Basics of Subdomain Takeovers
Subdomain takeover is a high-severity vulnerability in which an attacker gains control of a subdomain because its DNS record still points at a third-party service whose account or name has expired, so the attacker can claim the target the subdomain was pointing to.
What is that service?
It can be any external service. For example, some vendors use Shopify to build their shopping platform without changing their official subdomain; while shopping on such a site you may have seen "Powered by Shopify" or a similar notice. The whole process of connecting a subdomain to another service is done with a CNAME record.
What is a CNAME and how it works
CNAME stands for canonical name. It is a DNS record type used when connecting domains and hosting. Suppose you buy a domain from godaddy.com and hosting from hostinger.com: to connect the two you set the domain's nameservers, and once that is done the web service is live. The same idea applies to individual names: a CNAME points one hostname at another hostname without changing the subdomain the visitor sees. If the name the CNAME points to expires, any malicious actor who can claim that name can perform a takeover.
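As an added illustration (not from the original post), this is what such a record looks like in a zone file. Every name under .example is a constructed placeholder standing in for a real site and a real vendor.

```dns
; Added example, not from the original post. Names under .example are
; placeholders standing in for a real site and a real vendor.
$ORIGIN example.com.
www    3600  IN  A      203.0.113.10
; "shop" is served by a vendor: DNS forwards lookups to the vendor's hostname,
; while the visitor still sees shop.example.com in the address bar.
shop   3600  IN  CNAME  example-store.vendor-platform.example.
; If the vendor account behind example-store.vendor-platform.example is closed
; but this CNAME is left in place, the record is "dangling": whoever can claim
; that hostname at the vendor now answers for shop.example.com.
```

The defensive fix is to delete the CNAME (or re-point it) at the same time the vendor account is decommissioned; the takeover window is exactly the time between the two.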
How to find a subdomain takeover
Step 1
Subfinder to enumerate subdomains
┌──(root㉿shadow)-[/home/rooter/Desktop/Scopes]
└─# subfinder -d takeaway.com > subdomain.txt
Step 2
MassDNS to resolve each subdomain's CNAME
┌──(root㉿shadow)-[/home/rooter/Desktop/Scopes]
└─# massdns -r resolvers.txt -t CNAME -o S -w scope-CNAME.txt subdomain.txt
Step 3
Grep for 3rd-party services (CNAME targets outside the scope domain)
┌──(root㉿shadow)-[/home/rooter/Desktop/Scopes]
└─# cat scope-CNAME.txt | grep -v -e "takeaway\.com\.$" | cut -f 3 -d" " | sed 's/.$//g' | tee Cname.txt
thuisbezorgdbeta.hypernode.io
geomaps.takeaway.com.s3.amazonaws.com
Step 4
Use nuclei to detect the vulnerability
┌──(root㉿shadow)-[/home/rooter/Desktop/Scopes]
└─# nuclei -l Cname.txt -t /home/rooter/Desktop/nuclei-templates/takeovers
Step 5
Cross-check the vulnerable domain's CNAME
┌──(root㉿shadow)-[/home/rooter/Desktop/Scopes]
└─# dig images.takeaway.com
Then check what the CNAME target's web server returns.
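The following script is an added example, not part of the original post, that automates the filtering done by hand in Step 3 over massdns "-o S" output: it keeps only CNAME records whose target leaves the scope domain, strips the trailing dot, and then summarises which vendors those targets belong to, which is the list a defender needs to audit for dangling records. The sample massdns lines are constructed for this example (two targets are taken from the post's output; legacy-app.example-paas.net is a placeholder), and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): triage massdns "-o S" output for
# CNAMEs that point outside the scope domain, as Step 3 does by hand.
export LC_ALL=C

# Constructed sample in massdns "-o S" format: "name. TYPE rdata".
# legacy-app.example-paas.net is a placeholder vendor hostname.
SAMPLE_MASSDNS='www.takeaway.com. A 203.0.113.10
shop.takeaway.com. CNAME thuisbezorgdbeta.hypernode.io.
geomaps.takeaway.com. CNAME geomaps.takeaway.com.s3.amazonaws.com.
beta.takeaway.com. CNAME www.takeaway.com.
legacy.takeaway.com. CNAME legacy-app.example-paas.net.'

# third_party_cnames DOMAIN  (reads massdns lines on stdin)
# Prints every CNAME target that is not DOMAIN itself or a name under it,
# with the trailing dot removed, sorted and de-duplicated.
third_party_cnames() {
  awk -v d="$1" '
    BEGIN { suf = "." d "." }                         # e.g. ".takeaway.com."
    $2 == "CNAME" {
      t = $3
      if (t == (d ".")) next                          # points at the apex
      n = length(t); m = length(suf)
      if (n > m && substr(t, n - m + 1) == suf) next  # still in scope
      sub(/\.$/, "", t)                               # drop trailing dot
      print t
    }' | sort -u
}

# cname_services DOMAIN  (reads massdns lines on stdin)
# Reduces each third-party target to its last two labels so the output is
# the list of vendors the scope depends on, one per line.
cname_services() {
  third_party_cnames "$1" | awk -F. 'NF >= 2 { print $(NF-1) "." $NF }' | sort -u
}

echo "== third-party CNAME targets for takeaway.com =="
printf '%s\n' "$SAMPLE_MASSDNS" | third_party_cnames takeaway.com
echo "== vendors those targets belong to =="
printf '%s\n' "$SAMPLE_MASSDNS" | cname_services takeaway.com
```

On real data feed the massdns output in instead of the sample, e.g. `third_party_cnames takeaway.com < scope-CNAME.txt > Cname.txt`, and hand Cname.txt to nuclei as in Step 4. The suffix test is done with substr rather than a regex so that dots in the domain name are never interpreted as wildcards.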