Lab 3: NS Subdomain Takeover

NS subdomain takeover vulnerabilities

Difficulty: Medium

Lab Overview

This lab demonstrates NS subdomain takeover vulnerabilities: a subdomain's NS records delegate it to nameservers that no longer host its zone (typically because the zone at a managed DNS provider was deleted, or the nameserver's own domain expired), so an attacker who re-creates the zone at that provider, or registers the expired domain, answers for the whole subdomain.

Objective: Understand how NS subdomain takeover attacks work and how to exploit them.

NS Takeover Scanner

The lab's scanner looks up a subdomain's NS records and reports whether the delegated nameservers are open to takeover.

⚠️ NS Takeover Warning

This lab demonstrates the conditions behind an NS subdomain takeover:

  • Dangling Delegation - NS records that still point at a managed DNS provider after the zone there was deleted
  • Nameserver Hijacking - An attacker re-creating the zone at that provider (or registering an expired nameserver domain) and thereby answering for the subdomain
  • Weak Authentication - Providers that let any account create a zone for a name without proving ownership of it
  • No Validation - Nothing in the parent zone checks that the delegated nameservers actually serve the child zone
Vulnerable Nameservers

Nameservers commonly involved in takeovers. The risk is not the provider itself but a delegation to its nameservers for a zone that no longer exists there: anyone with an account at that provider can create the zone and be handed the same nameservers. The "lab label" column is the placeholder hostname this lab uses; the real hostnames these providers assign follow the pattern in the next column.

  Provider           Lab label              Real nameserver pattern                               Risk
  DigitalOcean DNS   ns1.digitalocean.com   ns1.digitalocean.com (same three hosts for every zone) High Risk
  DigitalOcean DNS   ns2.digitalocean.com   ns2.digitalocean.com                                   High Risk
  AWS Route 53       ns1.awsdns.com         ns-NNNN.awsdns-NN.{com,net,org,co.uk}                  High Risk
  AWS Route 53       ns2.awsdns.com         (four per hosted zone, drawn from a pool)              High Risk
  Cloudflare DNS     ns1.cloudflare.com     <name>.ns.cloudflare.com                               High Risk
  Cloudflare DNS     ns2.cloudflare.com     (a pair assigned per account)                          High Risk
  Google Cloud DNS   ns1.google.com         ns-cloud-XN.googledomains.com (X = a-e, N = 1-4)       High Risk
  Google Cloud DNS   ns2.google.com         (four per managed zone, drawn from a pool)             High Risk
NS Subdomain Takeover Techniques
NS Enumeration
# Enumerate NS records (the delegation lives in the parent zone, so ask for the NS set of the child name)
dig subdomain.example.com NS
nslookup -type=NS subdomain.example.com
host -t NS subdomain.example.com
Nameserver Detection
# Compare the NS targets against known managed-DNS hostname patterns:
# - ns[1-3].digitalocean.com                  DigitalOcean
# - ns-NNNN.awsdns-NN.{com,net,org,co.uk}     AWS Route 53
# - <name>.ns.cloudflare.com                  Cloudflare
# - ns-cloud-XN.googledomains.com             Google Cloud DNS
# A match alone is not a finding; the zone must also be missing at that provider (next step).
Nameserver Verification
# Ask the delegated nameserver directly for the subdomain
dig @ns1.vulnerable.com subdomain.example.com
# Read the status line of the answer:
# - NOERROR with the aa flag  -> the zone is hosted there; not vulnerable
# - REFUSED or SERVFAIL       -> the nameserver hosts no zone for the name; dangling delegation
# - NXDOMAIN                  -> lame delegation (authoritative for the parent, not the child); investigate
# - no answer                 -> host down, or the nameserver's domain is unregistered; check whois
Nameserver Hijacking
# Take over the dangling delegation
# 1. If the nameserver's own domain is unregistered, register it and run a DNS server on it;
#    otherwise create a zone for subdomain.example.com at the provider the NS records point to
# 2. Repeat zone creation until the nameservers assigned to your zone match the existing
#    delegation (DigitalOcean always assigns the same three; Route 53 and Google Cloud DNS
#    draw a set from a pool, so several attempts may be needed)
# 3. Serve records from the new zone; nothing in the victim's parent zone has to change
# 4. Verify the takeover with dig against a public resolver
DNS Record Manipulation
# Manipulate DNS records served from the hijacked zone
# - Point A records at attacker-controlled IPs
# - Create CNAME records to attacker-controlled hosts
# - Serve phishing content
# - Redirect traffic
Impact Assessment
# Assess takeover impact
# - Complete DNS control over the subdomain (any record type, including MX and TXT)
# - Traffic redirection
# - Phishing attacks
# - Credential theft
Vulnerability Details
  • Type: NS Subdomain Takeover
  • Severity: High
  • Method: Nameserver hijacking
  • Issue: NS delegation to nameservers that no longer host the zone (dangling delegation)
Attack Vectors
  • NS Enumeration: Find the subdomain's NS records
  • Nameserver Detection: Match the NS targets against known managed-DNS providers
  • Nameserver Verification: Query the delegated nameserver and check whether it hosts the zone (REFUSED/SERVFAIL means it does not)
  • Nameserver Hijacking: Re-create the zone at the provider, or register the expired nameserver domain
NS Subdomain Takeover Examples

Use these techniques to exploit NS subdomain takeover vulnerabilities:

1. NS Enumeration:
# Enumerate NS records
dig subdomain.example.com NS
nslookup -type=NS subdomain.example.com
host -t NS subdomain.example.com
# Use tools like: dig, nslookup, host, dnsrecon
2. DigitalOcean DNS Takeover:
# Check DigitalOcean NS
dig subdomain.example.com NS
# If NS points to ns1/ns2/ns3.digitalocean.com, ask that nameserver for the zone
dig @ns1.digitalocean.com subdomain.example.com
# REFUSED means DigitalOcean hosts no zone for the name: vulnerable
# 1. Register a DigitalOcean account
# 2. Create a DNS zone (domain) named subdomain.example.com in the control panel
# 3. DigitalOcean serves every zone from the same three nameservers, so the existing
#    delegation already points at your zone; the victim's NS records need no change
# 4. Add A/CNAME/MX records to the zone and verify them with dig
3. AWS Route 53 Takeover:
# Check AWS Route 53 NS
dig subdomain.example.com NS
# If NS points to ns-NNNN.awsdns-NN.* hosts, ask one of them for the zone
dig @ns-NNNN.awsdns-NN.com subdomain.example.com   # substitute the host from the NS answer
# REFUSED means no hosted zone answers for the name: vulnerable
# 1. Register an AWS account
# 2. Create a hosted zone for the name (--caller-reference is required and must be unique):
aws route53 create-hosted-zone --name subdomain.example.com --caller-reference "$(date +%s)"
# 3. Route 53 assigns four nameservers from a pool; compare the DelegationSet in the
#    output with the victim's NS records and delete/re-create the zone until they match
# 4. Add records to the matching zone and verify with dig
4. Cloudflare DNS Takeover:
# Check Cloudflare NS
dig subdomain.example.com NS
# If NS points to <name>.ns.cloudflare.com hosts, ask one of them for the zone
dig @<name>.ns.cloudflare.com subdomain.example.com   # substitute the host from the NS answer
# REFUSED means no Cloudflare zone answers for the name
# 1. Register a Cloudflare account
# 2. Add subdomain.example.com as a zone (adding a subdomain rather than a registrable
#    domain is a plan-restricted feature, so this is not always possible)
# 3. Cloudflare assigns a nameserver pair per account; the takeover only works if the
#    pair assigned to your account is the one in the victim's NS records
# 4. Configure DNS records and verify with dig
5. Google Cloud DNS Takeover:
# Check Google Cloud DNS NS
dig subdomain.example.com NS
# If NS points to ns-cloud-XN.googledomains.com hosts, ask one of them for the zone
dig @ns-cloud-XN.googledomains.com subdomain.example.com   # substitute the host from the NS answer
# REFUSED means no managed zone answers for the name
# 1. Register a Google Cloud account
# 2. Create a managed zone (--description is required):
gcloud dns managed-zones create subdomain-zone --dns-name=subdomain.example.com. --description="zone"
gcloud dns managed-zones describe subdomain-zone --format='value(nameServers)'
# 3. Compare the assigned ns-cloud-* set with the victim's NS records; delete and
#    re-create the zone until they match
# 4. Add records and verify with dig
6. Nameserver Verification:
# Verify nameserver control: query every delegated nameserver, not just the first
dig @ns1.vulnerable.com subdomain.example.com
dig @ns2.vulnerable.com subdomain.example.com
# Check what records the nameserver serves
dig @ns1.vulnerable.com subdomain.example.com ANY
# Many servers answer ANY with a minimal response, so query the types individually:
# - A records
# - CNAME records
# - MX records
# - TXT records
7. DNS Record Manipulation:
# Manipulate DNS records served from the hijacked zone
# Point A records at attacker-controlled IPs
# Create CNAME records to attacker-controlled hosts
# Serve phishing content
# Redirect traffic
# Example records (1.2.3.4 and the hostnames are placeholders):
# A      subdomain.example.com       1.2.3.4
# CNAME  www.subdomain.example.com   phishing-site.com
# MX     subdomain.example.com       malicious-mail-server.com
8. Traffic Redirection:
# Redirect traffic to attacker-controlled sites
# 1. Point A records at attacker-controlled IPs
# 2. Create CNAME records to phishing hosts
# 3. Serve malicious content
# 4. Capture credentials
# Example (placeholders):
# A      subdomain.example.com      -> 1.2.3.4
# CNAME  www.subdomain.example.com  -> phishing-site.com
9. Phishing Attack Setup:
# Set up a phishing attack on the hijacked subdomain
# 1. Create a phishing site
# 2. Point the subdomain at it
# 3. Serve convincing content
# 4. Capture credentials
# Example:
# Create a phishing page that mimics the legitimate site
# Point subdomain.example.com at the phishing host
# Serve a convincing login form
# Capture user credentials
10. Credential Harvesting:
# Harvest credentials
# 1. Create a fake login page
# 2. Point the subdomain at the fake page
# 3. Serve convincing content
# 4. Capture and store credentials
# Example:
# Create a fake login page
# Point subdomain.example.com at the fake page
# Serve a convincing login form
# Capture and store credentials
11. Automated NS Takeover Detection:
# Use automated tools
# - subjack
# - takeover
# - subzy
# - subdomain-takeover
# Example with subjack:
subjack -w subdomains.txt -t 100 -o results.txt
# Example with takeover:
takeover -l subdomains.txt -t 10
# Example with subzy:
subzy run --targets subdomains.txt
# Caveat: these tools mainly match CNAME targets and HTTP fingerprints of known services.
# A dangling NS delegation shows up as REFUSED/SERVFAIL from the delegated nameserver,
# so confirm NS findings by hand as in step 12.
12. Manual NS Verification:
# Manual verification steps
# 1. Check NS records
# 2. Verify nameserver control
# 3. Test for vulnerable nameservers
# 4. Attempt nameserver hijacking
# 5. Confirm takeover
# 6. Document findings
# Example verification:
dig subdomain.example.com NS
dig @ns1.vulnerable.com subdomain.example.com
# Read the status line: NOERROR with the aa flag means the zone is hosted;
# REFUSED or SERVFAIL means the nameserver hosts no zone for the name
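The Nameserver Detection and Nameserver Verification steps, and the manual check in step 12, automated over a list of delegations. This is an added example, not code from the lab page: it assumes an injected query callable (so it runs offline against constructed answers), constructed sample delegations whose hostnames (ns-1234.awsdns-56.org, oldvendor.example and so on) are made up, and the dnspython package for the optional live lookup. It goes beyond the page's single dig in two ways: it matches NS targets against the providers' real hostname patterns rather than the lab's placeholder labels, and it separates REFUSED/SERVFAIL (dangling) from NXDOMAIN (lame) and from a timeout (which proves nothing by itself).

```python
"""Dangling NS delegation checker: added example, not code from the lab page.
For each delegated name it asks the delegated nameservers for that name and
reads the rcode (the Nameserver Detection / Verification steps).  `query` is
an injected callable so this runs offline on constructed answers; `live_query`
(needs dnspython) is the real lookup."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Real nameserver hostname patterns of the providers named on this page
# (the page's ns1.<provider>.com labels are placeholders, not real hosts).
PROVIDER_PATTERNS: Dict[str, str] = {
    "DigitalOcean DNS": r"^ns[1-3]\.digitalocean\.com\.?$",
    "AWS Route 53": r"^ns-\d+\.awsdns-\d+\.(com|net|org|co\.uk)\.?$",
    "Cloudflare DNS": r"^[a-z0-9-]+\.ns\.cloudflare\.com\.?$",
    "Google Cloud DNS": r"^ns-cloud-[a-e][1-4]\.googledomains\.com\.?$",
}

# How the delegated nameserver's rcode for the child name is read:
#   REFUSED/SERVFAIL -> it hosts no zone for that name (dangling delegation)
#   NXDOMAIN         -> lame: authoritative for the parent, not for this child
#   TIMEOUT          -> unreachable, possibly an expired NS domain (check whois)
#   anything else    -> ok, the zone is hosted (NOERROR)
STATUS_BY_RCODE = {"REFUSED": "dangling", "SERVFAIL": "dangling",
                   "NXDOMAIN": "lame", "TIMEOUT": "unreachable"}


def provider_for(ns_host: str) -> Optional[str]:
    host = ns_host.lower()
    for provider, pattern in PROVIDER_PATTERNS.items():
        if re.match(pattern, host):
            return provider
    return None


@dataclass
class Finding:
    name: str
    nameserver: str
    provider: Optional[str]
    rcode: str
    status: str  # ok | dangling | lame | unreachable


def check_delegation(name: str, nameservers: List[str],
                     query: Callable[[str, str], str]) -> List[Finding]:
    """Equivalent of `dig @ns name SOA` for every NS target, classified."""
    findings = []
    for ns in nameservers:
        try:
            rcode = query(ns, name)
        except Exception:  # timeout, or the NS host itself does not resolve
            rcode = "TIMEOUT"
        findings.append(Finding(name, ns, provider_for(ns), rcode,
                                STATUS_BY_RCODE.get(rcode, "ok")))
    return findings


def risk(findings: List[Finding]) -> str:
    # High: dangling at a provider where any account can create the zone;
    # Medium: dangling or lame elsewhere (manual follow-up); Low: hosted.
    if any(f.status == "dangling" and f.provider for f in findings):
        return "High"
    if any(f.status in ("dangling", "lame") for f in findings):
        return "Medium"
    return "Low"


def scan(delegations: Dict[str, List[str]],
         query: Callable[[str, str], str]) -> Dict[str, Tuple[str, List[Finding]]]:
    report = {}  # delegations: {delegated name: [NS targets]}, e.g. from a zone export
    for name, nameservers in delegations.items():
        findings = check_delegation(name, nameservers, query)
        report[name] = (risk(findings), findings)
    return report


def live_query(ns_host: str, name: str, timeout: float = 3.0) -> str:
    """Real lookup (`dig @ns_host name SOA`); requires the dnspython package."""
    import dns.message, dns.query, dns.rcode, dns.resolver  # optional dependency
    ns_ip = dns.resolver.resolve(ns_host, "A")[0].to_text()
    response = dns.query.udp(dns.message.make_query(name, "SOA"), ns_ip, timeout=timeout)
    return dns.rcode.to_text(response.rcode())


# Constructed delegations and answers (not real data) standing in for dig output.
SAMPLE_DELEGATIONS: Dict[str, List[str]] = {
    "old-app.example.com": ["ns-1234.awsdns-56.org", "ns-789.awsdns-01.co.uk"],
    "blog.example.com": ["ns1.digitalocean.com", "ns2.digitalocean.com"],
    "legacy.example.com": ["ns1.oldvendor.example", "ns2.oldvendor.example"],
}
SAMPLE_ANSWERS: Dict[Tuple[str, str], str] = {
    ("ns-1234.awsdns-56.org", "old-app.example.com"): "REFUSED",  # hosted zone deleted
    ("ns-789.awsdns-01.co.uk", "old-app.example.com"): "REFUSED",
    ("ns1.digitalocean.com", "blog.example.com"): "NOERROR",     # still hosted
    ("ns2.digitalocean.com", "blog.example.com"): "NOERROR",
    ("ns1.oldvendor.example", "legacy.example.com"): "SERVFAIL",  # vendor dropped the zone
}  # ns2.oldvendor.example is absent on purpose: the fake query times out


def sample_query(ns_host: str, name: str) -> str:
    try:
        return SAMPLE_ANSWERS[(ns_host, name)]
    except KeyError:
        raise TimeoutError(f"no answer from {ns_host}") from None


if __name__ == "__main__":
    for name, (level, findings) in scan(SAMPLE_DELEGATIONS, sample_query).items():
        print(f"{name}: {level}")
        for f in findings:
            print(f"  {f.nameserver:24} {f.rcode:8} {f.status:11} {f.provider or '-'}")
```

For a real assessment, feed `scan()` the NS records exported from your zones and pass `live_query` instead of `sample_query`. A "High" result still has to be confirmed by hand: create the zone at the provider and check whether the assigned nameservers match the delegation, exactly as in steps 2 to 5. An "unreachable" nameserver is a separate check, a whois lookup on the nameserver's domain to see whether it can simply be registered.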
13. NS Takeover Prevention:
# Prevent NS takeovers
# 1. Remove the NS records from the parent zone before deleting the zone they point to;
#    make the delegation part of the decommissioning checklist for the service
# 2. Inventory every NS record in your zones and verify each delegated nameserver
#    still answers authoritatively for the child
# 3. Protect registrar and DNS provider accounts with MFA and restrict who may edit NS records
# 4. Run regular security audits that include dangling delegations
# 5. Monitor subdomains through passive DNS and certificate transparency
# Example monitoring:
# - Alert on any change to NS records
# - Alert when a delegated nameserver starts returning REFUSED or SERVFAIL
# - Alert on certificates issued for your subdomains that you did not request
# - Rescan on a schedule
14. NS Takeover Impact:
# Assess takeover impact
# - Complete DNS control over the subdomain
# - Traffic redirection
# - Phishing attacks
# - Credential theft
# - Brand reputation damage
# Document findings:
# - Vulnerable NS records
# - Affected nameservers
# - Potential impact
# - Remediation steps
15. NS Takeover Remediation:
# Remediate NS takeovers
# 1. Delete the stale NS records from the parent zone, or re-create the zone at the
#    provider under your own account and point the delegation at its nameservers
# 2. If an attacker already created the zone, report it to the provider's abuse contact
# 3. Revoke or rotate anything that trusted the subdomain while it was hijacked
#    (certificates obtained through DNS validation, cookies scoped to the parent domain)
# 4. Set up the monitoring from step 13 so the same delegation cannot dangle again
# 5. Re-run the NS audit across all zones to find sibling delegations with the same problem
Mitigation Strategies
  • Remove a delegation from the parent zone before deleting the zone it points to; treat NS records as part of a service's decommissioning
  • Keep an inventory of every NS record in your zones and verify each delegated nameserver still answers authoritatively (NOERROR with the aa flag)
  • Monitor and alert on NS record changes and on delegated nameservers that start returning REFUSED or SERVFAIL
  • Run regular DNS security audits and include dangling delegations in vulnerability assessments
  • Monitor subdomains through passive DNS and certificate transparency for records and certificates you did not create
  • Protect registrar and DNS provider accounts with multi-factor authentication and restrict who can change NS records
  • Keep DNS change logs and audit trails so an unexpected delegation can be traced to its origin
  • Use NS takeover detection tools, but confirm their output by hand with dig
  • Educate engineering teams that a deleted zone, or an expired domain used as a nameserver, leaves the delegation exploitable