Releases: haccer/subjack

v3.0.0

16 Mar 05:55

What's New

subjack is now a comprehensive DNS Takeover Scanner covering multiple attack vectors beyond CNAME hijacking.

New Detection Capabilities

  • Stale A record detection — finds dead IPs on AWS, GCP, Azure, DigitalOcean, Linode, Vultr, and Oracle Cloud (-ar)
  • Dangling NS delegation checks — detects deleted cloud DNS zones on Route53, Google Cloud DNS, Azure DNS, and more (-ns)
  • Zone transfer (AXFR) detection — with NS hostname bruteforcing (-axfr)
  • SPF include takeover — expired domains in SPF records (-mail)
  • MX record takeover — expired mail server domains (-mail)
  • CNAME chain takeover — multi-level CNAME chains up to 10 deep
  • SRV record takeover — SRV targets pointing to registrable domains
  • Azure Traffic Manager verification — reduces false positives via API check

Improvements

  • Concurrency limits and consistent timeouts
  • NXDOMAIN detection via DNS rcode instead of error string parsing
  • S3 CNAME pattern tightened to avoid false matches on ELB
  • Stdin support for piping domain lists
  • All results written to output file (not just vulnerable ones)
  • Updated and cleaned fingerprints (removed Heroku, Fastly)
  • DNS lookup timeout to prevent hanging

Housekeeping

  • Unit tests for provider detection, DNS patterns, and fingerprint validation
  • Removed dead code

Full Changelog: v2.2.0...v3.0.0

Subjack 2.2.0

15 Mar 18:52

What's New

  • Go modules — modernized from GOPATH to Go modules (Go 1.25)
  • Embedded fingerprints — fingerprints.json is baked into the binary at compile time, no external config file needed
  • Custom DNS resolvers — new -r flag to specify a list of DNS resolvers with random selection and fallback
  • Kickofflabs fingerprint — added new subdomain takeover detection
  • GitHub Actions — CI pipeline and automated cross-platform release builds

Bug Fixes

  • Fixed race condition on concurrent JSON output writes
  • Fixed "Not Vulnerable" printing after a vulnerable detection
  • Fixed domain availability check running redundantly inside fingerprint loop
  • Fixed body fingerprint match not breaking out of outer loop
  • Fixed JSON output file not being truncated on rewrite
  • Fixed flag.Usage set after flag.Parse()
  • Replaced deprecated io/ioutil with modern equivalents

Improvements

  • Reusable HTTP client instead of creating one per request
  • fasthttp request/response objects returned to pool
  • Removed dead code (https(), joinHost())
  • Cleaner architecture — *Options passed through instead of 7+ parameter functions

Install

go install github.com/haccer/subjack@latest

2.1

15 Dec 02:15

Fix everything unreported :(

2.0

17 Sep 00:48


1.4

27 Jun 17:47
cf5025a

Re-add missing output flag

1.3.1

07 Apr 18:15
a726601

  • Bug fixes

1.3

07 Apr 05:20
4ca9650

Additions

  • JetBrains & Microsoft Azure fingerprint
  • More Amass options
  • Allows checking for subdomains that point to non-existent domains (NXDOMAIN) and whether those domains are available to be registered

1.2

29 Mar 18:56
fc69961

Additions

  • Rewrite
  • Amass integration allowing subjack to discover subdomains on its own before testing for subdomain takeover.
  • More options

Fixes

  • Cloudfront 2nd check bug fix

1.1.2

28 Mar 07:32
f2d3e22

New Additions

  • More services
  • Stronger 2-step check to rule out false positives

1.1.1

20 Mar 05:21
1f993ef

Added

  • Better Cargo detection

Removed

  • The "last request" thing was very buggy, it had to go
  • A service or two