Subdomain takeover

A few years ago, taking over a subdomain was one of the easiest way to earn, several hundred dollars (sometimes thousands). It was a good salary for a beginner bounty hunter. Today, companies are more careful in this matter. Which does not mean that it is not worth trying. The rewards aren’t lower, but it is harder to spot this. You will need a lot of patience and time.

You do not need to be a super technical person and have some knowledge, to try your hand at this field. I will not go deep into the theoretical details, I will refer you to the pages where it has already been very well described and explained. Here we will focus on the search itself and the tools necessary to facilitate the search.

subdomain takeover

Image source: Microsoft Docs

Remember if you get any hits on this and you will receive a reward, don’t forget to give me 10% for showing you how to become a bounty hunter (just kidding you gotta give me all your winnings).

Can I take over

First of all you need to know which services provider can be taken over. Here you can find up to date list of services with dangling DNS records.

https://github.com/EdOverflow/can-i-take-over-xyz

Theory

If you want to know more than how to get money in easy way, check these links. These are good sources of knowledge about how it all works. Read and you will understand more. Don’t be like script kiddie.

Subdomain Takeover: Basics

Subdomain Takeover: Going beyond CNAME

Subdomain Takeover: Proof Creation for Bug Bounties

Subdomain Takeover: Finding Candidates

A guide to subdomain takeovers

Scope

Search for scope in bounty hunter programs like Bugcrowd, Hackerone, Intigriti. There is many more of course. Find the one that best fits you.

Enumeration

Once you have a scope. You need to prepare subdomain list. A few tools will help you with that.

I like subfinder tool for enumeration and knock for wordlist. But here are all, still developed and very good tools. Test each and choose the best.

Sublist3r

Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster and ReverseDNS.

1
sublist3r -d example.com -t 50 -o subdomainlist.txt

Subfinder

subfinder is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources. It has a simple modular architecture and is optimized for speed. subfinder is built for doing one thing only - passive subdomain enumeration, and it does that very well.

After installation it is worth to add API’s to your config file. This will increase your list building efficiency.

1
subfinder -d example.com -o subdomainlist.txt -t 50

This tool can check multiple domains from a file:

1
subfinder -dL domainlist.txt -o subdomainlist.txt -t 50

-nW - Remove Wildcard & Dead Subdomains from output

knock

Knockpy is a python tool designed to enumerate subdomains on a target domain through a wordlist. It is designed to scan for DNS zone transfer and to try to bypass the wildcard DNS record automatically if it is enabled.

Subdomain scan with internal wordlist

1
knockpy example.com

Subdomain scan with external wordlist

1
knockpy example.com -w wordlist.txt

-c output to cvs

You can take interesting wordlist for subdomain enumeration from dnscan repo or here.

Sometimes, when you will install scripts/tools from GitHub, you need provide full path to run it. Easier solution is to add symlink to the script.

Example for Sublist3r installed from GitHub repository:

1
2
3
4
chmod +x sublist3r.py
cd /usr/local/bin/
sudo ln -s /opt/Sublist3r/sublist3r.py
mv sublist3r.py sublist3r

Now, no matter where you are in the system just write a command sublister to run the script.

You can do the same for other scripts/tools. That’s just small tip, you are pro and probably already knew it.

Check if you can take over

Now it is time to check, if it is possible to takeover one of the subdomain from prepared list.

Never search manually. There is too much here to manually check one by one. It would be waste of time. Anyway below I showed for example how to do it manually using dig.

dig

You can use dig to manually check subdomain.

1
dig example.com

or list

1
dig -f subdomainlist.txt > dig.txt

Check then for status: NXDOMAIN and CNAME pointing to dangling DNS records.

takeover

Takeover - Subdomain Takeover Finder.

1
2
python3 takeover.py -l subdomainlist.txt -v -t 50 -o output.txt
python3 takeover.py -d example.com -v -t 50 -o output.txt

screen

Sometimes when you have a list with >10k entries it is worth to leave this on your VPS server as a session. Use screen for that.

1
screen -S your_session_name

New session will be opened, type there your command (eg. the one from takeover example) and then hit ctrl+a+d to keep your session in background.

You can now work on your VPS or run another session and not block your terminal, or just logoff. The process will still run in the background.

To check all your current session type screen -ls, to restore session type screen -r your_session_name or if you didn’t name your session, then session number provided on the session list. To kill session just enter to it, and type exit.

sub404

Sub 404 is a tool written in python which is used to check possibility of subdomain takeover vulnerability and it is fast as it is Asynchronous.

You can easily provide your subdomain list as a file:

1
python3 sub404.py -f subdomainlist.txt

or

1
python3 sub404.py -d example.com

this combines result from sublist3r and subfinder tool and checks for possibility of takeover.

This tool fetches CNAME of 404 response code URL and removes all URL which have target domain in CNAME. So chances of false positives are high.

Recsech

Recsech is a tool for doing Footprinting and Reconnaissance on the target web. Recsech collects information such as DNS Information, Sub Domains, HoneySpot Detected, Subdomain takeovers, Reconnaissance On Github and much more.

This tool is mentioned just as a bonus. One of its options is to check if a given domain has subdomains to take over, but it’s not a very efficient option.

1
Recsech.php example.com -o output.txt

Takeover and PoC

So, if you are lucky one and you get hit, go and register your resource/service/bucket with the same name as the one you discovered. Redirect it to your www server with PoC placeholder.

Here is example for Traffic Manager.

Create free subscription on Azure. Go to Home>New>Traffic Manager profile>Create traffic manager profile.

Create it with same name as the one from subdomain you want to take over. Once you put subdomain name, you will see if it is available to register.

Name: subdomain
Routing method: Performance
Subscription: your_subscription
Resource group: Create new
Name: PoC
Resource group location: eg. East Europe

Now you need to point this domain to one of your servers. Just set IP address of your server as target. On the server, create virtual host with landing page.

In the links I provided in the theory part, you can find more useful information about how to set this up for Azure, GitHub, Heroku etc.

That’s all. Your PoC is ready to go. If you visit subdomain it will redirect you to your server.

Now prepare a good and detailed report and deliver it in bug bounty. Check this report example.

How to protect your resources

Maintain order in your infrastructure ;)

Check this guide from Microsoft, this link/document can be also used as solution for bug bounties reports.

Good luck. You will need it.