Subdomain Takeover Live Reconnaissance

Uploaded by ysnkhan95

Day-10 Subdomain Takeover Live Recon - Bug Bounty Free Course [Hindi]

In simple terms: any subdomain that is hosted by being pointed at a cloud service,

like:
Google Cloud, GitHub, Azure, Unbounce, Netlify, Amazon

e.g. help.defrnoix.com = reaches the GitHub service

(redirection) + the service shows its own page/result

CNAME - canonical name - maps one domain name to another without exposing an IP address

URDU (translated): any subdomain that is hosted on a cloud-based service like GitHub, where the service is later no longer used but the DNS connection to the cloud still exists, will return a 404 error and a hacker can take it over; the owner removes the content from the service, but the CNAME record is still associated with it.

The hacker will try to take over the subdomain by creating the same subdomain at
that cloud service provider and uploading a simple index.html file, whichever
cloud service was used in the past (Amazon, Azure, Google Cloud or GitHub).

1 - Important GitHub repo for takeover checks (Can I take over XYZ): look up the
cloud service the host points to in that repo to verify whether that cloud
service is vulnerable or not.

2 - To check the CNAME of any subdomain, open a Kali terminal and run:
dig subdomain.com

3 - A list of all the vulnerable hosts that could be taken over (a shared list, quoted as-is below):

Hi, I wanted to share a list of CNAMEs (or rather just substrings), seen for sub-domains from public BBPs/VDPs on various platforms that might indicate a takeover-able sub-domain. I created the list a few months ago (it might be dated) and never found time to utilize it further so I'm sharing it publicly as it might be helpful to extend what this repository covers:

.herokudns.com, .herokuapp.com, herokussl.com
.azurewebsites.net, .cloudapp.net, .azure-api.net, .trafficmanager.net, .azureedge.net, .cloudapp.azure.com
.cloudfront.net, .s3.amazonaws.com, .awsptr.com, .elasticbeanstalk.com,
.uservoice.com
unbouncepages.com
ghs.google.com, ghs.googlehosted.com, .ghs-ssl.googlehosted.com
.github.io, www.gitbooks.io
sendgrid.net
.feedpress.me
.fastly.net
.webflow.io, proxy.webflow.com
.helpscoutdocs.com
.readmessl.com
.desk.com
.zendesk.com
.mktoweb.com
.wordpress.com, .wpengine.com
.cloudflare.net
.netlify.com
.bydiscourse.com
.netdna-cdn.com
.pageserve.co
.pantheonsite.io
.arlo.co
.apigee.net
.pmail5.com
.cm-hosting.com
ext-cust.squarespace.com, ext.squarespace.com, www.squarespace6.com
.locationinsight.com
.helpsite.io
saas.moonami.com
custom.bnc.lt
.qualtrics.com
.dotcmscloud.net, .dotcmscloud.com
.knowledgeowl.com
.atlashost.eu
headwayapp.co
domain.pixieset.com
cname.bitly.com
.awmdm.com
.meteor.com
.postaffiliatepro.com, na.iso.postaffiliatepro.com
.copiny.com
.kxcdn.com
phs.getpostman.com
.appdirect.com
.streamshark.io
The ones below need an approved registration, a demo or similar stuff so it's hard
to tell if they are takeover-able or not:

.ethosce.com
.custhelp.com
.onelink-translations.com
.mashery.com
.edgesuite.net
.akadns.net
.edgekey.net
akamaiedge.net
.edgekey-staging.net
.lldns.net
.edgecastcdn.net
centercode.com
.jivesoftware.com
.cvent.com
.covisint.com
.digitalrivercontent.net
.akahost.net
.connectedcommunity.org
.lithium.com
.sl.smartling.com
pfsweb.com
.bsd.net
.vovici.net
.extole.com
.ent-sessionm.com
.eloqua.com
.inscname.net
insnw.net
.2o7.net
.wnmh.net
.footprint.net
.llnwd.net
.cust.socrata.net
.scrool.se
.phenompeople.com
.investis.com
.skilljar.com
.imomentous.com
.cleverbridge.com
.insnw.net
sailthru.com
static.captora.com
.q4web.com
.omtrdc.net
.devzing.com
.pphosted.com
.securepromotion.com
.getbynder.com
.certain.com
.certainaws.com
.eds.com
.bluetie.com
.relayware.com
.yodlee.com
.mrooms.net
ssl.cdntwrk.com
secure.gooddata.com
.deltacdn.net
.happyfox.com
.proformaprostores.com
.yext-cdn.com
.edgecastdns.net
.ecdns.net
Have fun.

4 - Another command: dig subdomain.com CNAME

5 - nslookup subdomain.com

6 - Finding vulnerable subdomains with subzy (associated with the can-i-take-over-xyz fingerprints): subzy run --targets teslafinal.txt --timeout 30 ; do check manually as well after getting the result

7 - subjack to check subdomains for takeover vulnerability

8 - anew tool to combine 2 files (deduplicated): cat example.txt imple.txt | anew > finalist.txt

9 - Best tool: Nuclei for subdomain takeover and other things
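As an added example (not part of the original notes or of any tool named above), the script below ties together steps 2, 4 and 5 (the dig CNAME check) with the indicator list in step 3 from the defender's side: it parses `dig +noall +answer` output for each subdomain in your own DNS inventory, follows the CNAME chain, matches the final target against a subset of the CNAME substrings listed above, and reports a subdomain as a cleanup candidate when the CNAME points at a third-party service and the target no longer resolves (no A/AAAA record in the answer, which is what you see on an NXDOMAIN). The dig output, hostnames and IP addresses are constructed sample data; only the indicator substrings come from the list on this page.

```python
import re

# Subset of the CNAME indicator substrings from the list above (extend as needed).
# A leading "." means "any host under this suffix"; a bare name matches itself too.
TAKEOVER_INDICATORS = [
    ".github.io", ".herokuapp.com", ".azurewebsites.net", ".s3.amazonaws.com",
    ".cloudfront.net", "unbouncepages.com", ".netlify.com", ".zendesk.com",
]

# One line of `dig +noall +answer` output, e.g.
# "help.example.com.  300  IN  CNAME  example-docs.github.io."
ANSWER_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(CNAME|A|AAAA)\s+(\S+)$")


def parse_answer(dig_output):
    """Return (owner, rtype, rdata) tuples; names lowercased, trailing dots removed."""
    records = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # skip blanks and dig comments
            continue
        m = ANSWER_RE.match(line)
        if m:
            owner, rtype, rdata = m.groups()
            records.append((owner.lower().rstrip("."), rtype, rdata.lower().rstrip(".")))
    return records


def matched_indicator(target):
    """Return the indicator substring the CNAME target matches, or None."""
    for ind in TAKEOVER_INDICATORS:
        if ind.startswith("."):
            if target.endswith(ind):
                return ind
        elif target == ind or target.endswith("." + ind):
            return ind
    return None


def assess(subdomain, dig_output):
    """Classify one subdomain from its dig answer section.

    status: "no-cname"    - plain A/AAAA record, nothing to check here
            "ok"          - CNAME to a non-listed target that still resolves
            "third-party" - CNAME to a listed service that still resolves (keep an eye on it)
            "dangling"    - CNAME target does not resolve, but not a listed service
            "candidate"   - CNAME to a listed service AND target does not resolve: fix this
    """
    records = parse_answer(dig_output)
    cnames = [(o, r) for o, t, r in records if t == "CNAME"]
    if not cnames:
        return {"subdomain": subdomain, "cname": None, "indicator": None,
                "dangling": False, "status": "no-cname"}
    # Follow the CNAME chain inside the answer section to the final target.
    target, seen = subdomain.lower().rstrip("."), set()
    while True:
        nxt = next((r for o, r in cnames if o == target), None)
        if nxt is None or nxt in seen:
            break
        seen.add(nxt)
        target = nxt
    ind = matched_indicator(target)
    resolves = any(t in ("A", "AAAA") and o == target for o, t, _ in records)
    if ind and not resolves:
        status = "candidate"
    elif ind:
        status = "third-party"
    elif not resolves:
        status = "dangling"
    else:
        status = "ok"
    return {"subdomain": subdomain, "cname": target, "indicator": ind,
            "dangling": not resolves, "status": status}


# Constructed sample dig output (hostnames and TEST-NET addresses are made up).
SAMPLE_DIG = {
    # CNAME to a GitHub Pages name that no longer resolves: only the CNAME line comes back
    "help.example.com": "help.example.com.\t300\tIN\tCNAME\texample-docs.github.io.\n",
    # CNAME to an S3 bucket that still resolves
    "static.example.com": ("static.example.com.\t60\tIN\tCNAME\tstatic-example.s3.amazonaws.com.\n"
                           "static-example.s3.amazonaws.com.\t5\tIN\tA\t203.0.113.10\n"),
    # plain A record
    "www.example.com": "www.example.com.\t300\tIN\tA\t198.51.100.7\n",
}


def scan(samples):
    """Assess every subdomain and return the results, worst first."""
    order = {"candidate": 0, "dangling": 1, "third-party": 2, "ok": 3, "no-cname": 4}
    results = [assess(name, out) for name, out in samples.items()]
    return sorted(results, key=lambda r: order[r["status"]])


if __name__ == "__main__":
    for r in scan(SAMPLE_DIG):
        print(f"{r['status']:<12} {r['subdomain']:<22} -> {r['cname'] or '-'}  ({r['indicator'] or '-'})")
```

In practice you would feed it `dig +noall +answer <subdomain>` output per host from your own zone list; a "candidate" result means the record should be removed from DNS or the service re-claimed, and a "third-party" result is worth re-checking whenever that service is decommissioned.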
