dnsReaper – Subdomain Takeover Tool For Attackers, Bug Bounty Hunters And The Blue Team!

DNS Reaper is yet another sub-domain takeover tool, but with an emphasis on accuracy, speed and the number of signatures in our arsenal!

You can run it by providing a list of domains in a file, or a single domain on the command line. DNS Reaper will then scan the domains with all of its signatures, producing a CSV file.

You can run DNS Reaper in a pipeline, feeding it a list of domains that you intend to provision, and it will exit non-zero if it detects that a takeover is possible. You can prevent takeovers before they are even possible!

To run DNS Reaper, you can use the Docker image or run it with Python 3.10.

Findings are returned in the output and more detail is provided in a local “results.csv” file. We also support JSON output as an option.

docker run punksecurity/dnsreaper --help

Scan AWS account:

docker run punksecurity/dnsreaper aws --aws-access-key-id <key> --aws-access-key-secret <secret>

Scan all domains from file:

docker run -v "$(pwd)":/etc/dnsreaper punksecurity/dnsreaper file --filename /etc/dnsreaper/<filename>

Scan single domain:

docker run punksecurity/dnsreaper single --domain <domain>

Scan single domain and output to stdout:

You should either redirect the stderr output or save stdout output with >

docker run punksecurity/dnsreaper single --domain <domain> --out stdout --out-format=json > output
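
The pipeline use described above (exit non-zero when a takeover is possible), written out as an added example that is not code from the dnsReaper project: it checks the list of domains to be provisioned, runs the file scan shown on this page and blocks on any non-zero exit. The one-domain-per-line input format, the 0/1/2 return codes and the DNSREAPER_RUN hook are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example: a provisioning gate around the "file" scan shown on this page.
# Assumptions (not from the page): one domain per line in the input file, and
# DNSREAPER_RUN, a hypothetical hook that lets a test replace the Docker call.

HOST_RE='^([a-z0-9_]([a-z0-9_-]{0,61}[a-z0-9_])?\.)+[a-z]{2,63}$'

# Lower-case, strip comments, whitespace and a trailing dot, drop blanks, dedupe.
clean_domains() {
    tr 'A-Z' 'a-z' < "$1" |
        sed -e 's/#.*$//' -e 's/[[:space:]]//g' -e 's/\.$//' -e '/^$/d' |
        sort -u
}

# Default runner: the page's docker command, given a directory and a file name.
run_dnsreaper() {
    docker run --rm -v "$1":/etc/dnsreaper punksecurity/dnsreaper \
        file --filename "/etc/dnsreaper/$2"
}

# Returns 0 = scan clean, 1 = scanner exited non-zero, 2 = input rejected.
gate_domains() {
    local list="$1" workdir bad rc=0
    [ -r "$list" ] || { echo "cannot read $list" >&2; return 2; }
    workdir="$(mktemp -d)" || return 2
    chmod 755 "$workdir"  # assumption: the container user may not be our uid
    clean_domains "$list" > "$workdir/domains.txt"
    # Reject the whole list on any malformed entry: silently skipping a name
    # would let it through the gate unscanned.
    if bad="$(grep -Ev "$HOST_RE" "$workdir/domains.txt")"; then
        echo "malformed entries: $bad" >&2
        rm -rf "$workdir"; return 2
    fi
    if [ ! -s "$workdir/domains.txt" ]; then
        echo "no domains in $list" >&2
        rm -rf "$workdir"; return 2
    fi
    # Fail closed: any non-zero exit (finding or scanner error) blocks.
    "${DNSREAPER_RUN:-run_dnsreaper}" "$workdir" domains.txt || rc=1
    rm -rf "$workdir"
    [ "$rc" -eq 0 ] || echo "dnsReaper exited non-zero, blocking provisioning" >&2
    return "$rc"
}

# Pipeline usage: gate_domains planned-domains.txt || exit 1
```

Because the gate treats every non-zero exit as blocking, a scanner or Docker failure also stops provisioning rather than letting an unscanned domain through.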