# Subdomain Takeover - Easy Method ## 1. Method by [@Virdoex\_hunter](https://twitter.com/Virdoex_hunter) Easy Subdomain Takeover Method ``` Step: 1:Grab all subdomains of target. i.e, subfinder -d flaws.cloud | tee -a domains.txt 2:Run this one liner 3:cat domains.txt | while read domain;do dig $domain;done | tee -a digs.txt 4::Grab all the CNAME Entries i.e, cat digs.txt | grep CNAME 5:Find a domain that is pointed to third party domain like sub.exampple.com CNAME x.aws.com 6:Check wheather the main subdomain is down 7:Go to host provider where the domain is pointed to and register that domain if you registered congrats you have takeover the subdomain. ``` ## 2. Method by [@WhoIs1nVok3r](https://twitter.com/WhoIs1nVok3r) ``` Step-1:- First of all collect all subdomain of the target using assetfinder,subfinder,chaos(needs API key). Step-2:- Next sort out duplicate URLs using -- cat unresolved | sort -u | tee -a resolved Step-3:- Pass it to subzy,subjack or other subdomain-takeover tool -- using subzy tool -- subzy -targets resolved , or use subjack Step-4:- We can also use nuclei templates but we need to first use httpx -- cat resolved | httpx | tee -a hosts Step-5:- Next use nuclei-templates -- cat hosts | nuclei -t nuclei-templates/vulnerabilites -o nuclei.txt -v Tools Used:- https://github.com/projectdiscovery/nuclei https://github.com/projectdiscovery/subfinder https://github.com/projectdiscovery/httpx https://github.com/projectdiscovery/nuclei-templates https://github.com/projectdiscovery/chaos-client https://github.com/haccer/subjack https://github.com/LukaSikic/subzy ``` ### Author * [@Virdoex\_hunter](https://twitter.com/Virdoex_hunter) * [@WhoIs1nVok3r](https://twitter.com/WhoIs1nVok3r) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://kathan19.gitbook.io/howtohunt/subdomain-takeover/easy_methods.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.