WSTG - v4.2
Test for Subdomain Takeover
ID |
---|
WSTG-CONF-10 |
Summary
A successful exploitation of this kind of vulnerability allows an adversary to claim and take control of the victim’s subdomain. This attack relies on the following:
- The victim’s external DNS server subdomain record is configured to point to a non-existing or non-active resource/external service/endpoint. The proliferation of XaaS (Anything as a Service) products and public cloud services offer a lot of potential targets to consider.
- The service provider hosting the resource/external service/endpoint does not handle subdomain ownership verification properly.
If the subdomain takeover is successful a wide variety of attacks are possible (serving malicious content, phising, stealing user session cookies, credentials, etc.). This vulnerability could be exploited for a wide variety of DNS resource records including: A
, CNAME
, MX
, NS
, TXT
etc. In terms of the attack severity an NS
subdomain takeover (although less likely) has the highest impact because a successful attack could result in full control over the whole DNS zone and the victim’s domain.
GitHub
- The victim (victim.com) uses GitHub for development and configured a DNS record (
coderepo.victim.com
) to access it. - The victim decides to migrate their code repository from GitHub to a commercial platform and does not remove
coderepo.victim.com
from their DNS server. - An adversary finds out that
coderepo.victim.com
is hosted on GitHub and uses GitHub Pages to claimcoderepo.victim.com
using their GitHub account.
Expired Domain
- The victim (victim.com) owns another domain (victimotherdomain.com) and uses a CNAME record (www) to reference the other domain (
www.victim.com
–>victimotherdomain.com
) - At some point, victimotherdomain.com expires and is available for registration by anyone. Since the CNAME record is not deleted from the victim.com DNS zone, anyone who registers
victimotherdomain.com
has full control overwww.victim.com
until the DNS record is present.
Test Objectives
- Enumerate all possible domains (previous and current).
- Identify forgotten or misconfigured domains.
How to Test
Black-Box Testing
The first step is to enumerate the victim DNS servers and resource records. There are multiple ways to accomplish this task, for example DNS enumeration using a list of common subdomains dictionary, DNS brute force or using web search engines and other OSINT data sources.
Using the dig command the tester looks for the following DNS server response messages that warrant further investigation:
NXDOMAIN
SERVFAIL
REFUSED
no servers could be reached.
Testing DNS A, CNAME Record Subdomain Takeover
Perform a basic DNS enumeration on the victim’s domain (victim.com
) using dnsrecon
:
$ ./dnsrecon.py -d victim.com
[*] Performing General Enumeration of Domain: victim.com
...
[-] DNSSEC is not configured for victim.com
[*] A subdomain.victim.com 192.30.252.153
[*] CNAME subdomain1.victim.com fictioussubdomain.victim.com
...
Identify which DNS resource records are dead and point to inactive/not-used services. Using the dig command for the CNAME
record:
$ dig CNAME fictioussubdomain.victim.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> ns victim.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 42950
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
The following DNS responses warrant further investigation: NXDOMAIN
.
To test the A
record the tester performs a whois database lookup and identifies GitHub as the service provider:
$ whois 192.30.252.153 | grep "OrgName"
OrgName: GitHub, Inc.
The tester visits subdomain.victim.com
or issues a HTTP GET request which returns a “404 - File not found” response which is a clear indication of the vulnerability.
Figure 4.2.10-1: GitHub 404 File Not Found response
The tester claims the domain using GitHub Pages:
Figure 4.2.10-2: GitHub claim domain
Testing NS Record Subdomain Takeover
Identify all nameservers for the domain in scope:
$ dig ns victim.com +short
ns1.victim.com
nameserver.expireddomain.com
In this fictious example the tester checks if the domain expireddomain.com
is active with a domain registrar search. If the domain is available for purchase the subdomain is vulnerable.
The following DNS responses warrant further investigation: SERVFAIL
or REFUSED
.
Gray-Box Testing
The tester has the DNS zone file available which means DNS enumeration is not necessary. The testing methodology is the same.
Remediation
To mitigate the risk of subdomain takeover the vulnerable DNS resource record(s) should be removed from the DNS zone. Continous monitoring and periodic checks are recommended as best practice.
Tools
- dig - man page
- recon-ng - Web Reconnaissance framework
- theHarvester - OSINT intelligence gathering tool
- Sublist3r - OSINT subdomain enumeration tool
- dnsrecon - DNS Enumeration Script
- OWASP Amass DNS enumeration