subdomain-takeover

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

SKILL: Subdomain Takeover — Detection & Exploitation Playbook

SKILL: 子域名接管 —— 检测与利用手册

AI LOAD INSTRUCTION: Covers CNAME/NS/MX takeover, per-provider fingerprint matching, claim procedures, and defensive monitoring. Base models often confuse "CNAME exists" with "takeover possible" — the key is whether the resource behind the CNAME is unclaimed and claimable.

AI加载说明：覆盖CNAME/NS/MX接管、各服务商指纹匹配、认领流程和防御监控。基础模型常将「存在CNAME记录」与「可被接管」混淆，核心判断标准是CNAME背后的资源是否处于未认领且可认领的状态。

0. RELATED ROUTING

0. 相关关联技能

ssrf-server-side-request-forgery when a subdomain takeover is used to bypass SSRF allowlists trusting
```
*.target.com
```
cors-cross-origin-misconfiguration when CORS trusts
```
*.target.com
```
— takeover → full cross-origin read
xss-cross-site-scripting takeover gives you script execution under target origin (cookie theft, OAuth redirect abuse)
http-host-header-attacks when Host routing leads to subdomain-scoped cache or auth issues
web-cache-deception when a taken-over subdomain shares cache with the main domain

当子域名接管被用于绕过信任
```
*.target.com
```
的SSRF白名单时，参考ssrf-server-side-request-forgery
当CORS信任
```
*.target.com
```
时，参考cors-cross-origin-misconfiguration——接管后可实现完整跨域读取
接管后可在目标源下执行脚本（Cookie窃取、OAuth重定向滥用），参考xss-cross-site-scripting
当Host路由导致子域名范围的缓存或认证问题时，参考http-host-header-attacks
当被接管的子域名与主域名共享缓存时，参考web-cache-deception

1. CORE CONCEPT

1. 核心概念

Subdomain takeover occurs when:

```
sub.target.com
```
has a DNS record (CNAME, NS, A) pointing to an external service
The external resource is no longer provisioned (deleted S3 bucket, removed Heroku app, etc.)
The attacker can register/claim that exact resource name on the provider
The attacker now controls content served under
```
sub.target.com
```

Impact: cookie theft (parent domain cookies), OAuth token interception, phishing under trusted domain, CORS bypass, CSP bypass via whitelisted subdomain.

子域名接管发生需满足以下条件：

```
sub.target.com
```
存在指向外部服务的DNS记录（CNAME、NS、A）
对应外部资源已被释放（如删除的S3存储桶、移除的Heroku应用等）
攻击者可在对应服务商处注册/认领完全同名的资源
攻击者由此可控制
```
sub.target.com
```
下提供的所有内容

影响：Cookie窃取（父域Cookie）、OAuth令牌拦截、可信域名下钓鱼、CORS绕过、通过白名单子域名绕过CSP。

2. DETECTION METHODOLOGY

2. 检测方法

2.1 CNAME Enumeration

2.1 CNAME枚举

1. Collect subdomains (amass, subfinder, assetfinder, crt.sh, SecurityTrails)
2. Resolve DNS for each:
   dig CNAME sub.target.com +short
3. For each CNAME → check if the CNAME target returns NXDOMAIN or a provider error
4. Match error response against fingerprint table (Section 3)

1. 收集子域名（amass、subfinder、assetfinder、crt.sh、SecurityTrails）
2. 解析每个子域名的DNS记录：
   dig CNAME sub.target.com +short
3. 对每个CNAME，检查其目标是否返回NXDOMAIN或服务商错误
4. 将错误响应与指纹对照表（第3节）匹配

2.2 Key Signals

2.2 关键信号

Signal	Meaning
CNAME → `xxx.s3.amazonaws.com` + HTTP 404 "NoSuchBucket"	S3 bucket deleted, claimable
CNAME → `xxx.herokuapp.com` + "No such app"	Heroku app deleted
CNAME → `xxx.github.io` + 404 "There isn't a GitHub Pages site here"	GitHub Pages unclaimed
NXDOMAIN on the CNAME target domain itself	Target domain expired or never existed
CNAME → provider but HTTP 200 with default parking page	May or may not be claimable — verify

