aquatone 0.2.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1572ba4c07838fd7294dfc001c8ff23b2f7c19fc
-  data.tar.gz: 2c7fc94f9cef66e71fc8adeed1840a3170cf6367
+  metadata.gz: 89f0cbe4f00ec77bae2d323be2978261680a75d8
+  data.tar.gz: 32948fb248e6614400c878ea2ac4681a5da9558b
 SHA512:
-  metadata.gz: d5086248f07db25eeead317a570ee56cf3d622eb72e471d85c1c33611f3cfc4bba0be721a9f65658e6e078b264bbbb2327157574070e235d1542c4a85ba4ec6e
-  data.tar.gz: f81b9ab7409889e524c59fda6e53e7ce4e891a515f7492885f5fcd5e558ae8bdb187c2e6295ad5ee40324f51b12994dfbc39759a272a03fbcbd08b75e5f90fc6
+  metadata.gz: 941e0e136a451eb295184a6b35dde232cbcae72624a4e421a5c304f89f70c281744cc85c05eafe951f210fd744ec6b3406362b554a4cab9a46b666e58c7be254
+  data.tar.gz: 48ccd44ff3e7fa4cfd05bd7221e6287479f9b80b362342915789ffe673c12a9f8a25fc8ef63524286eee401f4fccddf0fb8395810ca1e352aa6b81c0445325df

data/CHANGELOG.md

@@ -10,6 +10,15 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 ### Changed
 
 
+## [0.3.0]
+### Added
+ - New Tool: aquatone-takeover: Check discovered hosts for subdomain takeover vulnerabilities
+
+### Changed
+ - Show key requirements in for collectors when issuing `aquatone-discover --list-collectors`
+ - Add alias `xlarge` to `huge` port list.
+
+
 ## [0.2.0]
 ### Added
  - New Collector: riddler.io (Thanks, [@jolle](https://github.com/jolle)!)
@@ -38,6 +47,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 
 ### Changed
 
-[Unreleased]: https://github.com/michenriksen/aquatone/compare/v0.2.0...HEAD
+[Unreleased]: https://github.com/michenriksen/aquatone/compare/v0.3.0...HEAD
+[0.3.0]: https://github.com/michenriksen/aquatone/compare/v0.2.0...v0.3.0
 [0.2.0]: https://github.com/michenriksen/aquatone/compare/v0.1.1...v0.2.0
 [0.1.1]: https://github.com/michenriksen/aquatone/compare/v0.1.0...v0.1.1

data/README.md

@@ -152,6 +152,43 @@ When aquatone-gather is finished, it will have created several directories in th
  * `screenshots/`: Contains PNG images of how each web page looks like in a browser
  * `report/` Contains report files in HTML displaying the gathered information for easy analysis
 
+### Subdomain Takeover
+
+Subdomain takeover is a very prevalent and potentially critical security issue which commonly occurs when an organization assigns a subdomain to a third-party service provider and then later discontinues use, but forgets to remove the DNS configuration. This leaves the subdomain vulnerable to complete takover by attackers by signing up to the same service provider and claiming the dangling subdomain.
+
+aquatone-takeover can be used to check hosts uncovered by aquatone-discover for potential domain takeover vulnerabilities:
+
+    $ aquatone-takeover --domain example.com
+
+aquatone-takeover can detect potential subdomain takeover situations from 25 different service providers, including GitHub Pages, Heroku, Amazon S3, Desk and WPEngine.
+
+#### Results
+
+aquatone-takeover will create a `takeovers.json` file in the domain's assessment directory which will contain information in JSON format about any potential subdomain takeover vulnerabilities:
+
+```
+{
+  "shop.example.com": {
+    "service": "Shopify",
+    "service_website": "https://www.shopify.com/",
+    "description": "Ecommerce platform",
+    "resource": {
+      "type": "CNAME",
+      "value": "shops.myshopify.com"
+    }
+  },
+  "help.example.com": {
+    "service": "Desk",
+    "service_website": "https://www.desk.com/",
+    "description": "Customer service and helpdesk ticket software",
+    "resource": {
+      "type": "CNAME",
+      "value": "example.desk.com"
+    }
+  },
+  ...
+}
+```
 
 ## Contributing
 

data/exe/aquatone-discover

@@ -67,10 +67,11 @@ OptionParser.new do |opts|
 
   opts.on("--list-collectors", "See information on collectors") do
     Aquatone::Collector.descendants.each do |collector|
-      puts "Name.......: #{collector.meta[:name]}"
-      puts "Description: #{collector.meta[:description]}" if collector.meta[:description]
-      puts "Author.....: #{collector.meta[:author]}"
-      puts "Key........: #{collector.sluggified_name}\n\n"
+      puts "Name............: #{collector.meta[:name]}"
+      puts "Description.....: #{collector.meta[:description]}" if collector.meta[:description]
+      puts "Author..........: #{collector.meta[:author]}"
+      puts "Key Requirements: #{collector.meta.key?(:require_keys) ? collector.meta[:require_keys].join(', ') : 'None'}"
+      puts "Key.............: #{collector.sluggified_name}\n\n"
       puts "--------------------------------------------------\n\n"
     end
     exit

