
Subdomain Takeover Attack

In this post I briefly describe a method that can be used when testing for subdomain takeover. First, let us understand what a subdomain takeover is.

Introduction:

Subdomain takeover is a situation where a malicious user is able to claim a subdomain of a legitimate site, because a DNS record for that subdomain still points at a resource the malicious user can register.

Figure 1: Subdomain Illustration

Let us take a typical example to understand it better.

Attack Scenario:

  1. A company owns the website xyz.com and starts using a new external service, such as WordPress, for hosting its blog.
  2. The company registers the subdomain newblog.xyz.com for this service and creates a CNAME record for newblog.xyz.com that points to the WordPress-hosted site.
  3. After a few years, the company stops using the WordPress service but forgets to remove the CNAME record from its DNS zone.
  4. A malicious user can create a WordPress account that claims the hostname the dangling CNAME record points to, thereby taking over the subdomain.
  5. All traffic to newblog.xyz.com is then directed to the malicious user's site.

Potential Impact:

A malicious user can build a look-alike of the real site on the taken-over subdomain and post malicious content there, which can lead to the spread of malware, theft of users' credentials, and so on.

Remediation:

Keep your DNS records up to date. Remove any CNAME record that is no longer in use, so that the subdomain no longer resolves to a resource someone else can claim.

How to Identify:

When a subdomain is vulnerable to takeover, it usually returns a 404 error, meaning that there is no content on the server for that hostname.

There are many tools available to automate the host and whois enumeration process. However, I use the tools below for faster enumeration and exploitation:

  1. Sublist3r https://github.com/aboul3la/Sublist3r
  2. SubOver https://github.com/Ice3man543/SubOver

The first task is to build the list of subdomains for a given target domain. To do this, run Sublist3r. Save the resulting subdomains in a text file. Now you can start using SubOver.

Here is the syntax for SubOver: ./SubOver -l subdomains.txt

It can detect and report potential subdomain takeovers. Currently, it checks for more than 40 potentially hijackable services; the list of services is on the GitHub page above.
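The check that SubOver automates can be reduced to a DNS audit that the owner of a zone can run over their own subdomains. Here is an added example (my own code, not from the original post and not from Sublist3r or SubOver) that follows each subdomain's CNAME chain against a constructed, in-memory DNS snapshot and flags records whose target no longer exists; the flagged names are also the cleanup list the Remediation section asks for. The provider suffix list, the `example-pages.net` host and the `lookup` function are assumptions for illustration; in practice `lookup` would call a real resolver and the input would be the Sublist3r output file.

```python
"""Dangling-CNAME audit over a list of subdomains (added example; not code
from the original post or from Sublist3r/SubOver).

The zone data below is a constructed snapshot so the script runs offline;
in practice replace `lookup` with a real resolver (dnspython's
dns.resolver, for instance) and feed it the Sublist3r output file.
"""
from dataclasses import dataclass

# Constructed DNS snapshot: name -> (record type, value), or None for NXDOMAIN.
SAMPLE_DNS = {
    "www.xyz.com": ("A", "203.0.113.10"),
    # Stale blog record from the scenario above: the WordPress site is gone.
    "newblog.xyz.com": ("CNAME", "xyzblog.wordpress.com"),
    "xyzblog.wordpress.com": None,
    # Active third-party hosting (provider name is made up for the example).
    "docs.xyz.com": ("CNAME", "xyz-docs.example-pages.net"),
    "xyz-docs.example-pages.net": ("A", "198.51.100.7"),
    # Internal CNAME whose target was decommissioned.
    "shop.xyz.com": ("CNAME", "old-shop.xyz.com"),
    "old-shop.xyz.com": None,
}

# Provider suffixes where an unresolvable CNAME target may be re-registrable
# by anyone. Constructed list; SubOver's fingerprint list is the fuller one.
THIRD_PARTY_SUFFIXES = ("wordpress.com", "example-pages.net")


@dataclass
class Finding:
    name: str
    chain: list   # names visited while following CNAMEs
    status: str   # ok | nxdomain | third-party-active |
                  # dangling-third-party | dangling-internal | loop
    note: str


def lookup(name, dns):
    """Return (rtype, value) or None when the name does not exist."""
    return dns.get(name.rstrip("."))


def is_third_party(host, suffixes=THIRD_PARTY_SUFFIXES):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def follow(name, dns, max_hops=8):
    """Follow the CNAME chain from `name`; return (chain, terminal record).

    The terminal record is None for NXDOMAIN, or ("LOOP", host) when the
    chain revisits a name or exceeds max_hops.
    """
    chain, current = [name], name
    for _ in range(max_hops):
        rec = lookup(current, dns)
        if rec is None or rec[0] != "CNAME":
            return chain, rec
        current = rec[1]
        if current in chain:
            return chain + [current], ("LOOP", current)
        chain.append(current)
    return chain, ("LOOP", current)


def classify(name, dns):
    chain, rec = follow(name, dns)
    if rec is not None and rec[0] == "LOOP":
        return Finding(name, chain, "loop", "CNAME chain loops; fix the zone")
    if len(chain) == 1:  # no CNAME involved
        if rec is None:
            return Finding(name, chain, "nxdomain", "name does not exist")
        return Finding(name, chain, "ok", f"direct {rec[0]} record")
    target = chain[-1]
    third = is_third_party(target)
    if rec is None and third:
        return Finding(name, chain, "dangling-third-party",
                       f"{target} no longer exists at a third-party host; "
                       "remove the CNAME before anyone re-registers it")
    if rec is None:
        return Finding(name, chain, "dangling-internal",
                       f"{target} does not resolve; remove the stale CNAME")
    if third:
        return Finding(name, chain, "third-party-active",
                       f"hosted externally at {target}; keep in inventory")
    return Finding(name, chain, "ok", f"resolves via {target}")


def audit(names, dns=SAMPLE_DNS):
    """Classify every subdomain; returns {name: Finding}."""
    return {n: classify(n, dns) for n in names}


def needs_cleanup(findings):
    """Names whose DNS records should be removed or fixed, sorted."""
    return sorted(n for n, f in findings.items()
                  if f.status.startswith("dangling") or f.status == "loop")


if __name__ == "__main__":
    # Stand-in for the subdomains.txt file built from Sublist3r output.
    subdomains = ["www.xyz.com", "newblog.xyz.com", "docs.xyz.com", "shop.xyz.com"]
    results = audit(subdomains)
    for n, f in results.items():
        print(f"{f.status:22} {n:18} via {' -> '.join(f.chain)}  ({f.note})")
    print("needs cleanup:", ", ".join(needs_cleanup(results)))
```

The two dangling classes are kept separate on purpose: an internal target that vanished is a hygiene issue, while an unresolvable target under a third-party provider is the case the scenario above describes, so it should be removed first. A real run would also record the HTTP response for each name, since the 404 mentioned earlier is the other signal the tools key on.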

The last step is to claim the unclaimed subdomain by creating an account. 

A Bounty Tip: Target a domain with a large scope. Always read the scope section first before looking for security vulnerabilities; there will be a lower chance of duplicates.

Author: Vinayak Sakhare
