Subdomain Takeover

Active discovery

Sublistr
DNSRecon
Amass
Ffuf

ffuf -u <target> -w /path/to/wordlist.txt -H "Host: FUZZ.target.com" -fs <size-filter>

Explanation

Domain name (sub.example.com) uses a CNAME record for another domain (sub.example.com CNAME anotherdomain.com).
At some point, anotherdomain.com expires and is available for anyone's registration.
Since the CNAME record is not removed from the DNS zone of example.com, anyone who records anotherdomain.com has full control over sub.example.com until the DNS record is present.

Subdomain Takeover is a malicious activity that the victim’s subdomain allows attackers to control and impersonate.

Automation

First we need to enumerate subdomains. See Subdomain Discovery for doing that. Then we can httpx for checking HTTP response status for each subdomain.

httpx

https://github.com/projectdiscovery/httpx

# -title: Display page title
# -wc: Display response body word count
# -sc: Display response status-code
# -cl: Display response content-length
# -ct: Display response content-type
# -location: Display response redirect location
# -web-server: Display server name
# -asn: Display host ASN information
# -o: Output
cat domains.txt | httpx -title -wc -sc -cl -ct -location -web-server -asn -o alive-subdomains.txt

# Resume Scan (-resume)
# You can resume the scan using `resume.cfg`.
cat domains.txt | httpx -title -wc -sc -cl -ct -location -web-server -asn -o alive-subdomains.txt -resume resume.cfg

Can I Take Over XYZ?

See https://github.com/EdOverflow/can-i-take-over-xyz to check if the provider allows us to register subdomains.

CNAME Subdomain Takeover

1. Identify Misconfigurations for Subdomains

Check DNS records for identifying what’s on the destination of the subdomain.

dig sub.example.com ANY
dig sub.example.com CNAME

If the HEADER status is NXDOMAIN error in the result, subdomain takeover might be possible. Also we can try to access them with web browser or command-line:

# -L: Follow redirect
# -v: Verbose mode
curl -Lv app.example.com
curl -v cloud.example.com
curl -v mail.example.com

2. Spoof with the Subdomain

If a certain subdomain can be accessible but the error page of the specific provider (e.g. GitHub, Google Cloud, Wix, etc.) appeared, it means that the subdomain of the settings in the service provider was removed but the DNS record (e.g. A, CNAME) remains yet.

In short, attackers can spoof as a legitimate site by claiming this subdomain in the provider.

Here’s an abstract example:

Login the target provider.
Create a malicious website.
Add the target subdomain (e.g. app.example.com) as custom domain in the setting page.
If users visit app.example.com, they have now visited a malicious website created by an attacker.

NS Subdomain Takeover

It’s more dangerous If NS record is vulnerable because if the nameserver is taken over, an attacker can take full control of victim’s domains.

To gather NS records for the target domain, use dig command.

dig example.com +short NS

# Result examples
ns-100.abcde.org
ns-120.abcde.co.uk

Next, check if the gathered domains can be purchased with domain name registrar like GoDaddy, NameCheap.

For example, search [abcde.org](http://abcde.org) in the domain search page of NameCheap. If this domain can be purchased, attackers can buy this domain then take control the name resolution of a victim by creating the custom nameserver which pointed to this domain.

References

Resources

Subdomain Takeover: Proof Creation for Bug BountiesPatrik Hudak

GitHub - EdOverflow/can-i-take-over-xyz: "Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.GitHub

PreviousSubdomain Enum NextDNS (Domain Name Systems) Pentesting

Last updated 1 month ago

hashtagActive discovery

hashtagExplanation

hashtagAutomation

hashtaghttpx

hashtagCan I Take Over XYZ?

hashtagCNAME Subdomain Takeover

hashtag1. Identify Misconfigurations for Subdomains

hashtag2. Spoof with the Subdomain

hashtagNS Subdomain Takeover

hashtagReferences

hashtagResources