Subdomain Takeover Explained with Practical

Hello All,

After a long time, I have finally managed to find the time to write in detail about one very famous attack: the “Subdomain Takeover” attack. Nowadays this vulnerability has gone wild thanks to bug hunters. I'll try to explain the “Subdomain Takeover” attack in depth for my readers.

After reading this post, you can practice your Subdomain Takeover skills on our Subdomain Takeover Lab.

Yes!! I have built a lab for you guys to practice Subdomain Takeover by taking over various services like GitHub Pages, Bitbucket, AWS S3, Heroku, Tilda, Tumblr, Readme and much more.

Let's take a look at the index. 🙂

Index

  • What is Subdomain?
  • What is Subdomain Takeover?
  • All About CNAME.
  • How to find CNAME records?
  • What is Subdomain Takeover Lab?
  • Let’s Takeover Subdomain.
  • Mitigation
  • Bibliography

What is Subdomain?

Fig: 1

A subdomain is a part of the main domain. In the above picture (Fig: 1) I have explained a subdomain. The main domain name is subdomain-takeover with the extension .tk, and touhid is a part of this main domain, which is called a subdomain of the main domain.

What is Subdomain Takeover?

Subdomain Takeover is a type of vulnerability which occurs due to misconfigured DNS CNAME records.

Scenario example: a company or individual has configured a DNS CNAME entry for one of its subdomains pointing to an external service (e.g. Heroku, GitHub Pages, Bitbucket, Tilda, AWS S3 Bucket, Shopify, etc.), but the service is no longer used by that company. In that condition, an attacker could register with the external service and claim the affected subdomain, configuring his/her own service to serve content on the affected subdomain.

All About CNAME.

CNAME stands for Canonical Name. It is a type of Domain Name System (DNS) record that maps an alias name to a true or canonical domain name. CNAME records are typically used to map a subdomain such as www, mail, cpanel, blog etc. to the domain hosting that subdomain's content.

How to find CNAME records?

There are N number of ways to find the CNAME record associated with a subdomain. In this section, I'll show you a few techniques to find the CNAME record of a specific subdomain.

Let’s get started

Dig Command

touhid@kali:~$ dig @8.8.8.8 syed.subdomain-takeover.tk CNAME
Fig: 2

DNS Server: Here we can use any DNS server. I have used the Google Public DNS (8.8.8.8) server, but you can use any DNS server, like your private DNS server or any anonymous DNS server, as well.
Subdomain Name: Here, the subdomain whose record I am asking the DNS server for.
Type: I have asked the DNS server for the CNAME record only.

Output

; <<>> DiG 9.11.5-P1-1-Debian <<>> @8.8.8.8 syed.subdomain-takeover.tk CNAME
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52710
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL:1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;syed.subdomain-takeover.tk. IN CNAME
;; ANSWER SECTION:
syed.subdomain-takeover.tk. 14399 IN CNAME touhidshaikh.github.io.
;; Query time: 267 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Jan 06 20:22:34 IST 2019
;; MSG SIZE rcvd: 91

Host Command

touhid@kali:~$ host syed.subdomain-takeover.tk

Output

syed.subdomain-takeover.tk is an alias for touhidshaikh.github.io.
touhidshaikh.github.io has address 185.199.109.153
touhidshaikh.github.io has address 185.199.110.153
touhidshaikh.github.io has address 185.199.111.153
touhidshaikh.github.io has address 185.199.108.153

There are N number of tools to check DNS records in various visual formats. You can also use DNS recon tools to check multiple DNS records at once.

What is Subdomain Takeover Lab?

Subdomain Takeover Lab is an initiative of the InitD Community for all infosec guys. Here, it's legal to take over a subdomain and host anything (read the rules). Hackers can explore their Subdomain Takeover skills on the vulnerable subdomains of the subdomain-takeover.tk domain. You can find more than 100 subdomains with misconfigured DNS records such as CNAME, MX and NS records.

Subdomain Takeover Lab Link: https://subdomain-takeover.tk

Let’s Takeover Subdomain

Enough talk! Let's start the hands-on.

Github Pages

Vulnerable Subdomain: beta.subdomain-takeover.tk

Let’s Visit this URL.

In the above image we got a 404 error page. It means this subdomain no longer has a GitHub Page behind it.

In short, we can claim this subdomain by pointing our GitHub Page to it. Let's confirm the CNAME record with the dig command.

Great, this subdomain is pointed to github.io.

Let's log in to GitHub and create a repository with any name.

Make a new repository, or you can use your existing repository.

After creating your repository, it will show like below.

Now go to the repository settings.

In Settings, go to the GitHub Pages section.

Change None to your master branch and hit Save.


Now add the subdomain name which you want to take over here. In my case, the custom domain will be beta.subdomain-takeover.tk

You can also use an HTTPS connection; I just avoid Enforce HTTPS.

Now visit beta.subdomain-takeover.tk

Congratulations!! You have successfully taken over beta.subdomain-takeover.tk


There is another alternative way of doing the same thing with fewer steps.

You need to add a CNAME file with your desired subdomain name.


AWS S3 Bucket

Vulnerable Subdomain: playing.subdomain-takeover.tk

Let’s Visit this URL.

We got the error NoSuchBucket.

This is a good sign if you're going to take over the subdomain.

Let's verify this by looking for the CNAME record.

Ahhh! Good news, it's pointing to an AWS S3 bucket.

Now you need an AWS account to create a bucket and claim this subdomain.

Let's start the takeover.

Login to https://console.aws.amazon.com/

and move to https://s3.console.aws.amazon.com/s3/home

Click Create Bucket.

Set Bucket name to source domain name (i.e., the domain you want to take over)

Click Next multiple times to finish.

Open the created bucket.

Click Upload

Select the file which will be used for the PoC (an HTML or TXT file). I recommend naming it differently than index.html; you can use PoC (without an extension).

In the Set Permissions tab, select Grant public read access to this object(s).

In the Set Properties tab, go to Metadata.

In Header, select Content-Type, and the value should reflect the type of document which you are going to upload. In our case it is HTML, so choose text/html.

Click Upload.

If everything is done properly, you'll get the subdomain. Let's visit it and verify the successful takeover.

Congratulations!!


Tilda (Using A Record)

For Tilda, you need a premium account or at least a free trial account on https://tilda.cc (we recommend a premium account).

Let's visit the vulnerable domain and check whether it's available for takeover or not.

Vulnerable Subdomain: tilda.subdomain-takeover.tk

We got this page... It seems vulnerable, so let's dig in and take over this subdomain.

Let’s Takeover. 🙂

I am Assuming

Create a project and click on Edit Site.

Go to Site settings.

Click on Domain

Type your subdomain name and click on Save changes.

If everything is perfect... I got the subdomain.

I have designed some pages in my project 🙂

Congratulations.

Mitigation

Remove the unused service's DNS records from the DNS server, so that no subdomain keeps pointing at an external service you no longer control.
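To find such records in your own zone before someone else does, here is an added audit helper (example code, not from the original post or the lab) that combines the host/dig lookups from the "How to find CNAME records" section with the unclaimed-service responses shown in the walkthroughs (the GitHub Pages 404 and the S3 NoSuchBucket error). The HTTP fetch is injected so the example runs offline on constructed sample data; the Heroku fingerprint is an assumption added for illustration.

```python
import re
from typing import Callable, Dict, List, Tuple

# Text each service returns for an unclaimed name. GitHub's 404 and S3's
# NoSuchBucket are what the post shows; the Heroku string is an assumption.
SERVICE_FINGERPRINTS: Dict[str, str] = {
    "github.io": "There isn't a GitHub Pages site here",
    "s3.amazonaws.com": "NoSuchBucket",
    "herokuapp.com": "No such app",
}

HOST_RE = re.compile(r"^(\S+) is an alias for (\S+?)\.?$")          # host(1) output
DIG_RE = re.compile(r"^(\S+?)\.\s+\d+\s+IN\s+CNAME\s+(\S+?)\.$")     # dig ANSWER line

def parse_cnames(text: str) -> Dict[str, str]:
    """Extract alias -> target pairs from `host` or `dig` output; other lines are ignored."""
    records: Dict[str, str] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line.strip()) or DIG_RE.match(line.strip())
        if m:
            records[m.group(1)] = m.group(2)
    return records

def service_for(target: str) -> str:
    """Return the third-party suffix a CNAME target points at, or '' if it is first-party."""
    for suffix in SERVICE_FINGERPRINTS:
        if target == suffix or target.endswith("." + suffix):
            return suffix
    return ""

def audit(records: Dict[str, str], fetch: Callable[[str], str]) -> List[Tuple[str, str, str]]:
    """Flag (alias, target, service) where the service reports the alias as unclaimed."""
    findings = []
    for alias, target in records.items():
        suffix = service_for(target)
        if suffix and SERVICE_FINGERPRINTS[suffix] in fetch(alias):
            findings.append((alias, target, suffix))
    return findings

# Constructed sample: one host(1) line and three dig ANSWER lines.
SAMPLE_OUTPUT = """syed.subdomain-takeover.tk is an alias for touhidshaikh.github.io.
touhidshaikh.github.io has address 185.199.109.153
beta.subdomain-takeover.tk. 300 IN CNAME touhidshaikh.github.io.
playing.subdomain-takeover.tk. 300 IN CNAME playing.subdomain-takeover.tk.s3.amazonaws.com.
www.subdomain-takeover.tk. 300 IN CNAME subdomain-takeover.tk."""

# Constructed responses standing in for a real HTTP GET of each alias.
FAKE_RESPONSES = {
    "syed.subdomain-takeover.tk": "<html>Hello from touhidshaikh.github.io</html>",
    "beta.subdomain-takeover.tk": "<h1>404</h1> There isn't a GitHub Pages site here.",
    "playing.subdomain-takeover.tk": "<Error><Code>NoSuchBucket</Code></Error>",
}

def run_demo() -> List[Tuple[str, str, str]]:
    return audit(parse_cnames(SAMPLE_OUTPUT), lambda host: FAKE_RESPONSES.get(host, ""))
```

Replace the fake fetch with a real HTTP client and feed it your zone export to get a list of dangling aliases to delete.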

Bibliography

Thanks For Reading.

Please try our Subdomain Takeover LAB, which is in BETA testing. If you find any difficulties, please comment below or write a mail.
