Subdomain Takeover

Explanation

Domain name (sub.example.com) uses a CNAME record for another domain (sub.example.com CNAME anotherdomain.com).
At some point, anotherdomain.com expires and is available for anyone's registration.
Since the CNAME record is not removed from the DNS zone of example.com, anyone who records anotherdomain.com has full control over sub.example.com until the DNS record is present.

Resources

Subdomain Takeover: Proof Creation for Bug BountiesPatrik Hudak

GitHub - EdOverflow/can-i-take-over-xyz: "Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.GitHub

https://blog.initd.sh/others-attacks/mis-configuration/subdomain-takeover-explained/blog.initd.sh

Tools

# https://github.com/LukaSikic/subzy
subzy -targets list.txt
subzy -concurrency 100 -hide_fails -targets subs.txt

# https://github.com/haccer/subjack
subjack -w /root/subdomain.txt -a -v -t 100 -timeout 30 -o results.txt -ssl # Subdomains generated with subgen

# https://github.com/guptabless/unclaim-s3-finder
bucket-takeover.py -u https://qweqwe.asasdasdad.com

# https://github.com/In3tinct/Taken

PreviousSubdomain Enum NextNetwork Scanning

Last updated 4 years ago

hashtagExplanation

hashtagResources

hashtagTools

Explanation

Resources

Tools