data/exe/aquatone-takeover

@@ -0,0 +1,113 @@
+#!/usr/bin/env ruby
+
+require "aquatone"
+
+options = {
+  :fallback_nameservers => %w(8.8.8.8 8.8.4.4),
+  :threads => 5,
+}
+
+OptionParser.new do |opts|
+  opts.banner = "Usage: aquatone-takeover OPTIONS"
+
+  opts.on("-d", "--domain DOMAIN", "Domain name to assess") do |v|
+    if !Aquatone::Validation.valid_domain_name?(v)
+      puts "#{v} doesn't look like a valid domain name."
+      exit 1
+    end
+    options[:domain] = v
+  end
+
+  opts.on("--nameservers NAMESERVERS", "Nameservers to use") do |v|
+    ips = v.split(",").map(&:strip).uniq
+    if ips.empty?
+      puts "Nameservers can't be empty."
+      exit 1
+    end
+    ips.each do |ip|
+      if !Aquatone::Validation.valid_ip?(ip)
+        puts "#{ip} is not a valid IP address."
+        exit 1
+      end
+    end
+    options[:nameservers] = ips
+  end
+
+  opts.on("--fallback-nameservers NAMESERVERS", "Nameservers to fall back to") do |v|
+    ips = v.split(",").map(&:strip).uniq
+    if ips.empty?
+      puts "Fallback nameservers can't be empty."
+      exit 1
+    end
+    ips.each do |ip|
+      if !Aquatone::Validation.valid_ip?(ip)
+        puts "#{ip} is not a valid IP address."
+        exit 1
+      end
+    end
+    options[:fallback_nameservers] = ips
+  end
+
+  opts.on("--list-detectors", "See information on subdomain takeover detectors") do
+    Aquatone::Detector.descendants.each do |detector|
+      puts "Service........: #{detector.meta[:service]}"
+      puts "Service Website: #{detector.meta[:service_website]}"
+      puts "Description....: #{detector.meta[:description]}" if detector.meta[:description]
+      puts "Author.........: #{detector.meta[:author]}"
+      puts "Key............: #{detector.sluggified_name}\n\n"
+      puts "--------------------------------------------------\n\n"
+    end
+    exit
+  end
+
+  opts.on("--only-detectors DETECTORS", "Only run specified takeover detectors") do |v|
+    known_detectors = Aquatone::Detector.descendants.map(&:sluggified_name)
+    detectors       = v.split(",").map(&:strip).uniq
+    detectors.each do |detector|
+      if !known_detectors.include?(detector)
+        puts "Unknown takeover detector key: #{detector}"
+        exit 1
+      end
+    end
+    options[:only_detectors] = detectors
+  end
+
+  opts.on("--disable-detectors DETECTORS", "Disable specified takeover detectors") do |v|
+    known_detectors = Aquatone::Detector.descendants.map(&:sluggified_name)
+    detectors       = v.split(",").map(&:strip).uniq
+    detectors.each do |detector|
+      if !known_detectors.include?(detector)
+        puts "Unknown detector key: #{detector}"
+        exit 1
+      end
+    end
+    options[:disable_detectors] = detectors
+  end
+
+  opts.on("-t", "--threads THREADS", "Number of concurrent threads to use") do |v|
+    options[:threads] = v.to_i
+  end
+
+  opts.on("-s", "--sleep SECONDS", "Seconds to sleep between checks") do |v|
+    if v.to_i < 1
+      puts "Sleep can't be less than 1"
+      exit 1
+    end
+    options[:sleep] = v.to_i
+  end
+
+  opts.on("-j", "--jitter PERCENTAGE", "Jitter factor for sleep intervals") do |v|
+    if !v.to_i.between?(1, 100)
+      puts "Jitter factor must be between 1 and 100"
+      exit 1
+    end
+    options[:jitter] = v.to_f
+  end
+
+  opts.on("-h", "--help", "Show help") do
+    puts opts
+    exit 0
+  end
+end.parse!
+
+Aquatone::Commands::Takeover.run(options)

data/lib/aquatone.rb

@@ -22,6 +22,7 @@ require "aquatone/assessment"
 require "aquatone/report"
 require "aquatone/command"
 require "aquatone/collector"
+require "aquatone/detector"
 
 module Aquatone
   AQUATONE_ROOT         = File.expand_path(File.join(File.dirname(__FILE__), "..")).freeze
@@ -38,6 +39,11 @@ Dir[File.join(File.dirname(__FILE__), "aquatone", "collectors", "*.rb")].each do
   require collector
 end
 
+Dir[File.join(File.dirname(__FILE__), "aquatone", "detectors", "*.rb")].each do |detector|
+  require detector
+end
+
 require "aquatone/commands/discover"
 require "aquatone/commands/scan"
 require "aquatone/commands/gather"
+require "aquatone/commands/takeover"

