In this second part there will be a demonstration of a subdomain takeover in action, using the example from the previous post. Firstly, we need to create the server instance that will be utilised throughout this example:

 

 

Next, we link the subdomain that will be used to this server instance. To do this, we create a CNAME record in the DNS provider panel and set the custom domain in the service provider control panel:

 

 

Check that the update has occurred by running nslookup from the command line:

 

Type the alias name into a web browser:

 

As you can see, everything has now updated, and the subdomain points to the server instance name. If an attacker discovered this subdomain, observed that it was pointing to this server instance (as shown above) and attempted to re-create this subdomain, the attempted subdomain takeover wouldn't work at that moment. However, if the company removes this server instance and omits to remove the CNAME record, there would be an issue.

 

So, in demonstrating the removal of the server instance, this would be the result:

 

Now, we re-create this server instance with the same host name and at the same time re-create the custom domain on a different account:

 

Once both have been created, we re-visit the company's subdomain and are presented with the same message as below; however, this instance would be controlled by the attacker:

 

This concludes the demonstration of subdomain takeover.
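
From the defender's side, the condition shown above (a CNAME left pointing at an instance the company no longer controls) can be found by comparing a DNS zone export against the inventory of instances the company still owns. The following Python is an added example, not part of the original post; the domain names, the provider suffix `hosting-provider.example` and the `fake_resolves` stand-in resolver are constructed assumptions.

```python
import socket

# Constructed sample data: a zone export and the instances the company still owns.
ZONE_CNAMES = {
    "shop.example.com": "shop-prod.hosting-provider.example",
    "blog.example.com": "blog-old.hosting-provider.example.",
    "promo.example.com": "Promo-2019.hosting-provider.example",
    "www.example.com": "web.example.com",
}
OWNED_INSTANCES = {"shop-prod.hosting-provider.example"}
PROVIDER_SUFFIXES = (".hosting-provider.example",)  # assumed third-party service suffix


def system_resolves(name):
    """Live lookup: True if the name currently resolves to an address."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def fake_resolves(name):
    """Constructed stand-in for DNS so the example runs offline."""
    return name in {"shop-prod.hosting-provider.example", "promo-2019.hosting-provider.example"}


def audit(cnames, owned, resolves=system_resolves):
    """Return {alias: finding} for CNAMEs aimed at provider instances we no longer own."""
    owned = {o.rstrip(".").lower() for o in owned}
    findings = {}
    for alias, target in cnames.items():
        target = target.rstrip(".").lower()  # zone files may use trailing dots or mixed case
        if not target.endswith(PROVIDER_SUFFIXES):
            continue  # not hosted on the third-party service
        if target in owned:
            continue  # instance is still in our inventory
        if resolves(target):
            # Someone has an instance under this name, and it is not us.
            findings[alias] = "target live but not in our inventory"
        else:
            # Instance was removed but the CNAME record was left behind.
            findings[alias] = "dangling: target does not resolve"
    return findings


if __name__ == "__main__":
    for alias, finding in audit(ZONE_CNAMES, OWNED_INSTANCES, fake_resolves).items():
        print(alias, "->", finding)
```

Either finding calls for removing or repointing the CNAME record; calling `audit` without the third argument uses live DNS lookups instead of the constructed resolver.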
