DNS Reaper is yet another sub-domain takeover tool, but with an emphasis on accuracy, speed and the number of signatures in our arsenal!
We can scan around 50 subdomains per second, testing each one with over 50 takeover signatures. This means most organisations can scan their entire DNS estate in less than 10 seconds.
To make it easier to get started, we've built a cheeky little web version that will scan a dns zone file, a comma-separated list, or up to 100 subdomains we find from ProjectDiscovery.
Check it out: dnsreaper web
Of course, the CLI tool is much more EPIC, and it's faster.
You can run it by providing a list of domains in a file, or a single domain on the command line. DNS Reaper will then scan the domains with all of its signatures, producing a CSV file.
You can run it by letting it fetch your DNS records for you! Yes, that's right: you can run it with credentials and test all your domain config quickly and easily. DNS Reaper will connect to the DNS provider, fetch all your records, and then test them.
We currently support AWS Route53, Cloudflare, and Azure. Documentation on adding your own provider can be found here
Punk Security are a DevSecOps company, and DNS Reaper has its roots in modern security best practice.
You can run DNS Reaper in a pipeline, feeding it a list of domains that you intend to provision, and it will exit non-zero if it detects that a takeover is possible. You can prevent takeovers before they are even possible!
To run DNS Reaper, you can use the Docker image or run it with Python 3.11.
Findings are returned in the output and more detail is provided in a local "results.csv" file. We also support JSON output as an option.
docker run punksecurity/dnsreaper --help
pip install -r requirements.txt
python main.py --help
Scan AWS account:
docker run punksecurity/dnsreaper aws --aws-access-key-id <key> --aws-access-key-secret <secret>
For more information, see the documentation for the aws provider
Scan all domains from file:
docker run -it --rm -v $(pwd):/etc/dnsreaper punksecurity/dnsreaper file --filename /etc/dnsreaper/<filename>
Scan single domain:
docker run -it --rm punksecurity/dnsreaper single --domain <domain>
Scan single domain and output to stdout:
You should either redirect the stderr output or save the stdout output with >
docker run -it --rm punksecurity/dnsreaper single --domain <domain> --out stdout --o