subdomain-takeover

Understanding Subdomain Takeover: A Comprehensive Guide

Introduction

Subdomains are integral components of domain names, serving as unique identifiers for subdomains that range from one character to three digits. Each subdomain is associated with a hostname and IP address, making them essential in hosting infrastructure. However, these subdomains can be manipulated to bypass security measures, leading to the term "subdomain takeover." This guide explores the mechanisms behind subdomains, potential vulnerabilities, attacks, and how hackers can exploit them.

Technical Explanation

How Subdomains Work

Subdomains are nested within each other, with each level serving as a unique identifier. For example, .com has a hostname of 127.0.0.1 and an IP address of 98.36.76.55. Each subdomain can be targeted to manipulate the flow of requests on a hosting platform.

Port Forwarding

Subdomains leverage port forwarding by redirecting requests to another domain using hostnames. This technique allows attackers to force specific services to respond, enabling them to capture traffic or breach systems. For instance, a request to www.subdomains.com may be redirected to www.subdomains.com.br if the subdomain .br is targeted.

Brute-Force Attacks

Bruteforce attacks involve guessing passwords or usernames in an exhaustive manner. Subdomains can be accessed by targeting each subdomain individually. This approach requires a combination of port forwarding and brute-force methods, as access might be granted through ports like 80 (HTTPS) or 443 (TLS).

Code Examples

Port Forwarding Example with Python

from subdomain import Subdomain, IP

# Create a subdomain instance
subdomain = Subdomain(domain='subdomains.com.br', port='80')

# Request to www.subdomains.com can be redirected to www.subdomains.com.br
response = subdomain('www.subdomains.com')
print(response.text)

Brute-Force Attack Script

from urllib.parse import parse_qs
import requests

url = f"https://example.com"
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101',
    'Access-Control': 'Kernel-Supplied'
}

data = {
    'domain': 'subdomains.example.com.br',
    'query': f'key=hello'
}

response = requests.get(url, headers=headers, params=data)
print('Response:', response.text)

# Extract the query parameters
parsed_data = parse_qs(response.text.split('\n')[10].strip())
print(parsed_data['key'] == 'hello')

Defense Techniques

Exploiting Subdomains and IPs

Access to subdomains or IPs can be exploited by targeting specific servers using known usernames and passwords. Developers and administrators must ensure that sensitive data is stored in a secure environment.

Domain-Specific defenses

Utilizing DNS records for domains, subdomains, and IP addresses is crucial. Proper configuration ensures that the target domain's IP address is reserved for authorized traffic only.

Conclusion

Subdomains offer critical services yet are vulnerable to malicious attacks. By understanding their mechanisms and employing defense strategies, organizations can mitigate risks associated with subdomain takeover.