تشغيل أي مهارة في Manus بنقرة واحدة

ابدأ الآن

attack-subdomain-takeover

النجوم٦١٧

التفرعات١٠٢

آخر تحديث١ يونيو ٢٠٢٦ في ١٩:١٦

Subdomain takeover — CNAME detection, cloud service fingerprinting, dangling DNS exploitation

التثبيت

التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.

تشغيل في Manus

المصدر

CyberStrikeus

CyberStrikeus/CyberStrike

فتح مستودع GitHub عرض مستودعات المنشئ

تنزيل

تشغيل في Manus

المهن ذات الصلةSOC

استنادا إلى تصنيف SOC المهني

محللو أمن المعلوماتمهن الحاسوب والرياضيات·SOC 15-1212

SKILL.md

readonly

name	attack-subdomain-takeover
description	Subdomain takeover — CNAME detection, cloud service fingerprinting, dangling DNS exploitation
category	web-application
version	1.0
author	cyberstrike-official
tags	["subdomain-takeover","dns","cloud","web","attack"]
tech_stack	["aws","azure","gcp","web"]
cwe_ids	["CWE-284"]
chains_with	[]
prerequisites	[]
severity_boost	{}

Subdomain Takeover

Objective

Identify subdomains with dangling DNS records (CNAME pointing to unclaimed cloud resources) and claim them to serve attacker content.

Testing Methodology

Phase 1: Subdomain Enumeration

# Passive enumeration
subfinder -d TARGET.com -silent | tee subdomains.txt

# Certificate transparency
curl -s "https://crt.sh/?q=%25.TARGET.com&output=json" | jq -r '.[].name_value' | sort -u >> subdomains.txt

# DNS brute force
puredns bruteforce wordlist.txt TARGET.com -r resolvers.txt >> subdomains.txt

Phase 2: Automated Takeover Check

# Check all subdomains for takeover
attack_script subdomain_takeover subdomains.txt --json-output

Checks 20 cloud services:

GitHub Pages, Heroku, Shopify, Tumblr, WordPress
AWS S3, AWS Elastic Beanstalk, Azure Web Apps
Netlify, Vercel, Fastly, Fly.io
Bitbucket, Surge, Ghost, Pantheon
Zendesk, README.io, Cargo, Feedpress

Phase 3: Manual CNAME Verification

# Check CNAME records
dig +short CNAME subdomain.TARGET.com

# Verify the pointed service is unclaimed
curl -s https://subdomain.TARGET.com
# Look for: "There isn't a GitHub Pages site here"
# "No such app" (Heroku)
# "NoSuchBucket" (S3)

Phase 4: Cloud Storage Enumeration

# Check related cloud buckets
attack_script cloud_storage_enum TARGET --json-output

Phase 5: Claim & Verify

After confirming a dangling CNAME:

Create the resource on the target service (e.g., GitHub Pages repo, S3 bucket)
Serve a harmless proof page (e.g., cyberstrike-takeover-proof.html)
Verify it's accessible at subdomain.TARGET.com

What Constitutes a Finding

Finding	Severity
Subdomain takeover — attacker controls content	High (P2)
S3 bucket public write access	Critical (P1)
S3 bucket listing enabled	High (P2)
Dangling CNAME (service unreachable)	Medium (P3)
Cloud storage public read	Medium (P3)

Evidence Requirements

Subdomain with dangling CNAME record
Target cloud service identified
Service fingerprint (error message)
For takeover: proof of content hosting on subdomain
For buckets: listing output or write proof

Tools

attack_script subdomain_takeover — automated CNAME + fingerprint checker
attack_script cloud_storage_enum — S3/Azure/GCP enumeration
subfinder, puredns — subdomain enumeration

References

المزيد من هذا المستودع

نفس المستودع

ebpf-attacks

CyberStrikeus/CyberStrike

eBPF-based post-exploitation for kernel-level credential harvesting, process hiding, and traffic interception on Linux

2026-06-23617

aws-postexploit

CyberStrikeus/CyberStrike

AWS post-exploitation for IAM privilege escalation, data exfiltration, persistence, and operational security via boto3

2026-06-22617

azure-postexploit

CyberStrikeus/CyberStrike

Azure/Entra ID post-exploitation for tenant compromise, Key Vault extraction, managed identity abuse, and token manipulation

2026-06-22617

cicd-attacks

CyberStrikeus/CyberStrike

CI/CD pipeline attacks for secret extraction, pipeline injection, and supply chain compromise via GitHub/Jenkins/GitLab

2026-06-22617

k8s-postexploit

CyberStrikeus/CyberStrike

Kubernetes post-exploitation for container escape, secret extraction, RBAC abuse, and cluster persistence

2026-06-22617

macos-postexploit

CyberStrikeus/CyberStrike

macOS post-exploitation for credential harvesting, DTrace monitoring, TCC bypass, and stealth operations via native tools

2026-06-22617

name	attack-subdomain-takeover
description	Subdomain takeover — CNAME detection, cloud service fingerprinting, dangling DNS exploitation
category	web-application
version	1.0
author	cyberstrike-official
tags	["subdomain-takeover","dns","cloud","web","attack"]
tech_stack	["aws","azure","gcp","web"]
cwe_ids	["CWE-284"]
chains_with	[]
prerequisites	[]
severity_boost	{}

Subdomain Takeover

Objective

Identify subdomains with dangling DNS records (CNAME pointing to unclaimed cloud resources) and claim them to serve attacker content.

Testing Methodology

Phase 1: Subdomain Enumeration

# Passive enumeration
subfinder -d TARGET.com -silent | tee subdomains.txt

# Certificate transparency
curl -s "https://crt.sh/?q=%25.TARGET.com&output=json" | jq -r '.[].name_value' | sort -u >> subdomains.txt

# DNS brute force
puredns bruteforce wordlist.txt TARGET.com -r resolvers.txt >> subdomains.txt

Phase 2: Automated Takeover Check

# Check all subdomains for takeover
attack_script subdomain_takeover subdomains.txt --json-output

Checks 20 cloud services:

GitHub Pages, Heroku, Shopify, Tumblr, WordPress
AWS S3, AWS Elastic Beanstalk, Azure Web Apps
Netlify, Vercel, Fastly, Fly.io
Bitbucket, Surge, Ghost, Pantheon
Zendesk, README.io, Cargo, Feedpress

Phase 3: Manual CNAME Verification

# Check CNAME records
dig +short CNAME subdomain.TARGET.com

# Verify the pointed service is unclaimed
curl -s https://subdomain.TARGET.com
# Look for: "There isn't a GitHub Pages site here"
# "No such app" (Heroku)
# "NoSuchBucket" (S3)

Phase 4: Cloud Storage Enumeration

# Check related cloud buckets
attack_script cloud_storage_enum TARGET --json-output

Phase 5: Claim & Verify

After confirming a dangling CNAME:

Create the resource on the target service (e.g., GitHub Pages repo, S3 bucket)
Serve a harmless proof page (e.g., cyberstrike-takeover-proof.html)
Verify it's accessible at subdomain.TARGET.com

What Constitutes a Finding

Finding	Severity
Subdomain takeover — attacker controls content	High (P2)
S3 bucket public write access	Critical (P1)
S3 bucket listing enabled	High (P2)
Dangling CNAME (service unreachable)	Medium (P3)
Cloud storage public read	Medium (P3)

Evidence Requirements

Subdomain with dangling CNAME record
Target cloud service identified
Service fingerprint (error message)
For takeover: proof of content hosting on subdomain
For buckets: listing output or write proof

Tools

attack_script subdomain_takeover — automated CNAME + fingerprint checker
attack_script cloud_storage_enum — S3/Azure/GCP enumeration
subfinder, puredns — subdomain enumeration