data/lib/aquatone/commands/takeover.rb

@@ -0,0 +1,147 @@
+module Aquatone
+  module Commands
+    class Takeover < Aquatone::Command
+      def execute!
+        if !options[:domain]
+          output("Please specify a domain to assess\n")
+          exit 1
+        end
+
+        @domain     = Aquatone::Domain.new(options[:domain])
+        @assessment = Aquatone::Assessment.new(options[:domain])
+
+        banner("Takeover")
+        prepare_host_dictionary
+        prepare_detectors
+        setup_resolver
+        check_hosts
+        write_to_takeovers_file
+      end
+
+      private
+
+      def prepare_host_dictionary
+        if !@assessment.has_file?("hosts.json")
+          output(red("#{@assessment.path} does not contain hosts.json file\n\n"))
+          output("Did you run aquatone-discover first?\n")
+          exit 1
+        end
+        hosts = JSON.parse(@assessment.read_file("hosts.json"))
+        @hosts = hosts.keys
+        output("Loaded #{bold(@hosts.count)} hosts from #{bold(File.join(@assessment.path, 'hosts.json'))}\n")
+      end
+
+      def prepare_detectors
+        @detectors = Aquatone::Detector.descendants
+        output("Loaded #{bold(@detectors.count)} domain takeover detectors\n\n")
+      end
+
+      def setup_resolver
+        if options[:nameservers]
+          nameservers = options[:nameservers]
+        else
+          output("Identifying nameservers for #{@domain.name}... ")
+          nameservers = @domain.nameservers
+          output("Done\n")
+          if nameservers.empty?
+            output(yellow("#{@domain.name} has no nameservers. Using fallback nameservers.\n\n"))
+            nameservers = []
+          end
+        end
+
+        if !nameservers.empty?
+          output("Using nameservers:\n\n")
+          nameservers.each do |ns|
+            output(" - #{ns}\n")
+          end
+          output("\n")
+        end
+        @resolver = Aquatone::Resolver.new(
+          :nameservers          => nameservers,
+          :fallback_nameservers => options[:fallback_nameservers]
+        )
+      end
+
+      def check_hosts
+        pool                = thread_pool
+        @task_count         = 1
+        @takeovers          = {}
+        @takeovers_detected = 0
+        @start_time         = Time.now.to_i
+        output("Checking hosts for domain takeover vulnerabilities...\n\n")
+        @hosts.each do |host|
+          resource = @resolver.resource(host)
+          next unless valid_resource?(resource)
+          pool.schedule do
+            output_progress if asked_for_progress?
+            @task_count += 1
+            @detectors.each do |detector|
+              next if skip_detector?(detector)
+              detector_instance = detector.new(host, resource)
+              if detector_instance.positive?
+                resource_type  = resource.class.to_s.split("::").last
+                resource_value = resource.is_a?(Resolv::DNS::Resource::IN::CNAME) ? resource.name.to_s : resource.address.to_s
+                output(red("Potential domain takeover detected!\n"))
+                output("#{bold('Host...........:')} #{host}\n")
+                output("#{bold('Service........:')} #{detector.meta[:service]}\n")
+                output("#{bold('Service website:')} #{detector.meta[:service_website]}\n")
+                output("#{bold('Resource.......:')} #{resource_type} #{resource_value}\n")
+                output("\n")
+                @takeovers[host] = {
+                  "service"         => detector.meta[:service],
+                  "service_website" => detector.meta[:service_website],
+                  "description"     => detector.meta[:description],
+                  "resource"        => {
+                    "type"  => resource_type,
+                    "value" => resource_value
+                  }
+                }
+                @takeovers_detected += 1
+                break
+              end
+            end
+          end
+          jitter_sleep
+        end
+        pool.shutdown
+        output("Finished checking hosts:\n\n")
+        output(" - Vulnerable     : #{bold(red(@takeovers_detected))}\n")
+        output(" - Not Vulnerable : #{bold(green(@hosts.count - @takeovers_detected))}\n\n")
+      end
+
+      def write_to_takeovers_file
+        @assessment.write_file("takeovers.json", @takeovers.to_json)
+        output("Wrote #{bold(@takeovers.keys.count)} potential subdomain takeovers to:\n\n")
+        output(" - #{bold('file://' + File.join(@assessment.path, 'takeovers.json'))}\n\n")
+      end
+
+      def output_progress
+        output("Stats: #{seconds_to_time(Time.now.to_i - @start_time)} elapsed; " \
+               "#{@task_count} out of #{@hosts.count} hosts checked (#{@takeovers_detected} takeovers detected); " \
+               "#{(@task_count.to_f / @hosts.count.to_f * 100.00).round(1)}% done\n")
+      end
+
+      def valid_resource?(resource)
+        [Resolv::DNS::Resource::IN::CNAME, Resolv::DNS::Resource::IN::A].include?(resource.class)
+      end
+
+      def skip_detector?(detector)
+        if options[:only_detectors]
+          if options[:only_detectors].include?(detector.sluggified_name)
+            false
+          else
+            true
+          end
+        elsif options[:disable_detectors]
+          if options[:disable_detectors].include?(detector.sluggified_name)
+            true
+          else
+            false
+          end
+        else
+          false
+        end
+      end
+    end
+  end
+end

data/lib/aquatone/detector.rb

@@ -0,0 +1,94 @@
+module Aquatone
+  class Detector
+    class Error < StandardError; end
+    class InvalidMetadataError < Error; end
+    class MetadataNotSetError < Error; end
+
+    attr_reader :host, :resource
+
+    def self.meta
+      @meta || fail(MetadataNotSetError, "Metadata has not been set")
+    end
+
+    def self.meta=(meta)
+      validate_metadata(meta)
+      @meta = meta
+    end
+
+    def self.descendants
+      detectors = ObjectSpace.each_object(Class).select { |klass| klass < self }
+      detectors.sort { |x, y| x.meta[:service] <=> y.meta[:service] }
+    end
+
+    def self.sluggified_name
+      return meta[:slug].downcase if meta[:slug]
+      meta[:service].strip.downcase.gsub(/[^a-z0-9]+/, '-').gsub("--", "-")
+    end
+
+    def initialize(host, resource)
+      @host     = host
+      @resource = resource
+    end
+
+    def run
+      fail NotImplementedError
+    end
+
+    def positive?
+      run
+    rescue
+      false
+    end
+
+    protected
+
+    def cname_resource?
+      resource.is_a?(Resolv::DNS::Resource::IN::CNAME)
+    end
+
+    def apex_resource?
+      resource.is_a?(Resolv::DNS::Resource::IN::A)
+    end
+
+    def resource_value
+      cname_resource? ? resource.name.to_s : resource.address.to_s
+    end
+
+    def get_request(uri, options={})
+      options = {
+        :timeout => 10
+      }.merge(options)
+      Aquatone::HttpClient.get(uri, options)
+    end
+
+    def post_request(uri, body=nil, options={})
+      options = {
+        :body    => body,
+        :timeout => 10
+      }.merge(options)
+      Aquatone::HttpClient.post(uri, options)
+    end
+
+    def url_escape(string)
+      CGI.escape(string)
+    end
+
+    def random_sleep(seconds)
+      random_sleep = ((1 - (rand(30) * 0.01)) * seconds.to_i)
+      sleep(random_sleep)
+    end
+
+    def failure(message)
+      fail Error, message
+    end
+
+    def self.validate_metadata(meta)
+      fail InvalidMetadataError, "Metadata is not a hash" unless meta.is_a?(Hash)
+      fail InvalidMetadataError, "Metadata is empty" if meta.empty?
+      fail InvalidMetadataError, "Metadata is missing key: service" unless meta.key?(:service)
+      fail InvalidMetadataError, "Metadata is missing key: service_website" unless meta.key?(:service_website)
+      fail InvalidMetadataError, "Metadata is missing key: author" unless meta.key?(:author)
+      fail InvalidMetadataError, "Metadata is missing key: description" unless meta.key?(:description)
+    end
+  end
+end

