Subs or Top level Domain

CNAME Record 0r A Record —> Points to third party services
Check:

     for take-overs is to query a list of domains and check for any that are either:

    1. attached to a third party domain or destination via the use of a cname record 

    2.return a 404 not found error.

    example : domain that resolved to a CloudFront domain which gave the following error: "Error the request could not be satisfied, generated by CloudFront (CloudFront)"

Technical Detail

This attack vector utilizes DNS entries pointing to Service Providers where the pointed subdomain is currently not in use
Service providers :

    Heroku, Github, Bitbucket, Squarespace, Shopify, Desk, Teamwork, Unbounce, Helpjuice, HelpScout, Pingdom, Tictail, Campaign Monitor, CargoCollective, [StatusPage.io](http://statuspage.io/) and Tumblr.

Impact

Attacker can now build a complete clone of the real site, add a login form, redirect the user, steal credentials (e.g. admin accounts), cookies and/or completely destroy business credibility for your company.
Another senario:

    1. A Domain Owner points their * (wildcard) DNS-entry to e.g. Heroku.
    2. They forget to add the wildcard-entry to their Heroku-app.
    3. Attacker can now claim any subdomain they want from the Domain Owner.
    4. A Domain Owner will be unaware of the subdomain being exploited.

In the not so rare case, the attacker can also “inherit” the Domain Owner’s Wildcard SSL used inside the Service Provider.

Exploit

Claim CloudFront:

    Singup to AWS —> head over CloudFront signup

Remediation

    - Check your DNS-configuration for subdomains pointing to services not in use.
    - Set up your external service so it fully listens to your wildcard DNS. In Heroku’s case, this means running the following command in your App: heroku domains:add *.[example.com](http://example.com/)

Reference

Detectify article :https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/
Zsec Blog: https://blog.zsec.uk/subdomainhijack/

POC

- I found a website, for now call it [www.target.com](http://www.target.com)  
- I went to terminal and run a host command on that target

host www.target.com

- it was pointing its 'A' record to  23.227.38.65 this IP 
- Now i knew that this IP belongs to shopify cause i had setup a shop on shopify few days back (you can also go and check with whois record for this ip)
- I opened the website [www.target.com](http://www.target.com) , I found there shopify template stating  "only one step left to finish setting" (In some cases : it also state Sorry this shop is unavailable) 
- Now i knew what i have to do, i sing-up on shopify with trial account, after that i put the same target website name, it gave me error stating application name already exist, so put target.com as a name, finally it was created.
- I went to setting, it shows me two option "connect your domain automatically" and "connect you domain manually"
- I choose first one automatic one, just put that domain [www.target.com](http://www.target.com) , it got connected. We are done, now we owns this top level domain.

Analysis

- The person registered this domain name from godaddy , and configured its DNS record pointing to shopify IP
- Either he might had forgotten to create a shop or he had created a shop used it for a while then deleted that shop from shopify but didn't removed the DNS entry pointing to shopify's IP

** Pardon for any spelling or grammar mistake **

Author:

Twitter Id: @Zero0x00

PreviousSubdomain Takeover - Easy Method NextTabnabbing

Last updated 1 year ago