
Hello everyone, hope everyone is having a good day. Today we are going to learn about the subdomain takeover vulnerability, which is a valuable finding but a little difficult when it comes to actually locating it.
I will share some tips on how to find subdomain takeover vulnerabilities, the tools used for subdomain enumeration, and techniques to determine whether a domain is vulnerable.
Let's get to the main topic.
What is a Subdomain?
A subdomain is a subdivision of a domain. For example, google.com is the domain and ads.google.com is a subdomain of the Google domain.
In other words, a subdomain is the next level below a domain.
Examples are:
- google.com → domain
- ads.google.com → subdomain
- example.ads.google.com → subdomain of the subdomain
These are examples of subdomains. Now let's move on to subdomain enumeration.
Here is the procedure I follow when doing subdomain enumeration:
- I use tools like subfinder, amass and crt.sh.
- Then I combine all the subdomain results that came from those tools.
- Then I run httpx or httprobe to find which subdomains are alive.
- Then I take the subdomains returning a 404 status code and check their CNAME records.
- If the CNAME points to a vulnerable service, go for subdomain takeover; otherwise there is no vulnerability.
Subdomain enumeration using subfinder:
subfinder -d google.com

This is how most people do subdomain enumeration, but let me show you something different. When you enumerate subdomains using the command above you get results, and the output looks like this.

We got nearly 11379 subdomains using that command. Now let's run the command again with a small change.
The command to use now is:
subfinder -d google.com -all

And let's wait for the output. Enumeration may take some time, so wait patiently.

Now compare the output with the previous command:
Output when using the first command: 11379
Output when using the second command: 17515
We gathered more subdomains by adding -all to the command.
Now it's time for Amass.
Amass:
Active enumeration:
amass enum -brute -active -d google.com -o amassactive.txt (active enumeration)

The enumeration process takes time, so wait a while.

The enumeration is done; the output is shown above.
Passive enumeration:
amass enum -passive -d google.com -o amasspassive.txt (passive enumeration)

The enumeration process takes time, so wait a while.

Once both enumerations are complete, combine the two outputs into a single amass subdomain enumeration file.
Before this, install a tool called anew from GitHub, which helps you combine these outputs without duplicates.
Tool link: https://github.com/tomnomnom/anew
It is quite a popular tool; I think you have heard of it too.
Combine both outputs (the active and passive result files written above) using this command:
cat amassactive.txt amasspassive.txt | anew amassout.txt
Now let's go for the crt.sh tool.
Crt.sh:
crt.sh is a good tool for subdomain enumeration, and here is the procedure.
Command used:
bash crt.sh -d google.com

And the output looks like this:

Now combine all the outputs using the command below:
cat subfinderout.txt amassout.txt domain.google.com.txt | anew subdomains.txt
It combines all the subdomains into a single text file, dropping duplicates.
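The merge step above works because anew only keeps lines it has not seen before, but different tools spell the same host differently (trailing dots from DNS tools, wildcard prefixes from certificate transparency, URLs instead of bare names), so a plain line-level dedupe still leaves duplicates and out-of-scope hosts in the list. The following Python is an added example, not code from the article or from the anew project: it merges constructed stand-ins for the subfinder, amass and crt.sh output files, normalises each entry to a bare lowercase hostname, and keeps only names under the target apex. The file contents, the apex and the hostname regex are all assumptions for the example.

```python
"""Merge subdomain lists from several tools into one deduplicated, in-scope list.

Added example (not the article's or anew's code). Reproduces the
'cat a b c | anew out' step and additionally normalises entries and
drops hosts that fall outside the target apex.
"""
import re
from typing import Iterable, List

# Constructed sample outputs standing in for subfinderout.txt, amassout.txt
# and the crt.sh output file; these are not real tool results.
SUBFINDER_OUT = """ads.google.com
mail.google.com
Ads.Google.com
"""
AMASS_OUT = """ads.google.com.
*.docs.google.com
mail.google.com
notgoogle.com
"""
CRTSH_OUT = """https://docs.google.com
docs.google.com
www.google.com.evil.example
"""

# Assumed hostname shape: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]+$")


def normalise(entry: str) -> str:
    """Canonicalise one line of tool output into a bare hostname."""
    host = entry.strip().lower()
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", host)  # strip URL scheme
    host = host.split("/", 1)[0]                        # drop any path
    host = host.rstrip(".")                             # trailing dot from DNS tools
    if host.startswith("*."):                           # wildcard names from crt.sh
        host = host[2:]
    return host


def in_scope(host: str, apex: str) -> bool:
    """True if host is the apex itself or a label-aligned subdomain of it.

    Checking for '.' + apex (not just apex) keeps look-alikes such as
    notgoogle.com out of the list.
    """
    return host == apex or host.endswith("." + apex)


def merge_subdomains(sources: Iterable[str], apex: str) -> List[str]:
    """Return the unique, in-scope hostnames from all sources, first-seen order kept."""
    seen = set()
    merged = []
    for text in sources:
        for line in text.splitlines():
            host = normalise(line)
            if not host or not HOSTNAME_RE.match(host):
                continue
            if not in_scope(host, apex) or host in seen:
                continue
            seen.add(host)
            merged.append(host)
    return merged


if __name__ == "__main__":
    for host in merge_subdomains([SUBFINDER_OUT, AMASS_OUT, CRTSH_OUT], "google.com"):
        print(host)
```

The in-scope check matters for the later stages: a host such as www.google.com.evil.example, which crt.sh can legitimately return, would otherwise be probed and reported as if it belonged to the target.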
Now it's time to send the list to the httpx tool to find the live subdomains.
The httpx release I used in this subdomain enumeration process is linked below; I chose it because it can report status codes, the technologies used by the website, and much more:
https://github.com/projectdiscovery/httpx/releases/tag/v1.1.3
Command used:
cat subdomains.txt | httpx -status-code
Now look for the subdomains returning a 404 status code, take them separately and look up their CNAME records manually; check whether the CNAME target is vulnerable to subdomain takeover, and then go further.
I will show you the process for finding the CNAME of a website.
The command used is as follows (I took the ads.google.com subdomain as the example):
dig ads.google.com CNAME

In the output, if you see NXDOMAIN in the status, like this:
STATUS: NXDOMAIN
then the CNAME target no longer resolves (a dangling record) and this subdomain is most likely vulnerable to subdomain takeover. Note the CNAME target and cross-check it against CAN-I-TAKE-OVER-XYZ.
This GitHub repository lists the services whose CNAME targets are known to be vulnerable to subdomain takeover, so you can check whether the CNAME you found is vulnerable to takeover or not.
CAN-I-TAKE-OVER-XYZ GitHub link: https://github.com/EdOverflow/can-i-take-over-xyz
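The two checks just described (NXDOMAIN status in the dig output, then a cross-check of the CNAME target against a known-service list) are easy to get wrong by hand once there are more than a few 404 hosts, and a zone owner wants the same triage to find dangling records in their own DNS before anyone else does. The Python below is an added example, not code from the article or from either GitHub project: it parses the text that `dig <host> CNAME` prints, extracts the response status and the CNAME target, and classifies each host. The dig outputs are constructed for four hypothetical hosts under example.com, and the suffix table is a constructed placeholder standing in for the can-i-take-over-xyz list, not its real contents.

```python
"""Triage dig output for dangling CNAME records.

Added example (not the article's code). A CNAME answer together with an
NXDOMAIN status means the record is dangling: the name still points at a
target that no longer exists. Whether a dangling target can actually be
claimed depends on the service, so the second step matches the target
against a suffix table. The table here is a constructed placeholder; the
real list lives in the can-i-take-over-xyz repository.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

STATUS_RE = re.compile(r"status:\s*([A-Z]+)")
# One answer-section line: "<owner> <ttl> IN CNAME <target>"
CNAME_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+CNAME\s+(\S+)\s*$", re.MULTILINE)

# Constructed stand-in for the service list: target suffix -> service name.
CLAIMABLE_SUFFIXES: Dict[str, str] = {
    ".pages.hosting-provider.example": "Hosting Provider Pages (placeholder)",
    ".cdn.static-host.example": "Static Host CDN (placeholder)",
}

# Constructed dig outputs for hypothetical hosts (not real DNS data).
DIG_OUTPUTS = {
    "old-blog.example.com": """
; <<>> DiG 9.18.1 <<>> old-blog.example.com CNAME
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; ANSWER SECTION:
old-blog.example.com.\t300\tIN\tCNAME\tblog-prod.pages.hosting-provider.example.
""",
    "docs.example.com": """
; <<>> DiG 9.18.1 <<>> docs.example.com CNAME
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; ANSWER SECTION:
docs.example.com.\t300\tIN\tCNAME\tdocs-site.cdn.static-host.example.
""",
    "legacy.example.com": """
; <<>> DiG 9.18.1 <<>> legacy.example.com CNAME
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4244
;; ANSWER SECTION:
legacy.example.com.\t300\tIN\tCNAME\tapp.unknown-vendor.example.
""",
    "www.example.com": """
; <<>> DiG 9.18.1 <<>> www.example.com CNAME
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4245
""",
}


@dataclass
class Triage:
    host: str
    status: str
    target: Optional[str]
    verdict: str


def parse_dig(text: str) -> Tuple[str, Optional[str]]:
    """Return (status, cname_target) from one dig output; target is None without a CNAME."""
    m = STATUS_RE.search(text)
    status = m.group(1) if m else "UNKNOWN"
    c = CNAME_RE.search(text)
    target = c.group(2).rstrip(".").lower() if c else None
    return status, target


def classify(host: str, text: str) -> Triage:
    """Apply the article's two checks: NXDOMAIN + CNAME, then service cross-check."""
    status, target = parse_dig(text)
    if target is None:
        verdict = "no CNAME"
    elif status != "NXDOMAIN":
        verdict = "CNAME resolves"
    else:
        service = next((name for suf, name in CLAIMABLE_SUFFIXES.items()
                        if target.endswith(suf)), None)
        verdict = (f"dangling CNAME, known claimable service: {service}"
                   if service else "dangling CNAME, unknown service")
    return Triage(host, status, target, verdict)


def triage_all(outputs: Dict[str, str]) -> Dict[str, Triage]:
    """Classify every host; dangling records should be deleted or re-pointed."""
    return {host: classify(host, text) for host, text in outputs.items()}


if __name__ == "__main__":
    for result in triage_all(DIG_OUTPUTS).values():
        print(f"{result.host:24} {result.status:9} {result.target or '-':45} {result.verdict}")
```

A host that comes back as "dangling CNAME, unknown service" is still a hygiene problem for the zone owner even when no known service matches: the record serves no purpose and should be removed or re-pointed, which is the fix regardless of whether a takeover is possible.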
Or you can use automation tools to check whether a subdomain is vulnerable to subdomain takeover or not.
The tool is called Subzy, and it is one of the tools most bug bounty hunters use for automation.
Tool link: https://github.com/LukaSikic/subzy
After confirming that the subdomain is vulnerable, write a report and submit it to the respective bug bounty program.
Links to the tools I used:
- Subfinder: https://github.com/projectdiscovery/subfinder
- Amass: https://github.com/OWASP/Amass
- Crt.sh: https://github.com/az7rb/crt.sh
- Anew: https://github.com/tomnomnom/anew
Some HackerOne reports related to the subdomain takeover vulnerability:
- https://hackerone.com/reports/202767
- https://hackerone.com/reports/325336
- https://hackerone.com/reports/181665
- https://hackerone.com/reports/121461
- https://hackerone.com/reports/159156
I hope you liked this article. If you have any suggestions or doubts, feel free to comment below.