How to find subdomain takeover


First, what is subdomain takeover?
Suppose a service named 'assets' on your website, located at assets.mysite.com, is hosted at a third party like Bitbucket or Heroku at the URL mysiteasset2015.heroku.com. This service is no longer used on Heroku: you stopped using it and it expired, or you never claimed it in the first place but still added a DNS entry pointing to Heroku. An attacker can then claim it, and when you visit assets.mysite.com you are redirected to the attacker's site on Heroku.


Scenario

1- Facebook starts a new service, e.g. Shop
2- Facebook points a subdomain to the Shop service, e.g. shop.facebook.com
3- Mark stops the project and Facebook forgets to remove the subdomain record pointing to the shop system.
4- An attacker signs up for the service and claims the domain as theirs.
5- The attacker can now post a defacement or put up an HTML form asking users to log in (phishing attack).


Solution

Check your DNS configuration for subdomains pointing to services that are no longer in use.

Note from Detectify
Hackers can claim subdomains with the help of external services. This attack is practically non-traceable and affects at least 17 large service providers, and multiple domains are affected. Find out if you are one of them by using our quick tool, or go through your DNS entries and remove all which are active and unused OR pointing to external services which you do not use anymore.

How to detect?
So here we go with detection!
Detecting this issue is simple: you just need to get a list of subdomains and visit them.
If you find a "not found" style error page like this:

(screenshot: the Heroku error page)

or this:

(screenshot: the Zendesk "not claimed" error page)

"These errors are the ones for Heroku and Zendesk; consider the corresponding errors of Bitbucket, Squarespace, Shopify, Desk, Teamwork, Unbounce, Helpjuice, HelpScout, Pingdom, Tictail, Campaign Monitor, CargoCollective, StatusPage.io and Tumblr."

If you notice an error like the above, you have found a vulnerable subdomain. Congrats!!


How to find subdomains?

We have two amazing tools and we are going to explain both.

Sublist3r
The first tool is by Ahmed Aboul-Ela. It searches many sources (Google, Ask, SSL certificates) and gets you a list of valid subdomains.

Usage
python sublist3r.py -d example.com


The second tool is knockpy

An amazing tool: it performs some brute forcing and gets you a list of subdomains, and if a subdomain points to an external service it will notify you.

Installing
python knockpy.py install

Usage of knockpy
knockpy snapchat.com

Result of knock

As you can see, knock notifies you: the yellow-colored lines tell us that a domain points to a service on Heroku.


atlas.instacart.com >>> tochigi-6557.herokussl.com
bugs.instacart.com >>> akita-7862.herokussl.com

You need to visit these domains to check whether they are vulnerable or not. If you get a "no such app" error, then the subdomain is vulnerable.

(screenshot: the Heroku "no such app" error page)



EXTRA Tool

But what if we have about 250 subdomains? This process is very tiring and takes a lot of time.

We have a solution: you can create a list of "unclaimed service" fingerprints, like "no such app" in the case of Heroku, and write a script to detect these strings.

We can use sub6 to do this:
python sub6.py mylist.txt

Then review the result: every subdomain whose response matched one of the fingerprints is a candidate to check by hand.
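As an added example (not sub6's code nor the post's), here is a minimal triage script in the same spirit: for each subdomain it takes the CNAME target plus the page body fetched from it, flags targets hosted at third parties, and matches the body against unclaimed-service fingerprints. The CNAME suffix table and the sample records are constructed for illustration; the only fingerprint taken from the post is Heroku's "no such app".

```python
# Constructed map of CNAME suffix -> third-party service. Illustrative subset
# (assumed, not exhaustive); extend it with the providers your DNS zone uses.
THIRD_PARTY_SUFFIXES = {
    "herokuapp.com": "heroku",
    "herokussl.com": "heroku",
    "zendesk.com": "zendesk",
    "myshopify.com": "shopify",
    "tumblr.com": "tumblr",
    "squarespace.com": "squarespace",
    "statuspage.io": "statuspage.io",
}

# Text a provider returns for an unclaimed name. Only Heroku's "no such app"
# comes from the post; add one entry per provider after verifying its page.
UNCLAIMED_FINGERPRINTS = {
    "heroku": ("no such app",),
}

def external_service(cname):
    """Return the provider name if the CNAME target is a known third party, else None."""
    host = cname.rstrip(".").lower()
    for suffix, service in THIRD_PARTY_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return service
    return None

def classify(cname, body):
    """Triage one record: "internal", "external-ok" or "dangling" (fingerprint matched)."""
    service = external_service(cname) if cname else None
    if service is None:
        return "internal"
    text = body.lower()
    if any(fp in text for fp in UNCLAIMED_FINGERPRINTS.get(service, ())):
        return "dangling"
    return "external-ok"

def triage(records):
    """records: iterable of (subdomain, cname_or_None, body) -> dict subdomain -> status."""
    return {sub: classify(cname, body) for sub, cname, body in records}

# Constructed sample input so the script runs offline; mimics the knockpy output above.
SAMPLE = [
    ("atlas.example.com", "tochigi-6557.herokussl.com.", "<h1>No such app</h1>"),
    ("bugs.example.com", "akita-7862.herokussl.com.", "<html>Bug tracker login</html>"),
    ("www.example.com", None, "<html>Welcome</html>"),
]

if __name__ == "__main__":
    for sub, status in triage(SAMPLE).items():
        print(f"{sub:24} {status}")
```

The "dangling" entries are the ones to remove from DNS (or to claim at the provider yourself), after confirming the error page by hand.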

Exploitation

You just need to register the unclaimed name with the provider it points to. For example, if you found snapchat.heroku.com, you need to register it on Heroku.

References
Detectify
Peter Yaworski video

Tools
knock
Sublist3r
sub6 (under development)


3 COMMENTS

    • Look, we did not cover the exploitation because it is not the same in all cases. You are not injecting a payload, it is a matter of registration. Suppose the following:

      1- you found something pointing to this subdomain uber.egyserv.com
      2- the vulnerable subdomain is owned by Uber, but they did not claim it at egyserv.com
      3- search Google for 'register domain at egyserv.com'
      4- go and register, upload something like an HTML page
      5- now you exploit it