data/lib/aquatone/detectors/campaign_monitor.rb

@@ -0,0 +1,23 @@
+module Aquatone
+  module Detectors
+    class CampaignMonitor < Aquatone::Detector
+      self.meta = {
+        :service         => "Campaign Monitor",
+        :service_website => "https://www.zendesk.com/",
+        :author          => "Michael Henriksen (@michenriksen)",
+        :description     => "Email marketing"
+      }
+
+      CNAME_VALUE          = "name.createsend.com".freeze
+      RESPONSE_FINGERPRINT = "<strong>Trying to access your account?</strong>".freeze
+
+      def run
+        return false unless cname_resource?
+        if resource_value == CNAME_VALUE
+          return get_request("http://#{host}/").body.include?(RESPONSE_FINGERPRINT)
+        end
+        false
+      end
+    end
+  end
+end

data/lib/aquatone/detectors/cargo.rb

@@ -0,0 +1,25 @@
+module Aquatone
+  module Detectors
+    class Cargo < Aquatone::Detector
+      self.meta = {
+        :service         => "Cargo",
+        :service_website => "https://cargocollective.com/",
+        :author          => "Michael Henriksen (@michenriksen)",
+        :description     => "Web publishing platform"
+      }
+
+      APEX_VALUE           = "173.203.204.123".freeze
+      CNAME_VALUE          = "cargocollective.com".freeze
+      RESPONSE_FINGERPRINT = "Use a personal domain name".freeze
+
+      def run
+        if apex_resource?
+          return false unless resource_value == APEX_VALUE
+        elsif cname_resource?
+          return false unless resource_value == CNAME_VALUE
+        end
+        get_request("http://#{host}/").body.include?(RESPONSE_FINGERPRINT)
+      end
+    end
+  end
+end

data/lib/aquatone/detectors/cloudfront.rb

@@ -0,0 +1,23 @@
+module Aquatone
+  module Detectors
+    class Cloudfront < Aquatone::Detector
+      self.meta = {
+        :service         => "Cloudfront",
+        :service_website => "https://aws.amazon.com/cloudfront/",
+        :author          => "Michael Henriksen (@michenriksen)",
+        :description     => "Content delivery network"
+      }
+
+      CNAME_VALUE          = ".cloudfront.net".freeze
+      RESPONSE_FINGERPRINT = "The request could not be satisfied".freeze
+
+      def run
+        return false unless cname_resource?
+        if resource_value.end_with?(CNAME_VALUE)
+          return get_request("http://#{host}/").body.include?(RESPONSE_FINGERPRINT)
+        end
+        false
+      end
+    end
+  end
+end

data/lib/aquatone/detectors/desk.rb

@@ -0,0 +1,23 @@
+module Aquatone
+  module Detectors
+    class Desk < Aquatone::Detector
+      self.meta = {
+        :service         => "Desk",
+        :service_website => "https://www.desk.com/",
+        :author          => "Michael Henriksen (@michenriksen)",
+        :description     => "Customer service and helpdesk ticket software"
+      }
+
+      CNAME_VALUE          = ".desk.com".freeze
+      RESPONSE_FINGERPRINT = "Sorry, We Couldn't Find That Page".freeze
+
+      def run
+        return false unless cname_resource?
+        if resource_value.end_with?(CNAME_VALUE)
+          return get_request("http://#{host}/").body.include?(RESPONSE_FINGERPRINT)
+        end
+        false
+      end
+    end
+  end
+end

data/lib/aquatone/detectors/fastly.rb

@@ -0,0 +1,23 @@
+module Aquatone
+  module Detectors
+    class Fastly < Aquatone::Detector
+      self.meta = {
+        :service         => "Fastly",
+        :service_website => "https://www.fastly.com/",
+        :author          => "Michael Henriksen (@michenriksen)",
+        :description     => "Content delivery network"
+      }
+
+      CNAME_VALUE          = ".fastly.net".freeze
+      RESPONSE_FINGERPRINT = "Fastly error: unknown domain".freeze
+
+      def run
+        return false unless cname_resource?
+        if resource_value.end_with?(CNAME_VALUE)
+          return get_request("http://#{host}/").body.include?(RESPONSE_FINGERPRINT)
+        end
+        false
+      end
+    end
+  end
+end

