attack-subdomain-takeover
Subdomain takeover — CNAME detection, cloud service fingerprinting, dangling DNS exploitation
| field | value |
|---|---|
| name | attack-subdomain-takeover |
| description | Subdomain takeover — CNAME detection, cloud service fingerprinting, dangling DNS exploitation |
| category | web-application |
| version | 1.0 |
| author | cyberstrike-official |
| tags | ["subdomain-takeover","dns","cloud","web","attack"] |
| tech_stack | ["aws","azure","gcp","web"] |
| cwe_ids | ["CWE-284"] |
| chains_with | [] |
| prerequisites | [] |
| severity_boost | {} |
Identify subdomains with dangling DNS records (a CNAME pointing at a cloud resource that nobody currently owns), then claim that resource so the subdomain serves attacker-controlled content.
```bash
# Passive enumeration
subfinder -d TARGET.com -silent | tee subdomains.txt

# Certificate transparency. A single name_value can hold several SANs
# separated by newlines, and wildcard entries (*.TARGET.com) cannot be
# resolved as-is, so strip the leading "*." before saving.
curl -s "https://crt.sh/?q=%25.TARGET.com&output=json" \
  | jq -r '.[].name_value' | sed 's/^\*\.//' | sort -u >> subdomains.txt

# DNS brute force
puredns bruteforce wordlist.txt TARGET.com -r resolvers.txt >> subdomains.txt

# Deduplicate the merged list before checking it
sort -u -o subdomains.txt subdomains.txt

# Check all subdomains for takeover
attack_script subdomain_takeover subdomains.txt --json-output
```
The checker fingerprints 20 cloud services. To verify a candidate by hand, resolve the CNAME, confirm where the chain ends, and fetch the page to see whether the provider reports the resource as unclaimed:

```bash
# Check CNAME records (dig prints the target with a trailing dot)
dig +short CNAME subdomain.TARGET.com

# Verify the pointed-to service is unclaimed
curl -s https://subdomain.TARGET.com
# Look for: "There isn't a GitHub Pages site here" (GitHub Pages)
#           "No such app" (Heroku)
#           "NoSuchBucket" (S3)

# Check related cloud buckets
attack_script cloud_storage_enum TARGET --json-output
```

A marker string on its own is not proof: the CNAME target must belong to the provider that emits that message, and the provider must let an arbitrary account register the exact name the CNAME points at. A CNAME target that returns NXDOMAIN with no fingerprint is a dangling record, not yet a confirmed takeover.
After confirming a dangling CNAME, claim the resource at the provider and host a proof page (cyberstrike-takeover-proof.html) so that it is served from subdomain.TARGET.com; a static page identifying the tester is sufficient evidence.

| Finding | Severity |
|---|---|
| Subdomain takeover — attacker controls content | High (P2) |
| S3 bucket public write access | Critical (P1) |
| S3 bucket listing enabled | High (P2) |
| Dangling CNAME (service unreachable) | Medium (P3) |
| Cloud storage public read | Medium (P3) |
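The enumeration and manual checks above, reduced to the two offline decisions a checker has to make: flattening crt.sh output into resolvable hostnames, and grading each probed subdomain against the severity table. This is an added example, not the page's `attack_script` or any cyberstrike code; the fingerprint table holds only the three services named above (a real checker carries many more), the CNAME suffixes are assumptions, and the crt.sh JSON and probe results are constructed so it runs without network access.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Assumed fingerprint subset: (service, CNAME target suffixes, body marker).
FINGERPRINTS = (
    ("GitHub Pages", ("github.io",), "There isn't a GitHub Pages site here"),
    ("Heroku", ("herokuapp.com", "herokudns.com"), "No such app"),
    ("Amazon S3", ("amazonaws.com",), "NoSuchBucket"),
)

# Severities taken from the findings table above.
SEVERITY = {"takeover": "High (P2)", "dangling": "Medium (P3)"}


def crtsh_hostnames(raw_json: str, domain: str) -> list:
    """Flatten crt.sh JSON into unique hostnames under `domain`.

    name_value may hold several SANs separated by newlines, and wildcard
    entries (*.example.com) are not resolvable, so "*." is stripped.
    """
    names = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").splitlines():
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return sorted(names)


def normalize(host: str) -> str:
    """dig +short prints CNAME targets with a trailing dot; strip it."""
    return host.strip().rstrip(".").lower()


@dataclass
class Probe:
    """Result of the manual checks for one subdomain (constructed input)."""
    subdomain: str
    cname: Optional[str]       # final CNAME target, None if no CNAME
    target_resolves: bool      # False when the CNAME target is NXDOMAIN
    body: str = ""             # HTTP body, "" if unreachable


@dataclass
class Finding:
    subdomain: str
    status: str                # "takeover", "dangling" or "ok"
    service: Optional[str] = None
    severity: Optional[str] = None


def match_fingerprint(cname: str, body: str) -> Optional[str]:
    """Service name only when BOTH the CNAME suffix and the body marker
    agree; a page that merely quotes an error string is not a hit."""
    host = normalize(cname)
    for service, suffixes, marker in FINGERPRINTS:
        on_service = any(host == s or host.endswith("." + s) for s in suffixes)
        if on_service and marker in body:
            return service
    return None


def classify(p: Probe) -> Finding:
    if p.cname is None:
        return Finding(p.subdomain, "ok")
    service = match_fingerprint(p.cname, p.body)
    if service:
        return Finding(p.subdomain, "takeover", service, SEVERITY["takeover"])
    if not p.target_resolves:
        # Target gone, but no provider confirmed it is claimable: dangling only.
        return Finding(p.subdomain, "dangling", None, SEVERITY["dangling"])
    return Finding(p.subdomain, "ok")


def triage(probes) -> list:
    return [classify(p) for p in probes]


# Constructed sample inputs (not real data).
CRTSH_SAMPLE = json.dumps([
    {"name_value": "www.target.com\n*.target.com"},
    {"name_value": "old-blog.target.com"},
    {"name_value": "assets.target.com"},
    {"name_value": "target.com.attacker.example"},  # outside target.com
])

PROBES = [
    Probe("old-blog.target.com", "targetco.github.io.", True,
          "<h1>There isn't a GitHub Pages site here.</h1>"),
    Probe("assets.target.com", "assets-target.s3.amazonaws.com.", True,
          "<Error><Code>NoSuchBucket</Code></Error>"),
    Probe("legacy.target.com", "legacy-app.azurewebsites.net.", False),
    Probe("www.target.com", None, True, "<html>welcome</html>"),
    # Marker present but the CNAME points elsewhere: not a takeover.
    Probe("docs.target.com", "docs.some-cdn.example.", True, "No such app"),
]

if __name__ == "__main__":
    print(crtsh_hostnames(CRTSH_SAMPLE, "target.com"))
    for f in triage(PROBES):
        print(f"{f.subdomain:22} {f.status:9} {f.service or '-':13} {f.severity or '-'}")
```

Feeding real data in means replacing `PROBES` with the output of `dig +short CNAME` (last line of the chain) and the `curl` body for each host; everything else stays the same.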
Tools:
- attack_script subdomain_takeover - automated CNAME + fingerprint checker
- attack_script cloud_storage_enum - S3/Azure/GCP enumeration
- subfinder, puredns - subdomain enumeration