信号	含义
CNAME指向 `xxx.s3.amazonaws.com` + HTTP 404 "NoSuchBucket"	S3存储桶已删除，可认领
CNAME指向 `xxx.herokuapp.com` + "No such app"	Heroku应用已删除
CNAME指向 `xxx.github.io` + 404 "There isn't a GitHub Pages site here"	GitHub Pages未被认领
CNAME目标域名本身返回NXDOMAIN	目标域名已到期或从未注册
CNAME指向服务商但HTTP 200返回默认停放页	可能可认领，需进一步验证

2.3 Automated Tools

2.3 自动化工具

Tool	Purpose
`subjack`	Automated CNAME takeover checking
`nuclei -t takeovers/`	Nuclei takeover detection templates
`can-i-take-over-xyz` (GitHub)	Reference for which services are vulnerable
`dnsreaper`	Multi-provider takeover scanner
`subzy`	Fast subdomain takeover verification

工具	用途
`subjack`	自动化CNAME接管检查
`nuclei -t takeovers/`	Nuclei接管检测模板
`can-i-take-over-xyz` (GitHub)	各服务脆弱性参考手册
`dnsreaper`	多服务商接管扫描器
`subzy`	快速子域名接管验证工具

3. SERVICE PROVIDER FINGERPRINT TABLE

3. 服务商指纹对照表

Provider	CNAME Pattern	Fingerprint (HTTP Response)	Claimable?
AWS S3	`.s3.amazonaws.com` / `.s3-website-*.amazonaws.com`	`NoSuchBucket` (404)	Yes — create bucket with matching name
GitHub Pages	`*.github.io`	`There isn't a GitHub Pages site here` (404)	Yes — create repo + enable Pages
Heroku	`.herokuapp.com` / `.herokudns.com`	`No such app`	Yes — create app with matching name
Azure	`.azurewebsites.net` / `.cloudapp.azure.com` / `*.trafficmanager.net`	Various default pages, NXDOMAIN	Yes — register matching resource
Shopify	`*.myshopify.com`	`Sorry, this shop is currently unavailable`	Yes — create shop, add custom domain
Fastly	CNAME to Fastly edge	`Fastly error: unknown domain`	Yes — add domain to Fastly service
Pantheon	`*.pantheonsite.io`	`404 Site Not Found` with Pantheon branding	Yes
Tumblr	`*.tumblr.com` (custom domain CNAME)	`There's nothing here` / `Whatever you were looking for doesn't exist`	Yes
WordPress.com	CNAME to `*.wordpress.com`	`Do you want to register`	Yes — claim domain in WP.com
Zendesk	`*.zendesk.com`	`Help Center Closed` / Zendesk branding on error	Yes — create matching subdomain
Unbounce	`*.unbouncepages.com`	`The requested URL was not found`	Yes
Ghost	`*.ghost.io`	`404 Not Found` Ghost error	Yes
Surge.sh	`*.surge.sh`	`project not found`	Yes
Fly.io	CNAME to `*.fly.dev`	Fly.io default 404	Yes

服务商	CNAME匹配规则	指纹（HTTP响应）	可认领？
AWS S3	`.s3.amazonaws.com` / `.s3-website-*.amazonaws.com`	`NoSuchBucket` (404)	是——创建同名存储桶即可
GitHub Pages	`*.github.io`	`There isn't a GitHub Pages site here` (404)	是——创建仓库并开启Pages即可
Heroku	`.herokuapp.com` / `.herokudns.com`	`No such app`	是——创建同名应用即可
Azure	`.azurewebsites.net` / `.cloudapp.azure.com` / `*.trafficmanager.net`	各类默认页面、NXDOMAIN	是——注册同名资源即可
Shopify	`*.myshopify.com`	`Sorry, this shop is currently unavailable`	是——创建店铺，添加自定义域名即可
Fastly	CNAME指向Fastly边缘节点	`Fastly error: unknown domain`	是——在Fastly服务中添加域名即可
Pantheon	`*.pantheonsite.io`	带Pantheon品牌标识的 `404 Site Not Found`	是
Tumblr	`*.tumblr.com` （自定义域名CNAME）	`There's nothing here` / `Whatever you were looking for doesn't exist`	是
WordPress.com	CNAME指向 `*.wordpress.com`	`Do you want to register`	是——在WP.com认领域名即可
Zendesk	`*.zendesk.com`	`Help Center Closed` / 带Zendesk品牌标识的错误页	是——创建同子域名即可
Unbounce	`*.unbouncepages.com`	`The requested URL was not found`	是
Ghost	`*.ghost.io`	`404 Not Found` Ghost错误页	是
Surge.sh	`*.surge.sh`	`project not found`	是
Fly.io	CNAME指向 `*.fly.dev`	Fly.io默认404页	是

