Subdomain Takeover.md

What is Subdomain Takeover?

A subdomain takeover is a type of cyber attack in which an attacker is able to gain control of a subdomain that is no longer in use by its intended owner. This can occur when a company or organization stops using a subdomain but fails to properly remove it from the internet, leaving it available for someone else to claim.

How can this happen?

  • One way a subdomain takeover can happen is when a company uses a third-party service such as cloud hosting, a Content Delivery Network (CDN) or a DNS service to host part of its website. If the company discontinues the service but does not remove the DNS entries pointing to it, an attacker can claim the resource at the provider and point the subdomain to their own server.

  • Another way subdomain takeovers happen is when a subdomain has a CNAME record pointing to a domain the company no longer controls. If that record is never updated, an attacker can register or claim the target domain and so control where the subdomain resolves.

How can attackers use this?

The attacker can then use the subdomain to host malicious content, phishing pages, or even launch further attacks against the original domain and its visitors. For example, an attacker could use a subdomain takeover to redirect visitors to a fake login page, in order to steal their credentials. They can also use a compromised subdomain to bypass security measures put in place by the original domain, making it difficult to detect the attack.

How to prevent subdomain takeover?

To prevent a subdomain takeover, companies and organizations should ensure that all subdomains are properly removed from the internet when they are no longer in use. This includes removing DNS entries, deactivating any associated accounts, and revoking any API keys or access tokens.

Step 1: Subdomain Enumeration

The first step in a subdomain takeover is to identify potential targets. This is typically done through subdomain enumeration. Subdomains are essentially separate parts of a larger domain that can be used to direct traffic to specific servers or applications. By identifying subdomains that are no longer in use, an attacker can potentially take control of them and use them to host their own malicious content.

There are several tools that can be used for subdomain enumeration, including:

  1. Subfinder
  2. Assetfinder
  3. Subdomainizer
  4. Sublist3r
  5. Findomain

Step 2: Identifying Live Subdomains

Once potential targets have been identified through subdomain enumeration, the next step is to determine which of those subdomains are actually live and accessible. This is important because attempting to take over a subdomain that is not live will not be effective.

To use httpx and httprobe, run the following commands:

  1. cat domains.txt | httprobe > livesub.txt (find live subdomains and save them)
  2. cat domains.txt | httprobe --prefer-https (keep only the https result where both schemes respond)
  3. cat livesub.txt | httpx
  4. httpx -l livesub.txt -sc -mc 200 (show status codes and keep only hosts returning 200)

Step 3: Checking for Subdomain Takeover Vulnerabilities

  • Once the live subdomains have been identified, the next step is to determine whether any of them are vulnerable to takeover. One way to do this is with the Nuclei takeover templates.

  • Nuclei is an open-source project that provides a framework for fast and customisable vulnerability scanning. It includes a variety of templates for identifying vulnerabilities in web applications, including takeover templates that can be used to identify subdomain takeover vulnerabilities.

To run Nuclei against the list of live subdomains with a takeover template, run:

  • nuclei -l livesub.txt -t /home/kali/Downloads/detect-all-takeovers.yaml

Step 4: How to check for subdomain takeover vulnerabilities on single or multiple targets

Subzy is a subdomain takeover tool that can be used to check one domain, or a list of domains, for subdomain takeover vulnerabilities.

Installation

  1. git clone https://github.com/PentestPad/subzy.git
  2. cd subzy
  3. go build -o subzy main.go
  4. ./subzy run --target example.com (single domain)
  5. ./subzy run --targets list.txt (list of domains, one per line)

Methods to find subdomain takeover:

  1. Enumerate all the subdomains using subfinder, assetfinder, amass, findomain, puredns, dnsx, Sublist3r, etc.

  2. Combine all the subdomains found by the above tools into one text file, e.g. subdomains.txt.

  3. Find live subdomains from that list using httprobe or httpx and save them in a text file, e.g. livesubdomains.txt.

  4. Then run the ProjectDiscovery Nuclei subdomain takeover template over the live list to find vulnerable hosts.

  5. That's all; it will list the possibly vulnerable hosts, if any.

  6. Now, find the CNAME of the vulnerable host using one of the following:

  • dig sub.example.com
  • nslookup sub.example.com

  7. Check whether the subdomain has a CNAME pointing to a service that has not yet been claimed (usually a 404 Not Found response), then search for "something.com subdomain takeover", where something.com is the CNAME target. If you cannot find what you need, go to https://something.com; the cloud provider's site will usually explain how to connect a custom domain to its service.
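As an added example (not part of the original page), here is a defender-side audit that turns the prevention advice above and the CNAME check in step 6 into code: it parses a BIND-style zone export and reports CNAME records whose target no longer resolves, which is exactly the dangling state a takeover needs. The zone contents, hostnames and the pluggable resolver hook are assumptions constructed for illustration.

```python
import socket

# Constructed sample zone export (BIND-style); names are illustrative only.
SAMPLE_ZONE = """
www.example.com.   300 IN CNAME example.com.
blog.example.com.  300 IN CNAME old-blog.hosting-provider.example.net.
shop.example.com.  300 IN A     203.0.113.10
cdn.example.com.   300 IN CNAME assets.cdn-provider.example.net.
"""


def parse_cnames(zone_text):
    """Return (owner, target) pairs for every CNAME record in a zone export."""
    records = []
    for line in zone_text.splitlines():
        parts = line.split()
        # Row layout: owner ttl class type rdata; only CNAME rows matter here.
        if len(parts) >= 5 and parts[2].upper() == "IN" and parts[3].upper() == "CNAME":
            records.append((parts[0].rstrip("."), parts[4].rstrip(".")))
    return records


def resolves(name):
    """Live check: True if the name still has an address record."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def find_dangling(zone_text, resolver=resolves):
    """Return CNAME records whose target no longer resolves.

    A CNAME whose target returns NXDOMAIN is the precondition described on this
    page: the provider-side resource was removed but the DNS record was left
    behind. Delete such records (or re-claim the target) before anyone else can.
    The resolver argument is a hook (an assumption) so the check can be run
    against a fixed answer set in tests instead of live DNS.
    """
    return [(owner, target)
            for owner, target in parse_cnames(zone_text)
            if not resolver(target)]


if __name__ == "__main__":
    for owner, target in find_dangling(SAMPLE_ZONE):
        print(f"dangling CNAME: {owner} -> {target}")
```

Run it periodically against your real zone export; any line it prints is a record to remove or re-point before the subdomain is retired.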