Updated: Apr 22
Hey everyone, this is my third writeup this month. Today I'll be writing about how I was able to find a few subdomains of an organization that were open to takeover, as well as a DNS zone transfer, with the help of a few very simple checks.
A subdomain takeover occurs when an attacker gains control over a subdomain of a target domain. Typically this happens when the subdomain has a canonical name (CNAME) record in the Domain Name System (DNS) pointing at a resource on an external service, but that resource has been deleted or was never claimed, so anyone who registers the same name on that service ends up serving content for the subdomain. A DNS zone transfer (AXFR) is a different issue: if an attacker can perform a zone transfer against the primary or secondary name servers for a domain, they can pull every DNS record in that zone, which exposes all of the organization's hostnames in one request.
Two critical bugs found with a very simple method, so without wasting more time, let's get to the methodology.
When I selected the target I went through the target website and started gathering information. I began by enumerating DNS information; an Nmap scan didn't find any interesting port to attack, as all ports were either closed or filtered.
Then I used dnsenum, and with the help of this tool and the command
I found I was able to view all DNS records for that domain. I reported the vulnerability, but it was marked as a duplicate.
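The zone transfer check itself can be scripted with dig alone. The script below is an added example, not the author's dnsenum command: it asks each authoritative name server of the domain for an AXFR and decides from dig's output whether the transfer succeeded. A complete transfer is bracketed by the zone's SOA record (it appears first and last), while a refusal prints "; Transfer failed." and no records. It assumes dig (BIND utilities) is installed; xxxx.com and the sample records are placeholders constructed for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the original write-up): test every authoritative
# name server of a domain for an open zone transfer (AXFR) using dig.
# Assumes dig (BIND utilities) is installed; xxxx.com is a placeholder.

# Read dig's AXFR output on stdin and return 0 if it looks like a successful
# transfer: at least two SOA lines (zone start and end) and no refusal marker.
axfr_succeeded() {
  local out soa
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'Transfer failed'; then
    return 1
  fi
  soa=$(printf '%s\n' "$out" | grep -cE '[[:space:]]IN[[:space:]]+SOA[[:space:]]' || true)
  [ "$soa" -ge 2 ]
}

# Try AXFR against each NS of the domain and report which ones allow it.
check_zone_transfer() {
  local domain=$1 ns
  for ns in $(dig +short NS "$domain"); do
    if dig axfr "$domain" "@$ns" | axfr_succeeded; then
      echo "[!] $ns allows zone transfer for $domain"
    else
      echo "[-] $ns refuses zone transfer for $domain"
    fi
  done
}

# Constructed sample (not real data) of what dig prints when a server leaks
# the zone; used to exercise axfr_succeeded offline.
SAMPLE_AXFR_OPEN='xxxx.com.      3600  IN  SOA  ns1.xxxx.com. hostmaster.xxxx.com. 2024042201 7200 3600 1209600 3600
xxxx.com.      3600  IN  NS   ns1.xxxx.com.
dev.xxxx.com.  300   IN  A    192.0.2.10
xxxx.com.      3600  IN  SOA  ns1.xxxx.com. hostmaster.xxxx.com. 2024042201 7200 3600 1209600 3600'

# Constructed sample of a refused transfer.
SAMPLE_AXFR_REFUSED='; Transfer failed.'

# Run the live check when a domain is given, e.g. ./axfr_check.sh xxxx.com
if [ "$#" -eq 1 ]; then
  check_zone_transfer "$1"
fi
```

Run it with the domain as the only argument. The two SOA lines are the reliable success signal: a server that answers with a single NS record and nothing else has not transferred the zone, and a "Transfer failed." line means the server refused.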
I continued my testing and started gathering as many subdomains as I could for the application with the help of a few tools:
amass enum -d xxxx.com -o amass.txt
assetfinder xxxx.com >> assetfinder.txt
subfinder -d xxxx.com -o subfinder.txt
findomain -t xxxx.com -q -u findomain.txt
Then I put all the collected subdomains in a single file, deduplicated so that nothing is tested twice:
cat amass.txt assetfinder.txt subfinder.txt findomain.txt | sort -u > total.txt
After getting so many subdomains, I used the tool subzy to check whether any of them pointed at a resource that had not been claimed by the application:
the command that I used was
subzy -targets total.txt
and I got 2 subdomains whose CNAME targets were not claimed by the organization. That means an attacker can register the target resource on the third-party service and use the organization's subdomain for evil purposes.
I checked them manually and confirmed that the CNAME targets were not registered by the owner of the primary domain.
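A manual confirmation of a subzy hit comes down to one DNS query per host. The script below is an added example (not the author's own check): it queries each subdomain with dig, extracts the CNAME target and the response status from dig's output, and flags targets that no longer exist (NXDOMAIN), which is the classic dangling-CNAME signature. It assumes dig is installed; the hostnames and the two sample dig outputs are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the original write-up): confirm a possible subdomain
# takeover by hand. Assumes dig is installed; hostnames are placeholders.

# Read `dig +noall +comments +answer A <host>` output on stdin and print
# "<cname-target> <status>", using "-" when there is no CNAME in the answer.
parse_answer() {
  awk '
    /status:/     { s = $0; sub(/.*status: /, "", s); sub(/,.*/, "", s); status = s }
    $4 == "CNAME" { target = $5; sub(/\.$/, "", target) }
    END { printf "%s %s\n", (target == "" ? "-" : target), (status == "" ? "-" : status) }
  '
}

# Classify a (target, status) pair produced by parse_answer.
classify() {
  case "$1:$2" in
    -:*)        echo "no-cname" ;;   # nothing to take over via CNAME
    *:NXDOMAIN) echo "dangling" ;;   # target is gone: check whether the provider lets you claim it
    *:NOERROR)  echo "resolves" ;;   # target exists; it may still show a provider "unclaimed" page
    *)          echo "unknown" ;;
  esac
}

# Query one host and print "host -> target [status]: verdict".
check_takeover() {
  local host=$1 parsed target status
  parsed=$(dig +noall +comments +answer A "$host" | parse_answer)
  target=${parsed% *}
  status=${parsed#* }
  printf '%s -> %s [%s]: %s\n' "$host" "$target" "$status" "$(classify "$target" "$status")"
}

# Constructed dig output (not real data) for a subdomain whose CNAME points
# at a deprovisioned third-party host. The resolver still returns the CNAME
# in the answer section even though the final name does not exist.
SAMPLE_DANGLING=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
shop.xxxx.com.    300  IN  CNAME  old-shop.example-host.net.'

# Constructed dig output for a healthy subdomain with no CNAME at all.
SAMPLE_HEALTHY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
www.xxxx.com.     300  IN  A      192.0.2.20'

# Usage: ./takeover_check.sh total.txt
if [ "$#" -eq 1 ]; then
  while IFS= read -r host; do
    [ -n "$host" ] && check_takeover "$host"
  done < "$1"
fi
```

A "dangling" verdict is a lead, not yet a takeover: the final step is to confirm that the third-party service actually lets you register the missing name. A "resolves" verdict is not a clean bill of health either, because some providers answer for every name under their domain and show an "unclaimed" page instead, so those still deserve a look in the browser.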
I reported the vulnerability, got a reply, and thank god it was not a duplicate again.
Through this, I was recognized as a Responsible Security Researcher by that organization.
Tip: Honestly, I was not going to check for subdomain takeovers because I thought I wouldn't be lucky enough to find a critical bug that easily, but after looking at so many subdomains I told myself to give it a try. What I learned is that when we are performing a pentest we should never skip a step, because we don't know when we are going to get lucky.
Hope you find my write-up informative.
Peace and Happy Hunting..