9.6 KiB
Domain/Subdomain takeover
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Use Trickest to easily build and automate workflows powered by the world's most advanced community tools.
Get Access Today:
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=domain-subdomain-takeover" %}
Domain takeover
If you discover some domain (domain.tld) that is being used by some service inside the scope but the company has lost the ownership of it, you can try to register it (if cheap enough) and let the company know. If this domain is receiving some sensitive information like a session cookie via GET parameter or in the Referer header, this is for sure a vulnerability.
Subdomain takeover
A subdomain of the company is pointing to a third-party service with a name not registered. If you can create an account in this third party service and register the name being in use, you can perform the subdomain takeover.
There are several tools with dictionaries to check for possible takeovers:
- https://github.com/EdOverflow/can-i-take-over-xyz
- https://github.com/blacklanternsecurity/bbot
- https://github.com/punk-security/dnsReaper
- https://github.com/haccer/subjack
- https://github.com/anshumanbh/tko-sub
- https://github.com/ArifulProtik/sub-domain-takeover
- https://github.com/SaadAhmedx/Subdomain-Takeover
- https://github.com/Ice3man543/SubOver
- https://github.com/m4ll0k/takeover
- https://github.com/antichown/subdomain-takeover
- https://github.com/musana/mx-takeover
- https://github.com/PentestPad/subzy
- https://github.com/Stratus-Security/Subdominator
- https://github.com/NImaism/takeit
Subdomain Takeover Generation via DNS Wildcard
When DNS wildcard is used in a domain, any requested subdomain of that domain that doesn't have a different address explicitly will be resolved to the same information. This could be an A ip address, a CNAME...
For example, if *.testing.com
is wildcarded to 1.1.1.1
. Then, not-existent.testing.com
will be pointing to 1.1.1.1
.
However, if instead of pointing to an IP address, the sysadmin points it to a third party service via CNAME, like a Github subdomain for example (sohomdatta1.github.io
). An attacker could create his own third party page (in Gihub in this case) and say that something.testing.com
is pointing there. Because, the CNAME wildcard will agree the attacker will be able to generate arbitrary subdomains for the domain of the victim pointing to his pages.
You can find an example of this vulnerability in the CTF write-up: https://ctf.zeyu2001.com/2022/nitectf-2022/undocumented-js-api
Exploiting a subdomain takeover
Subdomain takeover is essentially DNS spoofing for a specific domain across the internet, allowing attackers to set A records for a domain, leading browsers to display content from the attacker's server. This transparency in browsers makes domains prone to phishing. Attackers may employ typosquatting or Doppelganger domains for this purpose. Especially vulnerable are domains where the URL in a phishing email appears legitimate, deceiving users and evading spam filters due to the domain's inherent trust.
Check this post for further details
SSL Certificates
SSL certificates, if generated by attackers via services like Let's Encrypt, add to the legitimacy of these fake domains, making phishing attacks more convincing.
Cookie Security and Browser Transparency
Browser transparency also extends to cookie security, governed by policies like the Same-origin policy. Cookies, often used to manage sessions and store login tokens, can be exploited through subdomain takeover. Attackers can gather session cookies simply by directing users to a compromised subdomain, endangering user data and privacy.
Emails and Subdomain Takeover
Another aspect of subdomain takeover involves email services. Attackers can manipulate MX records to receive or send emails from a legitimate subdomain, enhancing the efficacy of phishing attacks.
Higher Order Risks
Further risks include NS record takeover. If an attacker gains control over one NS record of a domain, they can potentially direct a portion of traffic to a server under their control. This risk is amplified if the attacker sets a high TTL (Time to Live) for DNS records, prolonging the duration of the attack.
CNAME Record Vulnerability
Attackers might exploit unclaimed CNAME records pointing to external services that are no longer used or have been decommissioned. This allows them to create a page under the trusted domain, further facilitating phishing or malware distribution.
Mitigation Strategies
Mitigation strategies include:
- Removing vulnerable DNS records - This is effective if the subdomain is no longer required.
- Claiming the domain name - Registering the resource with the respective cloud provider or repurchasing an expired domain.
- Regular monitoring for vulnerabilities - Tools like aquatone can help identify susceptible domains. Organizations should also revise their infrastructure management processes, ensuring that DNS record creation is the final step in resource creation and the first step in resource destruction.
For cloud providers, verifying domain ownership is crucial to prevent subdomain takeovers. Some, like GitLab, have recognized this issue and implemented domain verification mechanisms.
References
- https://0xpatrik.com/subdomain-takeover/
- https://www.stratussecurity.com/post/subdomain-takeover-guide
Use Trickest to easily build and automate workflows powered by the world's most advanced community tools.
Get Access Today:
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=domain-subdomain-takeover" %}
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.