data/lib/aquatone/detectors/feedpress.rb

@@ -0,0 +1,23 @@
+module Aquatone
+  module Detectors
+    class Feedpress < Aquatone::Detector
+      self.meta = {
+        :service         => "FeedPress",
+        :service_website => "https://feed.press/",
+        :author          => "Michael Henriksen (@michenriksen)",
+        :description     => "Feed analytics and Podcast hosting"
+      }
+
+      CNAME_VALUE          = "redirect.feedpress.me".freeze
+      RESPONSE_FINGERPRINT = "The feed has not been found.".freeze
+
+      def run
+        return false unless cname_resource?
+        if resource_value == CNAME_VALUE
+          return get_request("http://#{host}/").body.include?(RESPONSE_FINGERPRINT)
+        end
+        false
+      end
+    end
+  end
+end

data/lib/aquatone/detectors/freshdesk.rb

@@ -0,0 +1,23 @@
+module Aquatone
+  module Detectors
+    class Freshdesk < Aquatone::Detector
+      self.meta = {
+        :service         => "Freshdesk",
+        :service_website => "https://freshdesk.com/",
+        :author          => "Michael Henriksen (@michenriksen)",
+        :description     => "Customer support software and ticketing system"
+      }
+
+      CNAME_VALUE          = ".freshdesk.com".freeze
+      RESPONSE_FINGERPRINT = "You can claim it now at".freeze
+
+      def run
+        return false unless cname_resource?
+        if resource_value.end_with?(CNAME_VALUE)
+          return get_request("http://#{host}/").body.include?(RESPONSE_FINGERPRINT)
+        end
+        false
+      end
+    end
+  end
+end

data/lib/aquatone/detectors/ghost.rb

@@ -0,0 +1,29 @@
+module Aquatone
+  module Detectors
+    class Ghost < Aquatone::Detector
+      self.meta = {
+        :service         => "Ghost",
+        :service_website => "https://ghost.org/",
+        :author          => "Michael Henriksen (@michenriksen)",
+        :description     => "Publishing platform"
+      }
+
+      CNAME_VALUE          = ".ghost.io".freeze
+      RESPONSE_FINGERPRINT = "The thing you were looking for is no longer here, or never was".freeze
+
+      def run
+        return false unless cname_resource?
+        if resource_value.end_with?(CNAME_VALUE)
+          response = get_request("http://#{host}/",
+            # Set a proper User-Agent to avoid potential CloudFlare CAPTCHA wall
+            :headers => {
+              "User-Agent" => "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
+            }
+          )
+          return response.body.include?(RESPONSE_FINGERPRINT)
+        end
+        false
+      end
+    end
+  end
+end

data/lib/aquatone/detectors/github_pages.rb

@@ -0,0 +1,25 @@
+module Aquatone
+  module Detectors
+    class GithubPages < Aquatone::Detector
+      self.meta = {
+        :service         => "GitHub Pages",
+        :service_website => "https://pages.github.com/",
+        :author          => "Michael Henriksen (@michenriksen)",
+        :description     => "GitHub static website hosting"
+      }
+
+      APEX_VALUES          = %w(192.30.252.153 192.30.252.154).freeze
+      CNAME_VALUE          = ".github.io".freeze
+      RESPONSE_FINGERPRINT = "There isn't a GitHub Pages site here.".freeze
+
+      def run
+        if apex_resource?
+          return false unless APEX_VALUES.include?(resource_value)
+        elsif cname_resource?
+          return false unless resource_value.end_with?(CNAME_VALUE)
+        end
+        get_request("http://#{host}/").body.include?(RESPONSE_FINGERPRINT)
+      end
+    end
+  end
+end

data/lib/aquatone/detectors/helpjuice.rb

@@ -0,0 +1,23 @@
+module Aquatone
+  module Detectors
+    class Helpjuice < Aquatone::Detector
+      self.meta = {
+        :service         => "Helpjuice",
+        :service_website => "https://helpjuice.com/",
+        :author          => "Michael Henriksen (@michenriksen)",
+        :description     => "Knowledge base software"
+      }
+
+      CNAME_VALUE          = ".helpjuice.com".freeze
+      RESPONSE_FINGERPRINT = "<title>No such app</title>".freeze
+
+      def run
+        return false unless cname_resource?
+        if resource_value.end_with?(CNAME_VALUE)
+          return get_request("http://#{host}/").body.include?(RESPONSE_FINGERPRINT)
+        end
+        false
+      end
+    end
+  end
+end

data/lib/aquatone/detectors/helpscout.rb

@@ -0,0 +1,23 @@
+module Aquatone
+  module Detectors
+    class Helpscout < Aquatone::Detector
+      self.meta = {
+        :service         => "Help Scout",
+        :service_website => "https://www.helpscout.net/",
+        :author          => "Michael Henriksen (@michenriksen)",
+        :description     => "Customer service software and education platform"
+      }
+
+      CNAME_VALUE          = ".helpscoutdocs.com".freeze
+      RESPONSE_FINGERPRINT = "No settings were found for this company".freeze
+
+      def run
+        return false unless cname_resource?
+        if resource_value.end_with?(CNAME_VALUE)
+          return get_request("http://#{host}/").body.include?(RESPONSE_FINGERPRINT)
+        end
+        false
+      end
+    end
+  end
+end

data/lib/aquatone/detectors/heroku.rb

@@ -0,0 +1,25 @@
+module Aquatone
+  module Detectors
+    class Heroku < Aquatone::Detector
+      self.meta = {
+        :service         => "Heroku",
+        :service_website => "https://www.heroku.com/",
+        :author          => "Michael Henriksen (@michenriksen)",
+        :description     => "Cloud application platform"
+      }
+
+      CNAME_VALUES         = %w(.herokudns.com .herokussl.com .herokuapp.com).freeze
+      RESPONSE_FINGERPRINT = "<title>No such app</title>".freeze
+
+      def run
+        return false unless cname_resource?
+        CNAME_VALUES.each do |cname_value|
+          if resource_value.end_with?(cname_value)
+            return get_request("http://#{host}/").body.include?(RESPONSE_FINGERPRINT)
+          end
+        end
+        false
+      end
+    end
+  end
+end

