mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 14:10:41 +00:00
# Domain/Subdomain takeover
<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>

<figure><img src="../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

## Domain takeover
If you discover some domain (domain.tld) that is **being used by some service inside the scope** but the **company** has **lost ownership** of it, you can try to **register** it (if cheap enough) and inform the company. If this domain is receiving **sensitive information** such as a session cookie via a **GET** parameter or in the **Referer** header, this is for sure a **vulnerability**.

### Subdomain takeover
A subdomain of the company is pointing to a **third-party service with a name that is not registered**. If you can **create** an **account** in this **third-party service** and **register** the **name** being in use, you can perform the subdomain takeover.

There are several tools with dictionaries to check for possible takeovers:
* [https://github.com/EdOverflow/can-i-take-over-xyz](https://github.com/EdOverflow/can-i-take-over-xyz)
* [https://github.com/blacklanternsecurity/bbot](https://github.com/blacklanternsecurity/bbot)
* [https://github.com/punk-security/dnsReaper](https://github.com/punk-security/dnsReaper)
* [https://github.com/haccer/subjack](https://github.com/haccer/subjack)
* [https://github.com/anshumanbh/tko-subs](https://github.com/anshumanbh/tko-subs)
* [https://github.com/ArifulProtik/sub-domain-takeover](https://github.com/ArifulProtik/sub-domain-takeover)
* [https://github.com/SaadAhmedx/Subdomain-Takeover](https://github.com/SaadAhmedx/Subdomain-Takeover)
* [https://github.com/Ice3man543/SubOver](https://github.com/Ice3man543/SubOver)
* [https://github.com/m4ll0k/takeover](https://github.com/m4ll0k/takeover)
* [https://github.com/antichown/subdomain-takeover](https://github.com/antichown/subdomain-takeover)
* [https://github.com/musana/mx-takeover](https://github.com/musana/mx-takeover)

#### Scanning for Hijackable Subdomains with [BBOT](https://github.com/blacklanternsecurity/bbot):
Subdomain takeover checks are included in BBOT's default subdomain enumeration. Signatures are pulled directly from [https://github.com/EdOverflow/can-i-take-over-xyz](https://github.com/EdOverflow/can-i-take-over-xyz).

```bash
bbot -t evilcorp.com -f subdomain-enum
```

### DNS Wildcard

When a DNS wildcard is used in a domain, any requested subdomain of that domain that doesn't explicitly have a different address is resolved to the same information. This could be an A record with an IP address, a CNAME...

For example, if `*.testing.com` is wildcarded to `1.1.1.1`, then `not-existent.testing.com` will point to `1.1.1.1`.

However, if instead of pointing to an IP address the sysadmin points the wildcard via **CNAME** to a **third-party service**, such as a **github subdomain** (for example `sohomdatta1.github.io`), the situation is different. An attacker can create their own page in that third-party service and claim that a subdomain of the victim's domain points there; because of the **CNAME wildcard**, the attacker is able to generate arbitrary subdomains of the victim's domain that resolve to their own pages.
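The two checks described above (a CNAME to an unclaimed third-party name, and a wildcard CNAME that does the same for every label) as a small defender-side zone audit. This is an added example, not code from HackTricks or from any of the tools listed; the zone, the third-party suffix list and the `lookup` resolver are constructed so it runs offline, and in real use you would pass a resolver that wraps a DNS library and the maintained signatures from can-i-take-over-xyz.

```python
"""Audit subdomains for dangling CNAMEs and dangling wildcard CNAMEs.
Added example (not HackTricks code). The resolver is injected so the
constructed zone below runs offline."""
import secrets

# Constructed sample zone: name -> ("A"|"CNAME", target), or None for NXDOMAIN.
# Keys starting with "*." match any single label under that parent.
SAMPLE_ZONE = {
    "www.example.test": ("A", "203.0.113.10"),
    "blog.example.test": ("CNAME", "example-blog.github.io"),
    "example-blog.github.io": None,              # unclaimed page: NXDOMAIN
    "shop.example.test": ("CNAME", "shop.myshopify.com"),
    "shop.myshopify.com": ("A", "203.0.113.20"),  # claimed, resolves fine
    "*.dev.example.test": ("CNAME", "example-dev.github.io"),
    "example-dev.github.io": None,               # wildcard CNAME, unclaimed
    "*.cdn.example.test": ("A", "203.0.113.30"),  # wildcard A: harmless here
}

# Constructed shortlist; the page points to can-i-take-over-xyz for the real list.
THIRD_PARTY_SUFFIXES = (".github.io", ".myshopify.com", ".herokuapp.com")

def lookup(name, zone=SAMPLE_ZONE):
    """Resolve one name: exact entry first, then the parent's wildcard entry."""
    if name in zone:
        return zone[name]
    parent = name.split(".", 1)[1] if "." in name else ""
    return zone.get("*." + parent)

def is_wildcard(name, resolve):
    """A random label under the same parent resolving to the same record
    means a wildcard entry, not an explicit one, is answering."""
    parent = name.split(".", 1)[1]
    probe = secrets.token_hex(6) + "." + parent  # label nobody would create
    return resolve(probe) is not None and resolve(probe) == resolve(name)

def audit(name, resolve):
    """Return (status, target) for one subdomain."""
    rec = resolve(name)
    if rec is None:
        return ("nxdomain", None)
    kind, target = rec
    if kind != "CNAME":
        return ("ok", target)
    wildcard = is_wildcard(name, resolve)
    if resolve(target) is None and target.endswith(THIRD_PARTY_SUFFIXES):
        return ("dangling-wildcard-cname" if wildcard else "dangling-cname", target)
    return ("wildcard-cname" if wildcard else "ok", target)

def flagged(names, resolve):
    """Names whose record should be removed or whose target should be reclaimed."""
    return {n: audit(n, resolve) for n in names if audit(n, resolve)[0].startswith("dangling")}
```

A wildcard A record is reported as `ok` because only a CNAME hands the name to a third party; a `dangling-wildcard-cname` result means every label under that parent is affected, not just the one queried.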