Just how easy is it to do a domain or subdomain takeover?


I will tell you now it is really easy to do!

The first part is recon. If you want to check a specific domain, enumerate all of its subdomains and run something like https://github.com/anshumanbh/tko-subs over the list to see whether any of them can be hijacked: it resolves each name and matches the CNAME target and the HTTP response against a list of known provider fingerprints.

If you want random websites instead, here is a quick way to find them.

S3 buckets: https://publicwww.com/websites/NoSuchBucket lists sites whose pages contain S3's NoSuchBucket error, which S3 returns when a hostname is routed to an S3 website endpoint but no bucket of that name exists. All you have to do is check where the domain's A record is pointing, confirm it is an S3 website endpoint, and create a bucket named exactly after the domain in that endpoint's region. Both details matter: S3 picks the bucket from the Host header, so the name has to match the hostname, and a regional website endpoint only serves buckets in its own region.

Example: z4.net resolves to 54.231.168.35, and a PTR lookup on that address returns s3-website-us-west-2.amazonaws.com, so we just need to create a bucket called z4.net in us-west-2 and it's done.

GitHub Pages

Another nice and easy one…

Find a domain on the link below that does not have .github.io in the domain name. A *.github.io host belongs to the GitHub account of that name, so nobody else can claim it; a custom domain that still points at GitHub Pages after its repository was deleted or unpublished is what you are after.

https://publicwww.com/websites/"There+isn%27t+a+Github+Pages+site+here"/

Then create a repo on your GitHub account, enable Pages in its settings, and add a file called CNAME at the root of the published branch containing the target domain. GitHub honours only one custom domain per repository, so use a separate repo for each domain you want to claim.

Example: http://sgr-ksmt.org/
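The two checks described above (S3 via the PTR name plus NoSuchBucket, GitHub Pages via its "no site here" page on a non-github.io host) in code. This is an added example, not code from the original post or from tko-subs. The hostnames are the page's examples, but the PTR names and HTTP bodies in SAMPLES are constructed for the example, and resolve_ptr is an assumed live helper that the offline sample does not call.

```python
"""Offline classifier for the two takeover fingerprints discussed on this page."""
import re
import socket
from dataclasses import dataclass
from typing import Optional

# PTR name of an S3 static-website endpoint, e.g. s3-website-us-west-2.amazonaws.com
# (newer regions use a dot instead: s3-website.us-east-2.amazonaws.com).
S3_WEBSITE_RE = re.compile(r"^s3-website[-.]([a-z0-9-]+)\.amazonaws\.com\.?$", re.I)
S3_FINGERPRINT = "NoSuchBucket"          # XML error code S3 returns for a missing bucket
GITHUB_FINGERPRINT = "there isn't a github pages site here"
GITHUB_PAGES_SUFFIX = ".github.io"


@dataclass
class Candidate:
    host: str
    provider: str
    action: str


def check_s3(host: str, ptr_name: Optional[str], body: str) -> Optional[Candidate]:
    """Dangling S3 website alias: the host resolves to an S3 website endpoint and
    S3 answers NoSuchBucket, so a bucket named after the host can be created in
    that endpoint's region."""
    if not ptr_name:
        return None
    m = S3_WEBSITE_RE.match(ptr_name)
    if not m or S3_FINGERPRINT not in body:
        return None                      # not an S3 endpoint, or the bucket exists
    region = m.group(1).lower()
    return Candidate(host, "s3", f"create bucket '{host}' in region {region}")


def check_github_pages(host: str, body: str) -> Optional[Candidate]:
    """Dangling GitHub Pages custom domain: GitHub serves its 'no site here' page
    for a host that is NOT *.github.io (those names belong to GitHub accounts and
    cannot be claimed by adding a CNAME file to a repo)."""
    if host.lower().endswith(GITHUB_PAGES_SUFFIX):
        return None
    if GITHUB_FINGERPRINT not in body.lower():
        return None
    return Candidate(host, "github-pages",
                     f"add a CNAME file containing '{host}' to a Pages repo")


def classify(host: str, ptr_name: Optional[str], body: str) -> Optional[Candidate]:
    """First matching provider wins; None means nothing claimable was seen."""
    return check_s3(host, ptr_name, body) or check_github_pages(host, body)


def resolve_ptr(host: str) -> Optional[str]:
    """Assumed live helper (not used by the offline sample): A record, then PTR,
    which is the lookup the page does by hand for z4.net."""
    try:
        ip = socket.gethostbyname(host)
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


# Constructed sample observations: the hostnames are the page's examples, the PTR
# names and response bodies are made up for this example, not captured traffic.
SAMPLES = [
    ("z4.net", "s3-website-us-west-2.amazonaws.com",
     "<Error><Code>NoSuchBucket</Code><BucketName>z4.net</BucketName></Error>"),
    ("sgr-ksmt.org", None,
     "<h1>404</h1><p>There isn't a GitHub Pages site here.</p>"),
    ("someone.github.io", None,
     "<p>There isn't a GitHub Pages site here.</p>"),      # GitHub-owned name
    ("live.example", "s3-website-us-west-2.amazonaws.com",
     "<html>bucket is in use</html>"),                       # bucket exists
]


def scan(samples=SAMPLES):
    found = []
    for host, ptr_name, body in samples:
        candidate = classify(host, ptr_name, body)
        if candidate:
            found.append(candidate)
    return found


if __name__ == "__main__":
    for c in scan():
        print(f"{c.host}: {c.provider} -> {c.action}")
```

On real targets, replace the constructed PTR names and bodies with the output of resolve_ptr and an HTTP GET of the host; the classification logic does not change. The *.github.io exclusion and the "bucket exists" sample are the two cases that trip people up in practice: a matching fingerprint alone is not enough.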

For more information, check out EdOverflow's can-i-take-over-xyz repo, which tracks which providers are and are not vulnerable:

https://github.com/EdOverflow/can-i-take-over-xyz

Big thanks to https://twitter.com/olihough86 for pointing this out.