After a long time. Finally, I manage my time to write detailed things about one very famous attack. which is “Subdomain Takeover” attack. Nowadays this vulnerability goes wild just because of bug hunters. I just try to write the “Subdomain Takeover” attack detailed with an in-depth explanation for my readers.
After reading this post. You can practice you Subdomain Takeover skills on our Subdomain Takeover Lab.
Yes!! I have to build a lab for you guys to practice Subdomain Takeover with takeover various services like Github Pages, Bitbucket, AWS S3, Heroku, Tilda, Tumblr, Readme and much more.
Lets Take a look on Index. 🙂
- What is Subdomain?
- What is Subdomain Takeover?
- All About CNAME.
- How to find CNAME records?
- What is Subdomain Takeover Lab?
- Let’s Takeover Subdomain.
What is Subdomain?
Subdomain is a part of main domain. In the above picture(Fig: 1). I have explained a sudomain. The main
What is Subdomain Takeover?
Subdomain Takeover is a type of vulnerability which occurs due to Mis-configuration DNS CNAME records.
Scenario Example: when a company or induaisual has configured a DNS CNAME entry for one of its subdomains pointing to an external service (ex: Heroku, Github Pages, Bitbucket, Tilda, AWS S3 Bucket, Shopify, etc) but the service is no longer utilized by that company. In that condition, An attacker could register to the external service and claim the affected subdomain to configure his/her service’s to point affected subdomain.
All About CNAME.
CNAME stands for Canonical Name is a type of Domain Name System(DNS) record that maps an alias name to a true or canonical domain name. CNAME records are typically used to map a subdomain such as www, mail,
How to find CNAME records?
There is N-Number of ways to find the CNMAE record to associate subdomain. In this section, I’ll show you a few of techniques to find the CNAME record of the specific subdomain.
Let’s get started
touhid@kali:~$ dig @126.96.36.199 syed.subdomain-takeover.tk CNAME
DNS Server: Here we can use any DNS Server. I have used the Google Public DNS(188.8.131.52) Server name. But you can use any of DNS servers like Your Private DNS server or any Anonymous DNS server name also.
Subdomain Name: Here, I have to ask record to my DNS server.
Type: I have asked for specific CNAME record only to DNS Server.
; <<>> DiG 9.11.5-P1-1-Debian <<>> @184.108.40.206 syed.subdomain-takeover.tk CNAME
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52710
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL:1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;syed.subdomain-takeover.tk. IN CNAME
;; ANSWER SECTION:
syed.subdomain-takeover.tk. 14399 IN CNAME touhidshaikh.github.io.
;; Query time: 267 msec
;; SERVER: 220.127.116.11#53(18.104.22.168)
;; WHEN: Sun Jan 06 20:22:34 IST 2019
;; MSG SIZE rcvd: 91
touhid@kali:~$ host syed.subdomain-takeover.tk
syed.subdomain-takeover.tk is an alias for touhidshaikh.github.io.
touhidshaikh.github.io has address 22.214.171.124
touhidshaikh.github.io has address 126.96.36.199
touhidshaikh.github.io has address 188.8.131.52
touhidshaikh.github.io has address 184.108.40.206
There is N-Number of tools to check DNS record in various visual formats. You can use DNS recons tools also to check multiple DNS.
What is Subdomain Takeover Lab?
Subdomain Takeover Lab is Initiative of InitD Community for all(Infosec Guys). Here, its legal to takeover subdomain and host anything(Read Rules). Hackers can explore
Subdomain Takeover Lab Link: https://subdomain-takeover.tk
Let’s Takeover Subdomain
Enough Talk! Lets start Hands-on.
Vulnerable Subdomain: beta.subdomain-takeover.tk
Let’s Visit this URL.
In above an image. we got 404 Error page. its means, this subdomain has no longer Github Page.
In short, we can claim this Subdomain by pointing our GitHub page to this subdomain. Let’s confirm CNAME records by Dig Command.
Great this subdomain pointed to github.io
Let’s Login to GitHub and Create a Repository with any name.
Make a New repository or you can use you exist repository.
After Creating you repository. its will shows like below.
now go to repository setting.
In Setting Go to the Github Page Section.
Change None to Your Master Repository and hit Save.
Now add subdomain name here which you want to
And you can use HTTPS connection. i just avoid Enforce HTTPS .
Now Visit beta.subdomain-takeover.tk
Congratulation !! You have Successfully Takeover
There is another alternative way to doing same thing with minimum step.
You Need to add a CNAME file with your desired subdomain name.
AWS S3 Bucket
Vulnerable Subdomain: playing.subdomain-takeover.tk
Let’s Visit this URL.
We Got Error NoSuchBucket
This is good sign if you’re going to takeover the subdomain.
Lets Verify this by looking for CNAME Records.
Ahhh ! Good News its pointing to AWS S3 Bucket.
Now You Need a AWS Account to create a Bucket and claim this subdomain.
Let’s start Takeover.
Login to https://console.aws.amazon.com/
and move to https://s3.console.aws.amazon.com/s3/home
Click Create Bucket.
Set Bucket name to source domain name (i.e., the domain you want to take over)
Click Next multiple times to finish.
Open the created bucket.
Select the file which will be used for PoC (HTML or TXT file). I recommend naming it differently than index.html; you can use PoC (without extension)
In Set Permissions tab select Grant public read access to this object(s)
In Set Properties tab Go To Metadata
In Header, select Content-Type and value should reflect the type of document which you going to upload. In Our Case HTML, choose text/html.
Click to Upload.
If Everything done properly. You’ll Get the subdomain. Lets visit and verify successful takeover.
Tilda (Using A Record)
For Tilda, You need a premium account or at least a Feel Trail Account on https://tilda.cc (We Recommend a Premium Account)
Lets Visit Vulnerable domain and check its available for takeover or not.
Vulnerable Subdomain: tilda.subdomain-takeover.tk
We Got This Page … Its Seems Vulnerable lets dig into and takeover this subdomain.
Let’s Takeover. 🙂
I am Assuming
Create A Project and Click on Edit Site.
Go To Site setting
Click on Domain
Type You Subdomain Name a Click on Save changes.
If Everything is Perfect…. I Got The Subdomain.
I have Design some page in my project 🙂
Remove the unused Service’s DNS Records from DNS Server.
Thanks For Reading.
Please Try or Subdomain Takeover LAB which is in BETA testing. If you Find any Difficulties please comment below or write a mail.
I’m presently expanding my solid experience in Exploit Researching and Python Programming. I focus on using my interpersonal skills to build Security-related software and techniques to exploit Web application and Thick Client Application. As an individual, I’m self-confident, Self-Learner, funny and naturally passionate in Information Security.