7 Steps guide to CNAME Subdomain Takeover

7 Steps guide for Identifying and Exploring CNAME Takeovers

CNAME takeovers are one of the lesser-known but highly impactful vulnerabilities in the cybersecurity world. If a domain points to an external service no longer in use, an attacker could potentially claim the service and take control of the subdomain. This guide will walk you through the process of identifying and ethically exploiting CNAME takeovers, step-by-step.

---

Step 1: Understand CNAME Records

CNAME (Canonical Name) records are DNS entries that point a domain or subdomain to another domain. For example:

sub.example.com -> some-service.com

When the target service (some-service.com) is no longer active, the subdomain becomes vulnerable to a takeover.

---

Step 2: Identify CNAME Records

To identify subdomains and their associated CNAME records, use tools like dig, nslookup, or automated subdomain enumeration tools.

Run the following command to inspect a subdomain's DNS configuration:

dig sub.example.com

Look for a CNAME entry in the output.

Alternatively, use tools such as:

Sublist3r

Amass

Subfinder

These tools can help automate subdomain discovery.

---

Step 3: Investigate the CNAME Target

Once you’ve identified a subdomain with a CNAME record, check if the target service is still active.

Use curl or your browser to access the target service:

curl -I https://target-service.com

Watch for error messages indicating that the service is unclaimed. Common error messages include:

Amazon S3: "No such bucket"

GitHub Pages: "There isn't a GitHub Pages site here."

Heroku: "No such app"

Azure: "Resource not found"

---

Step 4: Cross-Check Vulnerable Services

Not all services are vulnerable to takeovers. Research common platforms with known vulnerabilities, including:

Amazon S3

GitHub Pages

Heroku

Microsoft Azure

Shopify

Find a comprehensive list of services susceptible to subdomain takeovers in resources like

Can I take over XYZ : https://github.com/EdOverflow/can-i-take-over-xyz

---

Step 5: Claim the Resource

If the service is unclaimed:

1. Register an account on the platform (e.g., AWS, GitHub, etc.).

2. Create a new resource with the exact name as the unclaimed target (e.g., a bucket name, repository, or app name).

3. Confirm that you can now control the subdomain.

Example: If sub.example.com points to my-bucket.s3.amazonaws.com and the bucket does not exist, create a bucket named my-bucket in your AWS account.

---

Step 6: Validate the Takeover

Once you’ve claimed the resource, test if the subdomain now resolves to your content:

1. Upload a simple HTML page or placeholder file to the service.

2. Access the subdomain to confirm it’s displaying your content.

Example: If sub.example.com now displays the content from your bucket, the takeover is successful.

---

Step 7: Report Responsibly

Ethical hacking requires responsible disclosure. If you identify a vulnerable subdomain:

1. Document your findings with evidence (screenshots, logs, etc.).

2. Report the issue to the domain owner or via their bug bounty program.

3. Suggest remediation steps to prevent future vulnerabilities.

---

Preventing CNAME Takeovers

For organizations, here’s how to prevent CNAME takeovers:

1. Audit DNS Records: Regularly review DNS records for outdated or unused entries.

2. Delete Unused Services: Remove CNAME records pointing to inactive services.

3. Verify Ownership: Use platforms that verify domain ownership before activation.

4. Use Wildcard Certificates: Ensure all subdomains are covered under a valid SSL certificate.

If you follow this Step by Step guide you are able to Take over a Subdomain using CNAME.

That’s it for Today…….

Follow me on medium and x :

https://x.com/spectat0rguy?t=bp6JxuQNWRYHwnVRcX_2UQ&s=09

Recommended Book 📚 :

https://amzn.to/40DXkxZ

For Buying me a coffee ☕ :

https://buymeacoffee.com/spectatorguy