# Subdomain or Top-Level Domain Takeover

* A CNAME record or an A record points to a third-party service.
* Check: a simple way to find candidate take-overs is to query a list of domains and flag any that are either:
  1. attached to a third-party domain or destination via a CNAME record, or
  2. returning a 404 Not Found error.

  Example: a domain that resolved to a CloudFront domain and gave the following error: "Error the request could not be satisfied, generated by CloudFront (CloudFront)"

### Technical Detail

* This attack vector uses DNS entries pointing to service providers where the pointed subdomain is currently not in use at the provider.
* Service providers known to be affected: Heroku, Github, Bitbucket, Squarespace, Shopify, Desk, Teamwork, Unbounce, Helpjuice, HelpScout, Pingdom, Tictail, Campaign Monitor, CargoCollective, [StatusPage.io](http://statuspage.io/) and Tumblr.

### Impact

* An attacker can now build a complete clone of the real site, add a login form, redirect users, steal credentials (e.g. admin accounts) and cookies, and/or completely destroy your company's business credibility.
* Another scenario:
  1. A domain owner points their `*` (wildcard) DNS entry to e.g. Heroku.
  2. They forget to add the wildcard entry to their Heroku app.
  3. An attacker can now claim any subdomain they want under the domain owner's domain.
  4. The domain owner will be unaware that the subdomain is being exploited.
* In the not-so-rare case, the attacker can also "inherit" the domain owner's wildcard SSL certificate used inside the service provider.

### Exploit

* Claim CloudFront: sign up to AWS, then head over to the CloudFront signup.

### Remediation

* Check your DNS configuration for subdomains pointing to services not in use.
* Set up your external service so that it fully listens to your wildcard DNS. In Heroku's case, this means running the following command in your app: `heroku domains:add *.example.com`
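The check described at the top of the page (CNAME to a third party, or a provider error page) and the first remediation item are the same inventory audit seen from the defender's side. The following is an added example, not code from the original page: it walks a list of your own hostnames, follows CNAMEs into known provider suffixes, flags targets that no longer resolve, and otherwise looks for the provider's "unclaimed" page text. The CloudFront and Shopify phrases and the 23.227.38.65 address come from this page; the `example.com` hostnames, the `d111111abcdef8.cloudfront.net` target and all DNS/HTTP answers are constructed sample data, and the lookups are injected as callables so the audit runs offline (in production, pass functions backed by your resolver and HTTP client).

```python
"""Defensive audit for dangling DNS records that point at third-party services."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Text a provider serves for a hostname nobody has claimed. The CloudFront and
# Shopify phrases are the ones quoted on this page; add others only once you
# have confirmed them yourself.
CNAME_FINGERPRINTS = {
    "cloudfront.net": ["the request could not be satisfied"],
    "myshopify.com": ["sorry, this shop is currently unavailable",
                      "only one step left"],
}
# Provider IPs that appear in plain A records. 23.227.38.65 is the Shopify
# address from the POC on this page; the Shopify fingerprints apply to it too.
IP_FINGERPRINTS = {"23.227.38.65": CNAME_FINGERPRINTS["myshopify.com"]}


@dataclass
class Finding:
    host: str
    target: str   # the CNAME target or the IP the host points at
    reason: str   # cname-nxdomain | provider-unclaimed | a-record-unclaimed


def provider_for(name: str) -> Optional[str]:
    """Return the fingerprint-table key whose suffix matches `name`, if any."""
    name = name.rstrip(".").lower()
    for suffix in CNAME_FINGERPRINTS:
        if name == suffix or name.endswith("." + suffix):
            return suffix
    return None


def _matches(body: Optional[str], needles: Iterable[str]) -> bool:
    return body is not None and any(n in body.lower() for n in needles)


def audit(hosts: Iterable[str],
          cname_of: Callable[[str], Optional[str]],
          a_of: Callable[[str], Optional[str]],
          fetch: Callable[[str], Optional[str]]) -> List[Finding]:
    """Flag hosts whose CNAME or A record points at an unclaimed provider slot."""
    findings: List[Finding] = []
    for host in hosts:
        target = cname_of(host)
        if target:
            provider = provider_for(target)
            if provider is None:
                continue  # CNAME to something we have no fingerprint for
            if a_of(target) is None:
                # Target name no longer resolves: the classic dangling CNAME.
                findings.append(Finding(host, target, "cname-nxdomain"))
            elif _matches(fetch(host), CNAME_FINGERPRINTS[provider]):
                # Target resolves, but the provider says nobody owns this hostname.
                findings.append(Finding(host, target, "provider-unclaimed"))
            continue
        ip = a_of(host)
        if ip in IP_FINGERPRINTS and _matches(fetch(host), IP_FINGERPRINTS[ip]):
            # The Shopify case from the POC: an A record straight to the provider.
            findings.append(Finding(host, ip, "a-record-unclaimed"))
    return findings


# --- Constructed sample data (not real DNS answers) -------------------------
SAMPLE_CNAME = {
    "cdn.example.com": "d111111abcdef8.cloudfront.net",     # distribution deleted
    "shop.example.com": "shops.myshopify.com",              # shop deleted
    "static.example.com": "d222222abcdef8.cloudfront.net",  # healthy
}
SAMPLE_A = {
    "www.example.com": "23.227.38.65",          # A record straight to Shopify
    "mail.example.com": "192.0.2.10",           # unrelated, healthy
    "shops.myshopify.com": "23.227.38.65",
    "d222222abcdef8.cloudfront.net": "198.51.100.7",
    # d111111abcdef8.cloudfront.net is deliberately absent: NXDOMAIN
}
SAMPLE_BODY = {
    "shop.example.com": "<h1>Sorry, this shop is currently unavailable.</h1>",
    "www.example.com": "<p>Only one step left to finish setting up your shop</p>",
    "static.example.com": "<html>welcome</html>",
    "mail.example.com": "<html>webmail</html>",
}
SAMPLE_HOSTS = ["cdn.example.com", "shop.example.com", "static.example.com",
                "www.example.com", "mail.example.com"]


def demo() -> List[Finding]:
    return audit(SAMPLE_HOSTS, SAMPLE_CNAME.get, SAMPLE_A.get, SAMPLE_BODY.get)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.host:20} -> {f.target:32} {f.reason}")
```

Run it as-is and it reports `cdn`, `shop` and `www` while leaving the healthy hosts alone. The `cname-nxdomain` case is the cheapest to detect and the most urgent to fix, because the name can be claimed without any interaction with your site; the two fingerprint-based cases need the provider's actual response and should be re-checked whenever a provider changes its placeholder page.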

### Reference

* Detectify article: <https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/>
* Zsec Blog: <https://blog.zsec.uk/subdomainhijack/>

### POC

* I found a website; for now call it www.target.com.
* I went to the terminal and ran a `host` command on that target:

  ```
  host www.target.com
  ```

* It was pointing its 'A' record to this IP: 23.227.38.65.
* Now I knew that this IP belongs to Shopify because I had set up a shop on Shopify a few days back (you can also check the whois record for this IP).
* I opened the website www.target.com and found a Shopify template there stating "only one step left to finish setting" (in some cases it also states "Sorry this shop is unavailable").
* Now I knew what I had to do: I signed up on Shopify with a trial account, after that I put in the same target website name, it gave me an error stating the application name already exists, so I put target.com as the name, and finally it was created.
* I went to settings; it showed me two options, "connect your domain automatically" and "connect your domain manually".
* I chose the first, automatic one, just put in that domain www.target.com, and it got connected. We are done; now we own this top-level domain.

### Analysis

* The person registered this domain name from GoDaddy and configured its DNS record pointing to Shopify's IP.
* Either he might have forgotten to create a shop, or he had created a shop, used it for a while, then deleted that shop from Shopify but didn't remove the DNS entry pointing to Shopify's IP.

**Pardon any spelling or grammar mistakes**

### Author

* Twitter Id: @Zero0x00

