Hey guys, this is me @dheerajydv19 and in today’s blog, we will learn everything you need to know about subdomain takeover. I have read almost 25 reports on this today, and this blog is based on my findings from those reports only.
What is Subdomain Takeover?
Subdomain Takeover is the vulnerability that arises when hackers claim a subdomain of any website which was connected to any third party like GitHub, aws, bitbucket, etc. Let’s understand it by co-relating with a real-world scenario.
Let’s imagine, one day you received an email that says that Paypal has recently gone via a data breach due to which millions of people’s data is at risk and we hereby request that you change your password via the below reset link as early as possible. Let’s imagine the link is
form.paypal.com/reset-password, as you can see it is from paypal.com which is the actual domain and you trusted it and clicked on the link, enters your email, and password, and changing your password. The website showed a popup password was reset successfully, you have gone to sleep, next day, you logged in and see your 100$ balance is transferred.
Can you guess, what could possibly have gone wrong?
Let me describe what has possibly gone wrong, in most of the cases what actually happens, attackers gains control of a subdomain of a website that was pointing to an external service, but the external service associated with the domain has been deleted, misconfigured or is no longer in use. So, what malicious threat actors(attackers) do is claim these subdomains,s and since they have full control over these subdomains, they host malicious content on these subdomains and abuse the trust of the visitors.
In the above situation, what possible the attacker would have done is, he had gained control of any subdomain, he hosted a fake password reset page on that, and collected the user’s data, which he later on used for money theft.
Let’s now learn, how we can do the subdomain takeover.
Subdomain Takeover Process -
Choose your target -
Choose your target wisely, most probably prefer the target that states wide scope or the one that are less popular, since it’s considered a long-hanging fruit, so the better unique your target, the more chances of finding the subdomain takeover(just my opinion, it totally depends on a lot of factors). , let’s imagine the target website is hosted at domain example.com.
Gather all the subdomains of the target website using techniques/tools of your choice. Some tools you can use are subfinder,sublist3r, amass, etc. You can read more about subdomain enumeration for large-scale reconnaissance in my last blog using the below link
I always prefer collecting as many subdomains as I can using multiple tools one by one.
Identify external services -
Here, we try to find if all the subdomains which points to dns/cname record to any third-party(external) service. You can do this via …
Once you found all the subdomains which are associated with external services, filter them out while testing for subdomain takeover.
Checking for vulnerable subdomains -
This can be done in two ways, first manually visiting all the websites in which you will pay attention to the data the website displayed and checking for traces of vulnerable external services. You can use use the “can-i-take-over-xyz” project for reference.
Report findings -
Once you are sure about the subdomain that it’s vulnerable, claim it and report it to the owner of the website via a bug bounty program if they have any or vdp or by doing a mail to their security team.
This is what subdomain takeover is all about, once I hit my first bounty via subdomain takeover, I will write a blog subdomain takeover:The Practical Way with all tools, commands, and everything else you need to know while hunting.
Can I takeover every subdomain that is pointing to any external services and not is being used?
No, you cant take takeover every subdomain which is not in use and pointing to any external service, as not all external services are available. Some external services require verification, hence we can’t takeover the subdomains which are pointing to them even if it looks like they are vulnerable. You can take reference from the below two GitHub repo for checking if the services are vulnerable.
If any services are not in the list of these two, give it a try, maybe you found something new which is vulnerable.
What tools can I use for subdomain enumeration?
You can use the below tools for subdomain enumeration.
Amass, SubBrute, Knock, DNSRecon, Subfinder, Sublist3r, etc.
Can I make this process faster somehow?
Yes, by using aquatone
That’s it for today’s blog, will continue writing more amazing blogs, especially on osint and bug hunting and a few other topics, too. Show your support by following me on Twitter.
Follow me on Twitter: https://twitter.com/Dheerajydv19