data/lib/aquatone/detectors/instapage.rb

@@ -0,0 +1,21 @@
+module Aquatone
+  module Detectors
+    class Instapage < Aquatone::Detector
+      self.meta = {
+        :service         => "Instapage",
+        :service_website => "https://instapage.com/",
+        :author          => "Michael Henriksen (@michenriksen)",
+        :description     => "Landing page platform"
+      }
+
+      CNAME_VALUES          = %w(pageserve.co secure.pageserve.co).freeze
+      RESPONSE_FINGERPRINT = "You've Discovered A Missing Link. Our Apologies!".freeze
+
+      def run
+        return false unless cname_resource?
+        return false unless CNAME_VALUES.include?(resource_value)
+        get_request("http://#{host}/").body.include?(RESPONSE_FINGERPRINT)
+      end
+    end
+  end
+end

data/lib/aquatone/detectors/pingdom.rb

@@ -0,0 +1,21 @@
+module Aquatone
+  module Detectors
+    class Pingdom < Aquatone::Detector
+      self.meta = {
+        :service         => "Pingdom",
+        :service_website => "https://www.pingdom.com/",
+        :author          => "Michael Henriksen (@michenriksen)",
+        :description     => "Website and performance monitoring"
+      }
+
+      CNAME_VALUE          = "stats.pingdom.com".freeze
+      RESPONSE_FINGERPRINT = "Sorry, couldn&rsquo;t find the status page".freeze
+
+      def run
+        return false unless cname_resource?
+        return false unless resource_value == CNAME_VALUE
+        get_request("http://#{host}/").body.include?(RESPONSE_FINGERPRINT)
+      end
+    end
+  end
+end

data/lib/aquatone/detectors/s3.rb

@@ -0,0 +1,23 @@
+module Aquatone
+  module Detectors
+    class S3 < Aquatone::Detector
+      self.meta = {
+        :service         => "Amazon S3",
+        :service_website => "https://aws.amazon.com/s3/",
+        :author          => "Michael Henriksen (@michenriksen)",
+        :description     => "Cloud storage"
+      }
+
+      CNAME_VALUE          = ".amazonaws.com".freeze
+      RESPONSE_FINGERPRINT = "NoSuchBucket".freeze
+
+      def run
+        return false unless cname_resource?
+        if resource_value.end_with?(CNAME_VALUE)
+          return get_request("http://#{host}/").body.include?(RESPONSE_FINGERPRINT)
+        end
+        false
+      end
+    end
+  end
+end

data/lib/aquatone/detectors/shopify.rb

@@ -0,0 +1,25 @@
+module Aquatone
+  module Detectors
+    class Shopify < Aquatone::Detector
+      self.meta = {
+        :service         => "Shopify",
+        :service_website => "https://www.shopify.com/",
+        :author          => "Michael Henriksen (@michenriksen)",
+        :description     => "Ecommerce platform"
+      }
+
+      APEX_VALUE           = "23.227.38.32".freeze
+      CNAME_VALUE          = "shops.myshopify.com".freeze
+      RESPONSE_FINGERPRINT = "Sorry, this shop is currently unavailable.".freeze
+
+      def run
+        if apex_resource?
+          return false unless resource_value == APEX_VALUE
+        elsif cname_resource?
+          return false unless resource_value == CNAME_VALUE
+        end
+        get_request("http://#{host}/").body.include?(RESPONSE_FINGERPRINT)
+      end
+    end
+  end
+end

data/lib/aquatone/detectors/statuspage.rb

@@ -0,0 +1,23 @@
+module Aquatone
+  module Detectors
+    class Statuspage < Aquatone::Detector
+      self.meta = {
+        :service         => "StatusPage",
+        :service_website => "https://www.statuspage.io/",
+        :author          => "Michael Henriksen (@michenriksen)",
+        :description     => "Status page hosting"
+      }
+
+      CNAME_VALUE          = ".stspg-customer.com".freeze
+      RESPONSE_FINGERPRINT = "<title>Hosted Status Pages for Your Company</title>".freeze
+
+      def run
+        return false unless cname_resource?
+        if resource_value.end_with?(CNAME_VALUE)
+          return get_request("http://#{host}/").body.include?(RESPONSE_FINGERPRINT)
+        end
+        false
+      end
+    end
+  end
+end

data/lib/aquatone/detectors/surveygizmo.rb

@@ -0,0 +1,25 @@
+module Aquatone
+  module Detectors
+    class Surveygizmo < Aquatone::Detector
+      self.meta = {
+        :service         => "SurveyGizmo",
+        :service_website => "https://www.surveygizmo.com/",
+        :author          => "Michael Henriksen (@michenriksen)",
+        :description     => "Online survey software"
+      }
+
+      CNAME_VALUES          = %w(privatedomain.sgizmo.com privatedomain.surveygizmo.eu privatedomain.sgizmoca.com).freeze
+      RESPONSE_FINGERPRINT = 'data-html-name="Header Logo Link"'.freeze
+
+      def run
+        return false unless cname_resource?
+        CNAME_VALUES.each do |cname_value|
+          if resource_value == cname_value
+            return get_request("http://#{host}/").body.include?(RESPONSE_FINGERPRINT)
+          end
+        end
+        false
+      end
+    end
+  end
+end

