Hacktricks-skills subdomain-takeover-detection

Detect and analyze domain/subdomain takeover vulnerabilities. Use this skill whenever the user mentions subdomain takeover, domain takeover, dangling DNS records, CNAME vulnerabilities, orphaned cloud resources, or wants to audit DNS records for security issues. This skill helps identify when a subdomain points to a third-party service that's no longer claimed, allowing attackers to take control.

install

source · Clone the upstream repo

git clone https://github.com/abelrguezr/hacktricks-skills

manifest: skills/pentesting-web/domain-subdomain-takeover/SKILL.MD

source content

Subdomain Takeover Detection

A skill for identifying and analyzing domain/subdomain takeover vulnerabilities during security assessments.

What is Subdomain Takeover?

Subdomain takeover occurs when a subdomain points to a third-party service (like GitHub Pages, S3, Heroku, etc.) that has been deleted or is unclaimed. An attacker can claim that resource and control the subdomain, potentially:

Phishing attacks - Display fake content on a trusted domain
Session hijacking - Steal cookies via browser transparency
CORS bypass - Access sensitive data from main domain
OAuth token theft - Intercept redirect URIs
CSP bypass - Inject malicious scripts
Email spoofing - Manipulate MX records

Detection Workflow

Step 1: Identify Target Subdomains

Gather all subdomains of the target domain:

# Using subfinder
subfinder -d target.com -o subdomains.txt

# Using amass
amass enum -d target.com -o subdomains.txt

# Using chaos projectdiscovery
chaos -d target.com -o subdomains.txt

Step 2: Resolve DNS Records

Check DNS records for each subdomain:

# Using subjack (recommended)
subjack -w subdomains.txt -t 100 -timeout 30 -o results.txt

# Using dnsreaper
dnsreaper -w subdomains.txt -o results.txt

# Manual check with dig
dig CNAME subdomain.target.com

Step 3: Identify Dangling Records

Look for CNAME records pointing to:

AWS:

*.s3.amazonaws.com

*.cloudfront.net

*.elb.amazonaws.com

Azure:

*.azurewebsites.net

*.cloudapp.net

*.blob.core.windows.net

GCP:
```
*.appspot.com
```
,
```
*.storage.googleapis.com
```
GitHub:
```
*.github.io
```
,
```
*.github.com
```
Heroku:
```
*.herokudns.com
```
Fastly:
```
*.fastly.net
```
Netlify:
```
*.netlify.app
```
,
```
*.netlify.com
```
Vercel:
```
*.vercel.app
```
Shopify:
```
*.myshopify.com
```
Zendesk:
```
*.zendesk.com
```
Atlassian:
```
*.atlassian.net
```
Twitch:
```
*.twitchcdn.net
```
Ghost:
```
*.ghost.io
```
Surge:
```
*.surge.sh
```
Firebase:
```
*.firebaseapp.com
```
DigitalOcean:
```
*.digitaloceanspaces.com
```

Step 4: Verify Takeover Possibility

For each potential target:

Check HTTP response - Look for provider-specific error pages
Check TLS certificates - Provider certificates indicate takeover potential
Attempt to claim - Create account and try to register the resource name

Step 5: Document Findings

Record:

Subdomain and DNS record
Target service provider
Evidence (HTTP response, certificate, error message)
Exploitation steps (if verified)
Impact assessment

Automated Detection Tools

Primary Tools

Tool	Purpose	Command
subjack	Fast subdomain takeover scanner	`subjack -w subdomains.txt -o results.txt`
dnsreaper	DNS enumeration and takeover	`dnsreaper -w subdomains.txt -o results.txt`
can-i-take-over-xyz	Reference for provider patterns	Check GitHub repo
nuclei	Template-based scanning	`nuclei -u subdomain.com -tags takeover`
bbot	Full reconnaissance	`bbot -t subdomain-takeover -d target.com`
subzy	Subdomain takeover scanner	`subzy -d target.com`
tko-subs	Takeover detection	`tko-subs -d target.com`

