SubT-Cloak is an advanced subdomain takeover analysis and cloaking simulation tool designed for red teamers, bug bounty hunters, and defenders alike. It expands traditional takeover scanning by introducing stealth, persistence, a 86D9 nd deception into the equation.
🔹 --cloak Mode (Attacker Simulation)
- Simulates evasive takeover behavior
- Rotate status codes (200/403/404/503)
- Fake HTTP headers (remove fingerprints)
- Serve realistic spoofed HTML templates
- DNS cloaking simulation toggle (coming soon)
🔹 --detect-evade Mode (Defender Scanner)
- Detect evasive takeovers missed by traditional tools
- Analyze header anomalies, content hashes, status code rotation
- CNAME resolution and fingerprinting
- YAML output format
git clone https://github.com/tegal1337/subt-cloak.git
cd subt-cloak
go build -o subt-cloak main.go./subt-cloak --cloak --template github --rotate-status --fake-headers./subt-cloak --detect-evade --input domains.txt --output result.yamlchmod +x run-takeover.sh
./run-takeover.sh targetdomain.comGenerates:
- All subdomains from subfinder
- Probes live with httpx
- Filters evasive takeovers
- cname: github.io
status_code: 200
status: vulnerable can be takeover!
headers:
- Server: GitHub.com
content:
- "There isn't a GitHub Pages site here."
evasion_signatures:
- fake-200-response
- stripped-headerssubt-cloak/
├── main.go
├── scanner/
│ ├── cloak.go
│ ├── detect.go
│ └── utils.go
├── templates/
│ ├── github.html
│ └── heroku.html
├── fingerprints/
│ └── services.yaml
├── run-takeover.sh
└── README.md
This tool is based on the research paper:
"SubT-Cloak: Persistent Subdomain Takeover via Stealth and Deception" (For Black Hat Submission 2026)
MIT License. Feel free to fork, adapt, or contribute.
@tegal1337 | Security Researcher | TegalSec