Mastering subjack$: Your Ultimate Guide to Subdomain Takeover

Course #612: Mastering subjack$

# Course #612: Mastering subjack$ ## Section 5: Using subjack$ for Subdomain Takeover ### Installation and Configuration on Kali Linux To get started with using subjack$, we first need to install the tool on your Kali Linux system. Subjack is designed to help identify subdomain takeover vulnerabilities by checking whether a subdomain is pointing to a service that has been decommissioned or is otherwise available for takeover. #### Step 1: Install Golang Subjack is a Go-based tool, so the first thing we need to do is install Go (Golang) if it is not already installed on your Kali Linux machine. You can install Go using the following commands: #### Step 2: Set Up Go Workspace By default, Go expects a workspace directory. We will set this up by creating a directory in your home folder: To ensure these changes persist, add the above export lines to your `~/.bashrc` file: #### Step 3: Install subjack$ Now that Go is set up, you can install subjack$ by cloning its GitHub repository and building it. Run the following commands: The built binary will be placed in `~/go/bin`. You can verify the installation by running: This should display the help options for subjack$, confirming that it was installed correctly. ### Step-by-Step Usage and Real-World Use Cases Now that we have subjack$ set up on our Kali Linux system, let’s delve into how to use it effectively. #### Basic Usage The simplest way to use subjack$ is to scan a list of domains for potential takeover vulnerabilities. You can provide subjack$ with a list of subdomains to check. For this example, let's assume you have a file named `subdomains.txt` containing the subdomains you wish to scan. **Parameters:** – `-w`: Specifies the input wordlist file containing subdomains. – `-t`: Specifies the number of concurrent threads to use. – `-timeout`: Sets the timeout for requests. – `-o`: Specifies the output file where results will be written. – `-ssl`: Enable SSL checks. #### Reading the Results After running the command, you can open `results.txt` to view the output. The format will typically include entries for vulnerable subdomains, along with the services identified that are available for takeover: [/dm_code_snippet] [+] vulnerable.com – AWS S3 [+] another-vuln.com – GitHub Pages [/dm_code_snippet] ### Real-World Use Cases 1. **Identifying Misconfigured Services:** Many companies use cloud services to manage their subdomains. If a subdomain points to a service that is no longer in use, attackers can potentially claim it. For example, if a company has a subdomain pointing to an Amazon S3 bucket that was previously used for hosting static files but has since been deleted, subjack$ can easily identify this vulnerability. 2. **Assessing Third-Party Services:** When a company utilizes multiple third-party services, it’s common for subdomains to be created for each service (e.g., `service.example.com`). If one of these services gets discontinued or misconfigured, it becomes a potential target. Subjack can assist in assessing these subdomains. 3. **Monitoring for New Vulnerabilities:** Regular scanning of your company's subdomains can help you discover new potential vulnerabilities as services are added or removed. You can automate this using cron jobs or CI/CD pipeline checks to keep track of your subdomain health. ### Detailed Technical Explanations Subdomain takeover occurs when a subdomain is pointing towards a service that is not configured to respond to requests. If the service is decommissioned or the domain is not properly set up, an attacker can register a new service under the same name and take control. Subjack$ identifies this vulnerability by checking a list of common services and their configurations. Subjack$ parses the DNS records and performs HTTP requests on the provided subdomains. It checks for known patterns associated with popular services like GitHub Pages, AWS S3, and Heroku. Below is a simple breakdown of its process: 1. **DNS Resolution:** Subjack$ checks to see if the subdomain resolves to a valid IP address and what type of DNS records are in place (A, CNAME, etc.). 2. **HTTP Requests:** It performs HTTP requests to the resolved IPs to check for valid web services. If a service returns a “404 Not Found” error for a common service, it suggests that the subdomain could be taken over. 3. **Validation Against Known Services:** Subjack$ maintains a database of known services that are susceptible to subdomain takeovers. If the response indicates that the service has been decommissioned or is responding with an error related to a service that is often misconfigured, it flags this subdomain as vulnerable. ### Code Examples: WordPress Specific Here is a simple snippet for WordPress configuration to demonstrate how an attacker might exploit a subdomain takeover in a compromised setup. This snippet checks if subdomains are redirecting correctly: [/dm_code_snippet]php add_action('template_redirect', 'check_subdomain'); function check_subdomain() { if ($_SERVER['HTTP_HOST'] == 'vulnerable.example.com') { // Redirect to a malicious site wp_redirect('http://malicious-site.com', 301); exit; } } [/dm_code_snippet] This code snippet demonstrates how an attacker can potentially exploit a vulnerable subdomain to redirect users to a malicious site. Always monitor and validate your subdomain configurations to prevent such exploits. ### Conclusion Subjack$ is an incredibly potent tool in the arsenal of web security and penetration testing. Regular checks using subjack$ can help organizations identify and mitigate risks associated with subdomain takeovers. The ease of installation and powerful capabilities make it an essential tool for security professionals, and understanding how to effectively use it can greatly enhance your security posture against the ever-evolving threat landscape. For further reading, refer to the following resources: – [Kali Linux Tools](https://www.kali.org/tools/) – [Subdomain Takeover on OWASP](https://owasp.org/www-community/attacks/Subdomain_Takeover) – [Subjack GitHub Repository](https://github.com/haccer/subjack) With these insights and tools at your disposal, you're well-equipped to master subjack$ and safeguard against subdomain takeover threats. Made by pablo rotem / פבלו רותם