A subdomain is a domain that is part of a larger parent domain. For example, “blog.example.com” is a subdomain of the parent domain “example.com“.
When you want to set up a subdomain, you typically create two types of DNS records:
- A Record (Address Record): An A record maps a domain or subdomain name to an IP address. For example, the A record for “example.com” might map it to the IP address “192.168.1.100”.
- CNAME Record (Canonical Name Record): A CNAME record maps a subdomain to another domain name instead of directly to an IP address. This allows you to alias one name to another.
Here’s how it works with subdomains:
Let’s say you want to set up “blog.example.com” to point to your blog hosted on another server or service.
Step 1: Create an A record for your parent domain (example.com) pointing to the IP of your main server.
Step 2: Create a CNAME record for your subdomain (blog.example.com) pointing to the domain of your blog hosting service (e.g. exampleblog.wordpress.com).
So when someone tries to access blog.example.com, their computer will:
- Look up the A record for example.com to get the IP address of your main server.
- See there is a CNAME record telling it blog.example.com is an alias for exampleblog.wordpress.com.
- Look up the IP address for exampleblog.wordpress.com and connect to that server to load the blog content.
CNAMEs allow you to seamlessly point your subdomain to another provider without exposing that provider’s IP addresses under your own domain.
This provides flexibility to use different services (hosting, CDNs etc.) for subdomains while maintaining your main domain’s DNS configuration and branding.
Subdomain takeover
A subdomain takeover is a type of vulnerability that can occur when an organization creates a subdomain that points to an external service or host but then fails to properly manage or remove that subdomain when the external service is discontinued or decommissioned.
In simple terms, it works like this:
- An organization sets up a subdomain (like videos.example.com) and creates a CNAME DNS record to point that subdomain to an external service (like example-videos.cloudprovider.com).
- Later, if the organization stops using that external service and the external domain (example-videos.cloudprovider.com) becomes available for anyone to re-register, it creates an opportunity.
- An attacker can register the now-available external domain that the original subdomain still incorrectly points to.
- This allows the attacker to potentially gain control over the subdomain (videos.example.com) on the organization’s main domain, since it is still resolving to the location the attacker controls.
- The attacker can now serve malicious content, phishing pages, or perform other nefarious actions through the subdomain on the organization’s trusted domain.
It’s a vulnerability caused by failing to properly update or remove DNS entries for subdomains when their external services change ownership or are terminated. The subdomain remains configured to follow the old mapping that an attacker can now re-map somewhere malicious.
Second-order subdomain takeover
A second-order subdomain takeover vulnerability occurs when an organization’s subdomain points to a cloud service or external provider, and that provider’s asset or service is vulnerable to takeover, leading to potential control over the original organization’s subdomain.
Here’s a basic example of how it works:
- Company A creates a subdomain analytics.companyA.com
- They configure it to point to a service on a cloud provider, e.g. companyAAnalytics.cloudprovider.com
- Unknowingly, the cloudprovider.com domain has a subdomain takeover vulnerability
- An attacker discovers and exploits this, taking over companyAAnalytics.cloudprovider.com
- Now analytics.companyA.com resolves to the location the attacker controls on the cloud provider
So while Company A may have secured their own subdomain configurations, the second layer of indirect mapping through the cloud service introduced an attack vector.
The core premise is that even if your house is secure, you need to also secure any services or external parties that your subdomains interact with or transit through.d
Tools for subdomain takeover
Subjack
Subjack is a tool used for subdomain takeover vulnerability detection. Subdomain takeover occurs when a subdomain (e.g., subdomain.example.com) points to a service or resource that is no longer in use or controlled by the organization. Check it out here.
Sub404
Sub404 is a tool used for detecting subdomain takeover vulnerabilities by scanning for HTTP 404 (Not Found) responses on subdomains. It is designed to identify subdomains that are pointing to non-existent resources, which could potentially be taken over by an attacker if they manage to register the resource that the subdomain was intended to point to. Check it out here.
Subover
SubOver is a reconnaissance tool designed to enumerate subdomains by utilizing various techniques such as passive DNS, certificate transparency logs, and web scraping. Check it out here.
Amass
Amass is an open-source reconnaissance tool used for gathering information about target domains and discovering potential attack vectors. Check it out here.
Subfinder
Subfinder is a subdomain discovery tool that returns valid subdomains for websites, using passive online sources. It has a simple, modular architecture and is optimized for speed. subfinder is built for doing one thing only – passive subdomain enumeration, and it does that very well.
Aquatone
Aquatone is a tool for visual inspection of websites across a large amount of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface.
Conclusion
Subdomain takeovers pose significant risks, serving as a gateway for attackers to launch various malicious activities, including phishing and malware distribution. Detecting and preventing such vulnerabilities is vital for enhancing cybersecurity. By leveraging tools like Amass and adopting best practices in subdomain management, organizations can fortify their defenses and reduce the likelihood of subdomain takeovers impacting their infrastructure. Thanks for emphasizing the importance of this issue!
Reference
https://blog.projectdiscovery.io/guide-to-dns-takeovers/
https://blog.projectdiscovery.io/guide-to-dns-takeovers/
About me
Hello, I’m Harshi Gupta, a seasoned penetration tester with expertise in both internal and external assessments. Cybersecurity is not just a career path for me; it’s my hobby and passion. With a wealth of experience in identifying and mitigating security vulnerabilities, I am dedicated to ensuring the resilience of organizations’ digital assets. For networking opportunities and engaging discussions, feel free to reach out to me viaLinkedInandTwitter.
