Description
Nuclei's subdomain takeover detection templates check for dangling DNS records pointing to services that can be claimed by attackers. These templates are part of the official nuclei-templates repository and cover all major cloud providers and hosting services.
Installation
BASH
# Nuclei (required)
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
# Templates auto-download on first run
nuclei -update-templatesBasic Usage
BASH
# Scan for subdomain takeover
nuclei -l subdomains.txt -t takeovers/
# Scan single target
echo "sub.target.com" | nuclei -t takeovers/
# With httpx for live hosts
cat subs.txt | httpx -silent | nuclei -t takeovers/Advanced Usage
BASH
# Takeover templates specifically
nuclei -l subdomains.txt -t takeovers/ -c 50
# Combine with CNAME checks
cat subs.txt | dnsx -cname -resp-only | nuclei -t takeovers/
# Output results
nuclei -l subs.txt -t takeovers/ -o takeover_results.txt -json
# With custom resolvers
nuclei -l subs.txt -t takeovers/ -r resolvers.txtCovered Services
TEXT
# AWS S3, CloudFront, Elastic Beanstalk
# Azure (Blob, App Service, Traffic Manager)
# Google Cloud Storage
# GitHub Pages
# Heroku
# Shopify
# Surge.sh
# Tumblr
# WordPress.com
# Zendesk
# FastlyA
# Pantheon
# Cargo Collective
# And many more...Common Workflows
BASH
# Complete takeover pipeline
subfinder -d target.com -silent > subs.txt
cat subs.txt | dnsx -silent > resolved.txt
nuclei -l resolved.txt -t takeovers/ -o takeover_findings.txt
# Continuous monitoring
while true; do
subfinder -d target.com -silent | nuclei -t takeovers/ -silent
sleep 86400 # Run daily
done