4. TAKEOVER PROCEDURE — COMMON PROVIDERS

4. 接管流程——常见服务商

4.1 AWS S3

1. Confirm: curl -s http://sub.target.com → "NoSuchBucket"
2. Extract bucket name from CNAME (e.g., sub.target.com.s3.amazonaws.com → bucket = "sub.target.com")
3. aws s3 mb s3://sub.target.com --region <region>
4. Upload index.html proving control
5. Enable static website hosting

1. 确认：curl -s http://sub.target.com → 返回"NoSuchBucket"
2. 从CNAME中提取存储桶名称（例如sub.target.com.s3.amazonaws.com → 存储桶名= "sub.target.com"）
3. aws s3 mb s3://sub.target.com --region <region>
4. 上传证明控制权的index.html
5. 开启静态网站托管

4.2 GitHub Pages

1. Confirm: curl -s https://sub.target.com → "There isn't a GitHub Pages site here"
2. Create GitHub repo (any name)
3. Add CNAME file containing "sub.target.com"
4. Enable GitHub Pages in repo settings
5. Wait for DNS propagation (GitHub verifies CNAME match)

1. 确认：curl -s https://sub.target.com → 返回"There isn't a GitHub Pages site here"
2. 创建GitHub仓库（名称任意）
3. 添加内容为"sub.target.com"的CNAME文件
4. 在仓库设置中开启GitHub Pages
5. 等待DNS传播（GitHub会验证CNAME匹配）

4.3 Heroku

1. Confirm: curl -s http://sub.target.com → "No such app"
2. heroku create <app-name-from-cname>
3. heroku domains:add sub.target.com
4. Deploy proof-of-concept page

1. 确认：curl -s http://sub.target.com → 返回"No such app"
2. heroku create <从CNAME提取的应用名>
3. heroku domains:add sub.target.com
4. 部署验证页面

5. NS TAKEOVER — HIGH SEVERITY

5. NS记录接管——高风险

NS takeover is far more dangerous than CNAME takeover: you control all DNS resolution for the zone.

NS记录接管的危险性远高于CNAME接管：你可以控制整个域名解析区的所有DNS解析。

How It Happens

发生原理

target.com NS → ns1.expireddomain.com
                 ↓
attacker registers expireddomain.com
                 ↓
attacker now controls ALL DNS for target.com
(A records, MX records, TXT records — everything)

target.com NS → ns1.expireddomain.com
                 ↓
攻击者注册expireddomain.com
                 ↓
攻击者现在控制target.com的所有DNS记录
（A记录、MX记录、TXT记录——所有内容）

Detection

检测方法

1. Enumerate NS records: dig NS target.com +short
2. Check each NS domain: whois ns1.example.com → is the domain expired or available?
3. Also check: dig A ns1.example.com → NXDOMAIN/SERVFAIL?
4. Subdelegated zones: check NS for sub.target.com specifically

1. 枚举NS记录：dig NS target.com +short
2. 检查每个NS域名：whois ns1.example.com → 域名是否到期或可注册？
3. 额外检查：dig A ns1.example.com → 是否返回NXDOMAIN/SERVFAIL？
4. 子委派区域：专门检查sub.target.com的NS记录

Impact

影响

Full domain takeover (serve any content, intercept email, issue TLS certs via DNS-01)
Issue DV certificates from any CA using DNS challenge
Modify SPF/DKIM/DMARC → send authenticated email as target

