Well said by somebody…
Everything in the world has flaws in it. If you can dream it, be courageous to achieve it.
With that said, let's get started with this blog post.
Hey folks, in this blog you will learn how to hunt for the subdomain takeover vulnerability.
So, first of all, what is a subdomain takeover vulnerability?
It is explained everywhere, so I will keep it short: if a subdomain has a CNAME record pointing to a host that no longer exists or no longer resolves, it may be vulnerable to this attack.
Tools to be used in testing:
- Sublist3r (GitHub – aboul3la/Sublist3r: Fast subdomains enumeration tool for penetration testers)
- Subdomain-Takeover (GitHub – SaadAhmedx/Subdomain-Takeover)
Hunting for subdomain takeover is a very easy task, and it is one of the most commonly found vulnerabilities these days.
Steps to hunt for this vulnerability:
1. Clone the two repositories above using the commands ‘git clone https://github.com/aboul3la/Sublist3r’ and ‘git clone https://github.com/SaadAhmedx/Subdomain-Takeover’.
2. Change to the Sublist3r directory and run ‘pip install -r requirements.txt’, then do the same in the Subdomain-Takeover directory. Both tools are written in Python, so their requirements must be installed first.
3. Now open a terminal in the Sublist3r directory and run the tool with ‘python sublist3r.py -d xyz.com’ (here xyz.com is used as the example target).
Above screenshot is taken from the Sublist3r repository.
4. Sublist3r will enumerate all the subdomains (including sub-subdomains) of the target domain. Copy the list of subdomains into a file, say targets.list, or any name you like. You can also skip the copying by adding ‘-o nameofthefile.extension’ to the Sublist3r command, which saves the output to a file automatically.
5. Now place the targets.list file created in step 4 in the Subdomain-Takeover directory.
6. Open a terminal in the Subdomain-Takeover directory and run ‘python ItsOver.py -l targets.list’.
Image taken from the Subdomain-Takeover repository.
7. Relax and take a coffee break; it will take some time. When it completes, you will find two more files in the Subdomain-Takeover directory: validurl.txt (containing valid URLs) and takeover.txt (containing URLs that are vulnerable to subdomain takeover).
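The check behind step 7, as an added example that is not part of the post or of the Subdomain-Takeover tool: read a targets.list style file, look up each subdomain's CNAME, and flag the record as dangling when the CNAME target no longer resolves. The hostnames and DNS answers in SAMPLE_CNAMES / SAMPLE_RESOLVABLE are constructed so the script runs offline; the live_* helpers (dnspython for CNAME, stdlib socket for address resolution) are what you would pass in for a real run.

```python
import socket

# Constructed sample answers standing in for live DNS (hypothetical names).
SAMPLE_CNAMES = {
    "shop.xyz.com": "xyz-shop.example-hosting.net",  # target gone -> dangling
    "blog.xyz.com": "xyz-blog.example-hosting.net",  # target still resolves
    "www.xyz.com": None,                              # A record only, no CNAME
}
SAMPLE_RESOLVABLE = {"xyz-blog.example-hosting.net", "www.xyz.com"}

def sample_cname(name):
    return SAMPLE_CNAMES.get(name)

def sample_resolves(name):
    return name in SAMPLE_RESOLVABLE

def live_cname(name):
    """Real CNAME lookup via dnspython (pip install dnspython); None if no CNAME."""
    import dns.exception, dns.resolver  # lazy: the sample run needs no extra package
    try:
        answer = dns.resolver.resolve(name, "CNAME")
        return str(answer[0].target).rstrip(".")
    except dns.exception.DNSException:  # NoAnswer, NXDOMAIN, timeout, ...
        return None

def live_resolves(name):
    """True if the name still has an address record (stdlib only)."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False

def triage(targets, get_cname=live_cname, resolves=live_resolves):
    """Split a targets.list body into (valid, [(subdomain, dangling CNAME), ...])."""
    # A target that still resolves can still be unclaimed at the hosting
    # provider, so the lists are a triage for manual verification, not a verdict.
    valid, dangling = [], []
    for line in targets.splitlines():
        sub = line.strip().lower().rstrip(".")
        if not sub or sub.startswith("#"):
            continue
        cname = get_cname(sub)
        if cname and not resolves(cname):
            dangling.append((sub, cname))
        else:
            valid.append(sub)
    return valid, dangling
```

For a real run, call triage(open("targets.list").read()) and the live defaults are used; every entry in the dangling list still needs the CNAME target checked by hand before it is reported.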
If you were following along and found a vulnerable URL, congrats! Now just make a PoC video and report it.
If you have any questions, feel free to ask me on Twitter: SanmargParanjpe