hacktricks/pentesting-web/domain-subdomain-takeover.md

# Kuchukua Umiliki wa Kikoa/Subdomain

<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalamu wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>

<figure><img src="../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>

\
Tumia [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) kujenga na **kutumia mifumo ya kazi** inayotumia zana za **jamii ya juu zaidi** duniani.\
Pata Ufikiaji Leo:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

## Kuchukua Umiliki wa Kikoa

Ikiwa unagundua kikoa (kikoa.tld) ambacho **kinatumika na huduma fulani ndani ya wigo** lakini **kampuni** imepoteza **umiliki** wake, unaweza kujaribu **kujisajili** (ikiwa ni rahisi kutosha) na kuijulisha kampuni. Ikiwa kikoa hiki kinapokea **habari nyeti** kama kuki za vikao kupitia **parameta ya GET** au kwenye kichwa cha **Referer**, hii bila shaka ni **hitilafu**.

### Kuchukua Umiliki wa Subdomain

Subdomain ya kampuni inaelekeza kwenye **huduma ya mtu wa tatu na jina lisililosajiliwa**. Ikiwa unaweza **kuunda** akaunti kwenye **huduma ya mtu wa tatu** na **kujisajili** jina linalotumiwa, unaweza kufanya kuchukua umiliki wa subdomain.

Kuna zana kadhaa na maneno ya kamusi ya kuangalia kwa kuchukua:

* [https://github.com/EdOverflow/can-i-take-over-xyz](https://github.com/EdOverflow/can-i-take-over-xyz)
* [https://github.com/blacklanternsecurity/bbot](https://github.com/blacklanternsecurity/bbot)
* [https://github.com/punk-security/dnsReaper](https://github.com/punk-security/dnsReaper)
* [https://github.com/haccer/subjack](https://github.com/haccer/subjack)
* [https://github.com/anshumanbh/tko-sub](https://github.com/anshumanbh/tko-subs)
* [https://github.com/ArifulProtik/sub-domain-takeover](https://github.com/ArifulProtik/sub-domain-takeover)
* [https://github.com/SaadAhmedx/Subdomain-Takeover](https://github.com/SaadAhmedx/Subdomain-Takeover)
* [https://github.com/Ice3man543/SubOver](https://github.com/Ice3man543/SubOver)
* [https://github.com/m4ll0k/takeover](https://github.com/m4ll0k/takeover)
* [https://github.com/antichown/subdomain-takeover](https://github.com/antichown/subdomain-takeover)
* [https://github.com/musana/mx-takeover](https://github.com/musana/mx-takeover)
* [https://github.com/PentestPad/subzy](https://github.com/PentestPad/subzy)

#### Kuchunguza Subdomains Zinazoweza Kutekwa na [BBOT](https://github.com/blacklanternsecurity/bbot):

Uchunguzi wa kuchukua unajumuisha katika uchunguzi wa kawaida wa subdomain wa BBOT. Saini zinachukuliwa moja kwa moja kutoka [https://github.com/EdOverflow/can-i-take-over-xyz](https://github.com/EdOverflow/can-i-take-over-xyz).
```bash
bbot -t evilcorp.com -f subdomain-enum
```
### Uzalishaji wa Kuchukua Subdomain kupitia DNS Wildcard

Wakati wildcard wa DNS unapotumiwa kwenye kikoa, subdomain yoyote iliyotakiwa ya kikoa ambayo haina anwani tofauti kwa uwazi itakuwa **imeelekezwa kwenye habari ile ile**. Hii inaweza kuwa anwani ya A ip, CNAME...

Kwa mfano, ikiwa `*.testing.com` imeelekezwa kwa `1.1.1.1`. Kisha, `not-existent.testing.com` itakuwa inaelekeza kwa `1.1.1.1`.

