- July 6, 2020
- Posted by: Swati.patel
- Category: Blogs

This post walks through a method for testing for subdomain takeover. First, let us understand what a subdomain takeover is.
Introduction:
A subdomain takeover occurs when an attacker gains control of a subdomain of a legitimate domain because its DNS record still points at an external resource (a hosting provider, CDN, blog platform, and so on) that the domain owner no longer controls, and the attacker is able to register that resource for themselves.
Figure 1: Subdomain Illustration
Let us take a typical example to understand it better.
Attack Scenario:
- Your company owns the website xyz.com and starts using an external service, such as WordPress, to host its blog.
- The company creates the subdomain newblog.xyz.com and adds a CNAME record for it that points at the WordPress-hosted site (for example, newblog.wordpress.com).
- A few years later, the company stops using the WordPress site and deletes it, but forgets to remove the CNAME record from its DNS zone. The record now dangles: newblog.xyz.com still resolves to a WordPress hostname that nobody owns.
- An attacker creates a WordPress account and registers the same site name that the dangling CNAME points at, thereby taking over the subdomain.
- All traffic for newblog.xyz.com is now served by the attacker's site, under the company's own domain name.
Potential Impact:
An attacker can host a clone of the real site on the subdomain and use it to spread malware, phish users' credentials, and so on. Because the content is served from a genuine xyz.com hostname, users have little reason to distrust it, and any trust that is scoped to the parent domain, such as cookies set for .xyz.com or allow-lists that accept *.xyz.com, extends to the attacker's page.
Remediation:
Keep your DNS records current. Remove the CNAME record for a subdomain before, not after, decommissioning the external service it points at, so there is never a window in which the record dangles, and periodically audit the zone for records that point at third-party services you no longer use.
How to Identify:
A subdomain that is vulnerable to takeover typically still resolves (the CNAME is present), but the third-party service answers with an error page, often an HTTP 404, saying that no resource exists for that name. Each service has its own wording for this page, and that wording is what the tools below fingerprint. In other cases the CNAME target itself no longer resolves at all (NXDOMAIN). A plain 404 on its own is not proof: confirm that the target name is actually unclaimed and can still be registered on the service.
There are many tools that automate subdomain enumeration and DNS resolution. I use the two below for faster enumeration and exploitation:
- Sublist3r https://github.com/aboul3la/Sublist3r
- SubOver https://github.com/Ice3man543/SubOver
The first task is to build a list of subdomains for the target domain. Run Sublist3r against it (the -d option takes the target domain and -o writes the results to a file) and save the resulting subdomains in a text file. Now you can feed that file to SubOver.
Here is the syntax for SubOver: ./SubOver -l subdomains.txt
It checks each subdomain's CNAME target and HTTP response against its list of service fingerprints and reports potential takeovers. At the time of writing it checks more than 40 potentially hijackable services; the list is on the GitHub page above.
The last step is to confirm the takeover by registering the dangling resource on the service (for example, by creating an account and claiming the same site name), so that the subdomain serves content you control. For a bug bounty report, host only a harmless proof-of-concept page, never real malicious content.
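To make the identification step concrete, here is an added example (not code from the original post and not part of Sublist3r or SubOver) of the classification logic such a tool applies to each subdomain: look up the CNAME, check whether the target belongs to a known service, check whether the target still resolves, and if it does, match the HTTP body against that service's "unclaimed" fingerprint. The DNS and HTTP lookups are passed in as functions so the script runs offline against constructed sample data; the fingerprint strings are assumed illustrative values modelled on publicly documented ones and should be verified against the live service (or SubOver's own list) before you rely on them.

```python
"""Classify subdomains as dangling-CNAME takeover candidates (added example)."""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Assumed, illustrative fingerprints: CNAME target suffix -> text the service
# returns when the resource is unclaimed. Verify against the real service.
FINGERPRINTS = {
    "wordpress.com": "Do you want to register",
    "github.io": "There isn't a GitHub Pages site here",
    "herokuapp.com": "No such app",
    "s3.amazonaws.com": "NoSuchBucket",
}


@dataclass
class Finding:
    subdomain: str
    cname: Optional[str]
    verdict: str  # "vulnerable", "unclaimed-target", "ok", "no-cname"
    reason: str


def classify(
    sub: str,
    resolve_cname: Callable[[str], Optional[str]],
    resolve_a: Callable[[str], Optional[str]],
    fetch: Callable[[str], Tuple[int, str]],
) -> Finding:
    """Apply the takeover checks to one subdomain."""
    cname = resolve_cname(sub)
    if cname is None:
        return Finding(sub, None, "no-cname", "no CNAME record; nothing to claim on a third party")

    service = next((s for s in FINGERPRINTS if cname == s or cname.endswith("." + s)), None)
    if service is None:
        return Finding(sub, cname, "ok", "CNAME target has no known fingerprint; review manually")

    if resolve_a(cname) is None:
        # The target name no longer exists (NXDOMAIN): it can often be re-registered.
        return Finding(sub, cname, "unclaimed-target", f"{cname} does not resolve (NXDOMAIN)")

    status, body = fetch(sub)
    if FINGERPRINTS[service] in body:
        # A 404 alone is not enough; the service-specific wording is the signal.
        return Finding(sub, cname, "vulnerable", f"HTTP {status} with '{FINGERPRINTS[service]}' fingerprint")
    return Finding(sub, cname, "ok", f"HTTP {status}; resource appears to be claimed")


# Constructed sample data standing in for real DNS answers and HTTP responses.
SAMPLE_CNAME = {
    "newblog.xyz.com": "newblog.wordpress.com",  # dangling: site deleted, CNAME kept
    "docs.xyz.com": "xyz.github.io",             # target name no longer resolves
    "www.xyz.com": None,                         # plain A record, no CNAME
    "app.xyz.com": "xyz-app.herokuapp.com",      # still in use
}
SAMPLE_A = {
    "newblog.wordpress.com": "192.0.2.10",
    "xyz.github.io": None,
    "xyz-app.herokuapp.com": "192.0.2.20",
}
SAMPLE_HTTP = {
    "newblog.xyz.com": (404, "<h1>Do you want to register newblog.wordpress.com?</h1>"),
    "app.xyz.com": (200, "<html>Welcome to the app</html>"),
}


def scan(subdomains):
    """Classify a list of subdomains using the constructed sample lookups."""
    return [
        classify(s, SAMPLE_CNAME.get, SAMPLE_A.get, lambda h: SAMPLE_HTTP.get(h, (0, "")))
        for s in subdomains
    ]


if __name__ == "__main__":
    for f in scan(list(SAMPLE_CNAME)):
        print(f"{f.subdomain:20} {f.verdict:17} {f.reason}")
```

In real use, resolve_cname and resolve_a would wrap a DNS library (for example dnspython's dns.resolver) and fetch an HTTP client, and the input list would be the file produced by Sublist3r. Note that only the "vulnerable" and "unclaimed-target" verdicts are worth chasing, and each still needs the manual confirmation described above.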
A bounty tip: target programmes with a large scope. Always read the scope section before you start looking for vulnerabilities; there is less chance of duplicates.
Author: Vinayak Sakhare