Just how easy is it to take over a domain or a subdomain?
I will tell you now it is really easy to do!
The first part is recon. If you want to check a specific domain, you need to enumerate all of its subdomains and then run something like https://github.com/anshumanbh/tko-subs against them to see whether any of the dangling records can be hijacked.
If you just want random websites, here is a quick way to find them.
S3 buckets: https://publicwww.com/websites/NoSuchBucket lists sites whose page source contains the S3 "NoSuchBucket" error, i.e. a hostname still pointing at S3 for a bucket that no longer exists. All you have to do is check where the A record (or CNAME) is pointing and create an S3 bucket with exactly the same name as the domain, in the region the endpoint belongs to.
Example: z4.net points to 126.96.36.199, and a PTR lookup on that address returns s3-website-us-west-2.amazonaws.com. That means we just need to create a bucket named z4.net in the us-west-2 region and it's all done. (Bucket names are global, so if someone has already claimed that name you cannot take it.)
Another nice and easy one…
Find a domain in the results at the link below whose name does not end in .github.io; those are custom domains whose CNAME still points at a GitHub Pages site that no longer exists.
Then create a repo on your GitHub account, enable GitHub Pages in its settings, and add a file called CNAME containing the domain. GitHub Pages honours only the first line of that file, so it is one domain per repository; use a separate repo for each domain you want to claim.
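To make the two checks above concrete, here is an added example (my code, not the author's or any tool's) that classifies a hostname as an S3 or GitHub Pages takeover candidate from its DNS target and the body it serves. The sample hostnames and responses are constructed, not real lookups; the fingerprint strings are the standard error texts the two services return for an unclaimed name. `probe()` does live lookups and is the only part that touches the network.

```python
import re
import socket
import urllib.error
import urllib.request

# Fingerprints for the two services discussed above. The DNS pattern is matched
# against the CNAME target, or against the PTR name of the A record when there is
# no CNAME; the body string is what each service serves for an unclaimed name.
S3_WEBSITE_RE = re.compile(r"s3-website[.-]([a-z0-9-]+)\.amazonaws\.com$")
S3_BODY = "NoSuchBucket"
GITHUB_PAGES_RE = re.compile(r"\.github\.io$")
GITHUB_BODY = "There isn't a GitHub Pages site here"


def classify(host, dns_target, body):
    """Decide whether `host` looks claimable from its DNS target and HTTP body.

    Returns a dict saying what would have to be created, or None if neither
    fingerprint matches (for example when the bucket exists and serves content).
    """
    target = dns_target.rstrip(".").lower()
    m = S3_WEBSITE_RE.search(target)
    if m and S3_BODY in body:
        # The bucket must be named exactly `host` and created in the region
        # encoded in the endpoint, or S3 will not serve it for this Host header.
        return {"service": "s3", "region": m.group(1), "create": host}
    if GITHUB_PAGES_RE.search(target) and GITHUB_BODY in body:
        # A Pages repo whose CNAME file contains `host` takes over the name.
        return {"service": "github-pages", "target": target, "create": host}
    return None


def resolve_target(host):
    """Live lookup: the CNAME chain end if there is one, else the PTR of the A record."""
    try:
        canonical, _aliases, addrs = socket.gethostbyname_ex(host)
    except socket.gaierror:
        return None  # NXDOMAIN or resolver failure
    if canonical != host:
        return canonical
    try:
        return socket.gethostbyaddr(addrs[0])[0]
    except (socket.herror, IndexError):
        return None


def fetch_body(host, timeout=5):
    """Live fetch of http://host/ ; a 4xx such as S3's 404 still yields its body."""
    req = urllib.request.Request(f"http://{host}/", headers={"Host": host})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return ""


def probe(host):
    """Live check of one hostname; returns the same dict as classify() or None."""
    target = resolve_target(host)
    if target is None:
        return None
    return classify(host, target, fetch_body(host))


# Constructed sample data (hypothetical hostnames, no real lookups) so the
# classification logic can be exercised offline.
SAMPLES = [
    ("shop.example.com", "s3-website-us-west-2.amazonaws.com",
     "<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message></Error>"),
    ("docs.example.com", "acme-old.github.io",
     "<title>Site not found &middot; GitHub Pages</title><p>There isn't a GitHub Pages site here.</p>"),
    ("www.example.com", "s3-website-us-west-2.amazonaws.com",
     "<html>Welcome to our live store</html>"),  # bucket exists: not claimable
]

if __name__ == "__main__":
    for sample_host, sample_target, sample_body in SAMPLES:
        print(sample_host, "->", classify(sample_host, sample_target, sample_body))
```

Run it as a script to see the three constructed samples classified, or call `probe("sub.example.com")` against a hostname from your recon list. Only a match on both the DNS target and the error body is reported, because a hostname that merely points at an S3 or Pages endpoint is not claimable while the bucket or site still exists.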
For more information check out Ed's GitHub.
Big thanks to https://twitter.com/olihough86 for pointing this out.