
Introduction:
Subdomain takeover is a critical yet often overlooked vulnerability in which an attacker gains control of a subdomain whose DNS record still points at a third-party resource that has been deprovisioned. When a company retires a service but leaves its DNS record active, the record is "dangling": whoever can claim the resource name at the provider gets to serve content under the legitimate brand's hostname, complete with any cookies and trust scoped to the parent domain. This article provides a technical deep dive into identifying, exploiting, and mitigating these hidden risks.
Learning Objectives:
- Master reconnaissance techniques to discover all subdomains associated with a target domain.
- Understand the mechanics of subdomain takeover and how to verify vulnerability.
- Implement a proactive defense strategy to harden your DNS and cloud infrastructure.
You Should Know:
1. Subdomain Enumeration: The First Step to Discovery
A comprehensive subdomain inventory is the foundation of any audit. The following commands utilize various techniques to discover potential targets.
Command List:
# Using sublist3r for passive enumeration
sublist3r -d yourdomain.com

# Using amass: passive sources first, then active brute-forcing with a wordlist
amass enum -d yourdomain.com -passive
amass enum -d yourdomain.com -active -brute -w wordlist.txt

# Using crt.sh to find subdomains from Certificate Transparency logs.
# name_value may contain several newline-separated names per certificate and
# wildcard entries; strip the leading "*." (the original 's/\.//g' would have
# deleted every dot in every hostname).
curl -s "https://crt.sh/?q=%.yourdomain.com&output=json" | jq -r '.[].name_value' | sed 's/^\*\.//' | sort -u

# Using a simple bash loop for DNS brute-forcing (NXDOMAIN lines filtered out)
while read -r word; do host "$word.yourdomain.com" | grep -v "not found"; done < wordlist.txt
Step-by-step guide:
Sublist3r aggregates results from multiple search engines and databases, providing a quick passive reconnaissance snapshot. For a more thorough audit, run Amass in passive mode first (no traffic to the target's resolvers), then in active mode with a wordlist (such as the SecLists subdomain list) to brute-force common names. The crt.sh query is highly effective because it leverages Certificate Transparency logs, which often reveal development and staging subdomains; note that each crt.sh entry can list several names and wildcard entries, so split those apart and strip the wildcard label before resolving. Always pipe results through `sort -u` to deduplicate, and merge the outputs of all tools into one inventory file for the next step.
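As an added illustration (this is not code from the original post), the crt.sh step done in Python, handling the two details the one-liner gets wrong: `name_value` carries every SAN of a certificate separated by newlines, and wildcard entries need their `*.` label stripped rather than discarded. The sample JSON, the `example.com` names and the issuer strings are constructed for the demo and are not real crt.sh results.

```python
import json
import re

# Constructed sample in the shape of crt.sh's ?q=%.example.com&output=json reply.
# Entries, names and issuers are made up for the demo.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},            # two SANs, one entry
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.staging.example.com",
     "name_value": "*.staging.example.com\nstaging.example.com"},  # wildcard entry
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "old-campaign.example.com",
     "name_value": "OLD-CAMPAIGN.example.com"},                 # mixed case
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com"},                          # duplicate
])

# One DNS label: 1-63 chars, alnum plus internal hyphens.
HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def extract_subdomains(crtsh_json: str, apex: str) -> list:
    """Return the sorted, deduplicated hostnames under `apex` found in crt.sh JSON.

    - name_value holds every SAN of the certificate, newline-separated, so it is
      split rather than treated as a single name.
    - wildcard names cannot be resolved directly; the "*." label is stripped so
      the parent name survives as a lead.
    - names are lower-cased because DNS is case-insensitive and crt.sh keeps
      whatever case the certificate used.
    - anything that is not syntactically a hostname under `apex` is dropped, so a
      look-alike such as evil-example.com never enters the inventory.
    """
    apex = apex.lower().strip(".")
    found = set()
    for entry in json.loads(crtsh_json):
        for raw in entry.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if not name or not HOSTNAME_RE.match(name):
                continue
            if name == apex or name.endswith("." + apex):
                found.add(name)
    return sorted(found)


if __name__ == "__main__":
    for host in extract_subdomains(SAMPLE_CRTSH_JSON, "example.com"):
        print(host)
```

The same function accepts the raw output of the curl command on the page when it is saved to a file, so the inventory built here feeds directly into the CNAME checks in the next section.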
2. Identifying Vulnerable CNAME Records
A subdomain is a takeover candidate when its CNAME record points at a third-party resource that has since been deleted (a removed AWS S3 bucket, a destroyed Heroku app, a deleted GitHub Pages site) and the provider lets any account claim that resource name. Providers that verify domain ownership before binding a name to an account close this gap, so a dangling record is a lead that still has to be confirmed against the provider's behaviour.
Command List:
# dig to check for CNAME records
dig CNAME old-campaign.yourdomain.com

# nslookup for Windows environments
nslookup -type=CNAME staging.yourdomain.com

# Automated checking with subjack
subjack -w discovered_subdomains.txt -t 100 -timeout 30 -ssl -c fingerprints.json

# Using host command for a quick check
host cname.yourdomain.com
Step-by-step guide:
After enumerating subdomains, query their DNS records. A CNAME whose target belongs to a third-party platform, for example `<bucket>.s3-website-<region>.amazonaws.com` or `<app>.herokuapp.com`, is a prime candidate. Use `dig` or `nslookup` to retrieve the record, then request the original hostname over HTTP (the provider routes on the Host header, so requesting the CNAME target directly tells you less). Responses such as “NoSuchBucket” (S3) or “No such app” (Heroku) show the resource is unclaimed; an NXDOMAIN on the target is also worth recording, since some providers delete the target name together with the resource. Subjack automates this by matching each host's CNAME and response against known service fingerprints. Confirm every hit manually: fingerprints produce false positives, and a response without the error string only proves the resource exists, not that your organization still owns it.
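The manual check described above, written out as an added example (not code from the original post, and not how subjack is implemented). Each host is classified by its CNAME target and HTTP response body against fingerprints for the three services the article names. DNS and HTTP are injected as functions so the logic runs offline against the constructed `SAMPLE_CNAMES` and `SAMPLE_BODIES` tables; the `example.com` hostnames and the response bodies are constructed for the demo, not captured from live systems.

```python
import re
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class Fingerprint:
    service: str
    cname_pattern: str  # regex matched against the CNAME target
    body_marker: str    # text the provider returns when the resource is unclaimed


# Fingerprints for the three services named in the article. The CNAME shapes and
# error strings are the ones those providers publicly return for missing resources.
FINGERPRINTS = (
    Fingerprint("AWS S3", r"\.s3(-website)?([.-][a-z0-9-]+)?\.amazonaws\.com$", "NoSuchBucket"),
    Fingerprint("Heroku", r"\.(herokuapp|herokudns)\.com$", "No such app"),
    Fingerprint("GitHub Pages", r"\.github\.io$", "There isn't a GitHub Pages site here"),
)

Resolver = Callable[[str], Optional[str]]  # hostname -> CNAME target, None if no CNAME
Fetcher = Callable[[str], Optional[str]]   # hostname -> HTTP body, None if unreachable


def assess(host: str, resolve: Resolver, fetch: Fetcher) -> dict:
    """Classify one hostname as no-cname, unknown-provider, target-unreachable,
    likely-takeover or claimed."""
    result = {"host": host, "service": None, "target": None}
    target = resolve(host)
    if target is None:
        return {**result, "status": "no-cname"}
    target = target.rstrip(".").lower()
    result["target"] = target
    fp = next((f for f in FINGERPRINTS if re.search(f.cname_pattern, target)), None)
    if fp is None:
        # Third party we hold no fingerprint for: still queue it for a manual look.
        return {**result, "status": "unknown-provider"}
    result["service"] = fp.service
    body = fetch(host)
    if body is None:
        # NXDOMAIN or refused connection. Not proof of a takeover, but a CNAME to a
        # known provider that no longer answers is a dangling record by definition.
        return {**result, "status": "target-unreachable"}
    if fp.body_marker in body:
        return {**result, "status": "likely-takeover"}
    # Something answers without the unclaimed marker: the resource exists, which says
    # nothing about who owns it. Reconcile against the asset inventory before closing.
    return {**result, "status": "claimed"}


def audit(hosts: Iterable[str], resolve: Resolver, fetch: Fetcher) -> list:
    return [assess(h, resolve, fetch) for h in hosts]


# Constructed stand-ins for DNS and HTTP so the logic runs offline. Replace
# sample_resolve/sample_fetch with real lookups to audit a live zone.
SAMPLE_CNAMES = {
    "old-campaign.example.com": "old-campaign.example.com.s3-website-us-east-1.amazonaws.com.",
    "staging.example.com": "staging-app.herokuapp.com.",
    "docs.example.com": "example-org.github.io.",
    "dead.example.com": "gone-app.herokuapp.com.",
    "www.example.com": "www.example.com.cdn.cloudflare.net.",
}
SAMPLE_BODIES = {
    "old-campaign.example.com": "<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message></Error>",
    "staging.example.com": "<html><body>Staging build 4711</body></html>",
    "docs.example.com": "<title>Site not found - GitHub Pages</title><p>There isn't a GitHub Pages site here.</p>",
    "www.example.com": "<html><body>Welcome</body></html>",
}


def sample_resolve(host: str) -> Optional[str]:
    return SAMPLE_CNAMES.get(host)


def sample_fetch(host: str) -> Optional[str]:
    return SAMPLE_BODIES.get(host)


if __name__ == "__main__":
    for r in audit(sorted(SAMPLE_CNAMES) + ["mail.example.com"], sample_resolve, sample_fetch):
        print(f"{r['status']:<18} {r['host']} -> {r['target']} [{r['service']}]")
```

To run this against a live zone, swap `sample_resolve` for a real CNAME lookup (dnspython's `dns.resolver.resolve(host, "CNAME")`, catching NXDOMAIN and NoAnswer as `None`) and `sample_fetch` for an HTTP GET of the original hostname. A `claimed` verdict is not a clean bill of health: the resource may already belong to someone else, which only the inventory reconciliation in section 4 can settle.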
3. Exploiting an AWS S3 Bucket Takeover
If a subdomain’s CNAME points to a non-existent S3 bucket, an attacker can claim it and host malicious content.
AWS CLI Commands:
# Check if the bucket exists and is accessible
aws s3 ls s3://legacy-subdomain.yourdomain.com

# If the bucket doesn't exist, create it in your account
# (for a website endpoint, in the region named in the CNAME target)
aws s3 mb s3://legacy-subdomain.yourdomain.com

# Upload a phishing page to the newly claimed bucket
aws s3 cp malicious_index.html s3://legacy-subdomain.yourdomain.com/index.html

# Configure the bucket for static website hosting
aws s3 website s3://legacy-subdomain.yourdomain.com/ --index-document index.html
Step-by-step guide:
This demonstrates the critical risk. Using the AWS CLI, an attacker first checks the bucket's status. If the `ls` command returns a `NoSuchBucket` error, the attacker can use the `mb` (make bucket) command to claim it, because S3 bucket names are global and allocated first come, first served. The bucket name must match the hostname in the CNAME record exactly and, for a website endpoint, the bucket must be created in the region the CNAME target names. New buckets are created with Block Public Access enabled, so the attacker also has to switch that off and attach a bucket policy granting `s3:GetObject` before the page is served. Once that is done, the phishing site is served from the legitimate company's subdomain, which defeats URL-reputation checks and allow-lists that trust the brand's domain and gives the lure a hostname users have every reason to believe.
4. Mitigation: Proactive DNS Hygiene and Monitoring
Prevention is centered around rigorous asset management and monitoring.
Command List:
#!/bin/bash
# Script to periodically check subdomain DNS resolution
while read -r sub; do
    if answer=$(host "$sub" | grep "has address"); then
        echo "ALIVE: $sub - $answer"
    else
        echo "DEAD: $sub - Needs investigation"
    fi
done < subdomains_list.txt

# Using dnsrecon to audit zone transfers (to check for misconfigurations)
dnsrecon -d yourdomain.com -a

# AWS CLI to list all Route53 hosted zones and records
aws route53 list-hosted-zones
aws route53 list-resource-record-sets --hosted-zone-id /hostedzone/Z123456789EXAMPLE
Step-by-step guide:
Maintain a master list of all authorized subdomains. The provided Bash script can be run as a cron job; the entries it reports as DEAD are names whose CNAME target no longer resolves, and those are the first to investigate. A record can resolve and still be dangling, since provider endpoints such as `s3.amazonaws.com` always answer, so pair the resolution check with the fingerprint checks from section 2. Regularly audit your DNS zones with `dnsrecon` to ensure zone transfers are disabled, preventing easy enumeration for attackers. For cloud environments, use the native CLI tools (like `aws route53`) to generate full inventories of your DNS records. Any record not tied to an active, monitored service should be removed immediately.
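One way to turn the Route53 export above into an actual check, as an added example that is not from the original post: for every record that depends on an S3 bucket, confirm the bucket exists in this account, and list every other CNAME that leaves the zone so its ownership can be verified with the provider. `SAMPLE_ZONE` and `SAMPLE_BUCKETS` are constructed in the shape of `aws route53 list-resource-record-sets` and `aws s3api list-buckets` output; the `example.com` records, the hosted zone ID and the bucket names are assumptions for the demo.

```python
import json
import re

# Constructed sample in the shape of `aws route53 list-resource-record-sets` output.
SAMPLE_ZONE = json.dumps({"ResourceRecordSets": [
    {"Name": "example.com.", "Type": "NS", "TTL": 172800,
     "ResourceRecords": [{"Value": "ns-1.awsdns-00.org."}]},
    {"Name": "old-campaign.example.com.", "Type": "CNAME", "TTL": 300,
     "ResourceRecords": [{"Value": "old-campaign.example.com.s3-website-us-east-1.amazonaws.com"}]},
    {"Name": "assets.example.com.", "Type": "CNAME", "TTL": 300,
     "ResourceRecords": [{"Value": "prod-assets.s3.amazonaws.com"}]},
    {"Name": "static.example.com.", "Type": "A",
     "AliasTarget": {"HostedZoneId": "Z3AQBSTGFYJSTF",
                     "DNSName": "s3-website-us-east-1.amazonaws.com.",
                     "EvaluateTargetHealth": False}},
    {"Name": "staging.example.com.", "Type": "CNAME", "TTL": 300,
     "ResourceRecords": [{"Value": "staging-app.herokuapp.com"}]},
    {"Name": "blog.example.com.", "Type": "CNAME", "TTL": 300,
     "ResourceRecords": [{"Value": "www.example.com"}]},
    {"Name": "www.example.com.", "Type": "A", "TTL": 300,
     "ResourceRecords": [{"Value": "192.0.2.10"}]},
]})

# Constructed sample in the shape of `aws s3api list-buckets` output: the buckets
# this account actually owns. old-campaign.example.com is deliberately missing.
SAMPLE_BUCKETS = json.dumps({"Buckets": [{"Name": "prod-assets"}, {"Name": "static.example.com"}]})

# <bucket>.s3.amazonaws.com, <bucket>.s3.<region>.amazonaws.com,
# <bucket>.s3-website-<region>.amazonaws.com
S3_TARGET_RE = re.compile(r"^(?P<bucket>.+?)\.s3(?:-website)?(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")


def cname_target(rrset: dict):
    """Lower-cased CNAME target of a record set, or None for any other type."""
    if rrset.get("Type") != "CNAME" or not rrset.get("ResourceRecords"):
        return None
    return rrset["ResourceRecords"][0]["Value"].rstrip(".").lower()


def s3_bucket_for(rrset: dict):
    """Name of the S3 bucket this record depends on, or None if it is not S3-backed."""
    name = rrset["Name"].rstrip(".").lower()
    alias = rrset.get("AliasTarget")
    if alias and alias["DNSName"].rstrip(".").lower().startswith("s3-website"):
        # Route53 alias to an S3 website endpoint: the bucket must carry the
        # record's own name, so that is the bucket whose existence matters.
        return name
    target = cname_target(rrset)
    if target:
        m = S3_TARGET_RE.match(target)
        if m:
            return m.group("bucket")
    return None


def reconcile(zone_json: str, buckets_json: str, apex: str):
    """Return (dangling_s3, external_cnames).

    dangling_s3:     (record, bucket) pairs that depend on a bucket this account does
                     not own: either deleted (takeover candidate) or already claimed
                     by someone else (worse).
    external_cnames: (record, target) pairs pointing outside the zone at a provider
                     this script cannot verify; check ownership with that provider.
    """
    owned = {b["Name"] for b in json.loads(buckets_json)["Buckets"]}
    apex = apex.rstrip(".").lower()
    dangling, external = [], []
    for rr in json.loads(zone_json)["ResourceRecordSets"]:
        name = rr["Name"].rstrip(".").lower()
        bucket = s3_bucket_for(rr)
        if bucket is not None:
            if bucket not in owned:
                dangling.append((name, bucket))
            continue
        target = cname_target(rr)
        if target and not (target == apex or target.endswith("." + apex)):
            external.append((name, target))
    return dangling, external


if __name__ == "__main__":
    dangling, external = reconcile(SAMPLE_ZONE, SAMPLE_BUCKETS, "example.com")
    for record, bucket in dangling:
        print(f"DANGLING S3: {record} needs bucket '{bucket}', which this account does not own")
    for record, target in external:
        print(f"VERIFY OWNERSHIP: {record} -> {target}")
```

A bucket listed by `list-buckets` is ownership evidence that an HTTP 200 from the S3 endpoint can never give, which is why this reconciliation catches the case the fingerprint scan misses: a bucket that an attacker has already claimed. Run it per account; a CNAME to a bucket owned by a different account of the same organization will show up as dangling and needs the inventory of that account too.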
5. Cloud Infrastructure Hardening
Secure your cloud accounts to prevent subdomain hijacking via compromised credentials or misconfigured services.
Terraform S3 Bucket Configuration Snippet:
# Production bucket: versioned, encrypted at rest, no public access.
# Versioning, encryption and public-access settings are separate resources in
# AWS provider v4+; the inline blocks and the acl argument are deprecated, and
# ACLs are disabled by default on new buckets anyway (Object Ownership).
resource "aws_s3_bucket" "main_app" {
  bucket = "prod-main-app-bucket"
}

resource "aws_s3_bucket_versioning" "main_app" {
  bucket = aws_s3_bucket.main_app.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "main_app" {
  bucket = aws_s3_bucket.main_app.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# Block ALL public access (these are not attributes of aws_s3_bucket)
resource "aws_s3_bucket_public_access_block" "main_app" {
  bucket                  = aws_s3_bucket.main_app.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Reserve the bucket name to prevent external takeover: the name must match
# the hostname in the dangling CNAME exactly, so nobody else can create it
resource "aws_s3_bucket" "legacy_subdomain" {
  bucket = "legacy-subdomain.yourdomain.com"
}

# Even if unused, block all access
resource "aws_s3_bucket_public_access_block" "legacy_subdomain" {
  bucket                  = aws_s3_bucket.legacy_subdomain.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
Step-by-step guide:
Infrastructure as Code (IaC) is a powerful defense. The Terraform code above shows a secure S3 bucket configuration, with public access blocked through the separate `aws_s3_bucket_public_access_block` resource rather than attributes on the bucket itself. Crucially, it also declares the legacy subdomain bucket. Because S3 bucket names are global, creating this bucket with all public access blocked prevents anyone else from claiming it for as long as it exists, even if the DNS CNAME record remains active. This “defensive registration” is a stopgap for high-risk legacy entries: the durable fix is still to delete the dangling record, and the technique only works with providers where holding the resource name is what blocks the takeover.
6. Automated Monitoring with Canary Tokens
Deploy early warning systems to detect takeover attempts on sensitive but unused domains.
Canary Token Setup (Conceptual):
Using a service like CanaryTokens.org, you place a unique token file on a subdomain. The following curl command simulates an attacker (or your own monitoring check) fetching it:
curl http://monitor-staging.yourdomain.com/secret-file.html
A request to your canary token URL instantly triggers an alert to your security team.
Step-by-step guide:
Canary tokens are digital tripwires. For critical legacy subdomains that cannot be immediately deleted, host a unique file provided by a canary token service. Configure the subdomain to resolve to a monitored server that hosts only this file. Any request to this file will generate an immediate alert, signifying that someone has discovered the subdomain and is probing it. This provides a crucial early warning before a full-scale phishing attack is launched.
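The detection side of the tripwire, as an added example that is not taken from the original post: parse the monitored server's access log and raise an alert for every request that reaches the canary host, grading a fetch of the token file above any other probe. The log format (combined format with `$host` as the first field), the `SAMPLE_LOG` lines, their IPs (documentation ranges) and their user agents are all constructed for the demo.

```python
import re
from datetime import datetime

CANARY_HOST = "monitor-staging.yourdomain.com"  # hostname used in the article
CANARY_PATH = "/secret-file.html"                # token file used in the article

# Constructed sample lines in combined log format with the virtual host prepended
# as the first field (assumed server log format). IPs are documentation addresses.
SAMPLE_LOG = """\
monitor-staging.yourdomain.com 203.0.113.7 - - [12/Mar/2024:09:15:02 +0000] "GET /secret-file.html HTTP/1.1" 200 512 "-" "python-requests/2.31.0"
monitor-staging.yourdomain.com 203.0.113.7 - - [12/Mar/2024:09:15:03 +0000] "GET /robots.txt HTTP/1.1" 404 153 "-" "python-requests/2.31.0"
www.yourdomain.com 198.51.100.22 - - [12/Mar/2024:09:16:40 +0000] "GET /secret-file.html HTTP/1.1" 404 153 "https://www.yourdomain.com/" "Mozilla/5.0"
monitor-staging.yourdomain.com 198.51.100.90 - - [12/Mar/2024:09:20:11 +0000] "HEAD /secret-file.html HTTP/1.1" 200 0 "-" "curl/8.5.0"
"""

LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def canary_alerts(log_text: str) -> list:
    """Every request that reached the canary host is an alert.

    high:   the token file itself was fetched (the canary fired)
    medium: any other request; the host serves nothing else, so this is recon
    Requests to other virtual hosts on the same server are ignored.
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["vhost"] != CANARY_HOST:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore cache-busting query strings
        alerts.append({
            "severity": "high" if path == CANARY_PATH else "medium",
            "ip": rec["ip"],
            "time": rec["time"].isoformat(),
            "method": rec["method"],
            "path": rec["path"],
            "referer": rec["referer"],
            "ua": rec["ua"],
        })
    return alerts


def by_source(alerts: list) -> dict:
    """Group alerts per source IP so one scanner sweep becomes one ticket, not fifty."""
    out = {}
    for a in alerts:
        entry = out.setdefault(a["ip"], {"hits": 0, "token_hits": 0,
                                         "first_seen": a["time"], "user_agents": set()})
        entry["hits"] += 1
        entry["token_hits"] += a["severity"] == "high"
        entry["user_agents"].add(a["ua"])
    return out


if __name__ == "__main__":
    alerts = canary_alerts(SAMPLE_LOG)
    for ip, info in by_source(alerts).items():
        print(f"{ip}: {info['hits']} requests, {info['token_hits']} token fetches, "
              f"first seen {info['first_seen']}, UAs {sorted(info['user_agents'])}")
```

The grouping matters operationally: the first hit from a new source is the signal that the subdomain has been discovered, and the user agent and referer are what distinguish a mass scanner from someone who arrived from a phishing kit's link.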
7. Integrating Subdomain Scans into CI/CD Pipelines
Prevent new subdomain takeovers by scanning for misconfigurations before deployment.
GitHub Action Snippet:
name: Subdomain Security Scan
on: [push, pull_request]
jobs:
  subdomain-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Run Subjack Scan
        uses: docker://haccer/subjack:latest
        with:
          args: -w ./subdomains.txt -t 100 -ssl -c /go/src/github.com/haccer/subjack/fingerprints.json -o results.json
      - name: Fail Build on Vulnerability
        run: |
          if [ -s results.json ]; then
            echo "CRITICAL: Vulnerable subdomains found!"
            cat results.json
            exit 1
          fi
Step-by-step guide:
Shift security left by integrating subdomain checks directly into your development lifecycle. This GitHub Action example runs Subjack against the list of subdomains associated with the project every time code is pushed or a pull request is opened. If the scan detects a vulnerable CNAME record, the build fails, preventing the vulnerable configuration from being deployed to production. The check is only as good as `subdomains.txt`: keep that file generated from the DNS inventory in section 4 rather than hand-maintained, or records created outside the repository will never be scanned.
What Undercode Say:
- Asset Management is Your First Line of Defense. The core of this vulnerability is not a technical flaw in software, but a failure in process and inventory management. You cannot secure what you do not know you own.
- The Attack Surface is Dynamic and Self-Inflicted. Organizations often focus on hardening known production assets, while the real danger comes from the “temporary” projects and forgotten campaigns that are never formally decommissioned, creating a constantly expanding, unmonitored attack surface.
The analysis from the original post, citing 21% of DNS records pointing to unresolved content, highlights a systemic failure in IT lifecycle management. This is not a niche issue but a pervasive one affecting companies of all sizes. The technical process of a takeover is trivial; the real challenge for defenders is operational. A proactive, continuous audit cycle is non-negotiable. Relying on manual, annual reviews is insufficient in a cloud-native environment where services can be spun up and torn down daily. The solution must be automated, integrated into DevOps workflows, and treated with the same seriousness as patch management.
Prediction:
Subdomain takeover will evolve from an infrastructure misconfiguration into a software supply chain attack vector. We will see a rise in attackers automatically claiming dangling subdomains not just for phishing, but to serve malicious JavaScript libraries or tampered packages from hostnames that look like trusted company CDNs, so that browsers and build pipelines load them without question. As more infrastructure becomes ephemeral and managed by automated scripts, the window for exploitation will shrink, but the consequence of a successful takeover will magnify, directly impacting customer data integrity and trust in the software supply chain.
Reported By: Darya Likso – Hackers Feeds


