subdomain-takeover-hunt

Community

Scan subdomains for unclaimed cloud takeover risk.

Authoruphiago
Version1.0.0
Installs0

System Documentation

What problem does it solve?

This Skill addresses the risk of attackers exploiting dangling CNAME records that point to unclaimed third-party cloud services to take over a target's subdomains, which can enable phishing, cookie theft, and full origin impersonation of the target's web properties.

Core Features & Use Cases

  • CNAME Record Filtering: Extracts and filters CNAME records for common user-registrable cloud services including Heroku, S3, Azure, GitHub Pages, and Shopify from subdomain enumeration results.
  • Automated Vulnerability Scanning: Integrates with standard security tools like subzy, subjack, and nuclei to rapidly scan large subdomain lists for takeover indicators.
  • Manual Verification & Fingerprinting: Provides service-specific error page checks and a reference table of 16 common cloud services to confirm claimable resources and reduce false positives.
  • Use Case: During an authorized penetration test, after generating a list of alive subdomains for a target, use this Skill to quickly identify any subdomains at risk of takeover by unclaimed cloud resources.

Quick Start

Use the subdomain-takeover-hunt skill to scan your list of alive subdomains and identify any that are vulnerable to takeover via unclaimed cloud service CNAMEs.

Dependency Matrix

Required Modules

None required

Components

Standard package

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.

Please help me install this Skill:
Name: subdomain-takeover-hunt
Download link: https://github.com/uphiago/recon-skills/archive/main.zip#subdomain-takeover-hunt

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
View Source Repository

Agent Skills Search Helper

Install a tiny helper to your Agent, search and equip skill from 536,000+ vetted skills library on demand.