Domain/Subdomain takeover

Tip

Μάθετε & εξασκηθείτε στο AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Μάθετε & εξασκηθείτε στο GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Μάθετε & εξασκηθείτε στο Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Υποστηρίξτε το HackTricks

Domain takeover

If you discover some domain (domain.tld) that is being used by some service inside the scope but the company has lost the ownership of it, you can try to register it (if cheap enough) and let the company know. If this domain is receiving some sensitive information like a session cookie via GET parameter or in the Referer header, this is for sure a vulnerability.

Subdomain takeover

Μία υπο-δομή (subdomain) της εταιρείας δείχνει σε μια third-party service με όνομα που δεν έχει καταχωρηθεί. Αν μπορείτε να δημιουργήσετε έναν λογαριασμό σε αυτήν την third party service και να εγγράψετε το όνομα που χρησιμοποιείται, μπορείτε να εκτελέσετε subdomain takeover.

There are several tools with dictionaries to check for possible takeovers:

Subdomain Takeover Generation via DNS Wildcard

Όταν χρησιμοποιείται DNS wildcard σε ένα domain, οποιοδήποτε υπο-όνομα αυτού του domain που δεν έχει ρητά διαφορετική διεύθυνση θα αναλύεται προς την ίδια πληροφορία. Αυτό μπορεί να είναι μια A ip address, ένα CNAME…

Για παράδειγμα, αν *.testing.com είναι wildcarded σε 1.1.1.1. Τότε, not-existent.testing.com θα δείχνει στο 1.1.1.1.

Ωστόσο, αν αντί να δείχνει σε διεύθυνση IP, ο sysadmin το δείχνει σε μια third party service μέσω CNAME, όπως για παράδειγμα μια GitHub subdomain (sohomdatta1.github.io). Ένας επιτιθέμενος θα μπορούσε να δημιουργήσει τη δική του third party page (σε GitHub στην προκειμένη περίπτωση) και να δηλώσει ότι something.testing.com δείχνει εκεί. Επειδή το CNAME wildcard θα συμφωνήσει, ο επιτιθέμενος θα είναι σε θέση να δημιουργήσει αυθαίρετα υπο-τομείς για το domain του θύματος που δείχνουν στις σελίδες του.

You can find an example of this vulnerability in the CTF write-up: https://ctf.zeyu2001.com/2022/nitectf-2022/undocumented-js-api

Exploiting a subdomain takeover

Subdomain takeover is essentially DNS spoofing for a specific domain across the internet, allowing attackers to set A records for a domain, leading browsers to display content from the attacker’s server. This transparency in browsers makes domains prone to phishing. Attackers may employ typosquatting or Doppelganger domains for this purpose. Especially vulnerable are domains where the URL in a phishing email appears legitimate, deceiving users and evading spam filters due to the domain’s inherent trust.

Check this post for further details

SSL Certificates

SSL certificates, if generated by attackers via services like Let’s Encrypt, add to the legitimacy of these fake domains, making phishing attacks more convincing.

Browser transparency also extends to cookie security, governed by policies like the Same-origin policy. Cookies, often used to manage sessions and store login tokens, can be exploited through subdomain takeover. Attackers can gather session cookies simply by directing users to a compromised subdomain, endangering user data and privacy.

CORS Bypass

It might be possible that every subdomain is allowed to access CORS resources from the main domain or other subdomains. This could be exploited by an attacker to access sensitive information abusing CORS requests.

CSRF - Same-Site Cookies bypass

It could be possible that the subdomain is allowed to send cookies to the domain or other subdomains which was prevented by the Same-Site attribute of the cookies. However, note that anti-CSRF tokens will still prevent this attack if they are properly implemented.

OAuth tokens redirect

It might be possible that the compromised subdomain is allowed to be used in the redirect_uri URL of an OAuth flow. This could be exploited by an attacker to steal the OAuth token.

CSP Bypass

It might be possible that the compromised subdomain (or every subdomain) is allowed to be used for example the script-src of the CSP. This could be exploited by an attacker to inject malicious scripts and abuse potential XSS vulnerabilities.

Emails and Subdomain Takeover

Another aspect of subdomain takeover involves email services. Attackers can manipulate MX records to receive or send emails from a legitimate subdomain, enhancing the efficacy of phishing attacks.

Higher Order Risks

Further risks include NS record takeover. If an attacker gains control over one NS record of a domain, they can potentially direct a portion of traffic to a server under their control. This risk is amplified if the attacker sets a high TTL (Time to Live) for DNS records, prolonging the duration of the attack.

CNAME Record Vulnerability

Attackers might exploit unclaimed CNAME records pointing to external services that are no longer used or have been decommissioned. This allows them to create a page under the trusted domain, further facilitating phishing or malware distribution.

Mitigation Strategies

Mitigation strategies include:

  1. Removing vulnerable DNS records - This is effective if the subdomain is no longer required.
  2. Claiming the domain name - Registering the resource with the respective cloud provider or repurchasing an expired domain.
  3. Regular monitoring for vulnerabilities - Tools like aquatone can help identify susceptible domains. Organizations should also revise their infrastructure management processes, ensuring that DNS record creation is the final step in resource creation and the first step in resource destruction.

For cloud providers, verifying domain ownership is crucial to prevent subdomain takeovers. Some, like GitLab, have recognized this issue and implemented domain verification mechanisms.

Detection techniques

  • Find dangling DNS records: look for CNAME/A/AAAA/ALIAS/ANAME records pointing to non-existent resources (deleted buckets, apps, pages, load balancers).
  • Check provider error signatures: match HTTP responses, TLS certs, or DNS errors to known takeover patterns (see can-i-take-over-xyz).
  • Look for orphaned cloud assets: verify S3/CloudFront, Azure Websites, GCP App Engine/Storage, GitHub Pages, Heroku, Fastly, Netlify, Vercel, Zendesk, Shopify, Atlassian, and similar services.
  • Passive DNS and historical records: old CNAMEs often reveal previously used third-party services that may still be vulnerable.
  • Wildcard pitfalls: confirm wildcard DNS vs. explicit records to avoid false positives and understand takeover amplification.

APIs and data sources

References

Tip

Μάθετε & εξασκηθείτε στο AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Μάθετε & εξασκηθείτε στο GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Μάθετε & εξασκηθείτε στο Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Υποστηρίξτε το HackTricks