Hata hivyo, badala ya kuielekeza kwa anwani ya IP, msimamizi wa mfumo anaweza kuielekeza kwa **huduma ya mtu wa tatu kupitia CNAME**, kama **subdomain ya github** kwa mfano (`sohomdatta1.github.io`). Mshambuliaji anaweza **kuunda ukurasa wake wa mtu wa tatu** (kwenye Gihub kwa kesi hii) na kusema kwamba `kitu.testing.com` inaelekeza hapo. Kwa sababu, **wildcard ya CNAME** itakubaliana na mshambuliaji ataweza **kuzalisha subdomains za kiholela kwa kikoa cha muathiriwa zinazo elekezwa kwenye kurasa zake**.

Unaweza kupata mfano wa udhaifu huu katika andiko la CTF: [https://ctf.zeyu2001.com/2022/nitectf-2022/undocumented-js-api](https://ctf.zeyu2001.com/2022/nitectf-2022/undocumented-js-api)

## Kutumia kuchukua subdomain

Kuchukua subdomain ni kimsingi kughushi DNS kwa kikoa maalum kote kwenye mtandao, kuruhusu wachambuzi kuweka rekodi za A kwa kikoa, kuongoza vivinjari kuonyesha maudhui kutoka kwenye seva ya mshambuliaji. Hii **uwazi** katika vivinjari hufanya vikoa kuwa hatarini kwa udanganyifu. Wachambuzi wanaweza kutumia [_typosquatting_](https://en.wikipedia.org/wiki/Typosquatting) au [_Doppelganger domains_](https://en.wikipedia.org/wiki/Doppelg%C3%A4nger) kwa madhumuni haya. Hasa hatarini ni vikoa ambapo URL katika barua pepe ya udanganyifu inaonekana kuwa halali, kuwadanganya watumiaji na kuepuka vichujio vya barua taka kutokana na imani ya asili ya kikoa.

Angalia [chapisho hili kwa maelezo zaidi](https://0xpatrik.com/subdomain-takeover/)

### **Vyeti vya SSL**

Vyeti vya SSL, ikiwa vinazalishwa na wachambuzi kupitia huduma kama [_Let's Encrypt_](https://letsencrypt.org/), huongeza uhalali wa vikoa bandia hivi, kufanya mashambulizi ya udanganyifu kuwa ya kushawishi zaidi.

### **Usalama wa Vidakuzi na Uwazi wa Kivinjari**

Uwazi wa kivinjari pia unahusiana na usalama wa vidakuzi, unatawaliwa na sera kama [Sera ya Asili Moja](https://en.wikipedia.org/wiki/Same-origin\_policy). Vidakuzi, mara nyingi hutumiwa kusimamia vikao na kuhifadhi alama za kuingia, vinaweza kutumiwa vibaya kupitia kuchukua subdomain. Wachambuzi wanaweza **kukusanya vidakuzi vya kikao** kwa urahisi tu kwa kuwaongoza watumiaji kwenye subdomain iliyodhurika, kuweka data ya mtumiaji na faragha hatarini.

### **Barua pepe na Kuchukua Subdomain**

Msimamo mwingine wa kuchukua subdomain unahusisha huduma za barua pepe. Wachambuzi wanaweza kubadilisha **rekodi za MX** kupokea au kutuma barua pepe kutoka kwa subdomain halali, kuongeza ufanisi wa mashambulizi ya udanganyifu.

### **Hatari za Viwango vya Juu**

Hatari zaidi ni pamoja na **kuchukua rekodi za NS**. Ikiwa mshambuliaji anapata udhibiti wa rekodi moja ya NS ya kikoa, wanaweza kuelekeza sehemu ya trafiki kwenye seva chini ya udhibiti wao. Hatari hii inaongezeka ikiwa mshambuliaji anaweka **TTL (Muda wa Kuishi)** wa juu kwa rekodi za DNS, kuzidisha muda wa shambulizi.

### Udhaifu wa Rekodi ya CNAME

Wachambuzi wanaweza kutumia rekodi za CNAME ambazo hazijadaiwa zinazo elekeza kwa huduma za nje ambazo hazitumiwi tena au zimeondolewa. Hii inawaruhusu kuunda ukurasa chini ya kikoa kinachotegemewa, kuwezesha zaidi udanganyifu au usambazaji wa zisizo.

