Subdomain Hijacking – Notes, links & tools

I had previously read about Subdomain hijacking, but in all honesty I didn’t really “get it”.

All that changed with this Security Fest talk by Frans Rosén, entitled “DNS hijacking using cloud providers”:

Or, more accurately, I really started to get it by going through Frans’s slides from the talk:

I don’t want to explain the premise of this to you, as it’s one of those things you have to investigate yourself to really get to grips with.

But what I will do, to (hopefully) cut your learning time down, is list below all of the links Frans mentions plus those from my own knowledge mining:

Links:

Detectify – Hostile Subdomain Takeover using Heroku/Github/Desk + more
Detectify – Hijacking of abandoned subdomains part 2
Detectify – The story of EV-SSL, AWS and trailing dot domains

Stefano – Onavo – CNAME records pointing to Heroku but no app configured

HackerOne – Authentication bypass on sso.ubnt.com via subdomain takeover of ping.ubnt.com
HackerOne – URGENT – Subdomain Takeover on media.vine.co due to unclaimed domain pointing to AWS

Jonathan Claudius – ‘Deep Thoughts’ on Subdomain Takeover Vulnerabilities

Graham Cluley – Hacker defaces Donald Trump fundraising site via subdomain takeover attack

Matthew Bryant – The Orphaned Internet – Taking Over 120K Domains via a DNS Vulnerability in AWS, Google Cloud, Rackspace and Digital Ocean

Bishop Fox – Fishing the AWS IP Pool for Dangling Domains

White Hats Nepal – Reading Uber’s Internal Emails [Uber Bug Bounty report worth $10,000]

Sweepatic – The Principles of a Subdomain Takeover

Matthew Bryant – Floating Domains – Taking Over 20K DigitalOcean Domains via a Lax Domain Import System

SecurityTraining – How to find subdomain take over

Tools:

See my Discovering Subdomains post

Massdns

Sub6

HostileSubBruteforcer

Knock Subdomain Scan

tko-subs

host command

dig command

EyeWitness

Below is yaworsk demonstrating how to find subdomains vulnerable to takeover:

In Frans’s talk he mentions automating the discovery of subdomains vulnerable to hijacking and having email alerts sent to him. I assume he is focusing on specific targets; he was kind enough to tell me he uses a tool called Zapier to help with this.

Unfortunately the setup for this is beyond me, so if anybody does know how to set it up, please do let me know.

I hope this helps in your learning process. If I’ve missed anything or you would like a resource added, please let me know on Twitter.