theoffsecgirl/takeovflow

GitHub: theoffsecgirl/takeovflow

An advanced subdomain takeover scanner that combines passive and active probing with CNAME fingerprinting to identify services vulnerable to takeover.

Stars: 1 | Forks: 1

# takeovflow

**Advanced Subdomain Takeover Scanner**

![Language](https://img.shields.io/badge/Python-3.7+-9E4AFF?style=flat-square&logo=python&logoColor=white) ![Version](https://img.shields.io/badge/version-1.3.0-9E4AFF?style=flat-square) ![License](https://img.shields.io/badge/License-MIT-9E4AFF?style=flat-square) ![Category](https://img.shields.io/badge/Category-Bug%20Bounty%20%7C%20Recon-111111?style=flat-square)

*by [theoffsecgirl](https://github.com/theoffsecgirl)*
## What does it do?

Combines passive discovery, active resolution, fingerprinting and CNAME pattern detection to identify subdomains vulnerable to takeover. Resilient: if an external tool is missing, it continues with the available ones.

**v1.3.0 highlights:** concurrent CNAME analysis, 55 service fingerprints, deduplication, severity filtering, configurable timeout/retries, custom DNS resolvers and flexible output directory.

## External tools

`subfinder` `assetfinder` `dnsx` `httpx` `subjack` `nuclei` `dig` `jq` `curl`

The script checks availability at startup and skips phases for missing tools — **does not abort**.

## Installation

```
git clone https://github.com/theoffsecgirl/takeovflow.git
cd takeovflow
chmod +x takeovflow.py
```

## Usage

```
# Single domain
python3 takeovflow.py -d example.com -v

# File of domains
python3 takeovflow.py -f scope.txt

# Passive phase only (discovery)
python3 takeovflow.py -d example.com --passive-only

# Active phase only, on already-known subdomains
python3 takeovflow.py --active-only --subs-file subdomains.txt -d example.com

# Custom resolvers + output directory + HIGH severity only
python3 takeovflow.py -d example.com --resolvers resolvers.txt --output-dir ./reports --min-severity HIGH

# Custom nuclei templates, JSON output, 100 threads
python3 takeovflow.py -f scope.txt -t 100 -v --json-output --nuclei-templates ./takeover-templates/

# Show version
python3 takeovflow.py --version
```

## Technical flow

```
[PASSIVE] subfinder + assetfinder → deduplication
[ACTIVE]  dnsx → httpx → subjack → nuclei → CNAME patterns (concurrent)
[OUTPUT]  takeovflow_report_YYYYMMDD_HHMM.md + JSON (optional)
```

Services detected via CNAME (55 total): AWS S3/CloudFront/Beanstalk, Azure Web Apps/Traffic Manager/Blob, Heroku, GitHub Pages, Fastly, Akamai, Netlify, Vercel, Webflow, GitBook, Shopify, Ghost, Surge, Statuspage, Bitbucket Pages, Pantheon, Kinsta, HubSpot, Freshdesk, Intercom, Cargo, Wix, Weebly, Tilda, Zendesk, and more.
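To make the CNAME-pattern stage of the flow above concrete, here is an added, self-contained example (not the project's code) that parses resolver output, de-duplicates it, matches CNAME targets against a small fingerprint table and applies a `--min-severity`-style filter. The "host [CNAME] [target]" line layout, the pattern suffixes and the severities assigned to each service are illustrative assumptions; the sample input is constructed.

```python
import re

# Minimal stand-in for the tool's 55-service table. Patterns and the
# severities assigned to them are assumptions for illustration only.
FINGERPRINTS = [
    (r"\.s3(?:[-.][a-z0-9-]+)?\.amazonaws\.com$", "AWS S3", "HIGH"),
    (r"\.github\.io$", "GitHub Pages", "HIGH"),
    (r"\.herokuapp\.com$", "Heroku", "MEDIUM"),
    (r"\.azurewebsites\.net$", "Azure Web Apps", "MEDIUM"),
    (r"\.netlify\.app$", "Netlify", "LOW"),
]
SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed resolver output in an assumed "host [CNAME] [target]" layout
# (dnsx's real format may differ). Note the duplicated assets line.
SAMPLE = """\
assets.example.com [CNAME] [assets-example.s3.amazonaws.com]
docs.example.com [CNAME] [theoffsecgirl.github.io]
assets.example.com [CNAME] [assets-example.s3.amazonaws.com]
staging.example.com [CNAME] [old-app.herokuapp.com]
www.example.com [CNAME] [www.example.com.cdn.cloudflare.net]
blog.example.com [CNAME] [blog-site.netlify.app]
"""

LINE_RE = re.compile(r"^(\S+) \[CNAME\] \[(\S+)\]$")

def parse_cnames(text):
    """Return de-duplicated (host, cname) pairs in first-seen order."""
    seen, pairs = set(), []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not CNAME answers
        pair = (m.group(1).lower(), m.group(2).lower().rstrip("."))
        if pair not in seen:
            seen.add(pair)
            pairs.append(pair)
    return pairs

def fingerprint(pairs, min_severity="INFO"):
    """Match each CNAME target; keep findings at or above min_severity."""
    threshold = SEVERITY_RANK[min_severity]
    findings = []
    for host, cname in pairs:
        for pattern, service, severity in FINGERPRINTS:
            if re.search(pattern, cname) and SEVERITY_RANK[severity] >= threshold:
                findings.append({"host": host, "cname": cname,
                                 "service": service, "severity": severity})
                break  # first matching fingerprint wins
    return findings
```

A fingerprint match only marks a candidate: whether the upstream resource is actually unclaimed still depends on the later httpx/subjack/nuclei phases or manual verification, which is why the tool's MEDIUM level reads "needs manual verification".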
## Parameters

```
Targets:
  -d, --domain             Single domain
  -f, --file               File with domains (one per line)
  -l, --list               Comma-separated domains

Mode:
  --passive-only           Passive discovery only
  --active-only            Active phase only (requires --subs-file or --file)
  --subs-file PATH         Subdomains file for active phase

Scan:
  -t, --threads N          Threads (default: 50)
  -r, --rate N             Rate limit (default: 2)
  --timeout N              Per-tool timeout in seconds (default: 30)
  --retries N              Retries on failure (default: 2)
  --resolvers FILE         Custom DNS resolvers file for dnsx
  -v, --verbose            Verbose mode
  --no-color               Disable emoji/color output
  --json-output            Generate JSON report
  --output-dir DIR         Output directory for reports (default: CWD)
  --nuclei-templates PATH  Path to custom nuclei templates
  --min-severity LEVEL     Minimum severity to include in report: HIGH | MEDIUM | LOW | INFO (default: INFO)
  --version                Show version
```

## Severity levels

| Level | Meaning |
|-------|---------|
| 🔴 HIGH | Very likely vulnerable, immediate action recommended |
| 🟡 MEDIUM | Needs manual verification |
| 🟢 LOW | Informational, low risk |
| ⚪ INFO | Context only |

## Ethical use

For bug bounty, labs and authorized audits only.

## License

MIT · [theoffsecgirl](https://theoffsecgirl.com)