Subdomain Takeover is a type of risk which exists when a DNS entry (subdomain) of an organization points to an External Service (ex. Heroku, Github, Bitbucket, Desk, Squarespace, Shopify, etc) but the service is no longer utilized (deleted or migrated). We have complied a list of Top Open Source Tools to detect Subdomain takeover risk.
A well-known case of this was discovered by Szymon Gruszecki, an independent security researcher, in 2014. He found that the subdomain racing.msn.com had a CNAME record pointing to msnbrickyardsweeps.com. This domain had expired and he was able to register it for himself. Read More
Following are the some tools which scan subdomains and Identify possibilities of Subdomain Takeover Vulnerability by perform enumeration of subdomains.
Hostile Sub Bruteforcer
This app is one of the best app for checking subdomain takeover risk. Hostile Sub Bruteforcer will bruteforce for existing subdomains and provide the information like IP addresses, hosts, and the 3rd party host has been properly setup or not. (for example if site.example.com is pointing to a non-existing Heroku subdomain, it’ll alert you)
It has limitation, and currently only works with AWS, Github, Heroku, shopify, tumblr, blogspot/blogger and squarespace.
Also there may be some false positives depending on the host configurations. To know more click here.