How to make a Subdomain Takeover Attack


A team of information security experts tells us that subdomain takeover vulnerabilities occur whenever a subdomain points to a service (for example, GitHub Pages, Heroku, etc.) that has been removed or deleted. This may allow an attacker to set up a page on the service that was being used and point that page at the subdomain. As an example, if was pointing to a GitHub page and the user decided to remove their GitHub page, an attacker could create a GitHub page, add a CNAME file that contains subdomain.testing.com and claim subdomain.testing.com.


A subdomain that points to a GitHub page is www.testing.com. If someone decides to remove https://github.com/test0x01/testing and does not delete the DNS entry that points to this page, you can post content at www.testing.com.

Some hackers use subdomain scraping and brute-force tools such as Sublist3r to find the subdomains of a target, say information security professionals. The DNS records are then verified and/or a screen capture script is used to detect vulnerable subdomains. A subdomain that points to a GitHub page that returns a 404 can be an indicator that it can be claimed on GitHub.


Now we will talk about Sublist3r. Sublist3r is a Python tool designed to enumerate the subdomains of websites using OSINT. Information security researchers tell us that it also helps penetration testers and bug hunters collect subdomains for the domain they are targeting. Sublist3r lists subdomains using many search engines such as Google, Yahoo, Bing, Baidu and Ask. It also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster and ReverseDNS.

Experts comment that subbrute was integrated into Sublist3r to increase the chance of finding more subdomains by brute force with an improved word list.

Installation: git clone



About the security impact: a subdomain takeover could allow an attacker to publish content on the subdomain, information security experts said. In the case where a subdomain is a secondary domain of the base name of the service, the attacker can also read and set cookies in the base name: can set cookies for

We have a real case of a subdomain takeover made by Frans Rosén on Researchers tell us that Frans posted a page on a hidden route (login123) instead of posting content on the landing page. This is the best way to avoid damaging the image of the company.

It is important to remove the DNS entry for the subdomain that points to the deleted service to make sure no one can take it over.
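To find the entries that need removing, a domain owner can audit an export of their own zone. The following is an added example, not code from the article or from Sublist3r: it parses CNAME records from BIND-style zone text and flags those that point at a hosted-page service and answer 404. The suffix list, the `fetch_status` callback and the sample records are assumptions constructed for illustration.

```python
"""Audit a DNS zone export for CNAMEs left pointing at removed hosted pages."""
from typing import Callable, Iterator, List, NamedTuple, Optional, Tuple

# Assumption: hostname suffixes for the two services the article names.
HOSTED_SUFFIXES = {"github.io": "GitHub Pages", "herokuapp.com": "Heroku"}

class Finding(NamedTuple):
    name: str      # subdomain in our zone
    target: str    # CNAME target on the third-party service
    service: str
    status: int

def parse_cnames(zone_text: str) -> Iterator[Tuple[str, str]]:
    """Yield (name, target) for each CNAME line, ignoring ';' comments."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()
        if "CNAME" in fields:
            i = fields.index("CNAME")
            if i >= 1 and i + 1 < len(fields):
                yield fields[0].rstrip(".").lower(), fields[i + 1].rstrip(".").lower()

def service_for(target: str) -> Optional[str]:
    """Match on a label boundary so 'evilgithub.io' is not treated as github.io."""
    for suffix, service in HOSTED_SUFFIXES.items():
        if target == suffix or target.endswith("." + suffix):
            return service
    return None

def audit(zone_text: str, fetch_status: Callable[[str], int]) -> List[Finding]:
    """Return CNAMEs whose hosted page answers 404: candidates for DNS cleanup."""
    findings = []
    for name, target in parse_cnames(zone_text):
        service = service_for(target)
        if service is None:
            continue  # not a hosted-page service we track
        status = fetch_status(name)  # caller supplies the HTTP check
        if status == 404:
            findings.append(Finding(name, target, service, status))
    return findings

# Constructed sample zone and HTTP results, so the audit runs offline.
SAMPLE_ZONE = """\
www.testing.com.   3600 IN CNAME test0x01.github.io.  ; page was removed
blog.testing.com.  3600 IN CNAME live-user.github.io.
shop.testing.com.  3600 IN CNAME shops.example.net.
mail.testing.com.  3600 IN A     192.0.2.10
"""
SAMPLE_STATUS = {"www.testing.com": 404, "blog.testing.com": 200}

if __name__ == "__main__":
    for f in audit(SAMPLE_ZONE, lambda host: SAMPLE_STATUS.get(host, 0)):
        print(f"{f.name} -> {f.target} ({f.service}) returned {f.status}: remove or reclaim")
```

In real use, `fetch_status` would issue an HTTP request to each of your own subdomains and return the status code; every flagged record should either be deleted from the zone or have its hosted page restored.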
