
Subdomain takeover for phishing and profit!

  1. #1
    oatking Yung Blood
    Hi y'all, today I want to talk to you about our lord and savior, joshua ha nocri. Or not. Or really about using subdomains to launch uber-realistic phishing campaigns not only at the users of a service, but its employees as well.

    A lot of services today have subdomains that point your browser to some special area of a site - stuff like blog.example.com, helpdesk.niggasin.space, sales.bigcorp.com etc. If this area of a site is provided by a 3rd party service (i.e. tumblr, hubspot, zendesk, wordpress, etc.) then there's a danger that at some point in time the company will stop using that service. Not many developers usually have access to the DNS records of their company, so taking a record out requires the presence of a beta-geek in the company. That person is usually pretty busy taking part in meetings and watching Silicon Valley or something, so they put this off. It's a super low priority item. Here's where you come in.

    If the 3rd party service expired, it's usually possible to register with that service and get the exact same CNAME record (web address) that was in use before. Let's say BigCorp had a blog hosted at bigcorp.wordpress.com (CNAME under wordpress.com's control) and they had a CNAME record (under their control) "blog.bigcorp.com". They let that wordpress.com account expire, so you jump in and register your own blog at "bigcorp.wordpress.com". When a user enters "blog.bigcorp.com" into their browser, their browser loads your blog under the *.bigcorp.com domain!

    This leads to two things:
    1. Phishing. If you play around with graphics and stuff, you have a fool-proof phishing vector. You have a super-legit looking URL for your phishing page, just send it out and collect credentials.
    2. I think you can also do XSS, but I'm not sure. The single-origin policy should step in here and block any attempt, but maybe you can at least bypass CORS? What do you guys think?

    This is really low hanging fruit and worth a shot, especially since checking for it requires minimal interaction with the target. You can use a subdomain enumeration tool like https://github.com/TheRook/subbrute to list most subdomains for a domain. Let it do its thing for a few minutes while you search for other vulnerabilities. When you have a list of subdomains you can check them out either by browsing to each URL and seeing if you get to a 3rd party service page, or you can try using dig (http://linux.die.net/man/1/dig) to see if a given subdomain points to another CNAME. Usually the CNAME will give away if it belongs to a 3rd party service, i.e. 1vsfd-123as.hubspot.com or something similar. Using the dig approach, you still have to visit that URL to see if the service expired and if you can register a new account in its place.

    edit: Here's how "serious" this stuff is: https://vulners.com/hackerone/H1:38007 (look at the 1000$ bounty awarded, hella yeah).
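The dig-based check from post #1, written out as an added example (not code from the original post or from any tool it links). It walks each subdomain's CNAME chain, notes whether the chain ends at a name that exists, is NXDOMAIN, or loops, and flags terminal names under a third-party hosting suffix. All names, records and suffixes (`bigcorp.example`, `wordpress.example`, `hubspot.example`, the `FAKE_DNS` table) are constructed on the reserved `.example` TLD so the script runs offline; `dnspython_lookup` is an optional live resolver that assumes the dnspython package is installed.

```python
"""Dangling-CNAME triage for subdomain-takeover hunting.

Added example, not part of the original post. All names, records and
provider suffixes below are constructed (reserved .example TLD).
"""
from typing import Callable, Dict, List, Optional, Tuple

# Lookup(name, rrtype) -> rdata strings; [] if the name exists but has no
# record of that type; None if the name does not exist at all (NXDOMAIN).
Lookup = Callable[[str, str], Optional[List[str]]]

# Constructed zone data standing in for real dig answers.
FAKE_DNS: Dict[str, Dict[str, List[str]]] = {
    "blog.bigcorp.example": {"CNAME": ["bigcorp.wordpress.example."]},
    # no entry for bigcorp.wordpress.example: the provider account expired -> NXDOMAIN
    "help.bigcorp.example": {"CNAME": ["1vsfd-123as.hubspot.example."]},
    "1vsfd-123as.hubspot.example": {"A": ["198.51.100.10"]},  # still claimed
    "www.bigcorp.example": {"CNAME": ["edge.bigcorp.example."]},
    "edge.bigcorp.example": {"A": ["203.0.113.5"]},  # first-party target
    "loop.bigcorp.example": {"CNAME": ["loop2.bigcorp.example."]},
    "loop2.bigcorp.example": {"CNAME": ["loop.bigcorp.example."]},  # misconfigured loop
    "old.bigcorp.example": {"CNAME": ["app.defunct-provider.example."]},
}

# Hypothetical provider suffixes; use the real ones (wordpress.com, hubspot.net,
# zendesk.com, ...) when running this against a live target.
THIRD_PARTY_SUFFIXES = ("wordpress.example", "hubspot.example", "zendesk.example")


def norm(name: str) -> str:
    """Lower-case and drop the trailing dot dig/dnspython put on owner names."""
    return name.strip().lower().rstrip(".")


def fake_lookup(name: str, rrtype: str) -> Optional[List[str]]:
    recs = FAKE_DNS.get(norm(name))
    return None if recs is None else recs.get(rrtype, [])


def dnspython_lookup(name: str, rrtype: str) -> Optional[List[str]]:
    """Live resolver with the same contract; assumes dnspython is installed."""
    import dns.resolver  # lazy import so the module still loads offline
    try:
        return [r.to_text() for r in dns.resolver.resolve(name, rrtype)]
    except dns.resolver.NXDOMAIN:
        return None
    except dns.resolver.NoAnswer:
        return []


def follow_cname(name: str, lookup: Lookup, max_hops: int = 8) -> Tuple[List[str], str]:
    """Walk the CNAME chain; returns (chain, status) with status in
    'resolves', 'no_address', 'nxdomain', 'loop', 'too_long'."""
    current = norm(name)
    chain, seen = [current], {current}
    for _ in range(max_hops):
        cnames = lookup(current, "CNAME")
        if cnames is None:
            return chain, "nxdomain"
        if not cnames:  # end of chain: does the terminal name have an address?
            return chain, "resolves" if lookup(current, "A") else "no_address"
        target = norm(cnames[0])
        chain.append(target)
        if target in seen:
            return chain, "loop"
        seen.add(target)
        current = target
    return chain, "too_long"


def is_third_party(name: str) -> bool:
    n = norm(name)
    return any(n == s or n.endswith("." + s) for s in THIRD_PARTY_SUFFIXES)


def classify(subdomain: str, lookup: Lookup = fake_lookup) -> Dict[str, object]:
    """Turn a CNAME walk into a triage verdict for one subdomain."""
    chain, status = follow_cname(subdomain, lookup)
    if len(chain) == 1:
        verdict = "no-record" if status == "nxdomain" else "direct"
    elif status == "nxdomain":
        # CNAME points at a name nobody answers for: the classic takeover smell.
        verdict = "TAKEOVER-CANDIDATE" if is_third_party(chain[-1]) else "DANGLING"
    elif status == "resolves" and is_third_party(chain[-1]):
        verdict = "third-party (browse it: the provider may show an unclaimed page)"
    elif status == "loop":
        verdict = "cname-loop"
    else:
        verdict = "ok"
    return {"subdomain": norm(subdomain), "chain": chain, "status": status, "verdict": verdict}


def audit(subdomains: List[str], lookup: Lookup = fake_lookup) -> Dict[str, str]:
    """Verdict per subdomain, e.g. for a list produced by subbrute."""
    return {norm(s): str(classify(s, lookup)["verdict"]) for s in subdomains}


if __name__ == "__main__":
    for name in [n for n in FAKE_DNS if n.endswith(".bigcorp.example")]:
        r = classify(name)
        print(f"{r['verdict']:<22} {' -> '.join(r['chain'])} [{r['status']}]")
```

A `DANGLING` verdict whose terminal name is under a domain nobody has registered (the `old.bigcorp.example` case) is worth a second look too: if the whole apex is available, registering it takes over the subdomain just as surely as re-creating an expired provider account. Either way the script only narrows the list; as the post says, you still have to visit the URL to confirm the name is claimable.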
  2. #2
    Sophie Pedophile Tech Support
    Good write up, with regards to XSS and CORS I came across an article that might be interesting to add to the discussion. You can craft a request using XHR to exploit cross site request forgery vulnerabilities. Not exactly XSS, but similar. The XHR will fire the request, however if the CORS HTTP response headers are not present the XHR will fail the response. But in order for the browser to see if the headers are present it has to make the request regardless. Which would be useful for making CSRF exploits such as cross-site file upload attacks that wouldn't be possible under other circumstances.

    http://blog.kotowicz.net/2011/05/cro...le-upload.html
  3. #3
    oatking Yung Blood
    Thanks homie, hope it's something everyone here can add to their host of techniques, especially since it's so easy.
  4. #4
    oatking Yung Blood
    Here's another example of what subdomain takeover can give you: 10.000$ bug bounty or the ability to read logs/emails: http://blog.pentestnepal.tech/post/149985438982/how-i-was-able-to-read-uber-logs-and-internal. I admit that I don't get the email-related part of DNS, but I'm bookmarking this piece and coming back to it after figuring out how MX records work exactly.
  5. #5
    Sophie Pedophile Tech Support
    Here's another example of what subdomain takeover can give you: 10.000$ bug bounty or the ability to read logs/emails: http://blog.pentestnepal.tech/post/1...s-and-internal. I admit that I don't get the email-related part of DNS, but I'm bookmarking this piece and coming back to it after figuring out how MX records work exactly.

    Sweet bounty, personally I think I would certainly benefit from increasing my knowledge with regards to network architecture and networking in general.