Exercise 18: Subdomain Takeover

Objective

Learn how to exploit Subdomain Takeover vulnerabilities caused by improperly configured DNS or web server settings, and understand how to prevent such attacks by securing DNS configurations and managing subdomains.

Scenario

You are assessing a company’s web infrastructure and discover that a subdomain (test.example.com) points to a decommissioned or unclaimed server. Due to improper DNS management, this subdomain is vulnerable to a takeover, allowing attackers to control it and host malicious content.

Lab Setup

Prerequisites:

• Basic knowledge of DNS, web hosting, and security.
• Access to a DNS management platform (or simulated DNS setup).
• Tools installed: Sublist3r, Subfinder, and a web hosting platform (e.g., GitHub Pages or Heroku).

Step 1: Configure a Vulnerable Subdomain

1. Simulate a Vulnerable Subdomain
   • Set up a DNS record for test.example.com to point to a non-existent service:
     • CNAME: test.example.com → nonexistentapp.herokuapp.com
2. Verify the Subdomain is Inactive
   • Open http://test.example.com in the browser.
   • Expected Result: A 404 Not Found or Heroku Application Error message appears.

Exploitation Steps

Step 1: Discovering Vulnerable Subdomains

Use Sublist3r to enumerate subdomains:

sublist3r -d example.com

Output might reveal:

test.example.com
blog.example.com
dev.example.com

Verify if test.example.com is inactive by visiting the URL.

Step 2: Claiming the Unused Service

Create a new Heroku app:

heroku create nonexistentapp

Deploy content to the app:

echo "<h1>Subdomain Taken Over!</h1>" > index.html
heroku deploy -a nonexistentapp

Visit http://test.example.com.

Expected Result:

• The attacker’s content (Subdomain Taken Over!) is now visible, confirming the takeover.

Step 3: Hosting Malicious Content (Optional)

• An attacker could:
  • Host phishing pages.
  • Serve malware.
  • Use the subdomain for social engineering.

Solution and Prevention

Problem Analysis

• The subdomain is still resolving but points to an unclaimed service, allowing an attacker to take control.

Fixing the Vulnerability

1. Remove Unused DNS Records
   • Regularly audit and delete stale DNS records for decommissioned services.
2. Monitor DNS Changes
   • Set up DNS monitoring tools to detect unauthorized or unused subdomains.
3. Claim and Control Third-Party Services
   • Ensure all services tied to DNS records are actively managed.
4. Implement DNS Security Extensions (DNSSEC)
   • Use DNSSEC to authenticate DNS records and prevent tampering.

Testing After Fix

1. Remove or update the DNS record for test.example.com.
2. Attempt to reclaim the subdomain using a third-party service.
3. Expected Result:
   • The subdomain no longer resolves, or it is properly secured.

Conclusion

In this lab, you exploited a Subdomain Takeover vulnerability by claiming an orphaned subdomain and hosting unauthorized content. You also learned how to prevent such attacks by auditing DNS records, monitoring subdomains, and managing third-party services.