OSINT · Subdomain Intelligence
Enumerate subdomains from Certificate Transparency logs, HackerTarget, AlienVault OTX, and RapidDNS. Resolve full CNAME chains, detect NS delegation takeovers, identify wildcard zones, and fingerprint dangling records against 65+ cloud services.
A four-phase enumeration and detection pipeline — all client-side, no proxy, no API keys required.
Queries four passive sources in parallel: crt.sh Certificate Transparency logs, HackerTarget passive DNS, AlienVault OTX threat intelligence, and RapidDNS. Results are deduplicated and normalised before scanning begins.
Before resolving anything, Takeover queries a guaranteed-nonexistent subdomain via DoH. If it resolves, the domain has wildcard DNS — a banner warns you that results may include false positives throughout the scan.
Full CNAME chains are followed (up to 10 hops) via DNS-over-HTTPS. Each subdomain is also checked for NS delegation — dangling NS records pointing to non-existent nameservers indicate a separate, severe class of takeover.
After the full CNAME chain is resolved, the terminal target's A record is queried. An NXDOMAIN response on the final target — even without a fingerprint match — is a strong takeover signal and is flagged as Potential.
Each CNAME match is checked against 65+ service signatures (GitHub Pages, Heroku, S3, Azure, Netlify, Vercel, Railway, Fly.io, Zendesk, Shopify and more). An HTTP fetch attempts to confirm the dangling error page in the response body.
Choose between 5, 10, or 20 concurrent checks. All requests originate from your browser — no data passes through TheAdminStack servers. CORS restrictions apply to HTTP body verification; use the JSON/CSV export with curl to confirm findings.
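The wildcard probe, the bounded CNAME-chain walk and the NXDOMAIN check on the terminal target described above, as an added example for auditing your own zone (not Takeover's own code). The `lookup` callback, the sample records, the `SIGNATURES` table and the verdict names are assumptions; the response objects follow the JSON shape returned by public DoH resolvers and are constructed inline so the block runs offline.

```javascript
// Constructed DoH-JSON-style responses (Status 0 = NOERROR, 3 = NXDOMAIN;
// record type 5 = CNAME, 1 = A). Every name and address here is made up.
const SAMPLE = {
  "www.example.test/CNAME": { Status: 0, Answer: [{ type: 5, data: "edge.example.test." }] },
  "edge.example.test/CNAME": { Status: 0, Answer: [{ type: 5, data: "old-app.hosting.example." }] },
  "old-app.hosting.example/A": { Status: 3 },
  "blog.example.test/CNAME": { Status: 0, Answer: [{ type: 5, data: "live.example.net." }] },
  "live.example.net/A": { Status: 0, Answer: [{ type: 1, data: "192.0.2.10" }] },
  "a.example.test/CNAME": { Status: 0, Answer: [{ type: 5, data: "b.example.test." }] },
  "b.example.test/CNAME": { Status: 0, Answer: [{ type: 5, data: "a.example.test." }] },
};
// Stand-in for a DoH query; unknown names return NOERROR with no records.
const sampleLookup = (name, type) => SAMPLE[`${name}/${type}`] || { Status: 0 };
// Hypothetical signature table; a real one maps provider CNAME suffixes to services.
const SIGNATURES = [{ suffix: ".hosting.example", service: "ExampleHost" }];

const norm = (n) => n.toLowerCase().replace(/\.$/, "");

// Wildcard probe: a random label should not exist; if it has records,
// the zone answers for everything and later findings need manual review.
function hasWildcard(domain, lookup) {
  const probe = `nx-${Math.random().toString(36).slice(2)}.${domain}`;
  const r = lookup(probe, "A");
  return r.Status === 0 && (r.Answer || []).length > 0;
}

// Follow the CNAME chain (bounded, loop-safe), then query A on the terminal target.
function checkSubdomain(name, lookup, maxHops = 10) {
  const chain = [norm(name)];
  for (;;) {
    const cname = (lookup(chain[chain.length - 1], "CNAME").Answer || []).find((a) => a.type === 5);
    if (!cname) break;
    const next = norm(cname.data);
    if (chain.includes(next)) return { chain, verdict: "loop" };
    if (chain.length > maxHops) return { chain, verdict: "too-many-hops" };
    chain.push(next);
  }
  if (chain.length === 1) return { chain, verdict: "no-cname" };
  const target = chain[chain.length - 1];
  const sig = SIGNATURES.find((s) => target.endsWith(s.suffix));
  // NXDOMAIN on the final target is flagged even without a signature match.
  const nx = lookup(target, "A").Status === 3;
  const verdict = nx ? "potential" : sig ? "verify-http" : "ok";
  return { chain, verdict, service: sig ? sig.service : null };
}
```

In a browser, `lookup` would be backed by DoH responses fetched ahead of the walk; a `verify-http` verdict means the CNAME matches a signature but still resolves, so the response body has to be checked separately.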
Responsible Use: Takeover is designed for legitimate security research, bug bounty programmes, red team engagements, and defensive vulnerability assessment of infrastructure you own or have explicit written permission to test. Unauthorised reconnaissance of third-party domains may violate computer fraud laws in your jurisdiction. Use responsibly and in accordance with applicable laws.