Introduction
Hello everyone, in this security blog we will be discussing subdomain vulnerability and the methodology to check for takeovers.
First, let us understand about what is a subdomain
A Subdomain is a subset or a section of larger domain for e.g., info.abc.com is subdomain of the domain abc.com .Subdomains are used to organise different section of a website.
A subdomain takeover is an attack where an attacker gains control over a website's subdomain.
A subdomain takeover vulnerability occurs when an attacker takes control of an unused or unconfigured subdomain within a domain. It typically happens when a domain has a subdomain that points to an external service (like a cloud hosting provider (AWS S3), or a content delivery network, github, Heroku, azure frontdoor etc), but that service no longer exists or has been deleted, leaving the subdomain unconfigured(means that the DNS record for that subdomain still existing) or remained dangling.
To understand this more clearly let us consider a scenario-
Scenario: Subdomain Takeover on media.company.com
Original Setup: A marketing team for company.com uses an Amazon S3 bucket service to host media files.
They create a DNS record:
media.company.com. CNAME media-bucket.s3.amazonaws.com
β S3 Bucket Deleted
Later, the team deletes the media-bucket from Amazon S3 but forgets to remove the DNS record for media.company.com.
Now, media.company.com points to a non-existent S3 bucket.
πΎ Attacker Comes In
- The attacker checks the DNS and finds media.company.com pointing to a now-missing S3 bucket.
- They create a new S3 bucket named media-bucket in their own AWS account.
- They upload custom (or malicious) content to the bucket and make it publicly accessible.
Now, visiting media.company.com serves content from the attacker's bucket.
That's the essence of a subdomain takeover. The attacker exploits a forgotten DNS configuration and gains control over a trusted subdomain.
Not necessarily all the 3rd party services are vulnerable you can check which 3rd party servies are vulnerable to subdomain takeover:
This repository lists services and how to claim subdomains with dangling DNS records.
Impact
- The attacker could:
- Serve phishing pages
- Inject malware
- Capture cookies or credentials
- Harm brand reputation
Hunting Methodlogy
Subdomain Takeovers are gold mines for bug hunters.
1οΈβ£ Subdomain Enumeration
Subdomain Enumeration plays a crucial role in finding subdoamin takeover vulnerability. "Thing is simple as more the subdomains you have more the chance of finding the subdomain takeover bug".
Different tools i use for subdomain enumeration:
amass: amass enum -d target.com -o amass.txt
subfinder: subfinder -d target.com -o subfinder.txt
assetfinder: assetfinder β subs-only target.com | tee assetfinder.txt
crt.sh: crt.sh from command line- curl -s "https://crt.sh/?q=%.target.com&output=json" | jq -r '.[].name_value' | sort -u > crt_sh.txt
waybackurls: echo target.com | waybackurls > waybackurls.txt
findomain: findomain -t target.com > findomain.txt
Merge and dedupe results: cat amass.txt subfinder.txt assetfinder.txt crt_sh.txt waybackurls.txt findomain.txt | sort -u > subdomains.txt
1 Linear bash command for subdomain enumeration
You can use this 1 Linear bash command for sudomain eumeration and dedupe results.
TARGET="example.com"; \
subfinder -d $TARGET -silent -o subfinder.txt; \
assetfinder β subs-only $TARGET | tee assetfinder.txt; \
findomain -t $TARGET -q > findomain.txt; \
curl -s "https://crt.sh/?q=%25.$TARGET&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | tee crtsh.txt; \
waybackurls $TARGET | awk -F/ '{print $3}' | tee waybackurls.txt; \
amass enum -d $TARGET -o amass.txt; \
cat subfinder.txt assetfinder.txt findomain.txt crtsh.txt waybackurls.txt amass.txt | sort -u > all_subdomains.txt && \
echo "[β] Found $(wc -l < all_subdomains.txt) unique subdomains saved in all_subdomains.txt"
2οΈβ£ Manual Check for DNS Resolution
In the context of subdomain takeover, when we say "DNS resolution", we are primarily using it to:
π Find the CNAME Record of a subdomain
Because:
CNAME records often point to third-party services like Heroku, GitHub Pages, S3, Azure, etc. If the third-party resource is unclaimed, you can potentially take it over.
dnsx, dig tools are used for this purpose:
Example:
Suppose you're checking this subdomain: blog.target.com
You run:
dig -f blog.target.com CNAME +short
You get:
unclaimedsite.github.io.
β This tells you:
- The DNS resolves
- The subdomain is pointing to GitHub Pages
- You can now check if unclaimedsite.github.io is available to claim
β‘οΈ This is how DNS resolution is used to find CNAME.
You can now check it by visiting the site blog.target.com manually and if blog.target.com β It redirects (or shows a 404) from unclaimedsite.github.io
If the page shows a 404 not found or GitHub's "There isn't a GitHub Pages site here" message, it means the GitHub Pages site is unclaimed
Then go to GitHub and log in (or create an account).
- Create a new repository named
unclaimedsite(must match the subdomain prefix). - Inside the repository:
- Add an
index.htmlfile with your test content (e.g.,Hello from takeover test!). - Enable GitHub Pages:
- Go to Settings β Pages.
- Select the branch (e.g.,
main) and folder (/root) for GitHub Pages. - Save and wait a few seconds.
- Now visit
blog.target.com.
β If your test page shows up, the subdomain was successfully taken over.
Similarly you can test for other services also e.g., AWS S3, GitHub Pages, Heroku, Azure.
3οΈβ£ Automation using tools
You can use subzy, subjack, nuclei to Detect Potential Takeovers
Using Subjack
subjack -w subdomains.txt -t 100 -timeout 10 -ssl -v -o subjack_results.txt
Using subzy
subzy -targets subdomains.txt -timeout 10 -json -o subzy_results.json
Using Nuclei
cat subdomains.txt | nuclei -t takeovers
Conclusion
Subdomain takeovers are a real threat and also a great opportunity for bug hunters. By combining subdomain enumeration, manual checks, and automated scanning, you can uncover vulnerabilities and help secure websites.
Always ensure you have proper authorization before scanning or testing domains.
Happy hunting!
π₯ Connect with me on LinkedIn: https://www.linkedin.com/in/saksham-singh-aa31ba271/ β I'd love to connect and discuss more about cybersecurity!