Comment on page

Subdomain Takeover

MITRE ATT&CK, Resource Development, Sub-technique T1584.001

A subdomain takeover occurs if a subdomain is configured to a 3rd party service but is no longer registered. If we are able to create an account in the identified 3rd party and register the domain, we can potentially host content on the subdomain.
Can I Take Over XYZ
This repository should be a goto for anyone attempting a subdomain takeover. This repository will identify is the service you have identified is vulnerable to a subdomain takeover and if so, provide detailed steps on how to exploit it and potentially host content. 
GitHub - EdOverflow/can-i-take-over-xyz: "Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.
GitHub
dnsReaper
DNSReaper is an automated subdomain takeover tool that tests with known takeover signatures. While you shouldn't rely on a tool to do the job, this tool does a pretty good job and I'd highly recommend it if performing a quick sweep. 
# Run with Python against a single domain
python3 main.py single --domain $domain
​
# Run with Python against multiple domains
python3 main.py file --filename $domains
​
# Run with Docker against a single domain
docker run punksecurity/dnsreaper single --domain $domain
GitHub - punk-security/dnsReaper: dnsReaper - subdomain takeover tool for attackers, bug bounty hunters and the blue team!
GitHub
Subjack
Subjack is a subndomain takeover tool written in Go. 
# Identify subdomains with a tool such as subfinder
subfinder -dL subdomains.txt --silent | tee -a subdomains.out
​
# Run subjack against list
subjack -w subdomains.out -ssl | tee -a takeover | grep -V "Vulnerable"
GitHub - haccer/subjack: Subdomain Takeover tool written in Go
GitHub
References
A Guide To Subdomain Takeovers
HackerOne

SSH

Next - Pentesting

Infrastructure

Last modified 1yr ago