Nuclei Templates

# Install nuclei templates
git clone https://github.com/projectdiscovery/nuclei-templates

# Run takeover templates
nuclei -u https://subdomain.target.com -tags takeover -t nuclei-templates/

# Specific templates
nuclei -u https://subdomain.target.com -t nuclei-templates/misconfigurations/

Provider-Specific Detection

AWS S3

Pattern:

*.s3.amazonaws.com

*.s3-*.amazonaws.com

Detection:

curl -I https://subdomain.target.com
# Look for: "NoSuchBucket" or "404 Not Found" with S3 headers

Verification: Create S3 bucket with same name in different region

AWS CloudFront

Pattern:

*.cloudfront.net

Detection:

curl -I https://subdomain.target.com
# Look for: "NoSuchDistribution" or CloudFront error pages

GitHub Pages

Pattern:

*.github.io

Detection:

curl -I https://subdomain.target.com
# Look for: "404" with GitHub Pages error

Verification: Create GitHub Pages site with same name

Heroku

Pattern:

*.herokudns.com

Detection:

curl -I https://subdomain.target.com
# Look for: "No such app" or Heroku error page

Verification: Create Heroku app with same name

Azure Websites

Pattern:

*.azurewebsites.net

Detection:

curl -I https://subdomain.target.com
# Look for: "404" with Azure error page

GCP App Engine

Pattern:

*.appspot.com

Detection:

curl -I https://subdomain.target.com
# Look for: "404" with GCP error page

Exploitation Verification

Before Testing

Confirm scope - Ensure target is in authorized scope
Document baseline - Record current DNS and HTTP responses
Plan rollback - Know how to undo changes if needed

Verification Steps

Create account on the third-party service
Attempt to claim the resource name
Verify DNS resolution - Check if subdomain now points to your resource
Test impact - Check for cookie leakage, CORS access, etc.
Document evidence - Screenshots, HTTP responses, DNS records

Impact Testing

# Check for cookie leakage
curl -v https://subdomain.target.com -H "Cookie: test=value"

# Check CORS policy
curl -I https://subdomain.target.com -H "Origin: https://attacker.com"

# Check CSP
curl -I https://subdomain.target.com | grep -i content-security-policy

# Check for OAuth redirect
curl "https://subdomain.target.com/oauth?redirect_uri=https://attacker.com"

Mitigation Recommendations

For Organizations

Remove vulnerable DNS records - Delete CNAMEs for unused subdomains
Claim domain names - Register resources with cloud providers
Implement monitoring - Use tools like aquatone for continuous scanning
Process improvement - Make DNS cleanup part of resource decommissioning
Domain verification - Use provider verification mechanisms

For Assessments

Report all findings - Even unverified potential takeovers
Prioritize by impact - Focus on subdomains with sensitive data
Provide remediation - Clear steps to fix each vulnerability
Verify fixes - Re-test after remediation

Safety and Ethics

Authorized Testing Only

Never test domains without explicit authorization
Never claim resources you don't have permission to test
Always document scope and rules of engagement
Report findings responsibly to the organization

Responsible Disclosure

Document findings with evidence
Report to security team or bug bounty program
Wait for remediation before public disclosure
Follow responsible disclosure timelines

Common False Positives

Wildcard DNS -
```
*.target.com
```
pointing to valid IP
Active resources - CNAMEs to existing, claimed services
Load balancers - CNAMEs to active infrastructure
CDN services - Legitimate CDN configurations

Always verify by checking HTTP responses and attempting to claim the resource.

Quick Reference

DNS Record Types to Check

CNAME - Most common takeover vector
A/AAAA - Direct IP records (less common)
ALIAS/ANAME - Alias records (provider-specific)
MX - Email records (email takeover)
NS - Nameserver records (NS takeover)

Key HTTP Status Codes

404 - Resource not found (potential takeover)
403 - Forbidden (may indicate active resource)
500 - Server error (investigate further)
200 - Active resource (not vulnerable)

Error Page Indicators

"NoSuchBucket" - AWS S3
"No such app" - Heroku
"404 Not Found" with provider branding
Default error pages from cloud providers

Resources

can-i-take-over-xyz - Comprehensive takeover guide
0xpatrik subdomain takeover - Detailed tutorial
Stratus Security guide - Best practices
HackerOne guide - Bug bounty perspective