完整域名接管（提供任意内容、拦截邮件、通过DNS-01颁发TLS证书）
可通过DNS挑战向任意CA申请DV证书
修改SPF/DKIM/DMARC → 以目标域名名义发送认证邮件

6. MX TAKEOVER — EMAIL INTERCEPTION

6. MX记录接管——邮件拦截

When MX records point to deprovisioned mail services:

target.com MX → mail.deadservice.com (service discontinued)

If attacker can claim

mail.deadservice.com

or the mail tenant:

Receive password reset emails
Intercept sensitive communications
Potentially reset accounts that use email-based auth

当MX记录指向已注销的邮件服务时：

target.com MX → mail.deadservice.com（服务已停用）

如果攻击者可认领

mail.deadservice.com

或邮件租户：

接收密码重置邮件
拦截敏感通信
可重置依赖邮箱认证的账户

Common Scenario

常见场景

Expired Google Workspace / Microsoft 365 tenant → MX still points to Google/Microsoft → attacker creates new tenant and claims the domain.

到期的Google Workspace / Microsoft 365租户 → MX记录仍指向Google/Microsoft → 攻击者创建新租户并认领域名。

7. WILDCARD DNS RISKS

7. 通配符DNS风险

*.target.com

has a wildcard CNAME to a claimable service:

Every undefined subdomain is vulnerable
```
anything.target.com
```
can be taken over
Massively increases attack surface

Detection:

dig A random1234567.target.com

— if it resolves, wildcard exists.

如果

*.target.com

有指向可认领服务的通配符CNAME：

所有未定义的子域名都存在漏洞
```
任意字符.target.com
```
都可被接管
攻击面被大幅扩大

检测方法：

dig A random1234567.target.com

—— 如果能解析，说明存在通配符记录。

8. DETECTION & EXPLOITATION DECISION TREE

8. 检测与利用决策树

Subdomain discovered (sub.target.com)?
├── Resolve DNS records
│   ├── Has CNAME → external service?
│   │   ├── HTTP response matches known fingerprint? (Section 3)
│   │   │   ├── YES → Attempt claim on provider (Section 4)
│   │   │   │   ├── Claim successful → TAKEOVER CONFIRMED
│   │   │   │   └── Claim blocked (name reserved, region locked) → document, try variations
│   │   │   └── NO → Service active, no takeover
│   │   └── CNAME target NXDOMAIN?
│   │       ├── Target is a registrable domain? → Register it → full control
│   │       └── Target is a subdomain of active provider → check provider claim process
│   │
│   ├── Has NS records → external nameserver?
│   │   ├── NS domain expired/available? → Register → FULL ZONE TAKEOVER
│   │   └── NS domain active → no takeover
│   │
│   ├── Has MX → external mail service?
│   │   ├── Mail service deprovisioned/claimable? → Claim tenant → EMAIL INTERCEPTION
│   │   └── Active mail service → no takeover
│   │
│   └── Has A record → IP address?
│       ├── IP belongs to elastic cloud (AWS EIP, Azure, GCP)?
│       │   ├── IP unassigned? → Claim IP → serve content
│       │   └── IP assigned to another customer → no takeover
│       └── IP belongs to dedicated server → no takeover
│
└── Post-takeover impact assessment
    ├── Shared cookies with parent domain? → Session hijacking
    ├── CORS trusts *.target.com? → Cross-origin data theft
    ├── CSP whitelists *.target.com? → XSS via taken-over subdomain
    ├── OAuth redirect_uri allows sub.target.com? → Token theft
    └── Can issue TLS cert for sub.target.com? → Full MITM

