GITBOOK-4387: No subject

pentesting-web/domain-subdomain-takeover.md

@@ -1,8 +1,8 @@
 # Domain/Subdomain takeover
 
 {% hint style="success" %}
-Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
-Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
+Learn & practice AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
+Learn & practice GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
 
 <details>
 
@@ -18,18 +18,18 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
 <figure><img src="../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>
 
 \
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=domain-subdomain-takeover) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
+Use [**Trickest**](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_term=trickest\&utm\_content=domain-subdomain-takeover) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
 Get Access Today:
 
 {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=domain-subdomain-takeover" %}
 
 ## Domain takeover
 
-If you discover some domain (domain.tld) that is **being used by some service inside the scope** but the **company** has l**o**st the **ownership** of it, you can try to **register** it (if cheap enough) and let know the company. If this domain is receiving some **sensitive information** like a sessions cookie via **GET** parameter or in the **Referer** header, this is for sure a **vulnerability**.
+If you discover some domain (domain.tld) that is **being used by some service inside the scope** but the **company** has **lost** the **ownership** of it, you can try to **register** it (if cheap enough) and let the company know. If this domain is receiving some **sensitive information** like a session cookie via **GET** parameter or in the **Referer** header, this is for sure a **vulnerability**.
 
 ### Subdomain takeover
 
-A subdomain of the company is pointing to a **third-party service with a name not registered**. If you can **create** an **account** in this **third party service** and **register** the **name** being in use, you can perform the subdomain take over.
+A subdomain of the company is pointing to a **third-party service with a name not registered**. If you can **create** an **account** in this **third party service** and **register** the **name** being in use, you can perform the subdomain takeover.
 
 There are several tools with dictionaries to check for possible takeovers:
 
@@ -45,22 +45,15 @@ There are several tools with dictionaries to check for possible takeovers:
 * [https://github.com/antichown/subdomain-takeover](https://github.com/antichown/subdomain-takeover)
 * [https://github.com/musana/mx-takeover](https://github.com/musana/mx-takeover)
 * [https://github.com/PentestPad/subzy](https://github.com/PentestPad/subzy)
-
-#### Scanning for Hijackable Subdomains with [BBOT](https://github.com/blacklanternsecurity/bbot):
-
-Subdomain takeover checks are included in BBOT's default subdomain enumeration. Signatures are pulled directly from [https://github.com/EdOverflow/can-i-take-over-xyz](https://github.com/EdOverflow/can-i-take-over-xyz).
-
-```bash
-bbot -t evilcorp.com -f subdomain-enum
-```
+* [https://github.com/Stratus-Security/Subdominator](https://github.com/Stratus-Security/Subdominator)
 
 ### Subdomain Takeover Generation via DNS Wildcard
 
 When DNS wildcard is used in a domain, any requested subdomain of that domain that doesn't have a different address explicitly will be **resolved to the same information**. This could be an A ip address, a CNAME...
 
-For example, if `*.testing.com` is wilcarded to `1.1.1.1`. Then, `not-existent.testing.com` will be pointing to `1.1.1.1`.
+For example, if `*.testing.com` is wildcarded to `1.1.1.1`. Then, `not-existent.testing.com` will be pointing to `1.1.1.1`.
 
-However, if instead of pointing to an IP address, the sysadmin point it to a **third party service via CNAME**, like a **github subdomain** for example (`sohomdatta1.github.io`). An attacker could **create his own third party page** (in Gihub in this case) and say that `something.testing.com` is pointing there. Because, the **CNAME wildcard** will agree the attacker will be able to **generate arbitrary subdomains for the domain of the victim pointing to his pages**.
+However, if instead of pointing to an IP address, the sysadmin points it to a **third party service via CNAME**, like a G**ithub subdomain** for example (`sohomdatta1.github.io`). An attacker could **create his own third party page** (in Gihub in this case) and say that `something.testing.com` is pointing there. Because, the **CNAME wildcard** will agree the attacker will be able to **generate arbitrary subdomains for the domain of the victim pointing to his pages**.
 
 You can find an example of this vulnerability in the CTF write-up: [https://ctf.zeyu2001.com/2022/nitectf-2022/undocumented-js-api](https://ctf.zeyu2001.com/2022/nitectf-2022/undocumented-js-api)
 
@@ -103,18 +96,19 @@ For cloud providers, verifying domain ownership is crucial to prevent subdomain
 ## References
 
 * [https://0xpatrik.com/subdomain-takeover/](https://0xpatrik.com/subdomain-takeover/)
+* [https://www.stratussecurity.com/post/subdomain-takeover-guide](https://www.stratussecurity.com/post/subdomain-takeover-guide)
 
 <figure><img src="../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>
 
 \
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=domain-subdomain-takeover) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
+Use [**Trickest**](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_term=trickest\&utm\_content=domain-subdomain-takeover) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
 Get Access Today:
 
 {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=domain-subdomain-takeover" %}
 
 {% hint style="success" %}
-Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
-Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
+Learn & practice AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
+Learn & practice GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
 
 <details>