Domain/Subdomain takeover
Domain takeover
If you discover a domain (domain.tld) that is used by some service inside the scope but the company has lost ownership of it, you can try to register it (if it is cheap enough) and let the company know. If this domain receives sensitive information, such as a session cookie via a GET parameter or in the Referer header, this is definitely a vulnerability.
Subdomain takeover
A subdomain of the company points to a third-party service under a name that is not registered there. If you can create an account on that third-party service and register the name currently in use, you can perform the subdomain takeover.
There are several tools with dictionaries to check for possible takeovers:
- https://github.com/EdOverflow/can-i-take-over-xyz
- https://github.com/blacklanternsecurity/bbot
- https://github.com/punk-security/dnsReaper
- https://github.com/haccer/subjack
- https://github.com/anshumanbh/tko-sub
- https://github.com/ArifulProtik/sub-domain-takeover
- https://github.com/SaadAhmedx/Subdomain-Takeover
- https://github.com/Ice3man543/SubOver
- https://github.com/m4ll0k/takeover
- https://github.com/antichown/subdomain-takeover
- https://github.com/musana/mx-takeover
Scanning for Hijackable Subdomains with BBOT:
Subdomain takeover checks are included in BBOT's default subdomain enumeration. Signatures are pulled directly from https://github.com/EdOverflow/can-i-take-over-xyz.
```bash
bbot -t evilcorp.com -f subdomain-enum
```
DNS Wildcard
When a domain uses a DNS wildcard record, every subdomain that has no explicit record of its own resolves to the wildcard's data. For example, if *.testing.com points to 1.1.1.1, then not-existent.testing.com also resolves to 1.1.1.1.

The interesting case is when the wildcard is not an A record but a CNAME to a third-party service, for example a GitHub Pages host (sohomdatta1.github.io). Every otherwise-undefined name under testing.com then resolves to that third-party host, so the wildcard CNAME must be reviewed like any other CNAME pointing at a third party: if the service lets arbitrary hostnames be claimed, arbitrary subdomains of the victim domain become takeover candidates.
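As an added example (not HackTricks code), the following Python models the lookups this section describes against a constructed in-memory zone: DNS wildcard matching, a random-label probe that detects a wildcard, and a CNAME-chain audit that flags targets which no longer resolve. The names testing.com, 1.1.1.1 and sohomdatta1.github.io come from the page; the other records, the resolve/detect_wildcard/audit functions and the 192.0.2.x addresses are assumptions.

```python
import random
import string

# Constructed in-memory zone (not real DNS data). testing.com, 1.1.1.1 and
# sohomdatta1.github.io come from the page; the rest is made up, with
# 192.0.2.0/24 (documentation range) standing in for real addresses.
SAMPLE_ZONE = {
    "www.testing.com": ("A", "1.1.1.1"),
    "*.testing.com": ("CNAME", "sohomdatta1.github.io"),     # wildcard CNAME to a third party
    "blog.testing.com": ("CNAME", "old-site.pages.invalid"),  # target gone: dangling CNAME
    "sohomdatta1.github.io": ("A", "192.0.2.10"),
}


def _exists(name, zone):
    """A name exists if it has records or is an ancestor of a name that does."""
    return name in zone or any(k.endswith("." + name) for k in zone)


def resolve(name, zone=SAMPLE_ZONE):
    """Return the record for name (applying wildcard synthesis) or None for NXDOMAIN."""
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if "*." + ancestor in zone:          # wildcard under the closest encloser
            return zone["*." + ancestor]
        if _exists(ancestor, zone):          # closest encloser found, no wildcard: NXDOMAIN
            return None
    return None


def detect_wildcard(parent, zone=SAMPLE_ZONE):
    """Probe a random label nobody would have created; a hit reveals a wildcard record."""
    probe = "".join(random.choices(string.ascii_lowercase, k=16)) + "." + parent
    return resolve(probe, zone)


def audit(names, zone=SAMPLE_ZONE):
    """Follow each CNAME chain and report chains whose final target no longer resolves."""
    dangling = []
    for name in names:
        cur, seen = name, {name}
        while (rec := resolve(cur, zone)) is not None:
            if rec[0] != "CNAME" or rec[1] in seen:   # terminal record or CNAME loop
                break
            seen.add(rec[1])
            cur = rec[1]
        else:
            if cur != name:                            # NXDOMAIN reached via a CNAME
                dangling.append((name, cur))
    return dangling
```

Against a live zone, replace resolve with a real CNAME/A lookup; the wildcard probe and the dangling check work unchanged.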