The Subdomain Takeover Hunter’s Arsenal: 25+ Commands to Claim Your Bounty


Introduction:

Subdomain takeover vulnerabilities represent a critical and often high-impact security flaw where an attacker can seize control of a subdomain pointing to a deprovisioned third-party service. This exploit can lead to phishing campaigns, data theft, and significant reputational damage, making it a prized finding in any bug bounty program. Mastering the reconnaissance and verification process is key to uncovering these hidden vulnerabilities before malicious actors do.

Learning Objectives:

  • Understand the core methodology for identifying potentially vulnerable subdomains.
  • Master the use of open-source intelligence (OSINT) and scanning tools for enumeration.
  • Learn to verify and exploit a subdomain takeover, specifically against a common service like Fastly.

You Should Know:

1. Subdomain Enumeration Fundamentals

The first step is building a comprehensive list of an organization’s subdomains. Using tools like `subfinder`, `assetfinder`, and `amass` allows you to aggregate data from dozens of public sources.

subfinder -d target.com -o subdomains.txt
assetfinder --subs-only target.com | tee -a subdomains.txt
amass enum -passive -d target.com -o amass_subs.txt
cat subdomains.txt amass_subs.txt | sort -u > all_subs.txt

Step-by-step guide: Begin by installing the tools (go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest). Run `subfinder` to query public databases for subdomains of target.com. Use `assetfinder` to pull similar data, and employ `amass` in passive mode for a broader, non-intrusive sweep. Finally, combine and deduplicate all results into a single file (all_subs.txt) for the next phase. This consolidated list is your primary target list.

2. Probing for Live Hosts and CNAME Records

Not all subdomains are active. You need to filter for live hosts and, most importantly, extract their CNAME records. A CNAME that points to a service like Fastly, GitHub Pages, or AWS S3 is the primary indicator of a potential takeover.

cat all_subs.txt | httpx -silent -o live_subs.txt
# httpx writes full URLs (https://sub.target.com); strip the scheme and path before the DNS lookup
sed -E 's#^https?://##; s#/.*##' live_subs.txt | sort -u | while read -r sub; do host -t CNAME "$sub" | grep "is an alias"; done > cname_records.txt

Step-by-step guide: Use httpx, a fast HTTP probe, to check which subdomains in your list are live and responding, saving the results to live_subs.txt. Then, iterate through this live list with the `host` command, specifically querying for CNAME records (-t CNAME). The `grep` command filters the output to show only the confirmed aliases. The resulting `cname_records.txt` file is your shortlist for investigation.

3. Identifying Fastly Service Pointers

Fastly is a popular Content Delivery Network (CDN). When a customer leaves Fastly but their subdomain’s CNAME still points to it, a vulnerability is created. You need to identify these specific pointers.

grep "fastly" cname_records.txt > fastly_candidates.txt
cat fastly_candidates.txt | awk '{print $1, $6}' | sed 's/.$//' > clean_fastly_list.txt

Step-by-step guide: Search your CNAME records file for any line containing the string “fastly”. This will isolate all subdomains potentially reliant on the Fastly service. The `awk` and `sed` commands are used to clean up the output, extracting just the subdomain name and its target CNAME for easier analysis in the next step.

4. The Crucial DNS Check

A subdomain is only vulnerable if it does not have a valid Fastly service attached to it. The simplest way to check this is via a DNS lookup. If the CNAME resolves to a generic Fastly domain but that domain does not resolve to an IP, it’s a strong sign of abandonment.

cat clean_fastly_list.txt | awk '{print $2}' | while read -r cname; do
  ip=$(host "$cname" | grep "has address" | head -n1)
  if [ -z "$ip" ]; then
    echo "VULNERABLE CANDIDATE: $cname"
  fi
done

Step-by-step guide: This script reads the list of target Fastly CNAMEs and performs a DNS lookup on each one. The `host` command checks for an associated IP address. The `if [ -z "$ip" ]` conditional statement checks if the result of that lookup is empty. If no IP address is found for the Fastly CNAME, it prints a "VULNERABLE CANDIDATE" message, indicating the subdomain is a prime target for takeover.
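The CNAME-and-resolution check from sections 2 and 4 as one offline-testable function, added here as an example rather than the post's own script: it parses saved `host` output, follows CNAME chains (which the single-hop loop above does not), accepts AAAA as well as A records, and reports only the original names so the zone owner knows which records to delete or re-point. Every hostname in the sample is constructed; feed it all_subs.txt rather than only live_subs.txt, since a name whose CNAME target no longer resolves will not answer an HTTP probe.

```shell
#!/bin/sh
# Added example, not from the original post: flag dangling CNAMEs from saved `host`
# output so the zone owner can delete or re-point them. Feed it the concatenated output of
#   host -t CNAME <sub>   for every name in all_subs.txt
#   host <target>         for every distinct alias target found
# A name is reported when its CNAME chain ends at a target with no A/AAAA record.

find_dangling() {
  awk '
    # "sub is an alias for target."  -> record the alias, drop the trailing dot
    /is an alias for/ { t = $6; sub(/\.$/, "", t); alias[$1] = t; is_target[t] = 1; next }
    # "name has address ..." / "name has IPv6 address ..." -> target resolves
    /has (IPv6 )?address/ { resolves[$1] = 1; next }
    END {
      for (s in alias) {
        if (s in is_target) continue          # intermediate hop, not one of our names
        t = s; hops = 0
        while ((t in alias) && hops < 10) { t = alias[t]; hops++ }   # follow the chain
        if (!(t in resolves)) print s " -> " alias[s]
      }
    }' | sort
}

# Constructed sample in the format `host` prints; every hostname here is made up.
sample_lookup_output() {
  cat <<'EOF'
shop.example.com is an alias for shop.example.com.global.prod.fastly.net.
app.example.com is an alias for app-tenant.cdn-provider.example.
old.example.com is an alias for old.example.com.edge.example.
www.example.com has address 203.0.113.10
shop.example.com.global.prod.fastly.net is an alias for prod.fastly.net.
prod.fastly.net has address 198.51.100.5
Host app-tenant.cdn-provider.example not found: 3(NXDOMAIN)
old.example.com.edge.example is an alias for retired.edge.example.
Host retired.edge.example not found: 3(NXDOMAIN)
EOF
}

# With real data: cat cname_records.txt target_lookups.txt | find_dangling
sample_lookup_output | find_dangling
```

On the sample it reports app.example.com and old.example.com; shop.example.com is skipped because its chain ends at a resolving Fastly host.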

5. Proof-of-Concept with cURL

To confirm the vulnerability, you must demonstrate control. This is often done by sending an HTTP request to the vulnerable subdomain. If it returns a 404 or similar error from the service provider (e.g., Fastly), it confirms the subdomain is pointing to an unclaimed resource.

curl -I -H "Host: vulnerable.target.com" http://<fastly-ip>/
curl -X POST -H "Host: vulnerable.target.com" -d "Your Content Here" http://<fastly-ip>/poc.html

Step-by-step guide: The first command uses `curl -I` to fetch only the HTTP headers from the target. You specify the vulnerable subdomain in the `Host` header and direct the request to a known Fastly IP address. A response like `404 Not Found` is a positive indicator. For a more concrete proof, the second command attempts to `POST` data to a file on the server. If successful (returning a 2xx status code), it proves you can serve content from the target’s subdomain.

6. Automating with Nuclei

Nuclei is a powerful vulnerability scanner with dedicated templates for subdomain takeovers. This allows for scalable, automated testing across your entire list of subdomains.

nuclei -l live_subs.txt -t /path/to/subdomain-takeover-templates/ -o nuclei_takeover_results.txt

Step-by-step guide: After installing Nuclei and its template library (nuclei -update-templates), run the command against your `live_subs.txt` file. The `-t` flag points to the directory containing subdomain takeover templates. Nuclei will automatically test each live subdomain against a battery of checks for various services (Fastly, AWS, GitHub, etc.), outputting confirmed vulnerabilities into nuclei_takeover_results.txt.

7. Cloud Asset Discovery with AWS CLI

In a cloud environment, subdomains often point to services like S3 buckets. If a bucket is deleted but the DNS record remains, it becomes vulnerable. The AWS CLI can help check for the existence of these resources.

aws s3 ls s3://bucket-name/
nslookup potential-bucket.target.com

Step-by-step guide: For subdomains pointing to S3 buckets (CNAME like bucket.s3-website-us-east-1.amazonaws.com), use the `aws s3 ls` command to check if the bucket exists and you have list permissions. If the command returns an error like NoSuchBucket, the resource is available for takeover. Corroborate this with `nslookup` to confirm the DNS record still points to the AWS endpoint.

What Undercode Says:

  • The automation of reconnaissance is non-negotiable for efficient attack surface mapping. Manual processes cannot compete with the scale provided by tools like subfinder, amass, and httpx.
  • Verification is the critical differentiator between a potential finding and a confirmed, billable bug. A CNAME record pointing to a third-party service is only a hint; proof of a missing resource (via DNS and HTTP checks) is the exploit.

The landscape of subdomain takeovers is evolving beyond simple CNAME checks to include complex DNS configurations and cloud service dependencies. The core vulnerability, however, remains a failure in asset lifecycle management. As organizations rapidly adopt and discard cloud services, the attack surface for these misconfigurations will only expand. Automation will become even more central, with scanners like Nuclei integrating deeper checks. Furthermore, the rise of infrastructure-as-code (IaC) introduces a new vector; vulnerabilities can now be “baked in” at the provisioning stage, making pre-deployment security audits just as important as post-hoc bug hunting.

Prediction:

The financial and reputational impact of subdomain takeovers will escalate as attackers increasingly weaponize them for large-scale, credible phishing attacks. We predict a shift towards automated botnets continuously scanning for and exploiting these takeovers within minutes of a service being decommissioned, forcing a paradigm shift from reactive bug bounty programs to proactive, automated asset and DNS monitoring integrated directly into the DevOps pipeline.

Reported By: Sohail Ahmed – Hackers Feeds