After a long time. Finally, I manage my time to write detailed things about one very famous attack. which is the “Subdomain Takeover” attack. Nowadays this vulnerability goes wild just because of bug hunters. I just try to write the “Subdomain Takeover” attack detailed with an in-depth explanation for my readers.
After reading this post. You can practice your Subdomain Takeover skills on our Subdomain Takeover Lab.
Yes!! I have to build a lab for you guys to practice Subdomain Takeover with takeover various services like Github Pages, Bitbucket, AWS S3, Heroku, Tilda, Tumblr, Readme and much more.
Download PDF: https://www.exploit-db.com/docs/46415
Let’s Take a look at the Index. 🙂
- What is Subdomain?
- What is Subdomain Takeover?
- All About CNAME.
- How to find CNAME records?
- What is Subdomain Takeover Lab?
- Let’s Takeover Subdomain.
What is Subdomain?
A subdomain is a part of the main domain. In the above picture(Fig: 1). I have explained a subdomain. The main domain name is subdomain-takeover with extension .tk and part of this main domain is
What is Subdomain Takeover?
Subdomain Takeover is a type of vulnerability that occurs due to misconfiguration of DNS CNAME records.
Scenario Example: when a company or individual has configured a DNS CNAME entry for one of its subdomains pointing to an external service (ex: Heroku, Github Pages, Bitbucket, Tilda, AWS S3 Bucket, Shopify, etc) but the service is no longer utilized by that company. In that condition, An attacker could register to the external service and claim the affected subdomain to configure his/her service’s to point to the affected subdomain.
All About CNAME.
CNAME stands for Canonical Name is a type of Domain Name System(DNS) record that maps an alias name to a true or canonical domain name. CNAME records are typically used to map a subdomain such as www, mail,
How to find CNAME records?
There is an N-Number of ways to find the CNMAE record to associate subdomain. In this section, I’ll show you a few techniques to find the CNAME record of the specific subdomain.
Let’s get started
touhid@kali:~$ dig @18.104.22.168 syed.subdomain-takeover.tk CNAME
DNS Server: Here we can use any DNS Server. I have used the Google Public DNS(22.214.171.124) Server name. But you can use any of DNS servers like Your Private DNS server or any Anonymous DNS server name also.
Subdomain Name: Here, I have to ask record from my DNS server.
Type: I have asked for specific CNAME records only to DNS Server.
; <<>> DiG 9.11.5-P1-1-Debian <<>> @126.96.36.199 syed.subdomain-takeover.tk CNAME
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52710
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL:1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;syed.subdomain-takeover.tk. IN CNAME
;; ANSWER SECTION:
syed.subdomain-takeover.tk. 14399 IN CNAME touhidshaikh.github.io.
;; Query time: 267 msec
;; SERVER: 188.8.131.52#53(184.108.40.206)
;; WHEN: Sun Jan 06 20:22:34 IST 2019
;; MSG SIZE rcvd: 91
touhid@kali:~$ host syed.subdomain-takeover.tk
syed.subdomain-takeover.tk is an alias for touhidshaikh.github.io.
touhidshaikh.github.io has address 220.127.116.11
touhidshaikh.github.io has address 18.104.22.168
touhidshaikh.github.io has address 22.214.171.124
touhidshaikh.github.io has address 126.96.36.199
There is an N-Number of tools to check DNS records in various visual formats. You can use DNS recons tools also to check multiple DNS.
What is Subdomain Takeover Lab?
Subdomain Takeover Lab is an Initiative of InitD Community for all(Infosec Guys). Here, it’s legal to takeover subdomains and hosts anything(Read Rules). Hackers can explore their Subdomain Takeover Skills with a vulnerable subdomain of subdomain-takeover.
Subdomain Takeover Lab Link: https://subdomain-takeover.tk
Let’s Takeover Subdomain
Enough Talk! Lets start Hands-on.
Vulnerable Subdomain: beta.subdomain-takeover.tk
Let’s Visit this URL.
In the above image. we got a 404 Error page. This means this subdomain has no longer Github Page.
In short, we can claim this Subdomain by pointing our GitHub page to this subdomain. Let’s confirm CNAME records by Dig Command.
Great this subdomain pointed to github.io
Let’s Login to GitHub and Create a Repository with any name.
Make a New repository or you can use your existing repository.
After Creating your repository. its will shows like below.
now go to repository setting.
In Setting Go to the Github Page Section.
Change None to Your Master Repository and hit Save.
Now add the subdomain name here which you want to
And you can use an HTTPS connection. I just avoid Enforce HTTPS.
Now Visit beta.subdomain-takeover.tk
Congratulation !! You have Successfully Takeover
There is another alternative way to doing same thing with minimum step.
You Need to Add a CNAME file with your desired subdomain name.
AWS S3 Bucket
Vulnerable Subdomain: playing.subdomain-takeover.tk
Let’s Visit this URL.
We Got Error NoSuchBucket
This is a good sign if you’re going to take over the subdomain.
Let’s verify this by looking for CNAME Records.
Ahhh! Good News is it’s pointing to AWS S3 Bucket.
Now You Need an AWS Account to create a Bucket and claim this subdomain.
Let’s start Takeover.
Login to https://console.aws.amazon.com/
and move to https://s3.console.aws.amazon.com/s3/home
Click Create Bucket.
Set Bucket name to source domain name (i.e., the domain you want to take over)
Click Next multiple times to finish.
Open the created bucket.
Select the file which will be used for PoC (HTML or TXT file). I recommend naming it differently than index.html; you can use PoC (without extension)
In the Set Permissions tab select Grant public read access to this object(s)
In Set, Properties tab Go To Metadata
In the Header, select Content-Type and the value should reflect the type of document which you going to upload. In Our Case HTML, choose text/HTML.
Click to Upload.
If Everything was done properly. You’ll Get the subdomain. Let’s visit and verify the successful takeover.
Tilda (Using A Record)
For Tilda, You need a premium account or at least a Feel Trail Account on https://tilda.cc (We Recommend a Premium Account)
Let’s Visit the Vulnerable domain and check its available for takeover or not.
Vulnerable Subdomain: Tilda.subdomain-takeover.tk
We Got This Page … It Seems Vulnerable let’s dig into and takeover this subdomain.
Let’s Takeover. 🙂
I am Assuming
Create A Project and Click on Edit Site.
Go To Site setting
Click on Domain
Type Your Subdomain Name a Click on Save changes.
If Everything is Perfect… I Got The Subdomain.
I have Designed some pages in my project 🙂
Remove the unused Service’s DNS Records from DNS Server.
Original Blog Post
Thanks For Reading.
Please Try or Subdomain Takeover LAB which is in BETA testing. If you Find any Difficulties please comment below or write a mail.