Pentest Book
Subdomain Takeover

Explanation

    1. A domain name (sub.example.com) uses a CNAME record pointing at another domain (sub.example.com CNAME anotherdomain.com).
    2. At some point, anotherdomain.com expires and becomes available for anyone to register.
    3. Because the CNAME record is never removed from the DNS zone of example.com, anyone who registers anotherdomain.com has full control over sub.example.com for as long as that DNS record remains in place.
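The condition in step 3 is something a zone owner can check for on their own side. The following is an added example (not code from the Pentest Book or from any of the tools listed below): it walks the CNAME chain for each name in a zone and flags records whose final target no longer exists, which is how an expired anotherdomain.com looks to a resolver. The zone contents are constructed sample data, and the `lookup` callable stands in for a real resolver; it only covers the expired-target case described above, not provider-specific "unclaimed resource" fingerprints.

```python
"""Audit a DNS zone for dangling CNAME records (defender-side check).

Added example. SAMPLE_ZONE is constructed data, not any real zone; in a real
audit the `lookup` callable would be backed by an actual DNS resolver.
"""
from typing import Callable, Dict, List, Optional, Tuple

Records = List[Tuple[str, str]]

# Constructed sample zone: name -> list of (rtype, value). A name that is
# absent from the table does not resolve at all (NXDOMAIN), which is what an
# expired registration such as anotherdomain.com looks like to a resolver.
SAMPLE_ZONE: Dict[str, Records] = {
    "sub.example.com.":      [("CNAME", "anotherdomain.com.")],   # dangling
    "www.example.com.":      [("CNAME", "edge.cdn.example.net.")],
    "edge.cdn.example.net.": [("A", "192.0.2.10")],
    "api.example.com.":      [("CNAME", "alias.example.com.")],   # two-hop chain
    "alias.example.com.":    [("CNAME", "edge.cdn.example.net.")],
    "mail.example.com.":     [("A", "192.0.2.25")],
    "loop.example.com.":     [("CNAME", "loop2.example.com.")],   # misconfigured loop
    "loop2.example.com.":    [("CNAME", "loop.example.com.")],
}


def lookup_sample(name: str) -> Optional[Records]:
    """Resolver stand-in: return the records for a name, or None for NXDOMAIN."""
    return SAMPLE_ZONE.get(name)


def follow_cname(name: str,
                 lookup: Callable[[str], Optional[Records]],
                 max_hops: int = 8) -> Tuple[str, List[str]]:
    """Follow the CNAME chain starting at `name`.

    Returns (status, chain) where status is one of:
      "ok"       - chain ends at a name that exists and has no CNAME
      "dangling" - a CNAME target in the chain does not exist (takeover risk)
      "nxdomain" - the starting name itself does not exist
      "loop"     - the chain revisits a name
      "too_deep" - more than max_hops CNAMEs (treated as suspicious)
    """
    chain = [name]
    seen = {name}
    current = name
    for _ in range(max_hops):
        records = lookup(current)
        if records is None:
            # The name we were sent to does not resolve: if we got here via a
            # CNAME, the pointing record is dangling.
            return ("dangling" if len(chain) > 1 else "nxdomain", chain)
        cnames = [value for rtype, value in records if rtype == "CNAME"]
        if not cnames:
            return ("ok", chain)
        target = cnames[0]           # a name may carry only one CNAME
        if target in seen:
            return ("loop", chain + [target])
        seen.add(target)
        chain.append(target)
        current = target
    return ("too_deep", chain)


def audit_zone(names: List[str],
               lookup: Callable[[str], Optional[Records]]) -> List[Tuple[str, str, List[str]]]:
    """Return (name, status, chain) for every name whose chain is not 'ok'."""
    findings = []
    for name in sorted(names):
        status, chain = follow_cname(name, lookup)
        if status != "ok":
            findings.append((name, status, chain))
    return findings


if __name__ == "__main__":
    owned = [n for n in SAMPLE_ZONE if n.endswith(".example.com.")]
    for name, status, chain in audit_zone(owned, lookup_sample):
        print(f"{status:9} {' -> '.join(chain)}")
```

Run against the sample data, the audit reports sub.example.com as dangling (its target does not exist) and the loop pair as misconfigured, while the two-hop api chain and the plain A records pass. The fix for a dangling finding is the one the explanation implies: delete the CNAME from the example.com zone (or repoint it) rather than relying on the old target staying unregistered.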

Resources

Subdomain Takeover: Proof Creation for Bug Bounties (Patrik Hudak)
GitHub - EdOverflow/can-i-take-over-xyz: "Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.

Tools

# https://github.com/LukaSikic/subzy
subzy -targets list.txt
subzy -concurrency 100 -hide_fails -targets subs.txt

# https://github.com/haccer/subjack
subjack -w /root/subdomain.txt -a -v -t 100 -timeout 30 -o results.txt -ssl # Subdomains generated with subgen

# https://github.com/guptabless/unclaim-s3-finder
bucket-takeover.py -u https://qweqwe.asasdasdad.com

# https://github.com/In3tinct/Taken