This document explains subdomain takeover, a vulnerability resulting from misconfigured DNS CNAME records that can allow attackers to claim subdomains pointing to unutilized external services. It describes what subdomains and CNAME records are, the impact of subdomain takeovers, and methods for discovering CNAME records. Mitigation strategies include removing outdated DNS configurations and utilizing domain monitoring services.

1. Subdomain Take Over
PRESENTED BY
HEENA RAWAL
ATTACK & PENTEST TEAM

2. Index
What is Domain Name Service?
How it works?
What is Subdomain?
What is Subdomain Takeover?
All About CNAME
How to find CNAME records?
Impact of the issue
Let’s Takeover Subdomain (Practical_approach)
Mitigation
Reference

3. What is domain name services ?

5. How DNS work?
Facebook.com
Hey resolver !!
What is the IP
address of
facebook.com

6. What is subdomain?
support.facebook.com
Main Domain
Subdomain Domain
Extension
Subdomain is a part of main domain. In above URL, main domain name
is facebook with extension .com and part of this main domain is support which
is called subdomain of this main domain.

7. Why?

8. What is subdomain takeover?
Subdomain Takeover is a type of vulnerability which occurs due to
Misconfiguration of DNS CNAME records or forget to delete DNS entry.
Scenario Example: when a company has configured a DNS CNAME entry for
one of its subdomains pointing to an external service (ex: Heroku, Github
Pages, Bitbucket, Tilda, AWS S3 Bucket, Shopify etc.) but the service is no
longer utilized by that company. In that condition, an attacker could register
to the external service and claim the affected subdomain to configure
his/her services to point affected subdomain.

9. All about CNAME
A (CNAME) Canonical Name record is a type of resource record in the
Domain Name System which maps one domain name to another This can
prove convenient when running multiple services from a single IP address
such as www, mail, blog etc are used while using domain hosting.

10. How to find CNAME records?
There is n-number of ways to find the CNAME record to
associate subdomain. In this section, I'll show you a few
of techniques to find the CNAME record of the specific
subdomain.
DIG COMMAND
Command
DNS Server
Subdomain Name
Type

11. Output

12. Impact of the issue
Easy to sign up for a new account
An attacker can build a complete clone of the site
It is a covert operation that even the domain owner won’t notice
Authentication bypass, CORS bypass & Many other high risk vulnerabilities.

14. Mitigation
Remove the DNS-configuration of the external service on your subdomain.
SOC Analyst Part
Domain monitoring is a service for monitoring your subdomains for potential
subdomain takeovers. It monitors changes within public DNS resolvers and
warns you as soon as we detect any anomalies.

15. References
 https://blog.initd.sh/others-attacks/mis-configuration/subdomain-takeover-
explained/
 https://0xpatrik.com/subdomain-takeover-ns/
https://cloudacademy.com/blog/how-dns-works/

16. Thank You …