hacktricks/pentesting-web/domain-subdomain-takeover.md
Carlos Polop 7cc077db55 a
2024-02-04 17:10:29 +01:00

9.1 KiB

Domain/Subdomain takeover

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:


Use Trickest to easily build and automate workflows powered by the world's most advanced community tools.
Get Access Today:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

Domain takeover

If you discover some domain (domain.tld) that is being used by some service inside the scope but the company has lost the ownership of it, you can try to register it (if cheap enough) and let know the company. If this domain is receiving some sensitive information like a sessions cookie via GET parameter or in the Referer header, this is for sure a vulnerability.

Subdomain takeover

A subdomain of the company is pointing to a third-party service with a name not registered. If you can create an account in this third party service and register the name being in use, you can perform the subdomain take over.

There are several tools with dictionaries to check for possible takeovers:

Scanning for Hijackable Subdomains with BBOT:

Subdomain takeover checks are included in BBOT's default subdomain enumeration. Signatures are pulled directly from https://github.com/EdOverflow/can-i-take-over-xyz.

bbot -t evilcorp.com -f subdomain-enum

Subdomain Takeover Generation via DNS Wildcard

When DNS wildcard is used in a domain, any requested subdomain of that domain that doesn't have a different address explicitly will be resolved to the same information. This could be an A ip address, a CNAME...

For example, if *.testing.com is wilcarded to 1.1.1.1. Then, not-existent.testing.com will be pointing to 1.1.1.1.

However, if instead of pointing to an IP address, the sysadmin point it to a third party service via CNAME, like a github subdomain for example (sohomdatta1.github.io). An attacker could create his own third party page (in Gihub in this case) and say that something.testing.com is pointing there. Because, the CNAME wildcard will agree the attacker will be able to generate arbitrary subdomains for the domain of the victim pointing to his pages.

You can find an example of this vulnerability in the CTF write-up: https://ctf.zeyu2001.com/2022/nitectf-2022/undocumented-js-api

Exploiting a subdomain takeover

Subdomain takeover is essentially DNS spoofing for a specific domain across the internet, allowing attackers to set A records for a domain, leading browsers to display content from the attacker's server. This transparency in browsers makes domains prone to phishing. Attackers may employ typosquatting or Doppelganger domains for this purpose. Especially vulnerable are domains where the URL in a phishing email appears legitimate, deceiving users and evading spam filters due to the domain's inherent trust.

Check this post for further details

SSL Certificates

SSL certificates, if generated by attackers via services like Let's Encrypt, add to the legitimacy of these fake domains, making phishing attacks more convincing.

Browser transparency also extends to cookie security, governed by policies like the Same-origin policy. Cookies, often used to manage sessions and store login tokens, can be exploited through subdomain takeover. Attackers can gather session cookies simply by directing users to a compromised subdomain, endangering user data and privacy.

Emails and Subdomain Takeover

Another aspect of subdomain takeover involves email services. Attackers can manipulate MX records to receive or send emails from a legitimate subdomain, enhancing the efficacy of phishing attacks.

Higher Order Risks

Further risks include NS record takeover. If an attacker gains control over one NS record of a domain, they can potentially direct a portion of traffic to a server under their control. This risk is amplified if the attacker sets a high TTL (Time to Live) for DNS records, prolonging the duration of the attack.

Mitigation Strategies

Mitigation strategies include:

  1. Removing vulnerable DNS records - This is effective if the subdomain is no longer required.
  2. Claiming the domain name - Registering the resource with the respective cloud provider or repurchasing an expired domain.
  3. Regular monitoring for vulnerabilities - Tools like aquatone can help identify susceptible domains. Organizations should also revise their infrastructure management processes, ensuring that DNS record creation is the final step in resource creation and the first step in resource destruction.

For cloud providers, verifying domain ownership is crucial to prevent subdomain takeovers. Some, like GitLab, have recognized this issue and implemented domain verification mechanisms.

References


Use Trickest to easily build and automate workflows powered by the world's most advanced community tools.
Get Access Today:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks: