SUBDOMAIN
TAKEOVER
What is a Subdomain?
• A subdomain is a name carved out beneath your root domain, such as help.yourdomainname.com.
• Your IT department, webmaster or you usually set up subdomains for 3rd party services such as helpdesk applications, calendar or mail apps, and sometimes to host a micro website.
What is DNS?
• The Domain Name System (DNS) translates Internet domain and host names to IP addresses and, through reverse lookups, IP addresses back to names.
• On the Internet, DNS automatically converts the names we type in our web browser's address bar to the IP addresses of the web servers hosting those sites. Larger corporations also use DNS to manage their own company intranet. Home networks use DNS when accessing the Internet but rarely use it for managing the names of home computers.
What are DNS Records?
• The data that tells a DNS server how to answer queries for a domain is held in its DNS records, which are grouped into zone files. (DNS records tell resolvers where to find a server; they do not tell the web server itself how to respond.)
• These records play a vital role in the functionality of the internet, and anyone working with internet technology should learn how they are used.
• DNS records are essentially mappings that tell the DNS server which IP address, or which other name, each domain name is associated with, and how queries for that name should be answered.
What are DNS Records?
• When someone visits a web site, the browser first asks a DNS resolver for the site's address; once the name is resolved, the browser connects to the web server, provided by a web hosting company, that holds the site's content.
• Each record carries a type that dictates how the DNS server answers queries for that name.
• Some record types used in nearly all DNS configurations are A, AAAA and CNAME.
What Is an 'A' Record?
• An A record (Address Record) points a domain or subdomain to an IPv4 address.
• For example, you can use it for store.website.com or blog.website.com and point it at the server where your store is hosted.
• This is a common practice for people who host on platforms such as Amazon, eBay or Tumblr.
What is an 'AAAA' Record?
• The AAAA record is similar to the A record, but it points the domain to an IPv6 address.
• Zone File: This is where all the DNS records for a domain are stored.
• Host Record: This is the domain or subdomain you wish to use. The @ symbol indicates the root domain itself. In our example the host record 'ftp' would be for the subdomain ftp.google.com and '@' would be google.com itself.
What is CNAME?
• The "CNAME" record stands for "canonical name" and makes one name an alias of another. A resolver that looks up the alias is handed the target name and continues the lookup there, so whoever controls the target controls what the alias resolves to. CNAME is often used to associate new subdomains with an existing domain's DNS records, including names owned by a 3rd party provider.
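As an added example (not part of the original slides), here is a toy zone file and a resolver that follows CNAME chains the way a real resolver does, covering the A, AAAA and CNAME records described above. The zone contents, names and addresses are constructed for illustration. The `validate` function also enforces the rule that a CNAME may not share its name with any other record, which is why a CNAME can never sit at the zone apex next to SOA/NS.

```python
from dataclasses import dataclass

# Constructed zone for illustration only (names and addresses are hypothetical).
ZONE_TEXT = """\
; company.com zone, illustrative
company.com.         3600 IN A     203.0.113.10
company.com.         3600 IN AAAA  2001:db8::10
www.company.com.     3600 IN CNAME company.com.
blog.company.com.    300  IN A     203.0.113.20
help.company.com.    300  IN CNAME support.company.com.
support.company.com. 300  IN CNAME company.com.
shop.company.com.    300  IN CNAME exampleshop.someecommerceplatform.com.
"""


@dataclass(frozen=True)
class Record:
    name: str
    ttl: int
    rtype: str
    value: str


def fqdn(name):
    """Normalise a name to lower case with a trailing dot."""
    return name.lower().rstrip(".") + "."


def parse_zone(text):
    """Parse 'name TTL IN TYPE value' lines; ';' starts a comment."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        name, ttl, _cls, rtype, value = line.split()
        rtype = rtype.upper()
        if rtype == "CNAME":
            value = fqdn(value)
        records.append(Record(fqdn(name), int(ttl), rtype, value))
    return records


def validate(records):
    """Names that carry a CNAME alongside other records. RFC 1034 s3.6.2 forbids
    this, which is why a CNAME can never sit at the apex next to SOA/NS."""
    types_by_name = {}
    for r in records:
        types_by_name.setdefault(r.name, set()).add(r.rtype)
    return sorted(n for n, t in types_by_name.items() if "CNAME" in t and len(t) > 1)


def resolve(name, records, max_hops=8):
    """Follow CNAMEs from `name`; return the chain and any addresses at its end.
    If the final name is not in this zone, resolution continues in whoever's zone
    owns that name: this zone has no say in the answer."""
    chain = [fqdn(name)]
    while True:
        current = chain[-1]
        targets = [r.value for r in records if r.name == current and r.rtype == "CNAME"]
        if not targets:
            break
        if targets[0] in chain:
            raise ValueError("CNAME loop: " + " -> ".join(chain + targets[:1]))
        if len(chain) >= max_hops:
            raise ValueError("CNAME chain longer than %d hops" % max_hops)
        chain.append(targets[0])
    final = chain[-1]
    return {
        "chain": chain,
        "final": final,
        "in_zone": any(r.name == final for r in records),
        "addresses": [r.value for r in records if r.name == final and r.rtype in ("A", "AAAA")],
    }


if __name__ == "__main__":
    zone = parse_zone(ZONE_TEXT)
    print("violations:", validate(zone))
    for n in ("help.company.com", "shop.company.com"):
        print(n, resolve(n, zone))
```

Resolving shop.company.com ends at exampleshop.someecommerceplatform.com with no address in the company's own zone: the answer is whatever the provider's zone says, which is exactly the dependency the rest of this deck is about.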
That's enough of basics! Let's look
into the Vulnerability!!
Ever seen one of these?
The Attack Scenario
• Many websites do not work with just company.com or www.company.com. For email, blogs and internal applications these companies use subdomains.
• Each subdomain maps to a specific IP address, a 3rd party service, etc. that serves its content.
• There are several popular cloud e-commerce providers (e.g. Shopify, BigCommerce, Magento, Yokart, Big Cartel), so the company sets up a new store on one of these offerings.
• After setup and configuration, the cloud e-commerce provider assigns exampleshop.someecommerceplatform.com as the store's domain.
• But this isn't very compelling to share with customers, so the company wants the store to appear under its own brand, at shop.company.com.
The Attack Scenario
• To achieve this, the company has two configuration options:
1. An HTTP 301/302 redirect that sends visitors of shop.company.com to the e-commerce provider's domain. This approach is less appealing because it completely replaces the domain in the URL bar of the user's browser.
2. A CNAME DNS record that delegates the DNS resolution directly to the e-commerce provider. With this approach the domain in the URL bar stays unchanged. (Note: not all cloud providers support DNS delegation using CNAME.)
• Since the CNAME approach is more seamless, the company proceeds with option 2.
The Attack Scenario
• Now, for whatever reason, the company decides to stop using this service. To save money, it cancels its subscription with the 3rd party e-commerce platform.
• But the company can easily forget to update, or simply remove, the CNAME record in its DNS zone file.
• An attacker notices that the subdomain no longer serves content but its CNAME still points at the 3rd party platform, signs up for the same service and claims the name as their own.
• Because the provider validates ownership of a custom domain by checking that its CNAME points at the provider, and that record is already in place, no additional verification is required for the attacker's new account.
The Attack Scenario
• Now the attacker can clone the company's website, create login pages and redirect users to log in on the subdomain, all served from a name under company.com.
• Worse, in some cases the attacker can email the company's user base from that name and steal their credentials.
• This leads to large-scale compromise and damages the company's credibility in data handling and security practices.
NOBODY WAS AN EXCEPTION TO THIS!!!
A FEW PoCs FOR
BETTER
UNDERSTANDING
iFIXIT SUBDOMAIN TAKEOVER
Subdomain Takeover in 3 easy steps!!!
1. Found a subdomain pointing to an expired Shopify shop.
2. Signed in to Shopify and linked the vulnerable subdomain with the account.
3. Subdomain successfully taken over!!!
Hijacking Expired/Unlinked GitHub Pages
• First check the DNS info for a CNAME entry; it should be something like (something.github.io).
• Then visit the CNAME target directly; it should show the same error the subdomain is showing.
• Now create a new repository in your GitHub account matching the CNAME of the website, then go to the settings of the repository and do the configuration.
• Scroll down to the GitHub Pages section. Press "Choose a theme" and select a theme for your GitHub page.
• Now you can upload index and other files to the repository and edit them.
• The last step is to add the vulnerable subdomain as the Custom Domain.
Hijacking Expired/Unlinked Desk Pages
• To verify, check the DNS entry for a CNAME record; it should be something like (site.desk.com).
• After confirmation, create an account on desk.com with the same CNAME.
• Go to settings and add the subdomain in the Web address.
• After that just switch the status to Enable and the subdomain will be yours.
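The first step of each PoC above is the same: confirm that the subdomain is a CNAME to a 3rd party provider and that the provider answers with its "unclaimed" page. As an added example that is not part of the original slides, the following classifier does that over constructed probe data. The subdomains, CNAME targets and response bodies are made up; the fingerprint strings and the non-resolving elasticbeanstalk.com target are assumptions that must be checked against each provider's current behaviour before a result is trusted (providers change their error pages and some have added domain verification since this deck was written).

```python
from dataclasses import dataclass
from typing import Optional

# Assumed fingerprints keyed by CNAME target suffix (illustrative only; verify
# each against the provider's current "unclaimed" response before relying on it).
FINGERPRINTS = {
    "github.io": ("GitHub Pages", "There isn't a GitHub Pages site here"),
    "myshopify.com": ("Shopify", "Sorry, this shop is currently unavailable"),
    "s3.amazonaws.com": ("AWS S3", "NoSuchBucket"),
}


@dataclass
class Probe:
    """One observation per subdomain. A live scanner would fill these in from a
    CNAME lookup, an A/AAAA lookup of the target, and an HTTP GET of the subdomain."""
    subdomain: str
    cname: Optional[str]    # CNAME target, or None when the name is not an alias
    target_resolves: bool   # whether the CNAME target itself has an address
    body: str               # HTTP response body observed on the subdomain


def provider_for(target):
    """Match a CNAME target against the known provider suffixes."""
    t = target.lower().rstrip(".")
    for suffix, (provider, fingerprint) in FINGERPRINTS.items():
        if t == suffix or t.endswith("." + suffix):
            return provider, fingerprint
    return None


def classify(p):
    """Return (status, provider) for one probe."""
    if p.cname is None:
        return "not-an-alias", None          # A/AAAA records need a different check
    if not p.target_resolves:
        # Dangling target with no DNS answer at all (e.g. a deleted cloud hostname).
        # Claimable only if the provider lets a new tenant register that exact
        # hostname, so this needs a manual check rather than an automatic verdict.
        return "target-nxdomain", None
    known = provider_for(p.cname)
    if known is None:
        return "unknown-provider", None      # review manually against the provider
    provider, fingerprint = known
    if fingerprint in p.body:
        return "vulnerable", provider        # provider says nobody owns this name
    return "in-use", provider


def find_candidates(probes):
    """Classify every probe; returns (subdomain, status, provider) triples."""
    return [(p.subdomain,) + classify(p) for p in probes]


# Constructed probe results so the example runs offline (no real hosts).
PROBES = [
    Probe("shop.company.com", "exampleshop.myshopify.com", True,
          "<h1>Sorry, this shop is currently unavailable.</h1>"),
    Probe("docs.company.com", "company.github.io", True,
          "<title>Site not found</title> There isn't a GitHub Pages site here."),
    Probe("blog.company.com", "company-blog.github.io", True,
          "<html>Welcome to our blog</html>"),
    Probe("app.company.com", "company-app.us-east-1.elasticbeanstalk.com", False, ""),
    Probe("www.company.com", None, True, "<html>home</html>"),
    Probe("help.company.com", "company.desk.com", True, "<html>Page not found</html>"),
]

if __name__ == "__main__":
    for subdomain, status, provider in find_candidates(PROBES):
        print(f"{subdomain:22} {status:18} {provider or '-'}")
```

Only "vulnerable" is an automatic finding; "target-nxdomain" and "unknown-provider" are queues for a human, which is where most false positives in takeover scanning come from.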
Is it really "hacking"?
• It isn't a hack in the classic sense, even though it looks that way.
• The subdomain simply points at another domain using a CNAME record, and nobody removed that record when the service behind it was dropped.
• However, imagine the case where someone is aiming to steal credentials: the attacker's page is served under the company's own domain, so neither the browser nor the user has any reason to distrust it.
PREVENTION!
• Preventing subdomain takeover starts with proper monitoring and analysis of the DNS records of your digital footprint.
• Building and maintaining visibility of your dynamic digital footprint, including every change to your DNS configuration, is key to addressing this problem before it's too late.
• In practice: keep an inventory of every CNAME that points outside your own zone and the service owner behind it, and make removing the DNS record the first step of cancelling any 3rd party service, never an afterthought.
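As an added example (not part of the original slides), here is an internal audit that turns the prevention advice above into a check: it takes a zone export and the inventory of 3rd party services the company still pays for, reports every CNAME that leaves the company's own zone without an active service behind it, and refuses to cancel a subscription while a DNS record still points at it. The zone export (assumed already parsed into tuples), the service inventory and the hostnames are constructed for illustration.

```python
OWN_ZONE = "company.com."

# Constructed zone export, already parsed into (name, type, value) tuples.
ZONE_EXPORT = [
    ("www.company.com.", "CNAME", "company.com."),
    ("shop.company.com.", "CNAME", "exampleshop.someecommerceplatform.com."),
    ("docs.company.com.", "CNAME", "company-docs.github.io."),
    ("help.company.com.", "CNAME", "company.desk.com."),
    ("status.company.com.", "CNAME", "company.statuspage.io."),
    ("mail.company.com.", "A", "203.0.113.5"),
]

# Constructed inventory of subscriptions still active: external hostname -> owner.
ACTIVE_SERVICES = {
    "company-docs.github.io.": "docs-team",
    "company.statuspage.io.": "sre",
    "exampleshop.someecommerceplatform.com.": "marketing",
}


def fqdn(name):
    return name.lower().rstrip(".") + "."


def is_external(target):
    """True when a CNAME target lives outside the company's own zone."""
    t = fqdn(target)
    return t != OWN_ZONE and not t.endswith("." + OWN_ZONE)


def external_cnames(zone):
    """Every CNAME in the export whose target is a 3rd party name."""
    return [(fqdn(n), fqdn(v)) for n, t, v in zone
            if t.upper() == "CNAME" and is_external(v)]


def orphaned_cnames(zone, active):
    """External CNAMEs with no active subscription behind them: takeover candidates
    that the company itself can find before an attacker does."""
    return [(n, v) for n, v in external_cnames(zone) if v not in active]


def records_blocking_cancellation(zone, service_host):
    """Records that must be deleted before a subscription may be cancelled."""
    host = fqdn(service_host)
    return [n for n, v in external_cnames(zone) if v == host]


def cancel_subscription(zone, active, service_host):
    """Offboarding gate: the DNS record goes first, the subscription second.
    Returns the updated inventory; raises while DNS still points at the service."""
    blockers = records_blocking_cancellation(zone, service_host)
    if blockers:
        raise RuntimeError(f"remove {blockers} before cancelling {service_host}")
    remaining = dict(active)
    remaining.pop(fqdn(service_host), None)
    return remaining


if __name__ == "__main__":
    for name, target in orphaned_cnames(ZONE_EXPORT, ACTIVE_SERVICES):
        print(f"ORPHANED  {name} -> {target}")
    try:
        cancel_subscription(ZONE_EXPORT, ACTIVE_SERVICES, "exampleshop.someecommerceplatform.com")
    except RuntimeError as e:
        print("BLOCKED  ", e)
```

Running this over the constructed data flags help.company.com (the desk.com name with no owner) and blocks cancelling the shop until shop.company.com is deleted, which is the order of operations the attack scenario above depends on being wrong.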
Tools to Enumerate Subdomains
• HostileSubBruteforcer
This tool was written by Ben Sadeghipour (@Nahamsec). It is written in Ruby and is one of the best tools for takeovers. It not only lists subdomains by bruteforcing them, it also maps out where each one points. Along with that, if a subdomain returns errors like "This Github pages does not exist" or "NoSuchBucket", it prints a red alert and asks you to check it for a possible takeover.
• Sublist3r
This tool aggregates results from multiple sources. It collects subdomains from VirusTotal, ThreatCrowd, DNSDumpster, PassiveDNS and many others. One downside is that it can produce false positives: some sources, such as DNSDumpster, refresh their data only about once a month, so a record changed within that window may still be reported with its old value. Nonetheless, this is a great tool to have on your side.
A FEW MORE TOOLS…
1. Aquatone
2. Subjack
3. Sub6
4. Knockpy
5. Crt.sh
HAPPY HACKING!
