- July 6, 2020
- Posted by: Swati.patel
- Category: Blogs
I am briefing out a method that can be used when testing for subdomain takeover. Let us first understand what a subdomain takeover is.
Subdomain takeover is a situation where a malicious user is able to claim a subdomain on behalf of a legitimate site.
Figure 1: Subdomain Illustration
Let us take a typical example to understand it better.
- The user owns a website named xyz.com and your company starts using a new service such as WordPress as an external service for writing blogs.
- The user then registered a domain for a new service which is WordPress and created a CNAME entry which points to newblog.xyz.com.
- After a few years, the user stops using this WordPress service and forgot to remove the CNAME entry of WordPress from the DNS records.
- A malicious user can create an account in WordPress pointing to your WordPress CNAME entry and thereby taking over the subdomain.
- All traffic for subdomain newblog.xyz.com is then directed to a malicious website.
A malicious user can create a similar site that replicates a real site. He can then post malicious content in the Subdomain which leads to the spreading of malware, stealing users’ credentials, etc.
Always update your DNS records. Remove CNAME which is not in use so it becomes not accessible.
How to Identify:
When a subdomain is vulnerable to a takeover, it usually returns a 404 Error meaning that there is no content on the server.
There are many tools available to automate host and whois enumeration process. However, I use below Tools for faster enumeration and exploitation:
- Su3lister https://github.com/aboul3la/Sublist3r
- Sub0ver https://github.com/Ice3man543/SubOver
The first task is to identify list subdomains for a given target domain. To do this, you use Su3lister. You now have a list of subdomains. Copy all these subdomains and save them in a txt file. Now you can start using SubOver.
Here is the syntax for Sub0ver: ./SubOver -l subdomains.txt
It can easily detect and report potential subdomain takeovers that exist. Currently, it checks for more than 40+ potentially hijackable services. You can find those lists of services on the above GitHub page.
The last step is to claim the unclaimed subdomain by creating an account.
A Bounty Tip: Target a Domain wherein you find a large scope. Always read out the scope section first before heading towards finding a security vulnerability. There will be a lesser chance of duplicates.
Author: Vinayak Sakhare