Home

Awesome

BadDNS

Check subdomains for subdomain takeovers and other DNS tomfoolery

Black License tests codecov Pypi Downloads

<p align="left"><img width="300" height="300" src="https://github.com/blacklanternsecurity/baddns/assets/24899338/2ca1fe25-e834-4df8-8b02-8bf8f60f6e31"></p>

BadDNS is a standalone tool and BBOT module for detecting domain/subdomain takeovers of all kinds, including other DNS issues like NSEC walks and Subdomain Takeovers.

Check out the introductory blog on the BLS substack!

Installation

We have a pypi package, so you can just do pip install baddns to make use of the library.

Or use pipx: pipx install git+https://github.com/blacklanternsecurity/baddns

Usage

After installing with pip, you can just run baddns from the command line.

usage: baddns [-h] [-n CUSTOM_NAMESERVERS] [-c CUSTOM_SIGNATURES] [-l] [-s] [-m MODULES] [-d] [target]

Check subdomains for subdomain takeovers and other DNS tomfoolery

positional arguments:
  target                subdomain to analyze

options:
  -h, --help            show this help message and exit
  -n CUSTOM_NAMESERVERS, --custom-nameservers CUSTOM_NAMESERVERS
                        Provide a list of custom nameservers separated by comma.
  -c CUSTOM_SIGNATURES, --custom-signatures CUSTOM_SIGNATURES
                        Use an alternate directory for loading signatures
  -l, --list-modules    List available modules and their descriptions.
  -s, --silent          Show only vulnerable targets
  -m MODULES, --modules MODULES
                        Comma separated list of module names to use. Ex: module1,module2,module3
  -d, --debug           Enable debug logging

Modules

NameDescription
cnameCheck for dangling CNAME records and interrogate them for subdomain takeover opportunities
nsCheck for dangling NS records, and interrogate them for takeover opportunities
mxCheck for dangling MX records and assess their base domains for availability
nsecEnumerate subdomains by NSEC-walking
referencesCheck HTML content for links or other references that contain a hijackable domain
txtCheck TXT record contents for hijackable domains
zonetransferAttempt a DNS zone transfer

Examples

baddns subdomaintocheck.example.com
baddns -m CNAME subdomaintocheck.example.com
baddns -m CNAME,NS subdomaintocheck.example.com
baddns -l
baddns -n 1.1.1.1 subdomaintocheck.example.com

Documentation

Please visit our full documentation for many more details, including information about specific BadDNS modules.

Acknowledgements

BadDNS Signatures are sourced primarily from Nuclei Templates and from dnsReaper by Punk Security, although many have been modified or updated in BadDNS. Much of the research contained in the signatures was originally discussed on the issues page of can-i-take-over-xyz.