Spicy OSINT Techniques: Find Subdomain Takeover Pages Using FOFA Search Engine

Listen to this Post

Featured Image
Subdomain takeovers are a critical security issue where an attacker can claim a subdomain that is no longer in use but still points to a vulnerable third-party service. Using OSINT (Open-Source Intelligence) techniques, we can identify such subdomains using the FOFA Search Engine.

FOFA Dorks for Subdomain Takeover Detection

Use these search queries in FOFA to find potential subdomain takeover vulnerabilities:

1. `body=”subdomain takeover poc by”`

2. `body=”subdomain takeover by”`

For an extensive collection of FOFA dorks, visit:

FOFA Dorks Collection

You Should Know: Practical Steps to Exploit & Secure Subdomain Takeovers

1. Identifying Vulnerable Subdomains

Use FOFA or other OSINT tools like Amass, Sublist3r, or Subfinder to enumerate subdomains:

amass enum -d example.com -passive 
subfinder -d example.com -silent 

2. Checking DNS Records

Verify if the subdomain points to a dead service (e.g., deleted GitHub pages, expired AWS S3 buckets):

dig CNAME vulnerable.example.com 
nslookup takeover.example.com 

3. Exploiting Takeover (For Ethical Testing)

If the subdomain points to an unclaimed service (e.g., GitHub Pages), you can claim it:

 Example for GitHub Pages takeover 
echo "Hacked by You" > index.html 
git init 
git add . 
git commit -m "Takeover PoC" 
git branch -M main 
git remote add origin https://github.com/yourusername/vulnerable-subdomain.git 
git push -u origin main 

4. Mitigation Steps for Defenders

  • Remove unused DNS records:
    Example for AWS Route53 
    aws route53 change-resource-record-sets --hosted-zone-id ZONEID --change-batch file://delete_record.json 
    
  • Monitor subdomains regularly:
    Use crontab for automated checks 
    0     subfinder -d example.com -o /var/log/subdomains.log 
    

What Undercode Say

Subdomain takeovers remain a low-hanging fruit for attackers. Organizations must continuously audit their DNS configurations and remove orphaned records. Automation tools like Chaos, DNSRecon, and Aquatone help in detection, while defenders should enforce strict cloud resource policies.

Expected Output:

  • List of vulnerable subdomains from FOFA.
  • Confirmed takeover via DNS checks.
  • Remediation steps applied.

Prediction

As cloud adoption grows, subdomain takeovers will evolve with new attack vectors in serverless and edge computing. Automated detection and response will become essential.

References:

Reported By: Abhirup Konwar – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram