SKILL: Subdomain Takeover — Detection & Exploitation Playbook
AI LOAD INSTRUCTION: Covers CNAME/NS/MX takeover, per-provider fingerprint matching, claim procedures, and defensive monitoring. Base models often confuse "CNAME exists" with "takeover possible" — the key is whether the resource behind the CNAME is unclaimed and claimable.
0. RELATED ROUTING
- ssrf-server-side-request-forgery when a subdomain takeover is used to bypass SSRF allowlists trusting
*.target.com - cors-cross-origin-misconfiguration when CORS trusts
*.target.com— takeover → full cross-origin read - xss-cross-site-scripting takeover gives you script execution under target origin (cookie theft, OAuth redirect abuse)
- http-host-header-attacks when Host routing leads to subdomain-scoped cache or auth issues
- web-cache-deception when a taken-over subdomain shares cache with the main domain
1. CORE CONCEPT
Subdomain takeover occurs when:
sub.target.comhas a DNS record (CNAME, NS, A) pointing to an external service- The external resource is no longer provisioned (deleted S3 bucket, removed Heroku app, etc.)
- The attacker can register/claim that exact resource name on the provider
- The attacker now controls content served under
sub.target.com
Impact: cookie theft (parent domain cookies), OAuth token interception, phishing under trusted domain, CORS bypass, CSP bypass via whitelisted subdomain.
2. DETECTION METHODOLOGY
2.1 CNAME Enumeration
1. Collect subdomains (amass, subfinder, assetfinder, crt.sh, SecurityTrails)
2. Resolve DNS for each:
dig CNAME sub.target.com +short
3. For each CNAME → check if the CNAME target returns NXDOMAIN or a provider error
4. Match error response against fingerprint table (Section 3)
2.2 Key Signals
| Signal | Meaning |
|---|---|
CNAME → xxx.s3.amazonaws.com + HTTP 404 "NoSuchBucket" | S3 bucket deleted, claimable |
CNAME → xxx.herokuapp.com + "No such app" | Heroku app deleted |
CNAME → xxx.github.io + 404 "There isn't a GitHub Pages site here" | GitHub Pages unclaimed |
| NXDOMAIN on the CNAME target domain itself | Target domain expired or never existed |
| CNAME → provider but HTTP 200 with default parking page | May or may not be claimable — verify |
2.3 Automated Tools
| Tool | Purpose |
|---|---|
subjack | Automated CNAME takeover checking |
nuclei -t takeovers/ | Nuclei takeover detection templates |
can-i-take-over-xyz (GitHub) | Reference for which services are vulnerable |
dnsreaper | Multi-provider takeover scanner |
subzy | Fast subdomain takeover verification |
3. SERVICE PROVIDER FINGERPRINT TABLE
| Provider | CNAME Pattern | Fingerprint (HTTP Response) | Claimable? |
|---|---|---|---|
| AWS S3 | *.s3.amazonaws.com / *.s3-website-*.amazonaws.com | NoSuchBucket (404) | Yes — create bucket with matching name |
| GitHub Pages | *.github.io | There isn't a GitHub Pages site here (404) | Yes — create repo + enable Pages |
| Heroku | *.herokuapp.com / *.herokudns.com | No such app | Yes — create app with matching name |
| Azure | *.azurewebsites.net / *.cloudapp.azure.com / *.trafficmanager.net | Various default pages, NXDOMAIN | Yes — register matching resource |
| Shopify | *.myshopify.com | Sorry, this shop is currently unavailable | Yes — create shop, add custom domain |
| Fastly | CNAME to Fastly edge | Fastly error: unknown domain | Yes — add domain to Fastly service |
| Pantheon | *.pantheonsite.io | 404 Site Not Found with Pantheon branding | Yes |
| Tumblr | *.tumblr.com (custom domain CNAME) | There's nothing here / Whatever you were looking for doesn't exist | Yes |
| WordPress.com | CNAME to *.wordpress.com | Do you want to register | Yes — claim domain in WP.com |
| Zendesk | *.zendesk.com | Help Center Closed / Zendesk branding on error | Yes — create matching subdomain |
| Unbounce | *.unbouncepages.com | The requested URL was not found | Yes |
| Ghost | *.ghost.io | 404 Not Found Ghost error | Yes |
| Surge.sh | *.surge.sh | project not found | Yes |
| Fly.io | CNAME to *.fly.dev | Fly.io default 404 | Yes |
4. TAKEOVER PROCEDURE — COMMON PROVIDERS
4.1 AWS S3
1. Confirm: curl -s http://sub.target.com → "NoSuchBucket"
2. Extract bucket name from CNAME (e.g., sub.target.com.s3.amazonaws.com → bucket = "sub.target.com")
3. aws s3 mb s3://sub.target.com --region <region>
4. Upload index.html proving control
5. Enable static website hosting
4.2 GitHub Pages
1. Confirm: curl -s https://sub.target.com → "There isn't a GitHub Pages site here"
2. Create GitHub repo (any name)
3. Add CNAME file containing "sub.target.com"
4. Enable GitHub Pages in repo settings
5. Wait for DNS propagation (GitHub verifies CNAME match)
4.3 Heroku
1. Confirm: curl -s http://sub.target.com → "No such app"
2. heroku create <app-name-from-cname>
3. heroku domains:add sub.target.com
4. Deploy proof-of-concept page
5. NS TAKEOVER — HIGH SEVERITY
NS takeover is far more dangerous than CNAME takeover: you control all DNS resolution for the zone.
How It Happens
target.com NS → ns1.expireddomain.com
↓
attacker registers expireddomain.com
↓
attacker now controls ALL DNS for target.com
(A records, MX records, TXT records — everything)
Detection
1. Enumerate NS records: dig NS target.com +short
2. Check each NS domain: whois ns1.example.com → is the domain expired or available?
3. Also check: dig A ns1.example.com → NXDOMAIN/SERVFAIL?
4. Subdelegated zones: check NS for sub.target.com specifically
Impact
- Full domain takeover (serve any content, intercept email, issue TLS certs via DNS-01)
- Issue DV certificates from any CA using DNS challenge
- Modify SPF/DKIM/DMARC → send authenticated email as target
6. MX TAKEOVER — EMAIL INTERCEPTION
When MX records point to deprovisioned mail services:
target.com MX → mail.deadservice.com (service discontinued)
If attacker can claim mail.deadservice.com or the mail tenant:
- Receive password reset emails
- Intercept sensitive communications
- Potentially reset accounts that use email-based auth
Common Scenario
Expired Google Workspace / Microsoft 365 tenant → MX still points to Google/Microsoft → attacker creates new tenant and claims the domain.
7. WILDCARD DNS RISKS
If *.target.com has a wildcard CNAME to a claimable service:
- Every undefined subdomain is vulnerable
anything.target.comcan be taken over- Massively increases attack surface
Detection: dig A random1234567.target.com — if it resolves, wildcard exists.
8. DETECTION & EXPLOITATION DECISION TREE
Subdomain discovered (sub.target.com)?
├── Resolve DNS records
│ ├── Has CNAME → external service?
│ │ ├── HTTP response matches known fingerprint? (Section 3)
│ │ │ ├── YES → Attempt claim on provider (Section 4)
│ │ │ │ ├── Claim successful → TAKEOVER CONFIRMED
│ │ │ │ └── Claim blocked (name reserved, region locked) → document, try variations
│ │ │ └── NO → Service active, no takeover
│ │ └── CNAME target NXDOMAIN?
│ │ ├── Target is a registrable domain? → Register it → full control
│ │ └── Target is a subdomain of active provider → check provider claim process
│ │
│ ├── Has NS records → external nameserver?
│ │ ├── NS domain expired/available? → Register → FULL ZONE TAKEOVER
│ │ └── NS domain active → no takeover
│ │
│ ├── Has MX → external mail service?
│ │ ├── Mail service deprovisioned/claimable? → Claim tenant → EMAIL INTERCEPTION
│ │ └── Active mail service → no takeover
│ │
│ └── Has A record → IP address?
│ ├── IP belongs to elastic cloud (AWS EIP, Azure, GCP)?
│ │ ├── IP unassigned? → Claim IP → serve content
│ │ └── IP assigned to another customer → no takeover
│ └── IP belongs to dedicated server → no takeover
│
└── Post-takeover impact assessment
├── Shared cookies with parent domain? → Session hijacking
├── CORS trusts *.target.com? → Cross-origin data theft
├── CSP whitelists *.target.com? → XSS via taken-over subdomain
├── OAuth redirect_uri allows sub.target.com? → Token theft
└── Can issue TLS cert for sub.target.com? → Full MITM
9. DEFENSE & REMEDIATION
| Action | Priority |
|---|---|
| Remove DNS records when deprovisioning cloud resources | Critical |
| Monitor CNAME targets for NXDOMAIN responses | High |
| Use DNS monitoring tools (SecurityTrails, DNSHistory) | High |
| Claim/reserve resource names before deleting DNS records | High |
| Audit NS delegations — ensure NS domains are owned and renewed | Critical |
| Avoid wildcard CNAMEs to third-party services | Medium |
| Implement Certificate Transparency monitoring | Medium |
10. TRICK NOTES — WHAT AI MODELS MISS
- CNAME ≠ takeover: A CNAME to S3 that returns 403 (bucket exists, private) is NOT vulnerable. Only
NoSuchBucket(404) is. - Region matters for S3: Bucket names are global, but website endpoints are regional. Try matching the region from the CNAME.
- GitHub Pages verification: GitHub added domain verification — org-verified domains cannot be claimed by others. Check if target uses this.
- Edge cases: Some providers (e.g., Cloudfront) require specific distribution configuration, not just domain claiming.
- Second-order takeover:
sub.target.com CNAME → other.target.com CNAME → dead-service.com— the chain must be followed fully. - SPF subdomain takeover: If SPF includes
include:sub.target.comand you take oversub.target.com, you can modify its SPF TXT record to authorize your mail server → send spoofed email astarget.com.