Introduction

Before we jump into the world of subdomain hijacking/takeover, let's try and understand what a subdomain is: A subdomain is an extension of your primary domain name. It helps you organize the content of your websites into different sections. Think of it as a folder with subfolders on your laptop that you use to organize your data.

Example Subdomains

In the image above, you can see two examples of subdomains on the primary domain yourdomain[.]com. blog[.]yourdomain[.]com can be used to redirect users to your blogs, and shop[.]yourdomain[.]com can be used to host your shop. You can also have a sub-subdomain on your website (example: tshirt[.]shop[.]yourdomain[.]com). DNS does not impose limits, and you can go as deep as you want, as long as your entire hostname is within the 255 character limit.

What is Subdomain Hijacking?

An attacker gaining control of one of your subdomains, even though you still own the domain, is called a subdomain takeover. This can happen when we host our subdomains on providers like AWS, GitHub, Shopify or Zendesk and configure them incorrectly. One example of such a misconfiguration is a dangling CNAME record: admins create DNS records pointing at a third-party resource but never claim that resource (or release it later) and never remove the record.

Let us go through an example to understand this better. You want to start selling merchandise for your brand and decide to use Shopify's services. Here is what you would be doing:

  1. Create your shop on Shopify - yourbrand[.]shopify[.]com
  2. Now, create a CNAME record that points shop[.]yourdomain[.]com to yourbrand[.]shopify[.]com

Every time a user tries accessing shop[.]yourdomain[.]com they will see the online store you created using Shopify. It is all good until you decide to cancel your Shopify subscription and forget to remove the associated CNAME. Once you cancel the subscription, yourbrand[.]shopify[.]com becomes available for anyone to claim and host their own shop on. And because you forgot to remove the record for shop[.]yourdomain[.]com, every time a user tries to access it, they will still be sent to yourbrand[.]shopify[.]com, which you no longer own. Shopify is just an example. Think about the subdomains of a brand using multiple third-party services like AWS, GitHub, Zendesk, and more.

There are two stages to taking over a subdomain:

  1. Discovering the subdomains on a given domain
  2. Scanning each subdomain for an outstanding threat

In this blog, we will go through each of these stages in detail.

Discovering the subdomains on a given domain

Multiple free and open-source tools are available to discover subdomains on a given domain. Two of the most common subdomain discovery tools are Sublist3r and Findomain. Both are easy to use and rely on open-source intelligence (OSINT) to gather subdomains. Once you enter a domain into one of these tools, they search multiple sources, including VirusTotal, Threatcrowd, Google, Yahoo and DNSDumpster.

Sublist3r

It is available as a terminal tool. You can clone the Sublist3r Git repository and execute it in your terminal. If you are a Python user, Sublist3r can also be installed via pip using 'pip install sublist3r'. Below is a screenshot of an example run searching for subdomains of yahoo[.]com. It detected 101,168 subdomains in under a minute.

Sublist3r sample run for yahoo.com

Findomain

Findomain can also be run from a terminal. Mac users can install it using 'brew install findomain'. Here is a sample run for yahoo[.]com. It discovered over 113,055 subdomains in 15 seconds.

Findomain sample run for yahoo.com

Detecting subdomains at risk

Once you have a list of these subdomains, it's easy to find which of them are at risk. We can determine whether a given subdomain is at risk of hijacking by simple regex matching on the content of the web page it serves.

Here is an example of a subdomain using Freshservice to host its services. An attacker can now claim this subdomain and use it to host a phishing/ scam page.

Here is another example of a subdomain using Acquia Cloud to host its services.

We compile a list of CNAMEs and the fingerprints associated with them. For example, from the Freshservice example: 'Maybe this is still fresh!' is the fingerprint and 'freshservice.com' is the CNAME. Similarly, for the Acquia Cloud example, 'If you are an Acquia Cloud customer' can be the fingerprint.

There are multiple open-source GitHub repositories out there that maintain a list of these fingerprints and keep updating them on a daily basis. All an attacker needs to do is combine the discovery tools with the fingerprinting tools to find subdomains at risk to take them over.

Here are a few:

https://github.com/EdOverflow/can-i-take-over-xyz
https://github.com/haccer/subjack/blob/master/fingerprints.json
https://github.com/anshumanbh/tko-subs/blob/master/providers-data.csv
https://github.com/ArifulProtik/sub-domain-takeover/blob/master/subdomain.py
https://github.com/SaadAhmedx/Subdomain-Takeover/blob/master/ItsOver.py
https://github.com/Ice3man543/SubOver/blob/master/providers.json
https://github.com/m4ll0k/takeover/blob/master/takeover.py
https://github.com/antichown/subdomain-takeover/blob/master/takeover.py
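The CNAME-plus-fingerprint check from the Freshservice and Acquia Cloud examples, written out as an added example for scanning your own subdomain list (it is not code from the post or from any of the repositories listed above). The two fingerprints come from the post; the Freshservice CNAME pattern, the status names and the sample subdomains are assumptions, and DNS lookups and HTTP fetches are replaced by constructed data so it runs offline. It also flags a CNAME whose target no longer resolves, which the post's fingerprint-only check would miss.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Provider:
    """One entry of the CNAME + fingerprint list described in the post."""
    name: str
    cname_pattern: Optional[str]  # regex for the CNAME target; None where the post gives no CNAME
    fingerprint: str              # text the provider serves for an unclaimed resource

# Fingerprints taken from the post; the Freshservice CNAME regex is an assumption.
PROVIDERS = [
    Provider("Freshservice", r"\.freshservice\.com\.?$", "Maybe this is still fresh!"),
    Provider("Acquia Cloud", None, "If you are an Acquia Cloud customer"),
]

def classify(cname_target: Optional[str], body: Optional[str]) -> tuple[str, Optional[str]]:
    """Classify one subdomain from its CNAME target and the page body served at it.

    cname_target: the CNAME the subdomain points at, or None if it has no CNAME.
    body: the HTTP body fetched from the subdomain, or None if the target did not resolve.
    Returns (status, provider_name); status names are our own.
    """
    if cname_target is None:
        return "no-cname", None          # A/AAAA record only: not a CNAME takeover candidate
    if body is None:
        return "dangling-unresolved", None  # target is gone: dangling, but provider unknown
    for p in PROVIDERS:
        cname_ok = p.cname_pattern is None or re.search(p.cname_pattern, cname_target, re.I)
        if cname_ok and p.fingerprint in body:
            return "at-risk", p.name     # provider's "unclaimed" page behind our CNAME
    return "ok", None

# Constructed sample data standing in for real DNS answers and HTTP responses.
SAMPLE = {
    "help.example.com": ("help-example.freshservice.com", "<h1>Maybe this is still fresh!</h1>"),
    "docs.example.com": ("docs-example.hosting.invalid", "If you are an Acquia Cloud customer, ..."),
    "old.example.com":  ("old-example.freshservice.com", None),
    "shop.example.com": ("shop-example.freshservice.com", "<h1>Welcome to our store</h1>"),
    "www.example.com":  (None, "<h1>Home</h1>"),
}

def scan(samples: dict) -> dict[str, tuple[str, Optional[str]]]:
    """Run classify() over every subdomain and return the findings keyed by hostname."""
    return {host: classify(cname, body) for host, (cname, body) in samples.items()}

if __name__ == "__main__":
    for host, (status, provider) in scan(SAMPLE).items():
        print(f"{host:18} {status:20} {provider or ''}")
```

In a real run, replace SAMPLE with the output of your discovery tool, a CNAME lookup per hostname, and an HTTP GET of each subdomain.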

Conclusion

Subdomain monitoring, like typosquatting monitoring, should be done regularly to proactively identify and mitigate threats against your domain. There are also open-source tools that can perform both discovery and detection of subdomains at risk.

About Us

This blog is published by Bolster Research Labs. We are also the creators of https://checkphish.ai - a free URL scanner that detects phishing and scam sites in real time.

If you are interested in advanced research, uncovering new scams, or working with cutting-edge AI, come work with us at Bolster Research Labs. Check out our open positions.

References

Sublist3r - https://github.com/aboul3la/Sublist3r

Findomain - https://github.com/Findomain/Findomain