Subdomain Takeover


Subdomain Takeover

Hello, everyone. We have talked a lot about the TOP 10 web application vulnerabilities by OWASP in the other posts. This time we are going to learn something new which is being quite a common submission in the recent bug bounty reports. The vulnerability which we will discuss is Subdomain Takeover and we will see the different methods and tools which will help you to know which subdomain is vulnerable to this kind of attack.

So what is Subdomain Takeover?

A subdomain takeover is exactly what it sounds like. When an attacker can claim a subdomain of a site, it is said to be subdomain takeover.

Simple Example:

  • Let’s say there is a company called xyz.com
  • This company opens a service called “blogs” and registers this on Amazon S3.
  • So the DNS entry of the subdomain blog.xyz.com now points to the Amazon S3 bucket.
  • After some time, the company decided to stop this service but by mistake forget to remove the DNS entry and the S3 bucket remains unclaimed.
  • Now what the attacker does is register this S3 bucket as their own and all the traffic of the blog.xyz.com will be directed to a malicious site owned by you.
  • So the attacker can now use it as a phishing site because everything will seem legitimate to the user. The attacker can simply put an HTML form asking the user to log in and the user will do so due to their trust in the company xyz.com.

This kind of subdomain takeover vulnerabilities generally happens due to unclaimed DNS entries for external services like Github, Amazon S3 buckets, Heroku, Shopify etc.

So let’s get to the practical side.

How to test for Subdomain takeover?

There are several tools available for testing this. Let’s go through each of them one by one.

    • HostileSubBruteForcer This is one of the best tools available for testing for subdomain takeover written by Nahamsec. Just download it from here.
      After downloading, just go the folder where you have downloaded it and type the command:ruby sub_brute.rbIt will open a tab like in the screenshot. Just enter the domain name for which you want to test which subdomains are not correctly configured. In case this tool finds something suspicious it will show them in a red color.It will show you where the subdomains are pointing to. In case it finds that the DNS entries for a certain subdomain are pointing to something suspicious or to a 3rd party service which is not being used it will notify you.
    • Knockpy Knockpy is one of the more popular tools. It is actually a subdomain enumeration tool. In case, it finds that a subdomain is pointing to an external service it will notify you of that.
      You can download Knockpy from here.
      Now in case, if Knockpy notifies you of external services, you need to visit that domain to check if it is vulnerable or not.
      Let’s say that the DNS entry was pointing to a service on Heroku. Now when you visit the domain, it shows you this picture.

      Now, this in almost most of the cases makes sure that the subdomain might be vulnerable to takeover. In case, to be fully assured of the vulnerability, you will need to register on that service, in this case, the Heroku one and just host some of your content there to fully demonstrate that you have claimed the subdomain and it is now a perfect place to get user’s credentials.
    • Sublist3r Sublist3r is actually a very popular subdomain enumeration tool. Actually, it enumerates subdomains using many search engines such as Google, Bing, Yahoo etc. Download it from here.After you have downloaded it, and done with all the Python settings, just use this command to get started.
      Go to the folder where sublist3r.py has been downloaded and type:
      python sublist3r.py -d xyz.com

      Now this will enumerate all the subdomains of the domain xyz.com. The motive of this is after we get all the subdomains we will need to check the CNAME or the Canonical Name of each subdomain. It can be found in the DNS information of a particular subdomain. Otherwise, there are online tools also to get the CNAME of a particular subdomain like this one(See the screenshot below). Now if you find that the CNAME is pointing to a 3rd party service like Amazon, Heroku, Shopify etc., you will need to go to that service and verify if it can really be claimed so that the service now points to our malicious site and the subdomain takeover is complete.

      Another method which is there is to use the host command in Linux to check where the subdomain is pointing to. Just type the command:

      host blogs.xyz.com

      and it will show where the subdomain is pointing to and now we can verify it from there by applying the steps from the previous methods.

      There is one other subdomain enumeration tool called Subbrute which increases the possibility of finding more subdomains which automatically increases your chances of getting any subdomain available for takeover. You can download the tool from here.

    • Aquatone Last but not the least, there is one other tool which has been there for less than a year but slowly gaining some name for this kind of testing known as Aquatone. Download the tool from here.
      After downloading and all the setup type this command to use the aquatone takeover tool.

      aquatone-takeover --domain xyz.com

      The best thing is that the result is a JSON file in which you will get the name of possible subdomains vulnerable to takeover along with their CNAMES. So now you can go the respective service and try to claim it for the attack to be successful.

So this was all for this post. In a summary, subdomain takeover is a critical security issue which commonly occurs when a company assigns a subdomain to a third-party service provider and then later discontinues use, but doesn’t remove the DNS configuration. This leaves the subdomain vulnerable to complete takeover by attackers by signing up to the same service provider and claiming the subdomain.
And while submitting for this kind of bugs, it’s always better to claim the subdomain and don’t just report as soon you see the error message. Hosting something simple to fully show that the subdomain has been claimed will always be considered a better valid report in this case.

Hope you enjoyed this one. There are lots of reports for this kind of issues, so do read them as it doesn’t require any fancy testing like for other OWASP TOP 10 vulnerabilities. In case you didn’t understand something, please comment below and ENCIPHERS will always be there for your help. Until then, KEEP HACKING.:)

Blogger
I am the one who publishes all the blogs for ENCIPHERS :-)