
Subdomain Takeover - A common vulnerability in many domains


One of the subdomains of the scanned domain is pointing to an external service, but the account at that external service was cancelled or has expired. Because the account is no longer in use, an attacker can claim it and take over your subdomain. The attacker can then use this subdomain for phishing or to spread malware.




Many websites do not work only on example.com or www.example.com. For email, blogs and internal tools, companies tend to use subdomains. A subdomain maps to a specific IP address, a third-party service, etc. that serves its content.
OK, so let us start from the basics:

What is a domain and a subdomain?

A subdomain is a domain that is part of a larger domain; the only domain that is not also a subdomain is the root domain. For example, west.example.com and east.example.com are subdomains of the example.com domain, which in turn is a subdomain of the com top-level domain (TLD).

Subdomain Takeover

Hackers can claim subdomains with the help of external services. This attack is practically non-traceable, affects at least 17 large service providers, and multiple domains are affected. Find out if you are one of them by using our quick tool, or go through your DNS entries and remove all that are active but unused, or that point to external services you no longer use.

Subdomain Enumeration tools

HostileSubBruteforcer
This tool was written by Ben Sadeghipour (@Nahamsec). It is written in Ruby and, in my personal opinion, is one of the best tools for takeovers. This tool not only lists subdomains by bruteforcing them, it also maps out where each one points. Along with that, if a subdomain returns errors like "This Github pages does not exist", "NoSuchBucket", etc., it prints them in red and asks you to check them for possible takeovers. I personally have found some takeovers with this tool.

Sublist3r
This tool aggregates the results of multiple websites. It collects subdomains from VirusTotal, ThreatCrowd, DNSDumpster, PassiveDNS and many others. One downside is that it can give false positives: some sources like DNSDumpster only refresh their data after about a month, so if a service changed within that period, DNSDumpster will take time to reflect it. Nonetheless, this is a great tool to have on your side.

There are also websites worth discussing, like VirusTotal, but because they are already integrated in Sublist3r I am not going to cover them further.

Certificate tools
Some companies like Facebook and Google let you look up certificates issued for websites owned by a company. This allows you to enumerate many more subdomains.

https://developers.facebook.com/tools/ct is what I have been using quite frequently now. It also allows you to subscribe to alerts for a domain so that you are notified when a new certificate is issued (this could mean new subdomains or just a renewal of certificates).



Attack Scenario

Your company starts using a new service, e.g. an external support ticketing service.

Your company points a subdomain to the support ticketing service, e.g. support.your-domain.com.

Your company stops using this service but does not remove the subdomain record pointing to the ticketing system.

The attacker signs up for the service and claims the subdomain as theirs. No verification is done by the service provider, and the DNS setup is already in place.

The attacker can now build a complete clone of the real site, add a login form, redirect the user, steal credentials (e.g. admin accounts) and cookies, and/or completely destroy your company's business credibility.


Three things that make this scenario dangerous

It's SUPER easy. Sign up for a new account and claim the domain. Done.

It's completely hidden. The domain owner won't notice. The attacker won't leave any traces for the domain owner. Good luck monitoring this in an IDS!

The service provider is unlikely to be able to fix this in a feasible way.

Now, if this wasn't bad enough, imagine this scenario:

A domain owner points their * (wildcard) DNS entry to e.g. Heroku.

They forget to add the wildcard entry to their Heroku app.

The attacker can now claim any subdomain they want under the domain owner's domain.

The domain owner will be unaware of the subdomain being exploited.


Technical Details

This attack vector uses DNS entries pointing to service providers where the pointed-to subdomain is currently not in use. Depending on the DNS entry configuration and which service provider it points to, some of these services will allow unverified users to claim these subdomains as their own.

In the not so rare case, the attacker can also "inherit" the domain owner's wildcard SSL certificate used inside the service provider.

Here's an example of a DNS entry that could be used for this attack:

[Image: a DNS record for x.example.com pointing at an external service provider]

If x.example.com has no service attached to it, the subdomain could be taken over by an attacker. Below are examples of how some of the services will indicate the existence of this vulnerability:

[Image: error pages with which various service providers indicate an unclaimed subdomain]


Recommendations

Check your DNS configuration for subdomains pointing to services that are no longer in use.
Set up your external service so that it fully listens to your wildcard DNS. In Heroku's case, this means running the following command in your app: heroku domains:add *.example.com
Our advice is to keep your DNS entries constantly vetted and restricted.
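The recommendations above (dangling CNAMEs, provider error pages such as "This Github pages does not exist" and "NoSuchBucket", and the wildcard-to-Heroku case) can be turned into a zone audit. The script below is an added example, not code from the original post or from any of the tools it mentions; the zone records, DNS answers and HTTP bodies are constructed so it runs offline, and the fingerprint table is an assumption since providers change their error wording.

```python
from typing import Callable, Dict, List, NamedTuple, Optional, Tuple
# Provider error strings the post cites as takeover indicators; exact wording
# differs per provider and changes over time, so this table is an assumption.
FINGERPRINTS: Dict[str, str] = {
    "github.io": "This Github pages does not exist",
    "amazonaws.com": "NoSuchBucket",
}

class Finding(NamedTuple):
    name: str
    target: str
    reason: str

def audit_zone(records: List[Tuple[str, str, str]], resolves: Callable[[str], bool],
               fetch_body: Callable[[str], Optional[str]]) -> List[Finding]:
    """Flag CNAME records pointing at external services that may be claimable.
    resolves/fetch_body are injected so this runs offline; wire them to DNS/HTTP for a real zone."""
    findings: List[Finding] = []
    for name, rtype, target in records:
        if rtype != "CNAME":
            continue  # A/MX/TXT records are not claimed through a provider account
        if name.startswith("*."):
            findings.append(Finding(name, target, "wildcard CNAME: every unused subdomain "
                                    "is claimable unless the provider app also owns *.domain"))
        elif not resolves(target):
            findings.append(Finding(name, target, "dangling CNAME: target no longer resolves"))
        else:
            body = fetch_body(name) or ""
            for suffix, marker in FINGERPRINTS.items():
                if target.endswith(suffix) and marker in body:
                    findings.append(Finding(name, target, f"unclaimed at provider: {marker}"))
    return findings

# Constructed sample zone and canned DNS/HTTP answers so the example runs offline.
SAMPLE_ZONE = [
    ("support.example.com", "CNAME", "example.ticketing.example"),         # still in use
    ("blog.example.com", "CNAME", "example.github.io"),                    # Pages site deleted
    ("files.example.com", "CNAME", "files.example.com.s3.amazonaws.com"),  # bucket deleted
    ("old.example.com", "CNAME", "old-app.herokuapp.com"),                 # app gone: NXDOMAIN
    ("*.example.com", "CNAME", "example-app.herokuapp.com"),               # wildcard to Heroku
]
SAMPLE_DNS = {"example.ticketing.example", "example.github.io", "files.example.com.s3.amazonaws.com"}
SAMPLE_BODIES = {
    "support.example.com": "<html>Help Center</html>",
    "blog.example.com": "<html>This Github pages does not exist</html>",
    "files.example.com": "<Error><Code>NoSuchBucket</Code></Error>",
}

def sample_findings() -> List[Finding]:
    return audit_zone(SAMPLE_ZONE, lambda h: h in SAMPLE_DNS, SAMPLE_BODIES.get)
```

Running sample_findings() flags blog, files, old and the wildcard record while leaving the in-use support record alone; for a live zone, pass a resolver built on socket.gethostbyname and a fetcher built on urllib instead of the canned lookups.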
