
In this article, we explore how to identify and claim subdomains that mistakenly point to GitHub, leading to potential subdomain takeover vulnerabilities. The process involves subdomain enumeration, verification using httpx, and claiming them via GitHub Pages.
Steps to Perform Subdomain Takeover
1. Subdomain Enumeration
Use tools like `subfinder`, `amass`, or `findomain` to gather subdomains:
subfinder -d exemplo.com -o subdomains.txt
amass enum -d exemplo.com -o subdomains.txt
2. Verify Subdomains with `httpx`
Check for GitHub 404 pages using:
httpx -l subdomains.txt -sc -title -td -o verified_subdomains.txt
Look for responses like `[404 github]`.
3. Claiming Subdomains via GitHub Pages
- Create a new GitHub repository.
- Add an `index.html` file.
- Go to Settings > Pages and set the subdomain under Custom Domain.
- GitHub will verify ownership, and the subdomain is claimed.
You Should Know:
- Prevention: Organizations should monitor DNS records and remove unused subdomains.
- Automation: Use scripts to scan for misconfigured subdomains regularly.
- Legal Risks: Unauthorized subdomain takeover may violate laws; always seek permission.
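The regular scan recommended under Prevention and Automation can start from the organization's own zone data rather than from external enumeration. The following Python script is an added example, not code from the original article: it flags A/CNAME records that still target GitHub Pages but match no Pages site the organization currently publishes. The zone contents, the `ACTIVE` inventory and the function names are constructed for illustration.

```python
# GitHub Pages apex addresses, as listed in GitHub's custom-domain documentation.
GITHUB_PAGES_IPS = {f"185.199.{n}.153" for n in (108, 109, 110, 111)}

def parse_zone(text, origin):
    """Yield (fqdn, rtype, value) for A/CNAME lines of the form
    'name [ttl] [IN] type value'. Assumes every line carries its own name."""
    origin = origin.rstrip(".").lower()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line or line.startswith("$"):         # skip $ORIGIN / $TTL
            continue
        name, *rest = line.split()
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest.pop(0)                              # optional TTL and class
        if len(rest) < 2 or rest[0].upper() not in ("A", "CNAME"):
            continue
        name = name.lower()
        fqdn = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
        yield fqdn.rstrip("."), rest[0].upper(), rest[1].rstrip(".").lower()

def find_dangling(zone_text, origin, active_pages_domains):
    """Return records that target GitHub Pages but match no live Pages site."""
    active = {d.rstrip(".").lower() for d in active_pages_domains}
    findings = []
    for fqdn, rtype, value in parse_zone(zone_text, origin):
        to_pages = ((rtype == "CNAME" and value.endswith(".github.io"))
                    or (rtype == "A" and value in GITHUB_PAGES_IPS))
        if to_pages and fqdn not in active:
            findings.append((fqdn, rtype, value))
    return sorted(findings)

# Constructed sample zone (not real data), using the article's placeholder domain.
SAMPLE_ZONE = """\
$ORIGIN exemplo.com.
@       IN     A     185.199.108.153         ; apex served by Pages
www     IN     CNAME exemplo-org.github.io.
exe     300 IN CNAME old-project.github.io.  ; repository was deleted
docs    IN     CNAME docs-host.example.net.  ; not GitHub, ignored
legacy  IN     A     185.199.111.153         ; Pages IP, no site configured
mail    IN     MX    10 mx.example.net.
"""
# Hypothetical inventory: custom domains still set on the organization's Pages sites.
ACTIVE = {"exemplo.com", "www.exemplo.com"}

if __name__ == "__main__":
    for fqdn, rtype, value in find_dangling(SAMPLE_ZONE, "exemplo.com", ACTIVE):
        print(f"DANGLING {fqdn} {rtype} {value} -> remove the record or restore the site")
```

Each finding is a DNS record to delete, or a Pages site to restore, before the name can be claimed by someone else.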
Example Commands for Security Testing
- DNS Check:
dig A exe.exemplo.com
nslookup exe.exemplo.com
- HTTP Verification:
curl -I http://exe.exemplo.com
wget --server-response http://exe.exemplo.com
- Mass Scanning:
nuclei -l subdomains.txt -t takeovers/
What Undercode Say
Subdomain takeovers remain a critical security issue. Misconfigured DNS records expose organizations to phishing, malware distribution, and reputation damage. Regular audits using tools like dnsrecon, httpx, and manual verification are essential.
Expected Output:
[+] http://exe.exemplo.com → GitHub 404 (Vulnerable)
[+] http://exe2.exemplo2.com → GitHub 404 (Vulnerable)
[+] Subdomain successfully claimed via GitHub Pages.
References:
Reported By: Natã Luiz – Hackers Feeds


