Bug Bounty / Hacking tips / Networking / Payloads / Programming

Subdomain Takeover: What It Is, How to Exploit It, and How to Prevent It

spyboy's avatarPosted by

Subdomain takeover is a critical vulnerability that occurs when an attacker gains control of an unused or misconfigured subdomain of a website. This can lead to serious consequences, such as phishing attacks, data theft, and loss of trust in a brand. In this blog post, we’ll explain what subdomain takeover is, how attackers exploit it, provide examples, suggest tools for testing, and offer best practices for prevention.

What is Subdomain Takeover?

A Subdomain Takeover occurs when a subdomain (e.g., sub.example.com) is pointed to a third-party service (such as a hosting platform like AWS, GitHub Pages, or Heroku), but the resource associated with that subdomain is no longer available or has been deleted. If the DNS records for the subdomain are not removed, an attacker can claim ownership of the orphaned subdomain by creating a resource on the third-party platform and thereby take control of it.

How It Works:

  • DNS Misconfiguration: The vulnerable subdomain points to a cloud or hosting service (such as AWS S3, Heroku, or GitHub Pages) that is no longer in use.
  • Orphaned Resource: The original resource (bucket, page, app) on the cloud platform is deleted, but the DNS entry still points to it.
  • Exploitation: An attacker claims the resource by registering a new instance of it (like creating a new S3 bucket with the same name) and takes over the subdomain.

Exploiting Subdomain Takeover Vulnerabilities

Exploiting a subdomain takeover involves three main steps:

1. Identifying Vulnerable Subdomains

The first step is to find subdomains of a target domain and check if they point to an external service. Common platforms prone to subdomain takeovers include:

  • Amazon AWS (S3 Buckets)
  • GitHub Pages
  • Heroku
  • Microsoft Azure
  • Bitbucket
  • Shopify

2. Checking DNS Configuration

Once a subdomain is found, inspect its DNS configuration using tools like dig or nslookup. You’re looking for CNAME records that point to an external service provider. If the service no longer exists, the subdomain could be vulnerable.

3. Claiming the Subdomain

If the service has been orphaned, the attacker can create a new resource on the same third-party service (e.g., create a new S3 bucket or GitHub Pages site). This will allow them to control the subdomain and serve content from it.

Example of a Subdomain Takeover

Let’s say a company has a subdomain:

shop.example.com

This subdomain is configured with a CNAME record pointing to an Amazon S3 bucket:

shop.example.com -> shop-example-bucket.s3.amazonaws.com

At some point, the company deletes the S3 bucket shop-example-bucket. However, they forget to remove the DNS record. Now, the DNS still points to shop-example-bucket.s3.amazonaws.com, but the bucket no longer exists.

An attacker can create an S3 bucket with the same name, shop-example-bucket. Now, they have control over shop.example.com and can host whatever content they want, including phishing pages, malicious files, or simply defacing the site.

Tools for Finding Subdomain Takeover Vulnerabilities

There are several tools available to help identify subdomain takeover vulnerabilities:

1. Sublist3r

  • Purpose: Sublist3r is a tool that enumerates subdomains of a website using open-source intelligence (OSINT) techniques.
  • How to Use: You can run Sublist3r to find subdomains of your target. After identifying the subdomains, you can manually check if any of them are pointing to third-party services.
  • Example:
    bash sublist3r -d example.com

2. Subjack

  • Purpose: Subjack is an open-source tool designed specifically to detect subdomains that are vulnerable to takeover.
  • How to Use: Run Subjack against a list of subdomains to automatically check if they are pointing to external services that can be claimed by an attacker.
  • Example:
    bash subjack -w subdomains.txt -t 100 -ssl -c fingerprints.json -o results.txt

3. Amass

  • Purpose: Amass is a powerful tool for network mapping and reconnaissance. It can be used to find subdomains and check for misconfigurations that could lead to subdomain takeovers.
  • How to Use: Use Amass to discover subdomains and combine it with other tools to identify vulnerable ones.
  • Example:
    bash amass enum -d example.com

4. Aquatone

  • Purpose: Aquatone is a tool for visual inspection of websites across many subdomains. It helps with reconnaissance and identifying potentially vulnerable subdomains.
  • How to Use: After finding subdomains, you can use Aquatone to generate screenshots of the websites to manually check for takeovers.
  • Example:
    bash cat subdomains.txt | aquatone

Real-World Consequences of Subdomain Takeover

Subdomain takeovers can have severe consequences, particularly for organizations with large user bases. Here are some potential outcomes:

1. Phishing Attacks

Attackers can set up a phishing page on a hijacked subdomain. Since the subdomain belongs to a legitimate organization, users are more likely to trust the phishing page, making it easier to steal credentials or other sensitive information.

2. Malware Distribution

Attackers can serve malware from the compromised subdomain, tricking users into downloading malicious files by presenting them as legitimate content.

3. Brand Damage

Having a subdomain hijacked can damage a company’s reputation. If an attacker uses the subdomain for malicious purposes, the trust users place in the brand may be eroded.

4. SEO and Traffic Manipulation

Subdomain takeovers can affect search engine rankings and divert traffic away from legitimate business sites to malicious ones.

Preventing Subdomain Takeover

To prevent subdomain takeovers, organizations must follow best practices for DNS management and third-party service configuration. Here are some strategies:

1. Regularly Audit DNS Records

  • Regularly check your DNS records to identify any subdomains pointing to external services that are no longer in use. Remove any orphaned DNS records immediately.

2. Monitor Cloud Services

  • Ensure that if you delete or stop using a cloud service (e.g., AWS, Heroku, GitHub Pages), you remove the corresponding DNS entry. Additionally, establish processes to monitor the status of cloud services linked to your domain.

3. Use DNS Wildcard Records Cautiously

  • Avoid using wildcard DNS records (*.example.com) without proper validation. These can make it easier for attackers to exploit subdomain misconfigurations.

4. Configure Access Control

  • Use strict access control mechanisms on cloud services. Ensure that subdomains and DNS configurations are only managed by authorized personnel and are audited regularly.

5. Enable Alerts for DNS Changes

  • Set up monitoring and alerting for any changes made to DNS records. This can help detect unauthorized changes or accidental misconfigurations early.

Conclusion

Subdomain takeovers are a dangerous vulnerability that can have far-reaching consequences, from phishing attacks to brand damage. By understanding how these takeovers occur and using tools like Subjack, Sublist3r, and Amass, bug bounty hunters can identify these issues and report them. On the defensive side, regular DNS audits, careful monitoring of cloud resources, and strict DNS management can help protect organizations from falling victim to these attacks.

Ensuring that subdomains are properly configured and regularly reviewed is essential to maintaining the security and integrity of any web-based system. Stay vigilant, and prevent attackers from taking over your subdomains!

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.