Guide To Subdomain Takeovers💥: DNS Resolutions - Vertical Recon

Hacktivist-Attacker
10 min read · May 6, 2024


Let’s get up and boost yourself!!! Now we are on another recon part, and an easy vulnerability to find in bug bounty.

Vertical Recon: Subdomain Takeovers...

In the previous blog, we learned how to enumerate subdomains. We need our target’s subdomains to test for the subdomain takeover vulnerability. I hope you already read the previous subdomain enumeration blog. If you haven’t, you can read it from the link below.

Once we have gathered the subdomains of our target, we need to resolve them. After that, we start hunting for vulnerabilities on the subdomains.
Here is the blog for “DNS Resolutions: Identifying Live Targets”.

However, there is another part of recon when we come to subdomains: the subdomain takeover vulnerability. We will look at this vulnerability in depth in this blog..

DNS Resolutions:

DNS resolution is the technique used to identify live hosts. After gathering subdomains, we need to determine whether they are alive or not. We will do subdomain takeovers, gather IPs and take screenshots for our target’s subdomains.

What Are Subdomains?

Subdomains are part of domains. Subdomains are also domains, but they are dependent on, and defined as part of, the root domain.

The domain → https://medium.com (medium.com is the root domain).

The subdomain → https://hacktivistttacker.medium.com (hacktivistattacker is a subdomain of medium.com).

Subdomain Takeovers (Hijacking):
</gra_replace>
<gr_replace lines="33-37" cat="clarify" orig="Yeah..,We">
Yeah.., we will become hijackers😶‍🌫️.

This topic is familiar to everyone. But most people don’t clearly understand it and don’t know enough about it.

There are two types of subdomain takeovers..,

Yeah..,We Will become As Hijackers😶‍🌫️.

Here, This topic was most familiar to All. But Most of All, Not clearly Understand and Not know Enough About it.

There Is Two Types Of Subdomains Takeovers..,

  1. Normal Subdomain Takeovers (root domain based)
  2. Cloud Subdomain Takeovers (cloud provider based)

CNAME Record: A Canonical Name record

In the Domain Name System, a Canonical Name record is used to map one domain name to another domain.
For example, the subdomain user.example.com could have a CNAME record that contains the userexample.com domain (which is not a subdomain of example.com). Whenever you request user.example.com, the resolver simply follows the CNAME to userexample.com.

At this point you must control the userexample.com domain, because your custom subdomain user.example.com is pointing to that domain.

1. Normal Subdomain Takeovers:

[Image: Cloud Tech, credit: freepik]

A normal subdomain takeover happens when you lose control of the canonical domain (in this example, the userexample.com domain). Control is lost when you no longer manage the userexample.com domain (because the domain expired, or you deleted it and released it back to the domain registrar).

But your subdomain user.example.com still has a CNAME record that points to userexample.com (which is no longer available).
If anyone requests the subdomain user.example.com, it points to the domain userexample.com and returns “Domain Not Found”!!

Here is the place where the hacker comes to play🔥🔥. He thinks creatively: he simply buys and owns the now-unregistered domain userexample.com. Then what happens? Every request to user.example.com is sent to the hacker’s domain userexample.com..!!!!

Ohhhh….!! It is the hacker’s domain..!!!

Also, the browser URL still shows user.example.com, and nobody knows about the canonical domain behind it!!

2. Cloud Subdomain Takeovers:

[Image: Cloud Tech, credit: freepik]

In the previous type, there is not a high probability that companies configure a subdomain’s CNAME to point to a normal domain (user.example.com → userexample.com), because it is rarely necessary to map a subdomain to a root domain (but the chance is there).
However, this statement does not hold for cloud providers.

Cloud Providers🌀🌀:

Cloud providers let you access computing services over the Internet. You don’t need any physical media to store the data. Cloud providers have lots of computers in their data centres and they rent them out. You can buy their service and access the computing resources over the Internet.

For example, Amazon S3 (Simple Storage Service) lets you store far higher volumes of data than a normal domain/hosting provider.

Companies buy these cloud services based on their purposes. Cloud providers do not let you set custom domain names on their service domain directly. Once you rent their service, they append your company (or resource) name to their domain, which creates a subdomain of the cloud service’s domain. Then you can map that cloud subdomain to your own subdomain by adding a CNAME record.

For example…,

Amazon S3 bucket URLs look like this: <COMPANYNAME>.s3.amazonaws.com. Once a company creates an S3 bucket, they can, if they want, add a CNAME record to map their custom domain to it.

mys3.example.com → example.s3.amazonaws.com

Simple..!! Whenever you try to load mys3.example.com, DNS gives you example.s3.amazonaws.com.
Amazon is just one example of a cloud service; there are lots of cloud providers available and they provide various services…!! Companies use different cloud providers for the different types of services they need..

It’s very important to manage your cloud provider’s service. If you miss paying the rent or discontinue the service and forget to delete the CNAME record from your DNS records, then you get an error from the cloud provider like “Not Found” whenever you try to access the subdomain you mapped to the cloud domain. This happens because the mapped canonical domain no longer exists, yet your CNAME is still pointing to the unavailable cloud domain.

Now the hacker creates the same resource name as the target’s (example.s3.amazonaws.com) at the cloud provider. After that, he could take over the target’s subdomain (mys3.example.com).

Impacts of Subdomain Takeovers..!!

  1. XSS, CORS and SOP bypass → If the root domain allows its cookies to be accessed by subdomains, then the attacker uses XSS to steal all the users’ cookies. They can also access resources through the CORS policy.
  2. Malware content → The attacker hosts malware content on the subdomain, which leads to exploitation of the page’s visitors.
  3. Business logic → Everyone trusts the subdomain because it has the target’s domain in it..

Lastly, trust is the biggest impact. Users trust the subdomain. They give sensitive content to the subdomain…!!!

Tools:

Tools make our job easier.!!!

We can see two types of tools, based on two techniques, to check for the possibility of a subdomain takeover vulnerability..,

  1. CNAME based → This technique depends on checking the subdomain’s CNAME and checking whether the service is available or not.
  2. DNS misconfiguration based → This technique depends on checking an inactive subdomain’s DNS response and finding which service raised the error.

NOTE About The Recon Methodology:

We already resolved the subdomains in the previous blog and found which ones are alive. However, the subdomain takeover vulnerability also exists in dead subdomains. So we will scan for the subdomain takeover vulnerability on all of our target’s subdomains, no matter whether they are live or not. After this blog we will focus only on the live assets of our target.

1. CNAME Based:

We can use these tools to check whether a subdomain takeover is possible or not..

The tools do the same thing as the theory we saw. They check whether the subdomain has a CNAME record. If it does, they request the subdomain and check the response. If the subdomain returns errors like “Not Found”, they report it to us. Then we can claim the domain from the provider.

1. SubOver → SubOver detects 30+ services, which is much more than any other tool out there. The tool uses Golang concurrency and hence is very fast. It can easily detect and report potential subdomain takeovers that exist.

https://github.com/Ice3man543/SubOver


Install:

#Installing the tool:

git clone https://github.com/Ice3man543/SubOver.git
cd SubOver
go install github.com/Ice3man543/SubOver@latest
#NOTE - Do not change the location of the fingerprints.json file, or the tool will not work.

Usage:

#Usage:

subover -l example.com-all-subs.txt -a

#Usage explanation

-l : File containing the list of subdomains
-a : Check for subdomain takeover by sending requests to the subdomains.

2. subjack → Subjack is a Subdomain Takeover tool written in Go designed to scan a list of subdomains concurrently and identify ones that are able to be hijacked.

https://github.com/haccer/subjack

haccer’s subjack..!!!

Install:

#Installing the tool:
git clone https://github.com/haccer/subjack.git && cd subjack
#NOTE - Do not change the location of the fingerprints.json file, or the tool will not work.

go install github.com/haccer/subjack@latest

Usage:

#Usage:
subjack -w example.com-all-subs.txt -a -c fingerprints.json

-w : File containing the list of subdomains
-a : Check for subdomain takeover by sending requests to the subdomains.
-c : Configuration (fingerprints) file

3. Nuclei → Nuclei is used to send requests across targets based on a template, leading to zero false positives and providing fast scanning on a large number of hosts. Nuclei can be used to model all kinds of security checks.

https://github.com/projectdiscovery/nuclei

Project Discovery’s Nuclei Tool

Install:

go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

Setup and Usage:

Nuclei works by using templates (like scripts) to hunt for vulnerabilities in web applications. By running the subdomain takeover templates, nuclei is able to find out whether a subdomain is vulnerable or not.

“detect-all-takeovers” template to check for subdomain takeover:

https://github.com/SumedhDawadi/Nuclei_Template_Subdomain_Takeover/blob/main/detect-all-takeovers.yaml

#Usage:

#One template for finding all takeover possibilities
nuclei -l example.com-all-subs.txt -t $HOME/nuclei-templates/http/takeovers/detect-all-takeovers.yaml -o example_takeover.txt

#All templates in the folder for finding all takeover possibilities
nuclei -l example.com-all-subs.txt -t $HOME/nuclei-templates/http/takeovers -o example_takeover.txt

#Usage explanation
-l : File containing the list of subdomains
-t : Template(s) used for the check
-o : Output the results to a file

CAUTION About The Automation Tools🚫:

Running automated tools without awareness can cause security risks. The tools above and below actively interact with our targets. So be careful about your target while performing automation. Don’t pass any flags you don’t understand. Read it.. Understand it.. Do it…

2. DNS Misconfigurations Based:

This is another technique, based on checking the DNS status of subdomains to see whether a subdomain is vulnerable to subdomain takeover.

Sometimes subdomains (and domains) no longer exist. They cause errors like NXDOMAIN, REFUSED or SERVFAIL. These responses can also be generated for other reasons (the domain does not exist, the server failed, or the query is not allowed). But there is a chance that such subdomains still hold DNS records (dead records).
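To make both techniques concrete (the CNAME-based check from the previous section and the dead-record check just described), here is an added example of my own; it is not code from the post or from any of the tools listed. It assumes a lookup callable returning (rcode, CNAME target) and a fetch callable returning an HTTP body, because the Python standard library has no CNAME lookup; both are stood in for by a constructed in-memory zone, and the fingerprint table is illustrative rather than a copy of any tool’s fingerprints.json.

```python
from typing import Callable, Optional, Tuple

# Illustrative fingerprints (real tools ship a far longer fingerprints.json):
# CNAME suffix -> (provider, marker seen in that provider's "not found" page).
FINGERPRINTS = {
    ".s3.amazonaws.com": ("Amazon S3", "NoSuchBucket"),
    ".github.io": ("GitHub Pages", "There isn't a GitHub Pages site here"),
}

# lookup(name) -> (rcode, CNAME target or None); fetch(name) -> body or None.
Lookup = Callable[[str], Tuple[str, Optional[str]]]
Fetch = Callable[[str], Optional[str]]

def classify(host: str, lookup: Lookup, fetch: Fetch) -> Tuple[str, Optional[str], str]:
    """Return (host, cname, verdict): 'ok', 'dead-record:<RCODE>' or 'dangling:<why>'."""
    rcode, cname = lookup(host)
    if cname is None:
        # No CNAME: the DNS-misconfiguration check. NOERROR answers normally;
        # NXDOMAIN/SERVFAIL/REFUSED are the dead-record responses described above.
        return host, None, "ok" if rcode == "NOERROR" else f"dead-record:{rcode}"
    target = cname.rstrip(".").lower()
    if lookup(target)[0] == "NXDOMAIN":
        # Canonical name no longer resolves: the expired/deleted-domain case.
        return host, cname, "dangling:cname-target-nxdomain"
    for suffix, (provider, marker) in FINGERPRINTS.items():
        if target.endswith(suffix) and marker in (fetch(host) or ""):
            # Provider endpoint still resolves, but the resource is unclaimed.
            return host, cname, f"dangling:{provider}"
    return host, cname, "ok"

# Constructed sample zone and HTTP bodies standing in for live DNS and HTTP.
ZONE = {
    "www.example.com": ("NOERROR", None),
    "mys3.example.com": ("NOERROR", "example.s3.amazonaws.com."),
    "example.s3.amazonaws.com": ("NOERROR", None),
    "user.example.com": ("NOERROR", "userexample.com."),
    "userexample.com": ("NXDOMAIN", None),
    "old.example.com": ("SERVFAIL", None),
}
BODIES = {"mys3.example.com": "<Error><Code>NoSuchBucket</Code></Error>"}

def fake_lookup(name: str) -> Tuple[str, Optional[str]]:
    return ZONE.get(name.rstrip(".").lower(), ("NXDOMAIN", None))

def audit(hosts, lookup: Lookup = fake_lookup, fetch: Fetch = BODIES.get):
    """Classify every host; anything not 'ok' is a candidate for manual verification."""
    return [classify(h, lookup, fetch) for h in hosts]
```

Swapping fake_lookup and BODIES.get for real DNS and HTTP clients turns this into a dangling-record audit of your own zone; every non-ok verdict still needs manual confirmation, as the NOTE further down says.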

If you want to dive deeper into this concept, refer to Frans Rosén’s awesome document below…

Document link:

DNS Hijacking Using Cloud Providers - Author: fransrosen

fransrosen’s ultimate DNS hijacking guide…⚡⚡

Tool:

1. tko-subs → A tool that can help detect and takeover subdomains with dead DNS records.

https://github.com/anshumanbh/tko-subs

anshumanbh’s tko-subs tool

Install:

#Clone the repository.
git clone https://github.com/anshumanbh/tko-subs.git ; cd tko-subs

#Install:
go install github.com/anshumanbh/tko-subs@latest

#The tool needs a config file to run. These files are located in the cloned repository.
#So, always run the tool from within this repository, or you will need to specify the location of the config file.

Usage:

#Usage:

tko-subs -domains example.com-all-subs.txt -data providers-data.csv -output tko_output.csv

#Usage explanation:
-domains : File that holds the list of subdomains
-data : List of cloud providers that can be checked for subdomain takeover.
-output : Save the results to a file (the tool saves as CSV by default.)

NOTE: The tools do not give 100% accurate results. If a tool is not updated regularly, some of its results will be false. Nowadays, some cloud providers update their systems regularly to reduce the possibility of subdomain takeover. So it’s always better to verify manually. You can check the possibility for the subdomains by referring to the blog below..,

Takeovers:

After the tool reports the vulnerable subdomains, you can register with the vulnerable subdomain’s cloud provider and claim the subdomain. Don’t do anything unethical.

If you take over the subdomain, it is illegal until you report the vulnerability to the affected company. Once you report it, the company validates the vulnerability and fixes it as fast as they can. After they triage and fix your report, they award the bounty for it 💵💵.

Quote For The Day:

“A Successful Man is one who can Lay a Firm Foundation with the Bricks Others have Thrown at Him.” --David Brinkley

Cool guys✨✨..!! We completed the subdomain takeover vulnerability as part of vertical recon. Whenever the term RECONISM: Vertical Recon comes up, there is a lot of information that needs gathering🔥🔥. In the next blog we will see “Fingerprinting: Identifying the Technologies of Our Target..!!!!”. So, it’s time for me to leave the blog, and for you too. Bye bye👋.., I will see you in the next blog💖💖.

Relax.. We will see you soon!!!!..