### **Mbinu za Kupunguza Hatari**

Mbinu za kupunguza hatari ni pamoja na:

1. **Kuondoa rekodi za DNS zenye udhaifu** - Hii ni yenye ufanisi ikiwa subdomain haifai tena.
2. **Kudai jina la kikoa** - Kusajili rasilimali na mtoa huduma wa wingu husika au kununua upya kikoa kilichoisha muda wake.
3. **Kufuatilia mara kwa mara kwa udhaifu** - Zana kama [aquatone](https://github.com/michenriksen/aquatone) inaweza kusaidia kutambua vikoa vinavyoweza kuathiriwa. Mashirika pia yanapaswa kupitia upya michakato yao ya usimamizi wa miundombinu, kuhakikisha kuwa uundaji wa rekodi za DNS ni hatua ya mwisho katika uundaji wa rasilimali na hatua ya kwanza katika uharibifu wa rasilimali.

Kwa watoa huduma wa wingu, kuthibitisha umiliki wa kikoa ni muhimu ili kuzuia kuchukua subdomain. Baadhi, kama [GitLab](https://about.gitlab.com/2018/02/05/gitlab-pages-custom-domain-validation/), wametambua suala hili na kutekeleza mbinu za uthibitisho wa kikoa.

## Marejeo

* [https://0xpatrik.com/subdomain-takeover/](https://0xpatrik.com/subdomain-takeover/)

<figure><img src="../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>

\
Tumia [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) kujenga na **kutumia kiotomatiki** zinazotegemea zana za jamii za juu zaidi duniani.\
Pata Ufikiaji Leo:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

<details>

<summary><strong>Jifunze kuhusu kuchukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge** 💬 na [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat 2024-03-29 21:14:28 +00:00			`# Kuchukua Umiliki wa Kikoa/Subdomain`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`<details>`

Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalamu wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Njia nyingine za kusaidia HackTricks:`
arte 2023-12-31 01:25:17 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`* Ikiwa unataka kuona kampuni yako ikionekana kwenye HackTricks au kupakua HackTricks kwa PDF Angalia [MIPANGO YA USAJILI](https://github.com/sponsors/carlospolop)!`
Translated ['pentesting-web/domain-subdomain-takeover.md'] to sw 2024-02-15 12:02:03 +00:00			`* Pata [bidhaa rasmi za PEASS & HackTricks](https://peass.creator-spring.com)`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 03:36:12 +00:00			`* Gundua [Familia ya PEASS](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [NFTs](https://opensea.io/collection/the-peass-family) ya kipekee`
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat 2024-03-17 16:40:00 +00:00			`* Jiunge na 💬 [Kikundi cha Discord](https://discord.gg/hRep4RUj7f) au kikundi cha [telegram](https://t.me/peass) au tufuate kwenye Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks\_live).`
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat 2024-03-29 21:14:28 +00:00			`* Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa [HackTricks](https://github.com/carlospolop/hacktricks) na [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repos za github.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`

Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`<figure><img src="../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>`
GitBook: [#3240] No subject 2022-06-06 22:28:05 +00:00
update 2023-01-01 16:19:07 +00:00			`\`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`Tumia [Trickest](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) kujenga na kutumia mifumo ya kazi inayotumia zana za jamii ya juu zaidi duniani.\`
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Pata Ufikiaji Leo:`
GitBook: [#3240] No subject 2022-06-06 22:28:05 +00:00
update 2023-01-01 16:19:07 +00:00			`{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 03:36:12 +00:00			`## Kuchukua Umiliki wa Kikoa`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`Ikiwa unagundua kikoa (kikoa.tld) ambacho kinatumika na huduma fulani ndani ya wigo lakini kampuni imepoteza umiliki wake, unaweza kujaribu kujisajili (ikiwa ni rahisi kutosha) na kuijulisha kampuni. Ikiwa kikoa hiki kinapokea habari nyeti kama kuki za vikao kupitia parameta ya GET au kwenye kichwa cha Referer, hii bila shaka ni hitilafu.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 03:36:12 +00:00			`### Kuchukua Umiliki wa Subdomain`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`Subdomain ya kampuni inaelekeza kwenye huduma ya mtu wa tatu na jina lisililosajiliwa. Ikiwa unaweza kuunda akaunti kwenye huduma ya mtu wa tatu na kujisajili jina linalotumiwa, unaweza kufanya kuchukua umiliki wa subdomain.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`Kuna zana kadhaa na maneno ya kamusi ya kuangalia kwa kuchukua:`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			`* [https://github.com/EdOverflow/can-i-take-over-xyz](https://github.com/EdOverflow/can-i-take-over-xyz)`
BBOT for bucket enumeration, subdomain takeover 2023-03-21 21:10:11 +00:00			`* [https://github.com/blacklanternsecurity/bbot](https://github.com/blacklanternsecurity/bbot)`
GitBook: [#3361] No subject 2022-08-12 14:25:49 +00:00			`* [https://github.com/punk-security/dnsReaper](https://github.com/punk-security/dnsReaper)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`* [https://github.com/haccer/subjack](https://github.com/haccer/subjack)`
			`* [https://github.com/anshumanbh/tko-sub](https://github.com/anshumanbh/tko-subs)`
			`* [https://github.com/ArifulProtik/sub-domain-takeover](https://github.com/ArifulProtik/sub-domain-takeover)`
			`* [https://github.com/SaadAhmedx/Subdomain-Takeover](https://github.com/SaadAhmedx/Subdomain-Takeover)`
			`* [https://github.com/Ice3man543/SubOver](https://github.com/Ice3man543/SubOver)`
			`* [https://github.com/m4ll0k/takeover](https://github.com/m4ll0k/takeover)`
			`* [https://github.com/antichown/subdomain-takeover](https://github.com/antichown/subdomain-takeover)`
GitBook: [#3748] No subject 2023-01-13 10:30:46 +00:00			`* [https://github.com/musana/mx-takeover](https://github.com/musana/mx-takeover)`
Translated ['pentesting-web/domain-subdomain-takeover.md'] to sw 2024-02-15 12:02:03 +00:00			`* [https://github.com/PentestPad/subzy](https://github.com/PentestPad/subzy)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat 2024-03-29 21:14:28 +00:00			`#### Kuchunguza Subdomains Zinazoweza Kutekwa na [BBOT](https://github.com/blacklanternsecurity/bbot):`
GITBOOK-4092: change request with no subject merged in GitBook 2023-09-24 09:51:34 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`Uchunguzi wa kuchukua unajumuisha katika uchunguzi wa kawaida wa subdomain wa BBOT. Saini zinachukuliwa moja kwa moja kutoka [https://github.com/EdOverflow/can-i-take-over-xyz](https://github.com/EdOverflow/can-i-take-over-xyz).`
GITBOOK-4092: change request with no subject merged in GitBook 2023-09-24 09:51:34 +00:00			```bash
BBOT for bucket enumeration, subdomain takeover 2023-03-21 21:10:11 +00:00			`bbot -t evilcorp.com -f subdomain-enum`
GITBOOK-4092: change request with no subject merged in GitBook 2023-09-24 09:51:34 +00:00			```
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`### Uzalishaji wa Kuchukua Subdomain kupitia DNS Wildcard`
BBOT for bucket enumeration, subdomain takeover 2023-03-21 21:10:11 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`Wakati wildcard wa DNS unapotumiwa kwenye kikoa, subdomain yoyote iliyotakiwa ya kikoa ambayo haina anwani tofauti kwa uwazi itakuwa imeelekezwa kwenye habari ile ile. Hii inaweza kuwa anwani ya A ip, CNAME...`
