Subdomain Takeovers
Intro
In this article I'm going to show you how to use aquatone to find subdomains and perform takeovers. A subdomain takeover involves finding a subdomain with a DNS entry that is pointing at services such as AWS, CloudFront, or Unbounce but is not claimed within the service. This allows anyone with an account on one of these services to claim the subdomain. The most common occurrence of a dangling subdomain occurs when an entity discontinues a service but fails to remove the DNS entry with their domain name registrar. While the mistake seems petty the repercussions of a dangling subdomain can be catastrophic.
Discover
To takeover a subdomain we must first do a little recon on the target. Once we get a good look at our target's infrastructure we can find out which subdomains are vulnerable. As recommended by the developer of aquatone I'm using the latest version of Kali Linux. For this write-up our target's domain name will be example.com.
First we want to run this aquatone command to discover subdomains:
aquatone-discover --domain example.com
This command will discover subdomains by using online databases and simple dictionary brute force. Once finished it will create a list of subdomains in ~/aquatone/example.com/hosts.txt.
Filter
Now that we have a nice list of subdomains that the target utilizes we can use aquatone to find vulnerable subdomains.
We now execute the following command that checks the subdomains found by aquatone-discover for the possibility of a takeover:
aquatone-takeover --domain example.com
This command will print information about potentially vulnerable subdomains as well as create a a nice JSON file called takeovers.json in ~/aquatone/example.com/.
Takeover
Executing the takeover is as simple as signing up to the affected service and pointing your content to the vulnerable subdomain. From here a hostile entity could phish, defame, or perhaps perform a more complex attack such as bypassing single sign-on demonstrated here. Also note that this vulnerability is quite common out in the wild. To put that statement into perspective I spent around ~4 hours of scanning local businesses I frequent and I was able to successfully perform takeovers on two subdomains.
Conclusion
On the bright side it is very easy to avoid subdomain takeovers. Always check DNS entries when discontinuing services and perhaps spin up aquatone to audit infrastructure. Shoutout to the creator of aquatone michenriksen.