
A subdomain takeover occurs when an attacker gains control over a subdomain of a target domain. This typically happens when the subdomain points to a service (like AWS S3, GitHub Pages, Heroku, etc.) that has been deleted or misconfigured, allowing an attacker to claim it.
You Should Know:
1. Identifying Vulnerable Subdomains
Use tools like:
- Sublist3r
sublist3r -d example.com -o subdomains.txt
- Amass
amass enum -d example.com -o subdomains.txt
- Findomain
findomain -t example.com -u subdomains.txt
2. Checking for Takeover Vulnerabilities
- Subjack (for detecting dangling DNS records)
subjack -w subdomains.txt -t 100 -ssl -o takeover_results.txt
- Nuclei (with takeover templates)
nuclei -l subdomains.txt -t ~/nuclei-templates/takeovers/ -o nuclei_results.txt
3. Exploiting the Takeover
If a subdomain points to a deleted AWS S3 bucket, an attacker can claim it:
aws s3 mb s3://vulnerable-subdomain.example.com
echo "Hacked!" > index.html
aws s3 cp index.html s3://vulnerable-subdomain.example.com --acl public-read
For GitHub Pages takeover:
1. Create a GitHub repo named ``.
2. Enable GitHub Pages in settings.
3. Push an `index.html` file.
4. Mitigation Steps
- Remove unused DNS records
- Monitor subdomains with tools like Monitorizer
monitorizer -l subdomains.txt -c config.yaml
- Validate CNAME targets before publishing them, so a record is never pointed at a resource you do not own, and re-check them when the resource is decommissioned.
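The checks in sections 2 and 4 above come down to one question: does each subdomain's CNAME chain end at a name that still resolves, and does that name belong to a service that hands out hostnames to customers? The script below is an added example, not part of the original post and not the code of subjack, Nuclei or Monitorizer. It follows CNAME chains and reports two classes of finding: "dangling" (the chain ends in a name that no longer resolves) and "third-party" (the chain ends on a hosting service, so ownership of that resource should be confirmed). The service suffix table is a constructed, illustrative list; the live lookups assume BIND's `dig` is installed, and the demo zone is constructed data so the script also runs offline.

```python
"""Dangling-CNAME detector (added example; assumes `dig` for live lookups)."""
import socket
import subprocess
import sys
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed, illustrative table of services whose hostnames are assigned to
# customers (assumption: not exhaustive; extend it for your own environment).
THIRD_PARTY_SUFFIXES = {
    ".s3.amazonaws.com": "AWS S3",
    ".github.io": "GitHub Pages",
    ".herokuapp.com": "Heroku",
    ".azurewebsites.net": "Azure App Service",
}
MAX_CNAME_HOPS = 10


@dataclass
class Finding:
    subdomain: str
    target: str             # final name the CNAME chain ends at
    service: Optional[str]  # matched third-party service, if any
    reason: str             # "dangling" or "third-party"


def service_for(name: str) -> Optional[str]:
    """Return the third-party service a hostname belongs to, if any."""
    lowered = name.lower().rstrip(".")
    for suffix, service in THIRD_PARTY_SUFFIXES.items():
        if lowered.endswith(suffix):
            return service
    return None


def check_subdomain(name: str, cname_of: Callable[[str], Optional[str]],
                    resolves: Callable[[str], bool]) -> Optional[Finding]:
    """Follow the CNAME chain from `name` and classify its final target."""
    target = cname_of(name)
    if target is None:
        return None  # A/AAAA record or no record at all: not a CNAME case
    for _ in range(MAX_CNAME_HOPS):
        nxt = cname_of(target)
        if nxt is None:
            break
        target = nxt
    service = service_for(target)
    if not resolves(target):
        # The chain ends in NXDOMAIN: the record is dangling and, if the
        # target is on a claimable service, a takeover candidate.
        return Finding(name, target, service, "dangling")
    if service is not None:
        # Resolves, but lives on a service that assigns hostnames. Services
        # with wildcard DNS (S3, GitHub Pages) resolve even when unclaimed, so
        # this case still needs the HTTP fingerprint check subjack/Nuclei do.
        return Finding(name, target, service, "third-party")
    return None


def scan(subdomains: List[str], cname_of, resolves) -> List[Finding]:
    """Check every subdomain in the list and collect the findings."""
    findings = []
    for sub in subdomains:
        finding = check_subdomain(sub.strip(), cname_of, resolves)
        if finding is not None:
            findings.append(finding)
    return findings


# --- live resolvers (assumption: `dig` is on PATH) ---------------------------
def live_cname_of(name: str) -> Optional[str]:
    """Immediate CNAME target via `dig +short`; dig prints the CNAME record
    even when the target itself is NXDOMAIN, which is exactly what we need."""
    out = subprocess.run(["dig", "+short", "CNAME", name],
                         capture_output=True, text=True, timeout=10).stdout
    lines = out.strip().splitlines()
    return lines[0].rstrip(".") if lines else None


def live_resolves(name: str) -> bool:
    """True if the name has any address record."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


# --- constructed demo zone so the script runs offline -------------------------
DEMO_ZONE = {
    "www.example.com": ("A", "203.0.113.10"),
    "blog.example.com": ("CNAME", "old-blog.azurewebsites.net"),  # target absent
    "docs.example.com": ("CNAME", "acme-docs.github.io"),
    "acme-docs.github.io": ("A", "203.0.113.11"),
    "shop.example.com": ("CNAME", "store.example.net"),
    "store.example.net": ("A", "203.0.113.12"),
    "cdn.example.com": ("CNAME", "edge.example.com"),
    "edge.example.com": ("CNAME", "gone.azurewebsites.net"),     # chained, absent
}
DEMO_SUBDOMAINS = ["www.example.com", "blog.example.com", "docs.example.com",
                   "shop.example.com", "cdn.example.com"]


def demo_cname_of(name: str) -> Optional[str]:
    rec = DEMO_ZONE.get(name)
    return rec[1] if rec and rec[0] == "CNAME" else None


def demo_resolves(name: str) -> bool:
    rec = DEMO_ZONE.get(name)
    return rec is not None and rec[0] == "A"


if __name__ == "__main__":
    # `python detect.py subdomains.txt` scans live; no argument runs the demo.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            results = scan(fh.readlines(), live_cname_of, live_resolves)
    else:
        results = scan(DEMO_SUBDOMAINS, demo_cname_of, demo_resolves)
    for f in results:
        print(f"{f.reason:12} {f.subdomain} -> {f.target} ({f.service or 'unknown'})")
```

The DNS check alone is reliable only for services that answer NXDOMAIN for unclaimed names; for wildcard-DNS services the "third-party" findings are the list to feed into a fingerprint scanner, and both lists are the records to delete or re-point under section 4.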
What Undercode Says
Subdomain takeovers remain a critical threat in cybersecurity. Always:
- Audit DNS records regularly.
- Use automated scanners like Aquatone for visualization:
cat subdomains.txt | aquatone -out ./aquatone_report
- Implement DNSSEC to prevent DNS spoofing.
- Check for orphaned cloud resources in AWS, Azure, or GCP:
aws s3 ls | grep vulnerable-subdomain
- Use Burp Suite or OWASP ZAP for manual verification.
Expected Output:
A detailed report of vulnerable subdomains, proof-of-concept (PoC) for takeover, and remediation steps.
Reported By: Vasu Bhan – Hackers Feeds