data/lib/aquatone/detectors/teamwork.rb

@@ -0,0 +1,23 @@
+module Aquatone
+  module Detectors
+    class Teamwork < Aquatone::Detector
+      self.meta = {
+        :service         => "Teamwork",
+        :service_website => "https://www.teamwork.com/",
+        :author          => "Michael Henriksen (@michenriksen)",
+        :description     => "Project management, help desk and chat software"
+      }
+
+      CNAME_VALUE          = ".teamwork.com".freeze
+      RESPONSE_FINGERPRINT = "<title>Oops - We didn't find your site.</title>".freeze
+
+      def run
+        return false unless cname_resource?
+        if resource_value.end_with?(CNAME_VALUE)
+          return get_request("http://#{host}/").body.include?(RESPONSE_FINGERPRINT)
+        end
+        false
+      end
+    end
+  end
+end

data/lib/aquatone/detectors/tictail.rb

@@ -0,0 +1,25 @@
+module Aquatone
+  module Detectors
+    class Tictail < Aquatone::Detector
+      self.meta = {
+        :service         => "Tictail",
+        :service_website => "https://tictail.com/",
+        :author          => "Michael Henriksen (@michenriksen)",
+        :description     => "Social shopping platform"
+      }
+
+      APEX_VALUE           = "46.137.181.142".freeze
+      CNAME_VALUE          = "domains.tictail.com".freeze
+      RESPONSE_FINGERPRINT = 'class="MarketplaceHeader__tictailLogo"'.freeze
+
+      def run
+        if apex_resource?
+          return false unless resource_value == APEX_VALUE
+        elsif cname_resource?
+          return false unless resource_value == CNAME_VALUE
+        end
+        get_request("http://#{host}/").body.include?(RESPONSE_FINGERPRINT)
+      end
+    end
+  end
+end

data/lib/aquatone/detectors/tumblr.rb

@@ -0,0 +1,25 @@
+module Aquatone
+  module Detectors
+    class Tumblr < Aquatone::Detector
+      self.meta = {
+        :service         => "Tumblr",
+        :service_website => "https://www.tumblr.com/",
+        :author          => "Michael Henriksen (@michenriksen)",
+        :description     => "Microblogging and social networking platform"
+      }
+
+      APEX_VALUE           = "66.6.44.4".freeze
+      CNAME_VALUE          = "domains.tumblr.com".freeze
+      RESPONSE_FINGERPRINT = "Whatever you were looking for doesn't currently exist at this address.".freeze
+
+      def run
+        if apex_resource?
+          return false unless resource_value == APEX_VALUE
+        elsif cname_resource?
+          return false unless resource_value == CNAME_VALUE
+        end
+        get_request("http://#{host}/").body.include?(RESPONSE_FINGERPRINT)
+      end
+    end
+  end
+end

data/lib/aquatone/detectors/unbounce.rb

@@ -0,0 +1,25 @@
+module Aquatone
+  module Detectors
+    class Unbounce < Aquatone::Detector
+      self.meta = {
+        :service         => "Unbounce",
+        :service_website => "https://unbounce.com/",
+        :author          => "Michael Henriksen (@michenriksen)",
+        :description     => "Landing page builder and conversion marketing platform"
+      }
+
+      APEX_VALUE           = "54.84.104.245".freeze
+      CNAME_VALUE          = "unbouncepages.com".freeze
+      RESPONSE_FINGERPRINT = "The requested URL was not found on this server.".freeze
+
+      def run
+        if apex_resource?
+          return false unless resource_value == APEX_VALUE
+        elsif cname_resource?
+          return false unless resource_value == CNAME_VALUE
+        end
+        get_request("http://#{host}/").body.include?(RESPONSE_FINGERPRINT)
+      end
+    end
+  end
+end

data/lib/aquatone/detectors/uservoice.rb

@@ -0,0 +1,29 @@
+module Aquatone
+  module Detectors
+    class Uservoice < Aquatone::Detector
+      self.meta = {
+        :service         => "UserVoice",
+        :service_website => "https://www.uservoice.com/",
+        :author          => "Michael Henriksen (@michenriksen)",
+        :description     => "Product management software"
+      }
+
+      CNAME_VALUE           = ".uservoice.com".freeze
+      RESPONSE_FINGERPRINTS = [
+        "The page you have requested does not exist.",
+        "This UserVoice subdomain is currently available!"
+      ].freeze
+
+      def run
+        return false unless cname_resource?
+        if resource_value.end_with?(CNAME_VALUE)
+          response = get_request("http://#{host}/")
+          RESPONSE_FINGERPRINTS.each do |fingerprint|
+            return true if response.body.include?(fingerprint)
+          end
+        end
+        false
+      end
+    end
+  end
+end

data/lib/aquatone/detectors/wpengine.rb

@@ -0,0 +1,25 @@
+module Aquatone
+  module Detectors
+    class Wpengine < Aquatone::Detector
+      self.meta = {
+        :service         => "WPEngine",
+        :service_website => "https://wpengine.com/",
+        :author          => "Michael Henriksen (@michenriksen)",
+        :description     => "WordPress blog hosting"
+      }
+
+      APEX_VALUE           = "130.211.160.56".freeze
+      CNAME_VALUE          = ".wpengine.com".freeze
+      RESPONSE_FINGERPRINT = "but is not configured for an account on our platform.".freeze
+
+      def run
+        if apex_resource?
+          return false unless resource_value == APEX_VALUE
+        elsif cname_resource?
+          return false unless resource_value.end_with?(CNAME_VALUE)
+        end
+        get_request("http://#{host}/").body.include?(RESPONSE_FINGERPRINT)
+      end
+    end
+  end
+end

data/lib/aquatone/detectors/zendesk.rb

@@ -0,0 +1,23 @@
+module Aquatone
+  module Detectors
+    class Zendesk < Aquatone::Detector
+      self.meta = {
+        :service         => "Zendesk",
+        :service_website => "https://www.zendesk.com/",
+        :author          => "Michael Henriksen (@michenriksen)",
+        :description     => "Customer service software and support ticket system"
+      }
+
+      CNAME_VALUE          = ".zendesk.com".freeze
+      RESPONSE_FINGERPRINT = "<title>Help Center Closed | Zendesk</title>".freeze
+
+      def run
+        return false unless cname_resource?
+        if resource_value.end_with?(CNAME_VALUE)
+          return get_request("http://#{host}/").body.include?(RESPONSE_FINGERPRINT)
+        end
+        false
+      end
+    end
+  end
+end

data/lib/aquatone/port_lists.rb

@@ -26,7 +26,7 @@ module Aquatone
         return self::MEDIUM
       when "large"
         return self::LARGE
-      when "huge"
+      when "huge", "xlarge"
         return self::HUGE
       else
         fail UnknownPortListName, "Unknown port list name: #{name}"

data/lib/aquatone/resolver.rb

@@ -22,6 +22,20 @@ module Aquatone
       nil
     end
 
+    def resource(host)
+      resource = resource_with_nameserver(host,
+        Resolv::DNS::Resource::IN::CNAME) ||
+      resource_with_fallback_nameserver(host,
+        Resolv::DNS::Resource::IN::CNAME)
+      if !resource
+        resource = resource_with_nameserver(host,
+          Resolv::DNS::Resource::IN::A) ||
+        resource_with_fallback_nameserver(host,
+          Resolv::DNS::Resource::IN::A)
+      end
+      resource
+    end
+
     private
 
     def resolve_with_nameserver(host)
@@ -32,6 +46,14 @@ module Aquatone
       _resolve(host, options[:fallback_nameservers].sample)
     end
 
+    def resource_with_nameserver(host, typeclass)
+      _resource(host, typeclass, options[:nameservers].sample)
+    end
+
+    def resource_with_fallback_nameserver(host, typeclass)
+      _resource(host, typeclass, options[:fallback_nameservers].sample)
+    end
+
     def _resolve(host, nameserver_ip)
       nameserver = Resolv::DNS.new(:nameserver => nameserver_ip).tap do |ns|
         ns.timeouts = options[:timeout]
@@ -43,5 +65,17 @@ module Aquatone
       nameserver.close
       nil
     end
+
+    def _resource(host, typeclass, nameserver_ip)
+      nameserver = Resolv::DNS.new(:nameserver => nameserver_ip).tap do |ns|
+        ns.timeouts = options[:timeout]
+      end
+      resource = nameserver.getresource(host, typeclass)
+      nameserver.close
+      resource
+    rescue Resolv::ResolvError
+      nameserver.close
+      nil
+    end
   end
 end

data/lib/aquatone/version.rb

@@ -1,3 +1,3 @@
 module Aquatone
-  VERSION = "0.2.0".freeze
+  VERSION = "0.3.0".freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aquatone
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Michael Henriksen
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2017-06-25 00:00:00.000000000 Z
+date: 2017-07-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: httparty
@@ -87,6 +87,7 @@ executables:
 - aquatone-discover
 - aquatone-gather
 - aquatone-scan
+- aquatone-takeover
 extensions: []
 extra_rdoc_files: []
 files:
@@ -103,6 +104,7 @@ files:
 - exe/aquatone-discover
 - exe/aquatone-gather
 - exe/aquatone-scan
+- exe/aquatone-takeover
 - lib/aquatone.rb
 - lib/aquatone/assessment.rb
 - lib/aquatone/browser.rb
@@ -124,6 +126,33 @@ files:
 - lib/aquatone/commands/discover.rb
 - lib/aquatone/commands/gather.rb
 - lib/aquatone/commands/scan.rb
+- lib/aquatone/commands/takeover.rb
+- lib/aquatone/detector.rb
+- lib/aquatone/detectors/campaign_monitor.rb
+- lib/aquatone/detectors/cargo.rb
+- lib/aquatone/detectors/cloudfront.rb
+- lib/aquatone/detectors/desk.rb
+- lib/aquatone/detectors/fastly.rb
+- lib/aquatone/detectors/feedpress.rb
+- lib/aquatone/detectors/freshdesk.rb
+- lib/aquatone/detectors/ghost.rb
+- lib/aquatone/detectors/github_pages.rb
+- lib/aquatone/detectors/helpjuice.rb
+- lib/aquatone/detectors/helpscout.rb
+- lib/aquatone/detectors/heroku.rb
+- lib/aquatone/detectors/instapage.rb
+- lib/aquatone/detectors/pingdom.rb
+- lib/aquatone/detectors/s3.rb
+- lib/aquatone/detectors/shopify.rb
+- lib/aquatone/detectors/statuspage.rb
+- lib/aquatone/detectors/surveygizmo.rb
+- lib/aquatone/detectors/teamwork.rb
+- lib/aquatone/detectors/tictail.rb
+- lib/aquatone/detectors/tumblr.rb
+- lib/aquatone/detectors/unbounce.rb
+- lib/aquatone/detectors/uservoice.rb
+- lib/aquatone/detectors/wpengine.rb
+- lib/aquatone/detectors/zendesk.rb
 - lib/aquatone/domain.rb
 - lib/aquatone/http_client.rb
 - lib/aquatone/key_store.rb