Subdomain Takeover : The Hacker’s Jackpot (And How You Can Hit It Too!)


Kapil Chotalia

So, you’ve watched all the videos, read countless tutorials, and even combed through bug bounty reports like a pro. But somehow, the concept of subdomain takeover still feels like trying to solve a Rubik’s cube blindfolded, right? 🤔 Well, don’t sweat it! In this blog, I’m going to de-mystify the whole subdomain takeover thing, explain the sneaky security loopholes that make it possible, and (drum roll, please 🥁) show you how to pounce on those vulnerable subdomains like a bounty hunter on a treasure chest. 💰🏴‍☠️

By the end of this, you’ll be equipped to confidently spot those juicy targets 🎯 and perform your own subdomain takeovers like a pro! Ready? Let’s dive in! 🏊‍♂️💻


📚 Jump Right In: Your Subdomain Takeover Adventure Awaits! 🕵️‍♂️

1. 🔍 What’s Subdomain Takeover?
2. 📖 Understand DNS Records: Connect Hosting to Domains
3. 🕵️‍♂️ Sniff Out Other Cloud Platform Subdomain Takeovers!
4. 🔍 Subdomain Enumeration: Let’s Dig Deep Like a Pro! 🕵️‍♂️
5. 🛠️ Automate Your Subdomain Takeovers

Before We Dive In: Hosting, Domains, and DNS Magic Explained 🧙‍♂️

Hold up! 🚦 Before you go all-in on subdomain takeovers, it’s super important to understand how hosting and domains are managed. You also need to know what the heck DNS records are (spoiler: they’re like the phonebook of the internet! ☎️).

Don’t worry; I’m not here to promote anything — these YouTube videos are just here to help you out. I haven’t even watched them myself! 😂

1. Connect Hosting to Domains Explained:

https://youtu.be/BLk9DlLD5Jo?si=vaSCqtcEIYaNWyYp

2. DNS Records Made Simple:

https://youtu.be/VMKbwYMoxX4

Alright, buckle up! 🚀 To fully understand subdomain takeover, you first need to know about two superstar DNS records: the “A” record and “CNAME”. These are like the GPS and signposts of the internet. 🌍

“A” Record: This is the OG! It points a domain (like your website) to an IP address. Think of it as the home address for your site. 🏠

CNAME (Canonical Name): This one’s the sidekick that points one domain name (an alias) to another domain name. It’s like telling visitors, “Hey, you’re in the right neighborhood, but the party’s at the next house!” 🎉

Let’s make it real with an example:

👉 Imagine you’ve got a domain called KaizenTech.com. In the DNS records, you set:

Type: A
Name: KaizenTech.com
Value: 178.198.45.240 (this is the IP address)

Now, you want a subdomain like “blog.KaizenTech.com.” In the DNS, you’d set:

Type: CNAME
Name: blog
Value: blog.KaizenTech.com

But wait, let’s spice it up! 🌶️ You can also use CNAME to send users to other platforms (like GitHub, AWS, Azure, etc.). For example:

Type: CNAME
Name: blog.KaizenTech.com
Value: blog.github.com

Now, when someone visits “blog.KaizenTech.com,” DNS sends them to your cool GitHub-hosted blog (blog.github.com). 💻

BUT… let’s say you decide to delete your GitHub repo for “blog.github.com” but forget to remove the CNAME record (the 3rd DNS record above) from KaizenTech.com’s DNS settings. 🤦‍♂️ Uh-oh! Now anyone who visits “blog.KaizenTech.com” lands on an ugly GitHub error page instead. 🙈

[Image: GitHub 404 error page]

And boom 💥 — this is where things get vulnerable for subdomain takeover! 😬

Remember, DNS misconfigurations are common in medium to large companies, meaning this could lead you to a sweet P1 to P3 bounty! 💰💥

🕵️‍♂️ Is It Vulnerable? Here’s How to Sniff Out Cloud Subdomain Takeover! ☁️

So, we talked about GitHub, but what if your subdomain is pointing to a cloud platform like AWS, Vercel, or Azure? 😲 How do you know whether it’s vulnerable to takeover or not? Well, my friend, you’re in luck! 🍀 There’s an easy way to find out. 🎉

Check out this amazing GitHub repository: Can I Take Over XYZ? 📚 It’s like your cheat sheet for spotting vulnerable subdomains across various cloud platforms. Whether it’s AWS, GitHub, or even fancy platforms like Vercel, this repo has all the tips and tricks you need to identify whether a subdomain is ripe for takeover. 🕵️‍♀️💻
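To tie the dangling-CNAME story above to the cloud-platform check, here is an added example (my own code, not from this post, from GitHub, or from any tool mentioned on this page) of a small defender-side audit: it walks a DNS zone, picks out every CNAME, checks whether the CNAME target still resolves, and tags targets that belong to a hosting provider where someone else could register the missing resource. The zone, the set of still-resolvable names and the provider-suffix table are all constructed sample data; the suffixes are a handful of illustrative entries and not a vetted list like the one kept in the “Can I Take Over XYZ” repo. The `live_resolves` helper is the hook you would swap in to run this against your own zone.

```python
"""Offline audit for dangling CNAME records in a DNS zone (added example)."""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed fingerprint table: CNAME target suffix -> hosting service.
# Illustrative assumption only; real fingerprint lists are much longer.
SERVICE_SUFFIXES: Dict[str, str] = {
    ".github.io": "GitHub Pages",
    ".s3.amazonaws.com": "AWS S3",
    ".azurewebsites.net": "Azure App Service",
    ".herokuapp.com": "Heroku",
}

# Constructed sample zone, in the same shape as the records in the post:
# name -> (record type, value).
SAMPLE_ZONE: Dict[str, Tuple[str, str]] = {
    "KaizenTech.com": ("A", "178.198.45.240"),
    "www.KaizenTech.com": ("CNAME", "KaizenTech.com"),
    "blog.KaizenTech.com": ("CNAME", "kaizentech-blog.github.io"),
    "assets.KaizenTech.com": ("CNAME", "kaizentech-assets.s3.amazonaws.com"),
    "old.KaizenTech.com": ("CNAME", "retired-app.herokuapp.com"),
}

# Constructed view of what a public resolver still answers for; the GitHub
# Pages site and the Heroku app have been deleted, so they are absent.
RESOLVABLE = {"kaizentech.com", "kaizentech-assets.s3.amazonaws.com"}


@dataclass
class Finding:
    name: str
    cname: Optional[str]     # CNAME target, or None for non-CNAME records
    service: Optional[str]   # matched hosting provider, if any
    status: str              # "ok", "dangling" or "no-cname"


def identify_service(target: str) -> Optional[str]:
    """Return the hosting provider a CNAME target belongs to, if known."""
    host = target.lower().rstrip(".")
    for suffix, service in SERVICE_SUFFIXES.items():
        if host.endswith(suffix):
            return service
    return None


def live_resolves(name: str) -> bool:
    """Real DNS check for use against your own zone (not used by the demo)."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:  # NXDOMAIN / no address: the classic dangling signal
        return False


def audit(zone: Dict[str, Tuple[str, str]],
          resolves: Callable[[str], bool]) -> List[Finding]:
    """Classify every record; CNAMEs whose target no longer resolves are dangling."""
    findings: List[Finding] = []
    for name, (rtype, value) in zone.items():
        if rtype != "CNAME":
            findings.append(Finding(name.lower(), None, None, "no-cname"))
            continue
        target = value.lower().rstrip(".")
        status = "ok" if resolves(target) else "dangling"
        findings.append(Finding(name.lower(), target, identify_service(target), status))
    return findings


def dangling(findings: List[Finding]) -> List[Finding]:
    """Only the records an owner needs to clean up or re-claim."""
    return [f for f in findings if f.status == "dangling"]


def main() -> None:
    results = audit(SAMPLE_ZONE, lambda n: n in RESOLVABLE)
    for f in results:
        provider = f" ({f.service})" if f.service else ""
        print(f"{f.status:9} {f.name} -> {f.cname}{provider}")
    print(f"{len(dangling(results))} dangling CNAME(s) to fix")


if __name__ == "__main__":
    main()
```

The classic signal is a CNAME whose target returns NXDOMAIN, which is what `live_resolves` catches. Some providers keep the target resolvable and only serve a “no such site/bucket” page, so an audit of your own zone should also compare the HTTP response with the provider’s known error fingerprint, which is what the tools later in this post do. Either way the fix is the same: delete the stale CNAME, or re-create the resource under your own account before someone else does.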

🔍 Subdomain Enumeration: Let’s Dig Deep Like a Pro! 🕵️‍♂️

Before we jump into the fun part of taking over subdomains, we first need to find them! 🏗️ If you’re new to this, don’t worry, I’ve got you covered. Check out my blog post on Subdomain Enumeration Tools, Techniques, and Tips here. It’s packed with everything you need to start digging up hidden subdomains. 🛠️

🤖 Automate Subdomain Takeovers Like a Boss! 🚀

Why waste time manually checking subdomains when you can automate the whole thing? ⚙️ After you’ve done your subdomain enumeration (if not, go back and read this 👉 Subdomain Enumeration Tools, Techniques, and Tips), it’s time to level up with some automation magic! 🧙‍♂️✨

Here are some supercharged tools that will do the hard work for you:

==> Subzy Tool (Link)

$ subzy [command] -h                          # For more information
$ subzy run --targets domains.txt             # For a list of subdomains in a file
$ subzy run --target domains.com              # For a single domain name
$ subzy run --targets domains.txt --vuln      # Save only vulnerable subdomains

Other Flags
------------------------------------------------------------------------------------------------------------
# --hide_fails       Don't display failed results
# --https            Force https protocol if not no protocol defined for target (default false)
# --output string    JSON output filename
# --target string    Comma separated list of domains
# --targets string   File containing the list of subdomains
# --timeout int      Request timeout in seconds (default 10)
# --verify_ssl       If set to true it won't check sites with insecure SSL and return HTTP Error
# --vuln             Save only vulnerable subdomains

==> Subjack Tool (Link)

$ subjack -w domains.txt -v      # For a list of subdomains in a file
$ subjack -d domain.com -v       # For a single domain name (-d takes one domain)

Other Flags
---------------------------------------------------------------------------

# -d test.com        if you want to test a single domain.
# -w domains.txt     is your list of subdomains.
# -t                 the number of threads (Default: 10 threads).
# -timeout           the seconds to wait before timeout connection (Default: 10 seconds).
# -o results.txt     where to save results to. For JSON: -o results.json
# -ssl               enforces HTTPS requests which may return a different set of results and increase accuracy.

==> Sub404 Tool (Link)

$ python sub404.py -f domains.txt                 # For a list of subdomains in a file
$ python sub404.py -d domain.com                  # For a single subdomain
$ python sub404.py -f domains.txt -o result.txt   # Save output to a file
$ python sub404.py -f domains.txt -p HTTPS        # Force the HTTPS protocol
OR
$ python sub404.py -f domains.txt -p HTTP         # Force the HTTP protocol

==> Dnsreaper Tool (GitHub / Web Link)

Here I’m using the web version; you can use whichever you prefer.

On the web version you can upload a file, or enter a comma-separated list of subdomains.

🎉 Wrapping Up: Mastering Subdomain Takeover Like a Pro! 🏆

Congratulations, you’ve made it to the end of our deep dive into subdomain takeover! 🎉 By now, you should have a solid grasp on what subdomain takeover is, how to spot those sneaky vulnerabilities, and even how to use cool tools to automate your findings. 🛠️💡

If you enjoyed this journey into the world of subdomain takeover, don’t forget to share this post with your fellow tech enthusiasts and hackers! 🚀👩‍💻👨‍💻 And as always, feel free to drop any questions or thoughts in the comments below. Until next time, happy hunting and stay secure! 🎯🔍

#SubdomainTakeover #DNSRecords #Cybersecurity #BugBounty #EthicalHacking #InfoSec #SecurityTesting #TechTips #KaizenCyberServices
