My-pentest-book
  • My-pentest-book
  • Index
  • Recon
    • Public info gathering
    • AIO Recon Tools
    • Domain Enum
    • Subdomain Enum
      • Subdomain Takeover
    • Network Scanning
    • Host Scanning
    • Packet Scanning
  • Enumeration
    • Files
    • SSL/TLS
    • Ports
    • Web Attacks
      • General Info
      • Quick tricks
      • Header injections
      • Bruteforcing
      • Online hashes cracked
      • Crawl/Fuzz
      • LFI/RFI
      • File upload
      • SQLi
      • SSRF
      • Open redirects
      • XSS
      • CSP
      • XXE
      • Cookie Padding
      • Webshells
      • CORS
      • CSRF
      • Web Cache Poisoning
      • Broken Links
      • Clickjacking
      • HTTP Request Smuggling
      • Web Sockets
      • CRLF
      • IDOR
      • Web Cache Deception
      • Session fixation
      • Email attacks
      • Pastejacking
      • HTTP Parameter pollution
      • SSTI
      • Prototype Pollution
      • Command Injection
      • Deserialization
    • Web Technologies
      • APIs
      • JS
      • ASP.NET
      • JWT
      • GitHub
      • GitLab
      • WAFs
      • Firebird
      • Wordpress
      • WebDav
      • Joomla
      • Jenkins
      • IIS
      • VHosts
      • Firebase
      • OWA
      • OAuth
      • Flask
      • Symfony && Twig
      • Drupal
      • NoSQL (MongoDB, CouchDB)
      • PHP
      • RoR (Ruby on Rails)
      • JBoss - Java Deserialization
      • OneLogin - SAML Login
      • Flash SWF
      • Nginx
      • Python
      • Tomcat
      • Adobe AEM
      • Magento
      • SAP
      • MFA
      • GWT
      • Jira
      • OIDC (Open ID Connect)
      • ELK
      • Others
    • Cloud
      • General
      • Cloud Info Gathering
      • AWS
      • Azure
      • GCP
      • Docker && Kubernetes
      • CDN - Comain Fronting
  • Exploitation
    • Payloads
    • Reverse Shells
    • File transfer
  • Post Exploitation
    • Linux
    • Pivoting
    • Windows
      • AD
        • Kerberos
      • PS tips & tricks
  • Mobile
    • General
    • Android
    • iOS
  • Others
    • Burp Suite
    • Password cracking
    • VirtualBox
    • Code review
    • Pentesting Web checklist
    • Internal Pentest
    • Web fuzzers review
    • Recon suites review
    • Subdomain tools review
    • Random
    • Master assessment mindmaps
    • BugBounty
    • Exploiting
    • tools everywhere
Powered by GitBook
On this page
  • Explanation
  • Resources
  • Tools

Was this helpful?

  1. Recon
  2. Subdomain Enum

Subdomain Takeover

PreviousSubdomain EnumNextNetwork Scanning

Last updated 3 years ago

Was this helpful?

Explanation

  1. Domain name (sub.example.com) uses a CNAME record for another domain (sub.example.com CNAME anotherdomain.com).

  2. At some point, anotherdomain.com expires and is available for anyone's registration.

  3. Since the CNAME record is not removed from the DNS zone of example.com, anyone who records anotherdomain.com has full control over sub.example.com until the DNS record is present.

Resources

Tools

# https://github.com/LukaSikic/subzy
subzy -targets list.txt
subzy -concurrency 100 -hide_fails -targets subs.txt

# https://github.com/haccer/subjack
subjack -w /root/subdomain.txt -a -v -t 100 -timeout 30 -o results.txt -ssl # Subdomains generated with subgen

# https://github.com/guptabless/unclaim-s3-finder
bucket-takeover.py -u https://qweqwe.asasdasdad.com

# https://github.com/In3tinct/Taken
Subdomain Takeover: Proof Creation for Bug BountiesPatrik Hudak
GitHub - EdOverflow/can-i-take-over-xyz: "Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.GitHub
https://blog.initd.sh/others-attacks/mis-configuration/subdomain-takeover-explained/blog.initd.sh
Logo
Logo