From 63a99c33e1750ced1c43c9ae21e059601254a7cb Mon Sep 17 00:00:00 2001 From: CPol Date: Wed, 21 Aug 2024 09:10:47 +0000 Subject: [PATCH] GITBOOK-4387: No subject --- pentesting-web/domain-subdomain-takeover.md | 30 +++++++++------------ 1 file changed, 12 insertions(+), 18 deletions(-) diff --git a/pentesting-web/domain-subdomain-takeover.md b/pentesting-web/domain-subdomain-takeover.md index 3b7401a66..ea8bb27d3 100644 --- a/pentesting-web/domain-subdomain-takeover.md +++ b/pentesting-web/domain-subdomain-takeover.md @@ -1,8 +1,8 @@ # Domain/Subdomain takeover {% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
@@ -18,18 +18,18 @@ Learn & practice GCP Hacking:
\ -Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=domain-subdomain-takeover) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ +Use [**Trickest**](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_term=trickest\&utm\_content=domain-subdomain-takeover) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ Get Access Today: {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=domain-subdomain-takeover" %} ## Domain takeover -If you discover some domain (domain.tld) that is **being used by some service inside the scope** but the **company** has l**o**st the **ownership** of it, you can try to **register** it (if cheap enough) and let know the company. If this domain is receiving some **sensitive information** like a sessions cookie via **GET** parameter or in the **Referer** header, this is for sure a **vulnerability**. +If you discover some domain (domain.tld) that is **being used by some service inside the scope** but the **company** has **lost** the **ownership** of it, you can try to **register** it (if cheap enough) and let the company know. If this domain is receiving some **sensitive information** like a session cookie via **GET** parameter or in the **Referer** header, this is for sure a **vulnerability**. ### Subdomain takeover -A subdomain of the company is pointing to a **third-party service with a name not registered**. If you can **create** an **account** in this **third party service** and **register** the **name** being in use, you can perform the subdomain take over. +A subdomain of the company is pointing to a **third-party service with a name not registered**. If you can **create** an **account** in this **third party service** and **register** the **name** being in use, you can perform the subdomain takeover. There are several tools with dictionaries to check for possible takeovers: @@ -45,22 +45,15 @@ There are several tools with dictionaries to check for possible takeovers: * [https://github.com/antichown/subdomain-takeover](https://github.com/antichown/subdomain-takeover) * [https://github.com/musana/mx-takeover](https://github.com/musana/mx-takeover) * [https://github.com/PentestPad/subzy](https://github.com/PentestPad/subzy) - -#### Scanning for Hijackable Subdomains with [BBOT](https://github.com/blacklanternsecurity/bbot): - -Subdomain takeover checks are included in BBOT's default subdomain enumeration. Signatures are pulled directly from [https://github.com/EdOverflow/can-i-take-over-xyz](https://github.com/EdOverflow/can-i-take-over-xyz). - -```bash -bbot -t evilcorp.com -f subdomain-enum -``` +* [https://github.com/Stratus-Security/Subdominator](https://github.com/Stratus-Security/Subdominator) ### Subdomain Takeover Generation via DNS Wildcard When DNS wildcard is used in a domain, any requested subdomain of that domain that doesn't have a different address explicitly will be **resolved to the same information**. This could be an A ip address, a CNAME... -For example, if `*.testing.com` is wilcarded to `1.1.1.1`. Then, `not-existent.testing.com` will be pointing to `1.1.1.1`. +For example, if `*.testing.com` is wildcarded to `1.1.1.1`. Then, `not-existent.testing.com` will be pointing to `1.1.1.1`. -However, if instead of pointing to an IP address, the sysadmin point it to a **third party service via CNAME**, like a **github subdomain** for example (`sohomdatta1.github.io`). An attacker could **create his own third party page** (in Gihub in this case) and say that `something.testing.com` is pointing there. Because, the **CNAME wildcard** will agree the attacker will be able to **generate arbitrary subdomains for the domain of the victim pointing to his pages**. +However, if instead of pointing to an IP address, the sysadmin points it to a **third party service via CNAME**, like a G**ithub subdomain** for example (`sohomdatta1.github.io`). An attacker could **create his own third party page** (in Gihub in this case) and say that `something.testing.com` is pointing there. Because, the **CNAME wildcard** will agree the attacker will be able to **generate arbitrary subdomains for the domain of the victim pointing to his pages**. You can find an example of this vulnerability in the CTF write-up: [https://ctf.zeyu2001.com/2022/nitectf-2022/undocumented-js-api](https://ctf.zeyu2001.com/2022/nitectf-2022/undocumented-js-api) @@ -103,18 +96,19 @@ For cloud providers, verifying domain ownership is crucial to prevent subdomain ## References * [https://0xpatrik.com/subdomain-takeover/](https://0xpatrik.com/subdomain-takeover/) +* [https://www.stratussecurity.com/post/subdomain-takeover-guide](https://www.stratussecurity.com/post/subdomain-takeover-guide)
\ -Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=domain-subdomain-takeover) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ +Use [**Trickest**](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_term=trickest\&utm\_content=domain-subdomain-takeover) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ Get Access Today: {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=domain-subdomain-takeover" %} {% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)