Scribd
Upload
615 views26 pages

Subdomain Takeover Guide

This document provides a guide to taking over subdomains through subdomain takeover vulnerabilities. It explains what subdomain takeovers are, how to find CNAME records, and provides step-by-step instructions for taking over subdomains linked to GitHub Pages, AWS S3 buckets, and Tilda. The guide demonstrates how to claim an abandoned subdomain by redirecting it to your own site hosted on one of these services. It encourages readers to practice subdomain takeovers on the Subdomain Takeover Lab.

Uploaded by

mouja
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
615 views26 pages

Subdomain Takeover Guide

This document provides a guide to taking over subdomains through subdomain takeover vulnerabilities. It explains what subdomain takeovers are, how to find CNAME records, and provides step-by-step instructions for taking over subdomains linked to GitHub Pages, AWS S3 buckets, and Tilda. The guide demonstrates how to claim an abandoned subdomain by redirecting it to your own site hosted on one of these services. It encourages readers to practice subdomain takeovers on the Subdomain Takeover Lab.

Uploaded by

mouja
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 26

INITD COMMUNITY

THE ULTIMATE GUIDE


FOR BASIC SUBDOMAIN
TAKEOVER WITH PRACTICAL

BY
Touhid M.Shaikh
Special Thanks!!

We are InitD
Harshal Ghaisas - Logo Designer
Shrutirupa Banerjiee, Sachin Sase and
Sagar Sharma - Members
TABLE OF
contents
1. Introduction
2. What is Subdomain?
3. What is Subdomain Takeover?
4. All About CNAME.
5. How to find CNAME Records?
6. What is Subdomain Takeover Lab?
7. Let's Takeover Subdomain.
Github Pages
AWS S3 Bucket
Tilda
8. Mitigation
9. Bibliography
INTRODUCTION

Subdomain takeover vulnerabilities occur


when a subdomain subdomain.example.com)
is pointing to a service (e.g. Amazone S3,
GitHub pages, Heroku, etc.) that has been
removed or deleted.
This allows an attacker to set up a page on
the service that was being used and point
their page to that subdomain. For example, if
subdomain.example.com was pointing to a
GitHub page and the user decided to delete
their GitHub page, an attacker can now
create a GitHub page, add a CNAME file
containing subdomain.example.com, and
claim subdomain.example.com.

1
What is Subdomain?

(Fig: 1).

Subdomain is a part of main domain. In


the above picture(Fig: 1). I have explained a
sudomain. The main domian name is
subdomain-takeover with extension .tk and
part of this main domain is touhid which is
called subdomain of this main domain.

2
What is Subdomain Takeover?

Subdomain Takeover is a type of vulnerability


which occurs due to Mis-configuration DNS
CNAME, NS, MX records.

Scenario Example:
When a company or individual has
configured a DNS CNAME entry for one of its
subdomains pointing to an external service
(ex: Heroku, Github Pages, Bitbucket, Tilda,
AWS S3 Bucket, Shopify, etc) but the service is
no longer utilized by that company. In that
condition, An attacker could register to the
external service and claim the affected
subdomain to configure his/her service's to
point affected subdomain.

3
All About CNAME

CNAME stands for Canonical Name is a type


of Domain Name System(DNS) record that
maps an alias name to a true or canonical
domain name. CNAME records are typically
used to map a subdomain such as www,
mail, cpanel, blog etc to the domain hosting
that subdomain's content.

4
How to find CNAME records?

There is N-Number of ways to find the


CNMAE record to associate subdomain. In
this section, I'll show you a few of techniques
to find the CNAME record of the specific
subdomain.
[ok] started...
Dig Command
$ dig @8.8.8.8 syed.subdomain-takeover.tk CNAME

DNS Server: Here we can use any DNS Server. I have used the
Google Public DNS(8.8.8.8) Server name. But you can use any
of DNS servers like Your Private DNS server or any
Anonymous DNS server name also.

Subdomain Name: Here, I have to ask record to my DNS


server.

Type: I have asked for specific CNAME record only to DNS


Server.