发现子域名（sub.target.com）?
├── 解析DNS记录
│   ├── 存在指向外部服务的CNAME？
│   │   ├── HTTP响应匹配已知指纹？（第3节）
│   │   │   ├── 是 → 尝试在服务商处认领（第4节）
│   │   │   │   ├── 认领成功 → 确认接管
│   │   │   │   └── 认领被阻止（名称保留、区域锁定）→ 记录，尝试变体
│   │   │   └── 否 → 服务正常，无法接管
│   │   └── CNAME目标返回NXDOMAIN？
│   │       ├── 目标是可注册域名？ → 注册 → 完全控制
│   │       └── 目标是活跃服务商的子域名 → 检查服务商认领流程
│   │
│   ├── 存在指向外部域名服务器的NS记录？
│   │   ├── NS域名到期/可注册？ → 注册 → 完整区域接管
│   │   └── NS域名活跃 → 无法接管
│   │
│   ├── 存在指向外部邮件服务的MX记录？
│   │   ├── 邮件服务已注销/可认领？ → 认领租户 → 邮件拦截
│   │   └── 邮件服务活跃 → 无法接管
│   │
│   └── 存在指向IP地址的A记录？
│       ├── IP属于弹性云服务（AWS EIP、Azure、GCP）？
│       │   ├── IP未分配？ → 认领IP → 提供内容
│       │   └── IP已分配给其他客户 → 无法接管
│       └── IP属于专用服务器 → 无法接管
│
└── 接管后影响评估
    ├── 与父域共享Cookie？ → 会话劫持
    ├── CORS信任*.target.com？ → 跨域数据窃取
    ├── CSP白名单包含*.target.com？ → 通过被接管子域名实现XSS
    ├── OAuth redirect_uri允许sub.target.com？ → 令牌窃取
    └── 可为sub.target.com颁发TLS证书？ → 完整中间人攻击

9. DEFENSE & REMEDIATION

9. 防御与修复方案

Action	Priority
Remove DNS records when deprovisioning cloud resources	Critical
Monitor CNAME targets for NXDOMAIN responses	High
Use DNS monitoring tools (SecurityTrails, DNSHistory)	High
Claim/reserve resource names before deleting DNS records	High
Audit NS delegations — ensure NS domains are owned and renewed	Critical
Avoid wildcard CNAMEs to third-party services	Medium
Implement Certificate Transparency monitoring	Medium

措施	优先级
释放云资源时同步删除对应DNS记录	严重
监控CNAME目标是否返回NXDOMAIN响应	高
使用DNS监控工具（SecurityTrails、DNSHistory）	高
删除DNS记录前先认领/预留资源名称	高
审计NS委派——确保NS域名归己方所有且按时续费	严重
避免使用指向第三方服务的通配符CNAME	中
部署证书透明度监控	中

10. TRICK NOTES — WHAT AI MODELS MISS

10. 技巧说明——AI模型容易遗漏的点

CNAME ≠ takeover: A CNAME to S3 that returns 403 (bucket exists, private) is NOT vulnerable. Only
```
NoSuchBucket
```
(404) is.
Region matters for S3: Bucket names are global, but website endpoints are regional. Try matching the region from the CNAME.
GitHub Pages verification: GitHub added domain verification — org-verified domains cannot be claimed by others. Check if target uses this.
Edge cases: Some providers (e.g., Cloudfront) require specific distribution configuration, not just domain claiming.

Second-order takeover:

sub.target.com CNAME → other.target.com CNAME → dead-service.com

— the chain must be followed fully.

SPF subdomain takeover: If SPF includes
```
include:sub.target.com
```
and you take over
```
sub.target.com
```
, you can modify its SPF TXT record to authorize your mail server → send spoofed email as
```
target.com
```
.

有CNAME≠可接管：指向S3的CNAME返回403（存储桶存在、私有）时不存在漏洞，只有返回
```
NoSuchBucket
```
（404）时才可能被接管。
S3的区域要求：存储桶名称是全局唯一的，但网站端点是区域专属的，尝试匹配CNAME对应的区域。
GitHub Pages验证：GitHub已新增域名验证功能，组织验证过的域名无法被其他人认领，需检查目标是否启用该功能。
边缘场景：部分服务商（如Cloudfront）需要特定的分发配置，仅认领域名不够。

二阶接管：

sub.target.com CNAME → other.target.com CNAME → dead-service.com

—— 需要完整追溯整个解析链。

SPF子域名接管：如果SPF包含
```
include:sub.target.com
```
，你接管
```
sub.target.com
```
后可修改其SPF TXT记录授权你的邮件服务器 → 可伪造
```
target.com
```
名义发送邮件。