True, text=True)

    if result.returncode == 0:
        return json.loads(result.stdout)
    else:
        raise Exception(f"Scan failed: {result.stderr}")

def generate_report(data):
    """Generate HTML report from scan results"""
    report = f"""
    <html>
    <head><title>Subdomain Takeover Report - {datetime.now().date()}</title></head>
    <body>
    <h1>Subdomain Takeover Scan Report</h1>
    <p>Generated: {datetime.now()}</p>
    <h2>Vulnerable Subdomains: {len(data.get('vulnerable', []))}</h2>
    """

    for vuln in data.get('vulnerable', []):
        # Hostnames and CNAME targets come from DNS, so escape them before
        # embedding them in HTML
        subdomain = html.escape(str(vuln['subdomain']))
        service = html.escape(str(vuln['service']))
        cname = html.escape(str(vuln['cname']))
        report += f"""
        <div style="border: 1px solid red; margin: 10px; padding: 10px;">
        <h3>{subdomain}</h3>
        <p>Service: {service}</p>
        <p>CNAME: {cname}</p>
        </div>
        """

    report += "</body></html>"
    return report

# Usage
if __name__ == "__main__":
    domain = "example.com"
    results = run_sub404(domain)
    report = generate_report(results)

    with open(f"sub404_report_{datetime.now().date()}.html", "w") as f:
        f.write(report)

Monitoring Dashboard Integration#

#!/bin/bash
# Script to run Sub404 and update monitoring dashboard
set -euo pipefail

DOMAIN="example.com"
TIMESTAMP=$(date +%s)
# This path sits under the web root: restrict access to it, because the
# result files list findings that have not been remediated yet
RESULTS_FILE="/var/www/html/sub404/results_${TIMESTAMP}.json"

# Run scan
sub404 -d "$DOMAIN" -f json -o "$RESULTS_FILE"

# Update summary for dashboard (one compact JSON object appended per run)
jq -c '{timestamp: now, vulnerable: .vulnerable | length, total: .scanned | length}' "$RESULTS_FILE" >> /var/www/html/sub404/summary.json

# Cleanup old files (keep last 30 days)
find /var/www/html/sub404 -name "results_*.json" -mtime +30 -delete

Conclusion#

Sub404 is an essential tool in the modern security professional's arsenal for identifying subdomain takeover vulnerabilities. Its ease of use, comprehensive service coverage, and flexibility make it suitable for both ad-hoc testing and integrated security monitoring.

Key Takeaways:#

  1. Regular scanning is crucial as infrastructure changes frequently
  2. Combine Sub404 with other enumeration tools for comprehensive coverage
  3. Always verify potential findings to avoid false positives
  4. Integrate into CI/CD pipelines for continuous security monitoring
  5. Maintain proper documentation of findings and remediation actions

Next Steps:#

  • Practice using Sub404 on test domains with known vulnerabilities
  • Integrate into your organization's security monitoring workflow
  • Contribute to the project by reporting bugs or adding new service detectors
  • Stay updated with new releases and feature additions

References#

Official Resources#

  • Subfinder - Subdomain discovery tool
  • Amass - In-depth attack surface mapping
  • Aquatone - Visual inspection tool

Further Reading#

  • "Bug Bounty Bootcamp" by Vickie Li
  • "Real-World Bug Hunting" by Peter Yaworski
  • OWASP Testing Guide: Subdomain Takeover Testing

Security Standards#

Note: Always ensure you have proper authorization before conducting security testing. Unauthorized testing may be illegal and unethical.