5
How to find CNAME records? (cont'd)

OUTPUT:

6
How to find CNAME records? (cont'd)

Host Command
$ host syed.subdomain-takeover.tk

OUTPUT:

There is N-Number of tools to check DNS record in


various visual formats. You can use DNS recons tools
also to check multiple DNS.

7
What is Subdomain Takeover Lab?

Subdomain Takeover Lab is Initiative of InitD Community for all(Infosec Guys). Here, its
legal to takeover subdomain and host anything(Read Rules). Hackers can explore thier
Subdomain Takeover Skills with a vulnerable subdomain of subdomain-takeover.tk
domain. You can find more than 100 subdomain which is Mis-Configured DNS record
such as CNAME, MX, NS records.

Subdomain Takeover Lab Link: https://subdomain-takeover.tk

Let’s Takeover Subdomain


Enough Talk! Lets start Hands-on.

Github Pages

Vulnerable Subdomain: beta.subdomain-takeover.tk

Let’s Visit this URL.

In above an image. we got 404 Error page. its means, this subdomain has no longer
Github Page.

In short, we can claim this Subdomain by pointing our GitHub page to this subdomain.
Let’s confirm CNAME records by Dig Command.

Great this subdomain pointed to github.io

Let’s Login to GitHub and Create a Repository with any name.


Make a New repository or you can use you exist repository.
After Creating you repository. its will shows like below.

now go to repository setting.

In Setting Go to the Github Page Section.


Change None to Your Master Repository and hit Save.
Now add subdomain name here which you want to takeover. in my case, Custom
domain will be beta.subdomain-takeover.tk

And you can use HTTPS connection. i just avoid Enforce HTTPS .
Now Visit beta.subdomain-takeover.tk

Congratulation !! You have Successfully Takeover


beta.subdomain-takeover.tk
There is another alternative way to doing same thing with minimum step.

You Need to add a CNAME file with your desired subdomain name.

AWS S3 Bucket

Vulnerable Subdomain: playing.subdomain-takeover.tk

Let’s Visit this URL.

We Got Error NoSuchBucket

This is good sign if you’re going to takeover the subdomain.


Lets Verify this by looking for CNAME Records.

Ahhh ! Good News its pointing to AWS S3 Bucket.

Now You Need a AWS Account to create a Bucket and claim this subdomain.

Let’s start Takeover.

Login to https://console.aws.amazon.com/

and move to https://s3.console.aws.amazon.com/s3/home

Click Create Bucket.

Set Bucket name to source domain name (i.e., the domain you want to take over)
Click Next multiple times to finish.

Open the created bucket.

Click Upload

Select the file which will be used for PoC (HTML or TXT file). I recommend naming it
differently than index.html; you can use PoC (without extension)
In Set Permissions tab select Grant public read access to this object(s)

In Set Properties tab Go To Metadata

In Header, select Content-Type and value should reflect the type of document which
you going to upload. In Our Case HTML, choose text/html.

Click to Upload.

If Everything done properly. You’ll Get the subdomain. Lets visit and verify successful
takeover.
Congratulation !!

Tilda (Using A Record)

For Tilda, You need a premium account or at least a Feel Trail Account on https://tilda.cc
(We Recommend a Premium Account)

Lets Visit Vulnerable domain and check its available for takeover or not.

Vulnerable Subdomain: tilda.subdomain-takeover.tk


We Got This Page … Its Seems Vulnerable lets dig into and takeover this subdomain.

Let’s Takeover.

I am Assuming

Create A Project and Click on Edit Site.

Go To Site setting

Click on Domain
Type You Subdomain Name a Click on Save changes.

If Everything is Perfect…. I Got The Subdomain.


I have Design some page in my project

Congratulation.

Mitigation

Remove the unused Service’s DNS Records from DNS Server.

Bibliography

https://github.com/EdOverflow/can-i-take-over-xyz

Thanks For Reading.

Please Try or Subdomain Takeover LAB which is in BETA testing. If you Find any
Difficulties please let us know.
END

You might also like