GitBook: [#3724] No subject 2023-01-02 14:30:12 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 03:36:12 +00:00			Kwa mfano, ikiwa `*.testing.com` imeelekezwa kwa `1.1.1.1`. Kisha, `not-existent.testing.com` itakuwa inaelekeza kwa `1.1.1.1`.
GitBook: [#3724] No subject 2023-01-02 14:30:12 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			Hata hivyo, badala ya kuielekeza kwa anwani ya IP, msimamizi wa mfumo anaweza kuielekeza kwa huduma ya mtu wa tatu kupitia CNAME, kama subdomain ya github kwa mfano (`sohomdatta1.github.io`). Mshambuliaji anaweza kuunda ukurasa wake wa mtu wa tatu (kwenye Gihub kwa kesi hii) na kusema kwamba `kitu.testing.com` inaelekeza hapo. Kwa sababu, wildcard ya CNAME itakubaliana na mshambuliaji ataweza kuzalisha subdomains za kiholela kwa kikoa cha muathiriwa zinazo elekezwa kwenye kurasa zake.
GitBook: [#3724] No subject 2023-01-02 14:30:12 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 03:36:12 +00:00			`Unaweza kupata mfano wa udhaifu huu katika andiko la CTF: [https://ctf.zeyu2001.com/2022/nitectf-2022/undocumented-js-api](https://ctf.zeyu2001.com/2022/nitectf-2022/undocumented-js-api)`
GitBook: [#3724] No subject 2023-01-02 14:30:12 +00:00
Translated ['pentesting-web/domain-subdomain-takeover.md'] to sw 2024-02-15 12:02:03 +00:00			`## Kutumia kuchukua subdomain`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			Kuchukua subdomain ni kimsingi kughushi DNS kwa kikoa maalum kote kwenye mtandao, kuruhusu wachambuzi kuweka rekodi za A kwa kikoa, kuongoza vivinjari kuonyesha maudhui kutoka kwenye seva ya mshambuliaji. Hii uwazi katika vivinjari hufanya vikoa kuwa hatarini kwa udanganyifu. Wachambuzi wanaweza kutumia [_typosquatting_](https://en.wikipedia.org/wiki/Typosquatting) au [_Doppelganger domains_](https://en.wikipedia.org/wiki/Doppelg%C3%A4nger) kwa madhumuni haya. Hasa hatarini ni vikoa ambapo URL katika barua pepe ya udanganyifu inaonekana kuwa halali, kuwadanganya watumiaji na kuepuka vichujio vya barua taka kutokana na imani ya asili ya kikoa.
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Angalia [chapisho hili kwa maelezo zaidi](https://0xpatrik.com/subdomain-takeover/)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`### Vyeti vya SSL`
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat 2024-03-17 16:40:00 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`Vyeti vya SSL, ikiwa vinazalishwa na wachambuzi kupitia huduma kama [_Let's Encrypt_](https://letsencrypt.org/), huongeza uhalali wa vikoa bandia hivi, kufanya mashambulizi ya udanganyifu kuwa ya kushawishi zaidi.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`### Usalama wa Vidakuzi na Uwazi wa Kivinjari`
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat 2024-03-17 16:40:00 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`Uwazi wa kivinjari pia unahusiana na usalama wa vidakuzi, unatawaliwa na sera kama [Sera ya Asili Moja](https://en.wikipedia.org/wiki/Same-origin\_policy). Vidakuzi, mara nyingi hutumiwa kusimamia vikao na kuhifadhi alama za kuingia, vinaweza kutumiwa vibaya kupitia kuchukua subdomain. Wachambuzi wanaweza kukusanya vidakuzi vya kikao kwa urahisi tu kwa kuwaongoza watumiaji kwenye subdomain iliyodhurika, kuweka data ya mtumiaji na faragha hatarini.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['pentesting-web/domain-subdomain-takeover.md'] to sw 2024-02-15 12:02:03 +00:00			`### Barua pepe na Kuchukua Subdomain`
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat 2024-03-17 16:40:00 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`Msimamo mwingine wa kuchukua subdomain unahusisha huduma za barua pepe. Wachambuzi wanaweza kubadilisha rekodi za MX kupokea au kutuma barua pepe kutoka kwa subdomain halali, kuongeza ufanisi wa mashambulizi ya udanganyifu.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['pentesting-web/domain-subdomain-takeover.md'] to sw 2024-02-15 12:02:03 +00:00			`### Hatari za Viwango vya Juu`
