
Subdomain Takeover Explained with Practical

Hello All,

After a long time, I have finally managed to find the time to write in detail about one very famous attack: the “Subdomain Takeover” attack. Nowadays this vulnerability is everywhere, largely because of bug hunters. In this post I try to explain the “Subdomain Takeover” attack in depth for my readers.

After reading this post, you can practice your Subdomain Takeover skills on our Subdomain Takeover Lab.

Yes!! I have built a lab for you guys to practice Subdomain Takeover by taking over various services like GitHub Pages, Bitbucket, AWS S3, Heroku, Tilda, Tumblr, Readme and much more.

Download PDF: https://www.exploit-db.com/docs/46415

Let’s Take a look at the Index. 🙂

Index

  • What is Subdomain?
  • What is Subdomain Takeover?
  • All About CNAME.
  • How to find CNAME records?
  • What is Subdomain Takeover Lab?
  • Let’s Takeover Subdomain.
  • Mitigation
  • Bibliography

What is Subdomain?

Fig: 1

A subdomain is a part of a main (registered) domain. The picture above (Fig: 1) shows one: the main domain name is subdomain-takeover with the extension .tk, and touhid is a label placed in front of it, so touhid.subdomain-takeover.tk is called a subdomain of that main domain.

What is Subdomain Takeover?

Subdomain Takeover is a vulnerability that occurs when a DNS record (most often a CNAME, but an A, NS or MX record can dangle in the same way) still points at a resource that the domain owner no longer controls.

Scenario Example: a company or individual has configured a DNS CNAME entry for one of its subdomains pointing to an external service (ex: Heroku, GitHub Pages, Bitbucket, Tilda, AWS S3 Bucket, Shopify, etc.), but the service is no longer utilized by that company: the resource there has been deleted while the DNS record was left behind. In that condition an attacker can register on the external service, claim the same resource name, and the affected subdomain now serves whatever the attacker hosts. Because browsers treat that content as coming from the victim's domain, this is enough for convincing phishing pages and for reading cookies that are scoped to the parent domain.

All About CNAME.

CNAME stands for Canonical Name. It is a type of Domain Name System (DNS) record that maps an alias name to a true or canonical domain name. CNAME records are typically used to map a subdomain such as www, mail, cpanel, blog, etc. to the domain that hosts that subdomain's content. A resolver follows the CNAME and then looks up the canonical name, so whoever controls the canonical name controls what the alias serves.

How to find CNAME records?

There are any number of ways to find the CNAME record associated with a subdomain. In this section, I'll show you a few techniques to find the CNAME record of a specific subdomain.

Let’s get started

Dig Command

touhid@kali:~$ dig @8.8.8.8 syed.subdomain-takeover.tk CNAME
Fig: 2

DNS Server: Here we can use any DNS server. I have used the Google Public DNS server (8.8.8.8), but you can use any DNS server, such as your private DNS server or any other public resolver.
Subdomain Name: the name whose records we are asking the DNS server for.
Type: I have asked the DNS server for CNAME records only.

Output

; <<>> DiG 9.11.5-P1-1-Debian <<>> @8.8.8.8 syed.subdomain-takeover.tk CNAME
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52710
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL:1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;syed.subdomain-takeover.tk. IN CNAME
;; ANSWER SECTION:
syed.subdomain-takeover.tk. 14399 IN CNAME touhidshaikh.github.io.
;; Query time: 267 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Jan 06 20:22:34 IST 2019
;; MSG SIZE rcvd: 91

Host Command

touhid@kali:~$ host syed.subdomain-takeover.tk

Output

syed.subdomain-takeover.tk is an alias for touhidshaikh.github.io.
touhidshaikh.github.io has address 185.199.109.153
touhidshaikh.github.io has address 185.199.110.153
touhidshaikh.github.io has address 185.199.111.153
touhidshaikh.github.io has address 185.199.108.153

There are any number of tools that show DNS records in various visual formats, and DNS recon tools can check many subdomains at once. Whatever you use, the detail that matters for a takeover is the canonical name on the right-hand side of the CNAME (here touhidshaikh.github.io), because it tells you which external service to look at.

What is Subdomain Takeover Lab?

Subdomain Takeover Lab is an initiative of the InitD Community for all infosec guys. Here it's legal to take over subdomains and host anything (read the rules). Hackers can explore their Subdomain Takeover skills on the vulnerable subdomains of the subdomain-takeover.tk domain. You can find more than 100 subdomains with misconfigured DNS records such as CNAME, MX and NS records.

Subdomain Takeover Lab Link: https://subdomain-takeover.tk

Let’s Takeover Subdomain

Enough talk! Let's start hands-on.

GitHub Pages

Vulnerable Subdomain: beta.subdomain-takeover.tk

Let’s Visit this URL.

In the above image we got a 404 error page. This is the page GitHub Pages serves when a hostname reaches github.io but no repository has that hostname configured as its custom domain, so the subdomain no longer has a GitHub Pages site behind it.

In short, we can claim this subdomain by pointing our own GitHub Pages site at it. Let's confirm the CNAME record with the dig command.

Great, this subdomain points to github.io.

Let's log in to GitHub and create a repository with any name.

Make a new repository, or use an existing one.

After creating your repository, it will look like below.

Now go to the repository settings.

In Settings, go to the GitHub Pages section.

Change Source from None to the master branch and hit Save.


Now add the subdomain name which you want to take over as the Custom domain; in my case, the custom domain will be beta.subdomain-takeover.tk.

You can use an HTTPS connection as well; I just skip Enforce HTTPS here.

Now visit beta.subdomain-takeover.tk

Congratulations!! You have successfully taken over beta.subdomain-takeover.tk


There is an alternative way to do the same thing with fewer steps: add a file named CNAME to the root of the Pages branch whose only content is the desired subdomain name (beta.subdomain-takeover.tk).

One caveat for targets you test today: GitHub has since added custom-domain verification for Pages. A domain whose owner has verified it with the TXT record GitHub asks for can no longer be claimed by another account this way, so check for that before spending time on a github.io CNAME.


AWS S3 Bucket

Vulnerable Subdomain: playing.subdomain-takeover.tk

Let’s Visit this URL.

We got the error NoSuchBucket.

This is a good sign if you're going to take over the subdomain: S3 answered for the hostname, but the bucket the record points at does not exist.

Let's verify this by looking at the CNAME record.

Ahhh! Good news: it's pointing to an AWS S3 bucket (an amazonaws.com host).

Now you need an AWS account to create a bucket and claim this subdomain.

Let’s start Takeover.

Log in to https://console.aws.amazon.com/

and move to https://s3.console.aws.amazon.com/s3/home

Click Create Bucket.

Set the bucket name to the source domain name (i.e., the subdomain you want to take over, playing.subdomain-takeover.tk). For S3 website hosting the bucket name must match the hostname exactly, and if the CNAME target names a region (s3-website-<region>), create the bucket in that region.

Click Next multiple times to finish.

Open the created bucket.

Click Upload.

Select the file which will be used for the PoC (an HTML or TXT file). I recommend naming it differently than index.html; you can use PoC (without extension), so that the takeover is provable without serving a real-looking page at the root.

In the Set Permissions tab select Grant public read access to this object(s).

In the Set Properties tab go to Metadata.

In the Header select Content-Type and set the value to the type of document you are going to upload; in our case HTML, so choose text/html.

Click Upload.

If everything was done properly, you'll get the subdomain. Let's visit and verify the successful takeover.

Congratulation !!
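The GitHub Pages 404 page and the S3 NoSuchBucket error above are the same signal: DNS still delivers the hostname to the provider, but the provider has no resource for it and says so in its error page. The following Python script is an added example, not code from the original post or the lab. It classifies an HTTP response by provider error signature and extracts the name you would have to register to claim it (the hostname itself for GitHub Pages, the bucket name for S3). The responses are constructed inline to mirror what the post shows; the GitHub and S3 strings are the providers' standard "nothing here" messages. A match only means the response looks claimable: confirm it against the CNAME record, and only ever claim it on a domain you are allowed to test, such as the lab.

```python
"""Classify an HTTP response from a candidate subdomain by provider error page.

Added example; not code from the original post or the lab. The two signatures
are the provider messages the post shows (GitHub Pages' 404 text and S3's
NoSuchBucket error); the responses below are constructed to mirror them.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class HttpResponse:
    host: str      # Host header we sent, i.e. the candidate subdomain
    status: int
    body: str


@dataclass
class Verdict:
    service: Optional[str]       # provider identified from its error page
    claimable: bool              # provider says nothing exists for this host
    claim_target: Optional[str]  # the name you would have to register there


def s3_bucket_name(body: str) -> Optional[str]:
    """Extract the missing bucket's name from an S3 NoSuchBucket error.

    The REST endpoint answers with XML; the website endpoint (what a CNAME to
    *.s3-website-<region>.amazonaws.com reaches) renders the same fields as an
    HTML list. Returns None when the body is neither.
    """
    if "NoSuchBucket" not in body:
        return None
    try:
        root = ET.fromstring(body.strip())
        if root.tag == "Error" and root.findtext("Code") == "NoSuchBucket":
            return root.findtext("BucketName")
    except ET.ParseError:
        pass
    m = re.search(r"BucketName:\s*([A-Za-z0-9.\-]+)", body)
    return m.group(1) if m else None


def fingerprint(resp: HttpResponse) -> Verdict:
    """Map a (status, body) pair to the provider and the name to claim."""
    if resp.status == 404 and "There isn't a GitHub Pages site here" in resp.body:
        # Served only when the name reaches github.io but no repository has it
        # configured as a custom domain; you claim it by adding exactly this
        # hostname as the custom domain of your own Pages repository.
        return Verdict("GitHub Pages", True, resp.host)
    bucket = s3_bucket_name(resp.body)
    if resp.status == 404 and bucket is not None:
        # For S3 website hosting the bucket name must equal the hostname, so
        # the error document tells you exactly which bucket to create.
        return Verdict("AWS S3", True, bucket)
    # Anything else (a live site, a generic 404 from the victim's own server,
    # an error page we do not recognise) is not a takeover signal.
    return Verdict(None, False, None)


# Constructed responses mirroring the two cases in the post plus a live site.
SAMPLES: List[HttpResponse] = [
    HttpResponse("beta.subdomain-takeover.tk", 404,
                 "<html><body><h1>404</h1><p>There isn't a GitHub Pages site "
                 "here.</p></body></html>"),
    HttpResponse("playing.subdomain-takeover.tk", 404,   # REST-style XML error
                 "<Error><Code>NoSuchBucket</Code><Message>The specified bucket "
                 "does not exist</Message><BucketName>playing.subdomain-takeover.tk"
                 "</BucketName></Error>"),
    HttpResponse("playing.subdomain-takeover.tk", 404,   # website-endpoint HTML
                 "<html><body><h1>404 Not Found</h1><ul><li>Code: NoSuchBucket</li>"
                 "<li>BucketName: playing.subdomain-takeover.tk</li></ul></body></html>"),
    HttpResponse("www.subdomain-takeover.tk", 200, "<html><body>Welcome</body></html>"),
]


def triage(samples: List[HttpResponse]) -> List[Verdict]:
    return [fingerprint(r) for r in samples]


if __name__ == "__main__":
    for r, v in zip(SAMPLES, triage(SAMPLES)):
        print(f"{r.host}: {v}")
```

Feeding it real traffic means sending the request with the candidate subdomain as the Host header (or simply browsing to it) and passing the status and body in; the signatures are deliberately narrow so that a victim's own 404 page does not count as a hit.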


Tilda (Using A Record)

For Tilda, you need a premium account or at least a free trial account on https://tilda.cc (we recommend a premium account).

Let's visit the vulnerable domain and check whether it's available for takeover or not.

Vulnerable Subdomain: tilda.subdomain-takeover.tk

We got this page... It seems vulnerable. Let's dig into it and take over this subdomain. Note that this one uses an A record pointing at Tilda's IP address instead of a CNAME, so a dig for CNAME returns nothing; query the A record instead.

Let’s Takeover. 🙂

I am Assuming

Create a project and click on Edit Site.

Go to Site settings.

Click on Domain.

Type your subdomain name and click on Save changes.

If everything is perfect... I got the subdomain.

I have designed some pages in my project 🙂

Congratulations.

Mitigation

Remove the unused service's DNS records from the DNS server. In practice that means two things: when you decommission a resource on an external service (delete a bucket, an app, a Pages site), delete the record that pointed at it in the same change; and periodically audit the zone for CNAME, A, NS and MX records whose targets no longer resolve or that point at third-party services nobody can account for. Where the provider offers it, also verify domain ownership on the provider side (for example GitHub Pages custom-domain verification) so that a stale record cannot be claimed by someone else.
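Finding the records is the part that needs tooling, both for the defender doing this audit and for the CNAME lookups described in "How to find CNAME records?". The following Python script is an added example, not code from the original post or the lab: it parses a small zone snippet written in the same column layout as the dig output earlier, follows each CNAME chain, and reports records whose chain ends in NXDOMAIN or a loop (dangling, delete them) or passes through a hosted service (confirm an account you control still owns the resource, or delete the record). The zone snippet and the resolver table are constructed so it runs offline, and the provider suffix list is an assumption drawn from the services this post names; for a real audit, feed in your zone export and replace the table with live queries (dig, or dnspython's dns.resolver).

```python
"""Audit a zone for CNAME records that point at third parties or at nothing.

Added example; not code from the original post or the lab. ZONE and
EXTERNAL_DNS are constructed so the script runs offline.
"""
from typing import Callable, Dict, List, Optional, Tuple

Record = Tuple[str, str]  # (rtype, rdata)

# Suffixes of hosted services this post names; an assumption, extend it with
# every provider your estate actually uses.
KNOWN_PROVIDERS: Dict[str, str] = {
    "github.io.": "GitHub Pages",
    "amazonaws.com.": "AWS S3",
    "herokuapp.com.": "Heroku",
}

# Constructed zone snippet, same column layout as dig prints.
ZONE = """\
; owner                         TTL  class type  rdata
beta.subdomain-takeover.tk.     3600 IN CNAME touhidshaikh.github.io.
playing.subdomain-takeover.tk.  3600 IN CNAME playing.subdomain-takeover.tk.s3-website-us-east-1.amazonaws.com.
legacy.subdomain-takeover.tk.   3600 IN CNAME legacy-site.example.net.
loop.subdomain-takeover.tk.     3600 IN CNAME loop.subdomain-takeover.tk.
www.subdomain-takeover.tk.      3600 IN CNAME subdomain-takeover.tk.
subdomain-takeover.tk.          3600 IN A     192.0.2.10
"""

# Constructed stand-in for public DNS: a name missing here is NXDOMAIN.
EXTERNAL_DNS: Dict[str, Record] = {
    "touhidshaikh.github.io.": ("A", "185.199.108.153"),
    "playing.subdomain-takeover.tk.s3-website-us-east-1.amazonaws.com.": ("A", "192.0.2.50"),
}


def parse_zone(text: str) -> Dict[str, Record]:
    """owner -> (rtype, rdata) for lines shaped 'owner TTL IN TYPE rdata'."""
    records: Dict[str, Record] = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        owner, _ttl, _cls, rtype, rdata = line.split()
        rtype = rtype.upper()
        if rtype == "CNAME":
            rdata = rdata.lower()  # DNS names compare case-insensitively
        records[owner.lower()] = (rtype, rdata)
    return records


def follow_cname(name: str, lookup: Callable[[str], Optional[Record]],
                 max_hops: int = 8) -> Tuple[List[str], str]:
    """Walk the CNAME chain from name. Returns (chain, terminal), where terminal
    is the record type the chain ends on, 'NXDOMAIN' if a hop has no record,
    or 'LOOP' if the chain revisits a name or exceeds max_hops."""
    chain, seen = [name], {name}
    for _ in range(max_hops):
        rec = lookup(name)
        if rec is None:
            return chain, "NXDOMAIN"
        rtype, rdata = rec
        if rtype != "CNAME":
            return chain, rtype
        name = rdata
        chain.append(name)
        if name in seen:
            return chain, "LOOP"
        seen.add(name)
    return chain, "LOOP"


def provider_for(name: str) -> Optional[str]:
    for suffix, provider in KNOWN_PROVIDERS.items():
        if name == suffix or name.endswith("." + suffix):
            return provider
    return None


def audit(records: Dict[str, Record],
          external: Dict[str, Record]) -> List[Tuple[str, str, str]]:
    """(owner, verdict, detail) for every CNAME: DANGLING (delete the record),
    THIRD-PARTY (prove the resource is still yours, or delete), INTERNAL."""
    def lookup(n: str) -> Optional[Record]:
        return records.get(n) or external.get(n)  # our zone first, then the world

    findings = []
    for owner, (rtype, _) in sorted(records.items()):
        if rtype != "CNAME":
            continue
        chain, terminal = follow_cname(owner, lookup)
        if terminal in ("NXDOMAIN", "LOOP"):
            findings.append((owner, "DANGLING", f"{terminal} at {chain[-1]}"))
            continue
        provider = next((p for p in map(provider_for, chain[1:]) if p), None)
        if provider:
            findings.append((owner, "THIRD-PARTY", f"{provider} via {chain[-1]}"))
        else:
            findings.append((owner, "INTERNAL", chain[-1]))
    return findings


if __name__ == "__main__":
    for owner, verdict, detail in audit(parse_zone(ZONE), EXTERNAL_DNS):
        print(f"{verdict:<12} {owner:<32} {detail}")
```

THIRD-PARTY is deliberately not called vulnerable: github.io and amazonaws.com names resolve whether or not anyone owns the resource, which is why the page checks those by visiting them (the 404 and NoSuchBucket pages) rather than by DNS alone. NXDOMAIN is the one verdict DNS can settle by itself.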

Original Blog Post

  • https://blog.initd.sh/others-attacks/mis-configuration/subdomain-takeover-explained/

Thanks for reading.

Please try our Subdomain Takeover Lab, which is in BETA testing. If you find any difficulties, please comment below or write a mail.

This Post Has 2 Comments

  1. Anonymous

    nice..
