Domain/Subdomain takeover
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the Telegram group, or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud GitHub repos.
Domain takeover
If you discover a domain (domain.tld) that is still used by some service inside the scope but whose registration the company has let lapse, you can try to register it (if it is cheap enough) and notify the company. If that domain receives sensitive information, such as a session cookie in a GET parameter or in the Referer header, this is a clear vulnerability.
Subdomain takeover
A subdomain of the company points (usually via CNAME) to a third-party service, but the name in use on that service is not, or no longer, registered there. If you can create an account on the third-party service and claim that name, you control what the subdomain serves: that is a subdomain takeover.
Several tools ship with dictionaries of provider fingerprints to check for possible takeovers:
- https://github.com/EdOverflow/can-i-take-over-xyz
- https://github.com/blacklanternsecurity/bbot
- https://github.com/punk-security/dnsReaper
- https://github.com/haccer/subjack
- https://github.com/anshumanbh/tko-sub
- https://github.com/ArifulProtik/sub-domain-takeover
- https://github.com/SaadAhmedx/Subdomain-Takeover
- https://github.com/Ice3man543/SubOver
- https://github.com/antichown/subdomain-takeover
- https://github.com/musana/mx-takeover
- https://github.com/PentestPad/subzy
- https://github.com/Stratus-Security/Subdominator
- https://github.com/NImaism/takeit
- https://github.com/projectdiscovery/nuclei (use -tags takeover with nuclei-templates)
- https://github.com/edoardottt/cariddi (takeover checks in crawling output)
Subdomain Takeover Generation via DNS Wildcard
When a DNS wildcard is used in a domain, any requested subdomain of that domain that does not have its own explicit record resolves to the wildcard's data. This could be an A record with an IP address, a CNAME...
For example, if *.testing.com is wildcarded to 1.1.1.1, then not-existent.testing.com will point to 1.1.1.1.
However, if instead of pointing to an IP address the sysadmin points the wildcard to a third-party service via CNAME, for example a GitHub Pages subdomain (sohomdatta1.github.io), an attacker can create their own page on that third party (GitHub in this case) and declare that something.testing.com points there. Because the wildcard CNAME answers for every name that is not explicitly defined, the attacker can generate arbitrary subdomains of the victim's domain that serve their own pages.
You can find an example of this vulnerability in the CTF write-up: https://ctf.zeyu2001.com/2022/nitectf-2022/undocumented-js-api
Exploiting a subdomain takeover
A subdomain takeover gives the attacker, for one hostname, roughly what DNS spoofing would: without touching the victim's zone, the attacker controls the content that the existing record resolves to, so browsers render the attacker's server under the legitimate name. Because the browser shows the real company hostname, such domains are ideal for phishing, more convincing than typosquatting or doppelganger domains: the URL in the phishing email really is legitimate, which deceives users and evades spam filters that rely on the domain's reputation.
Check this post for further details
SSL Certificates
An attacker who controls the content served by the taken-over hostname can pass HTTP-based domain validation and obtain a valid certificate from a CA such as Let's Encrypt (many hosting providers even provision one automatically), so the phishing page shows a padlock for the legitimate company name and becomes far more convincing.
Cookie Security and Browser Transparency
Browser trust also extends to cookies. Cookies are scoped by host and by the Domain attribute, not by the Same-origin policy: a cookie set with Domain=.company.tld is sent to every subdomain, including a taken-over one. Cookies are commonly used to manage sessions and store login tokens, so an attacker who simply lures a user to the compromised subdomain receives the session cookies for the whole domain, endangering user data and privacy.
CORS Bypass
It is common for a CORS policy to trust every subdomain of the company (the Origin header is reflected whenever it ends in .company.tld, often together with Access-Control-Allow-Credentials: true). A taken-over subdomain satisfies that check, so an attacker page hosted there can read authenticated responses from the main domain or other subdomains and exfiltrate sensitive information.
CSRF - Same-Site Cookies bypass
The SameSite cookie attribute only restricts cross-site requests, and two hosts under the same registrable domain (company.tld) are same-site. A request from the taken-over subdomain to the main domain or other subdomains therefore carries the cookies that SameSite=Lax or Strict would have withheld from a foreign site, re-enabling CSRF. Note that properly implemented anti-CSRF tokens will still prevent this attack.
OAuth tokens redirect
If the OAuth client registered a wildcard redirect_uri such as https://*.company.tld/callback, or the authorization server only checks the domain suffix, the compromised subdomain is an acceptable redirect_uri. An attacker can then start a flow whose authorization code or token is delivered to the host they control and steal it.
CSP Bypass
If the CSP allows the compromised subdomain, or every subdomain (for example script-src *.company.tld), the attacker can host scripts there and use them as the payload for an XSS that the policy would otherwise have blocked.
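The CORS, OAuth redirect_uri and CSP sections above all describe the same mistake: trusting "any subdomain of the company" instead of a fixed list of hosts. The following is an added example, not code from the original page or from any of the tools it lists, that puts each loose check next to its strict counterpart and asks which of them a taken-over host would pass. example.com, app.example.com, dangling.example.com and the /callback path are constructed for the example; the CSP matcher is a deliberately simplified host-source match (host only, scheme and port ignored).

```python
from urllib.parse import urlsplit

# Constructed victim domain for this example. "dangling.example.com" stands for a
# subdomain the attacker has taken over; "app.example.com" is a legitimate host.
COMPANY_DOMAIN = "example.com"


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def is_company_subdomain(host: str) -> bool:
    """Suffix check many CORS / redirect_uri validators use. It correctly rejects
    'notexample.com', but every subdomain passes, taken over or not."""
    return host == COMPANY_DOMAIN or host.endswith("." + COMPANY_DOMAIN)


# --- CORS: which Origins get reflected into Access-Control-Allow-Origin --------

def cors_allow_loose(origin: str) -> bool:
    """Any https origin under the company domain is trusted (typically combined
    with Access-Control-Allow-Credentials: true)."""
    return urlsplit(origin).scheme == "https" and is_company_subdomain(_host(origin))


CORS_ALLOWLIST = frozenset({"https://app.example.com", "https://admin.example.com"})


def cors_allow_strict(origin: str) -> bool:
    """Exact-origin allowlist: a taken-over host is simply not on it."""
    return origin in CORS_ALLOWLIST


# --- OAuth: which redirect_uri values the authorization server accepts ---------

def redirect_uri_allow_loose(uri: str) -> bool:
    """Wildcard registration such as https://*.example.com/callback."""
    parts = urlsplit(uri)
    return (parts.scheme == "https"
            and is_company_subdomain(_host(uri))
            and parts.path == "/callback")


REGISTERED_REDIRECT_URIS = frozenset({"https://app.example.com/callback"})


def redirect_uri_allow_strict(uri: str) -> bool:
    """Simple string comparison against pre-registered URIs (RFC 6749 section 3.1.2.3)."""
    return uri in REGISTERED_REDIRECT_URIS


# --- CSP: which hosts a script-src host-source lets scripts load from ----------

def csp_host_source_matches(source: str, url: str) -> bool:
    """Simplified CSP host-source match (host only; scheme and port ignored).
    '*.example.com' matches any host with at least one label in front of
    '.example.com' but not the apex itself; anything else must match exactly."""
    host = _host(url)
    source = source.lower()
    if source.startswith("*."):
        return host.endswith(source[1:])      # source[1:] == ".example.com"
    return host == source


def trust_granted(hostname: str) -> dict:
    """Which of the six checks an attacker controlling `hostname` would pass."""
    origin = f"https://{hostname}"
    script = f"{origin}/payload.js"
    return {
        "cors_loose": cors_allow_loose(origin),
        "cors_strict": cors_allow_strict(origin),
        "oauth_loose": redirect_uri_allow_loose(f"{origin}/callback"),
        "oauth_strict": redirect_uri_allow_strict(f"{origin}/callback"),
        "csp_loose": csp_host_source_matches("*.example.com", script),
        "csp_strict": csp_host_source_matches("cdn.example.com", script),
    }


if __name__ == "__main__":
    for host in ("app.example.com", "dangling.example.com", "attacker.example.net"):
        print(host, trust_granted(host))
```

The point of the strict variants is that they name hosts, not patterns: a taken-over dangling.example.com passes every loose check and none of the strict ones, while an unrelated attacker domain passes nothing either way. Note that the strict CSP source here only trusts cdn.example.com, so even the legitimate app.example.com cannot serve scripts, which is the intended least-privilege outcome.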
Emails and Subdomain Takeover
Email is another angle. If a subdomain's MX records point to a mail service the attacker can claim, or to a host the attacker has taken over, the attacker receives all mail addressed to that subdomain (including password-reset and verification messages) and can send mail that appears to come from a legitimate company subdomain, which makes phishing far more effective.
Higher Order Risks
Further risks include NS record takeover. If one of a domain's NS records points to a nameserver whose own domain has expired and an attacker registers it, the attacker controls every answer that nameserver gives; since resolvers pick among the listed nameservers, a share of all queries for the zone is directed to a server under the attacker's control. Setting a high TTL (Time to Live) on the forged records makes resolvers cache them for a long time, prolonging the attack.
CNAME Record Vulnerability
Attackers can exploit CNAME records that still point to external resources which have since been deleted or decommissioned (a removed storage bucket, app or pages site). Recreating the resource under the same name places attacker-controlled content under the trusted domain, facilitating phishing or malware distribution.
Mitigation strategies
Mitigation strategies include:
- Removing vulnerable DNS records: effective for subdomains that are no longer needed.
- Reclaiming the domain name: re-register the resource with the respective cloud provider, or repurchase the expired domain.
- Regular vulnerability monitoring: tools like aquatone can help identify vulnerable domains. Organizations should also review their infrastructure-management processes so that creating the DNS record is the last step of resource creation and deleting it is the first step of resource destruction.
For cloud providers, verifying domain ownership is crucial to prevent subdomain takeovers. Some, like GitLab, have recognized this issue and implemented domain verification mechanisms.
Detection techniques
- Find dangling DNS records: look for CNAME/A/AAAA/ALIAS/ANAME records pointing to non-existent resources (deleted buckets, apps, pages, load balancers).
- Check provider error signatures: match HTTP responses (e.g. "There isn't a GitHub Pages site here" or an S3 NoSuchBucket error), TLS certificates, or DNS errors (NXDOMAIN on the CNAME target) to known takeover patterns (see can-i-take-over-xyz).
- Look for orphaned cloud assets: verify S3/CloudFront, Azure Websites, GCP App Engine/Storage, GitHub Pages, Heroku, Fastly, Netlify, Vercel, Zendesk, Shopify, Atlassian, and similar services.
- Passive DNS and historical records: old CNAMEs often reveal previously used third-party services that may still be vulnerable.
- Wildcard pitfalls: check whether a hit comes from a wildcard record rather than an explicit one, both to avoid false positives and to recognise the amplification described in the DNS wildcard section above.
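As an added example for the detection list above and for the DNS wildcard section earlier on the page (this is not code from the original page or from any of the listed tools), the following script implements the two DNS-side checks: a record whose target name no longer exists (NXDOMAIN on a CNAME, MX or NS target) and a wildcard CNAME that hands every unregistered subdomain to a third-party provider. It runs offline against a constructed zone; the example.com records, the provider hostnames and the FakeResolver class are all made up for the example. NXDOMAIN on the target is used as the takeover heuristic; the HTTP fingerprint step from the list is a separate check that this block does not perform. The logic generalises beyond CNAME to MX and NS targets, which is why one block serves the e-mail and NS sections as well.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed zone data so the example runs offline. For live use, replace
# FakeResolver with a thin wrapper around dnspython's dns.resolver; audit() stays the same.
ZONE: Dict[str, Dict[str, List[str]]] = {
    "example.com":           {"A": ["203.0.113.10"],
                              "NS": ["ns1.example.com", "ns2.expired-dns-host.example"]},
    "ns1.example.com":       {"A": ["203.0.113.53"]},
    "docs.example.com":      {"CNAME": ["acme-docs.github.io"]},      # target still exists: healthy
    "acme-docs.github.io":   {"A": ["185.199.108.153"]},
    "old-shop.example.com":  {"CNAME": ["acme-shop.herokuapp.com"]},  # app deleted: dangling
    "mail.example.com":      {"MX": ["mx.gone-mailer.example"]},      # mail host gone: dangling MX
    "*.testing.example.com": {"CNAME": ["acme-wild.github.io"]},      # wildcard CNAME to a provider
    "acme-wild.github.io":   {"A": ["185.199.108.153"]},
}
# A few provider suffixes; can-i-take-over-xyz maintains the authoritative list.
PROVIDER_SUFFIXES = {".github.io": "GitHub Pages", ".herokuapp.com": "Heroku",
                     ".s3.amazonaws.com": "AWS S3", ".azurewebsites.net": "Azure App Service"}


class NXDOMAIN(Exception):
    """The name does not exist at all (distinct from existing with no data of that type)."""


class FakeResolver:
    def __init__(self, zone):
        self.zone = {k.lower(): v for k, v in zone.items()}

    def query(self, name: str, rtype: str) -> List[str]:
        name = name.lower().rstrip(".")
        rrset = self.zone.get(name)
        if rrset is None:                       # simplified wildcard synthesis
            labels = name.split(".")
            for i in range(1, len(labels)):
                rrset = self.zone.get("*." + ".".join(labels[i:]))
                if rrset is not None:
                    break
        if rrset is None:
            raise NXDOMAIN(name)
        return list(rrset.get(rtype, []))       # [] models a NODATA answer


def name_exists(resolver, name: str) -> bool:
    try:
        resolver.query(name, "A")
        return True
    except NXDOMAIN:
        return False


def identify_provider(target: str) -> Optional[str]:
    target = target.lower().rstrip(".")
    return next((p for s, p in PROVIDER_SUFFIXES.items() if target.endswith(s)), None)


def is_wildcard_answer(resolver, name: str, rtype: str, answer: List[str]) -> bool:
    """Query a random sibling label: the same answer means the record is
    synthesized from a wildcard, not configured for this specific name."""
    if "." not in name:
        return False
    probe = f"{secrets.token_hex(6)}.{name.split('.', 1)[1]}"
    try:
        return sorted(resolver.query(probe, rtype)) == sorted(answer)
    except NXDOMAIN:
        return False


@dataclass
class Finding:
    name: str
    rtype: str
    target: str
    kind: str            # "dangling" or "wildcard-to-provider"
    provider: Optional[str]


def audit(resolver, names: List[str], rtypes=("CNAME", "MX", "NS")) -> List[Finding]:
    """Flag records whose target no longer exists (claimable at the provider or
    registrar) and wildcard CNAMEs that hand every unregistered subdomain to a provider."""
    findings: List[Finding] = []
    for name in names:
        for rtype in rtypes:
            try:
                targets = resolver.query(name, rtype)
            except NXDOMAIN:
                break                # the name itself is gone; nothing more to check here
            if not targets:
                continue
            wildcard = rtype == "CNAME" and is_wildcard_answer(resolver, name, rtype, targets)
            for target in targets:
                provider = identify_provider(target)
                if not name_exists(resolver, target):
                    findings.append(Finding(name, rtype, target, "dangling", provider))
                elif wildcard and provider:
                    findings.append(Finding(name, rtype, target, "wildcard-to-provider", provider))
    return findings


if __name__ == "__main__":
    hosts = ["docs.example.com", "old-shop.example.com", "mail.example.com",
             "example.com", "anything.testing.example.com"]
    for f in audit(FakeResolver(ZONE), hosts):
        print(f"{f.kind:21} {f.name:30} {f.rtype:5} -> {f.target} [{f.provider or 'unknown'}]")
```

Against the constructed zone the audit reports the deleted Heroku app behind old-shop.example.com, the vanished MX host of mail.example.com, the expired second nameserver of example.com, and the wildcard CNAME under testing.example.com that points at GitHub Pages; the healthy docs.example.com CNAME is not reported. The random-label probe is what separates a genuine per-host record from a wildcard hit, which is the false-positive trap the list warns about.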
APIs and data sources
- https://securitytrails.com/ (historical DNS, passive DNS API)
- https://community.riskiq.com/ (PassiveTotal)
- https://www.farsightsecurity.com/solutions/dnsdb/
- https://www.domaintools.com/products/iris/
- https://search.censys.io/ (certs and host data)
- https://www.shodan.io/ (host data)
- https://www.virustotal.com/ (historical DNS, URLs)
- https://chaos.projectdiscovery.io/ (subdomains dataset)
References
- https://0xpatrik.com/subdomain-takeover/
- https://www.stratussecurity.com/post/subdomain-takeover-guide
- https://www.hackerone.com/blog/guide-subdomain-takeovers-20