Subdomain Takeover - Tomando Controle de Subdomínios

Introduction

This tutorial provides a comprehensive guide on subdomain takeover, a common vulnerability in web security that allows an attacker to gain control of a subdomain associated with a domain. Understanding how to identify and exploit this vulnerability is crucial for security professionals and pentesters. This guide walks you through the essential steps to detect and take control of subdomains safely and ethically.

Step 1: Understanding Subdomain Takeover

• A subdomain takeover occurs when a subdomain points to an external service (like AWS, Heroku, etc.) that has been deleted or is unclaimed.
• Attackers can register the deleted or unclaimed resource and take control of the subdomain, potentially leading to data breaches or phishing attacks.

Step 2: Identifying Target Subdomains

• Use tools like Sublist3r, Amass, or online services such as SecurityTrails to enumerate subdomains.
• Command example using Sublist3r:

  sublist3r -d example.com
  

• Check the status of each subdomain to identify which ones are vulnerable to takeover.

Step 3: Checking for Takeover Vulnerabilities

• Investigate if the subdomain is pointing to a service that can be claimed.
• Tools like Subjack or Takeover can automate this process.
• Command example using Subjack:

  subjack -w subdomains.txt -t 100 -timeout 30 -o results.txt -ssl
  

• Review the output for any subdomains that are vulnerable.

Step 4: Claiming the Subdomain

• If a subdomain is identified as vulnerable, register the service that the subdomain points to (e.g., AWS, GitHub Pages).
• Follow the service’s process to claim or create the resource.
• Ensure that you have permission to conduct this testing, as unauthorized actions can lead to legal consequences.

Practical Tips

• Always conduct these activities in a controlled environment and ensure you have permission.
• Maintain documentation of your findings and actions for reporting purposes.
• Familiarize yourself with ethical hacking laws in your region to avoid legal issues.

Common Pitfalls to Avoid

• Do not attempt to take control of subdomains without explicit permission from the domain owner.
• Ensure that the subdomain is genuinely unclaimed and not in use by the organization.
• Keep your tools updated to avoid missing vulnerabilities due to outdated software.

Conclusion

Subdomain takeover can be a significant security risk, but by following these steps, you can effectively identify and mitigate these vulnerabilities. Always operate ethically and legally within the bounds of your penetration testing engagements. For further learning, consider exploring advanced pentesting techniques and tools to enhance your skills in web application security.