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat 2024-03-17 16:40:00 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`Hatari zaidi ni pamoja na kuchukua rekodi za NS. Ikiwa mshambuliaji anapata udhibiti wa rekodi moja ya NS ya kikoa, wanaweza kuelekeza sehemu ya trafiki kwenye seva chini ya udhibiti wao. Hatari hii inaongezeka ikiwa mshambuliaji anaweka TTL (Muda wa Kuishi) wa juu kwa rekodi za DNS, kuzidisha muda wa shambulizi.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`### Udhaifu wa Rekodi ya CNAME`
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat 2024-03-17 16:40:00 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`Wachambuzi wanaweza kutumia rekodi za CNAME ambazo hazijadaiwa zinazo elekeza kwa huduma za nje ambazo hazitumiwi tena au zimeondolewa. Hii inawaruhusu kuunda ukurasa chini ya kikoa kinachotegemewa, kuwezesha zaidi udanganyifu au usambazaji wa zisizo.`
a 2024-02-05 20:00:40 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`### Mbinu za Kupunguza Hatari`
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat 2024-03-17 16:40:00 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Mbinu za kupunguza hatari ni pamoja na:`
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat 2024-03-17 16:40:00 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 03:36:12 +00:00			`1. Kuondoa rekodi za DNS zenye udhaifu - Hii ni yenye ufanisi ikiwa subdomain haifai tena.`
Translated ['pentesting-web/domain-subdomain-takeover.md'] to sw 2024-02-15 12:02:03 +00:00			`2. Kudai jina la kikoa - Kusajili rasilimali na mtoa huduma wa wingu husika au kununua upya kikoa kilichoisha muda wake.`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`3. Kufuatilia mara kwa mara kwa udhaifu - Zana kama [aquatone](https://github.com/michenriksen/aquatone) inaweza kusaidia kutambua vikoa vinavyoweza kuathiriwa. Mashirika pia yanapaswa kupitia upya michakato yao ya usimamizi wa miundombinu, kuhakikisha kuwa uundaji wa rekodi za DNS ni hatua ya mwisho katika uundaji wa rasilimali na hatua ya kwanza katika uharibifu wa rasilimali.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 03:36:12 +00:00			`Kwa watoa huduma wa wingu, kuthibitisha umiliki wa kikoa ni muhimu ili kuzuia kuchukua subdomain. Baadhi, kama [GitLab](https://about.gitlab.com/2018/02/05/gitlab-pages-custom-domain-validation/), wametambua suala hili na kutekeleza mbinu za uthibitisho wa kikoa.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`## Marejeo`
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat 2024-03-17 16:40:00 +00:00
a 2024-02-04 16:10:29 +00:00			`* [https://0xpatrik.com/subdomain-takeover/](https://0xpatrik.com/subdomain-takeover/)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`<figure><img src="../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>`
GitBook: [#3240] No subject 2022-06-06 22:28:05 +00:00
update 2023-01-01 16:19:07 +00:00			`\`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`Tumia [Trickest](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) kujenga na kutumia kiotomatiki zinazotegemea zana za jamii za juu zaidi duniani.\`
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Pata Ufikiaji Leo:`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
update 2023-01-01 16:19:07 +00:00			`{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`<details>`

Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`<summary><strong>Jifunze kuhusu kuchukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Njia nyingine za kusaidia HackTricks:`
arte 2023-12-31 01:25:17 +00:00
Translated ['pentesting-web/domain-subdomain-takeover.md'] to sw 2024-02-15 12:02:03 +00:00			`* Ikiwa unataka kuona kampuni yako ikitangazwa kwenye HackTricks au kupakua HackTricks kwa PDF Angalia [MIPANGO YA KUJIUNGA](https://github.com/sponsors/carlospolop)!`
			`* Pata [bidhaa rasmi za PEASS & HackTricks](https://peass.creator-spring.com)`
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat 2024-03-17 16:40:00 +00:00			`* Gundua [Familia ya PEASS](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [NFTs](https://opensea.io/collection/the-peass-family) ya kipekee`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`* Jiunge 💬 na [kikundi cha Discord](https://discord.gg/hRep4RUj7f) au kikundi cha [telegram](https://t.me/peass) au tufuate kwenye Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks\_live).`
			`* Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwa [HackTricks](https://github.com/carlospolop/hacktricks) na [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`