Hello everyone, Hope everyone is having good day. Today we are going learn about subdomain takeover vulnerability which is a good vulnerability but little bit difficult when it comes to finding the vulnerability.
I will be sharing some tips to how to find subdomain takeover vulnerability and tools used to do subdomain enumeration and techniques to find whether the domain is vulnerable.
Let’s get back to the main topic here,
What is Subdomain?
Subdomain is sub-division of the domain. And domain is refereed as, for example if we take Google for instance, google.com is the domain and ads.google.com is the subdomain of the google domain.
Like that Subdomain is next level of the domain.
- google.com à Domain
- ads.google.com -à subdomain
- example.ads.google.com à subdomain of the subdomain
These are the examples for subdomains. Now let’s go for subdomain enumeration.
Here is the procedure I follow while doing subdomain enumeration.
- I use some tools like subfinder, amass, crt.sh
- And then combine all the results of the subdomains which came from those tools.
- And then run httpx, httprobe for finding which domains are alive.
- Then go for 404 status code domains and check for CNAME.
- If the CNAME is vulnerable then, go for subdomain takeover otherwise there is no vulnerability.
Subdomain enumeration using subfinder:
subfinder -d google.com
This is how all the people do subdomain enumeration but, let me show you something different here. See when you try to enumerate subdomains using the command mentioned above you will get the results. And the output is.
We had got nearly 11379 subdomains for instance using the command. But shall we run the command again with some little change.
Command now to use is:
subfinder -d google.com -all
And let’s wait for the output. It may take some time while enumerating so wait patiently
Now compare the output with previous command
Output when using first command: 11379
Output when using second command: 17515
We had gathered some more subdomains by adding -all in the command.
Now it’s time for Amass
amass enum -brute -active -d google.com -o amassactive.txt (Active enumeration)
enumeration process take time, so just wait some time
The enumeration is done, the output is mentioned above.
amass enum -passive -d google.com -o amasspassive.txt (Passive enumeration)
the enumeration process take time, wait for some time.
The subdomain enumeration is done completely and combine both the outputs and make an amass subdomain enumeration file.
Before this install a tool called anew from GitHub that helps you combine these outputs.
Tool link: https://github.com/tomnomnom/anew
A tool which is quite popular I think you did hear about that too.
Combine both the outputs using this command.
cat amassenum.txt amasspassive.txt | anew amassout.txt
Now let’s for crt.sh tool
crt.sh is a good tool for subdomain enumeration and here is the procedure,
bash crt.sh -d google.com
And the output looks like
Now, combine all the outputs using the command mentioned below:
cat subfinderout.txt amassout.txt domain.google.com.txt | anew subdomains.txt
it will combine all the subdomains into a single txt file.
Now it’s time to send it for httpx tool, for finding out live subdomains:
Command used is:
link of httpx tool I used in this subdomain enumeration process is mentioned below:
Because it has the feature to find out status codes, technologies used by the website, and many more.
cat subdomains.txt | httpx -status-code
Now look for 404 status codes and take them separately and look manually, for CNAMES and check whether the CNAME is vulnerable to subdomain takeover and then go further.
I will show you the process to find out the CNAME of the website.
The command used is: I had taken ads.google.com subdomain
dig ads.google.com CNAME
In the output, if you see NXDOMAIN in the status like this
Then this subdomain is most likely vulnerable to subdomain takeover and check the CNAME and cross-check the CNAME through CAN-I-TAKE-OVER-XYZ
This GitHub repository contains the CNAME records which are vulnerable to subdomain takeover and check whether the CNAME is vulnerable to takeover or not.
CAN-I-TAKE-OVER-XYZ GitHub link: https://github.com/EdOverflow/can-i-take-over-xyz
Or You can use automation tools for checking whether the subdomain is vulnerable to subdomain takeover or not.
The tool name is: Subzy. And it is one of the tool which is used by most of the bug bounty hunters for automation purposes.
The tool link: https://github.com/LukaSikic/subzy
After confirming that the subdomain is vulnerable, make a report and report to the respective bug bounty program.
The links of the tools which I had used are:
- Subfinder: https://github.com/projectdiscovery/subfinder
- Amass: https://github.com/OWASP/Amass
- Crt.sh: https://github.com/az7rb/crt.sh
Anew tool link: https://github.com/tomnomnom/anew
Some Hacker one reports which are related to subdomain takeover vulnerability:
I hope you had liked this article, if you have any suggestion or any doubts feel free to comment below.