
Practical [Sub]domain takeover
g4mm4@vnsecurity.net
Ground Zero
Subdomain takeover is the process of registering a non-existent domain name to gain
control over another domain. The most common scenario is as follows:
1. A domain name (e.g., sub.example.com) uses a CNAME record that points to another domain
(e.g., sub.example.com CNAME anotherdomain.com).
2. At some point in time, anotherdomain.com expires and becomes available for registration
by anyone.
3. Since the CNAME record is not deleted from the example.com DNS zone, anyone who
registers anotherdomain.com has full control over sub.example.com for as long as the DNS
record remains present.
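An added example, not part of the original slides: a defender-side audit of the scenario above that parses a zone, follows each CNAME chain, and lists the names whose final target no longer resolves. The sample zone, the `live` set and all function names are constructed for illustration; the provider suffixes are the ones listed on these slides.

```python
import socket

# Provider suffixes named on these slides; extend for your own estate.
CLOUD_SUFFIXES = (".trafficmanager.net", ".azurewebsites.net", ".cloudapp.net")

# Constructed sample zone for example.com (not real data).
SAMPLE_ZONE = """\
www   300 IN A     192.0.2.10
sub   300 IN CNAME anotherdomain.com.
old   300 IN CNAME sub            ; relative name, chains through sub
shop  300 IN CNAME shop-prod.azurewebsites.net.
blog  300 IN CNAME www.example.com.
"""

def _fqdn(name, origin):
    """Lower-case a name; relative names (no trailing dot) get the origin."""
    name = name.lower()
    return name.rstrip(".") if name.endswith(".") else f"{name}.{origin}"

def parse_cnames(zone_text, origin):
    """Return {owner_fqdn: target_fqdn} for each CNAME line of a simple zone."""
    cnames = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop comments, tokenize
        if "CNAME" in fields[1:-1]:              # needs an owner and a target
            i = fields.index("CNAME", 1)
            cnames[_fqdn(fields[0], origin)] = _fqdn(fields[i + 1], origin)
    return cnames

def system_resolves(name):
    """True if the local resolver returns any address for name."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:   # includes transient failures: review, don't assume
        return False

def find_dangling(zone_text, origin, resolves=system_resolves):
    """List (owner, final_target, kind) for CNAMEs whose target is unresolved."""
    cnames, findings = parse_cnames(zone_text, origin), []
    for owner in sorted(cnames):
        target, seen = cnames[owner], {owner}
        while target in cnames and target not in seen:   # follow in-zone chains
            seen.add(target)
            target = cnames[target]
        if not resolves(target):
            kind = "cloud-resource" if target.endswith(CLOUD_SUFFIXES) else "domain"
            findings.append((owner, target, kind))
    return findings

if __name__ == "__main__":
    live = {"www.example.com"}   # constructed stand-in for real DNS answers
    for owner, target, kind in find_dangling(SAMPLE_ZONE, "example.com", live.__contains__):
        print(f"REVIEW {owner} -> {target} ({kind}): target does not resolve")
```

Each finding is a record to delete or repoint; run it with the default resolver against an exported copy of your own zone.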
I see your CNAME ;)
Available Tools
Domain WILDCARD vulnerability
Dork
OK, WildCard domain in the wild
Case Study 0x05: CISCO
Case Study 0x06: Tenable
Ok, and the next Victim is…
The Biggest of Big4
CNAME *.trafficmanager.net
http://royaltyadmin.microsoft.com/
http://cam.microsoft.com/
…..
CNAME *.azurewebsites.net
*.cloudapp.net
Domestic news
Questions?
