Subdomain takeover and prevention using Knockpy

Subdomain takeover and phishing attack

What is a subdomain?

A subdomain is basically your second website with its own unique name. There is no new domain created instead, you use your existing domain name but points the www to another name.

example: beta.facebook.com, help.yourdomain.com, help2.yourdomain.com

What is a phishing attack?

Phishing is a form of social engineering attack that attempts to steal sensitive information. They do so by sending emails or creating web pages that are designed to collect information about individuals.

How do the hackers takeover subdomains?

There are a lot of ways the hackers take control over one’s subdomain. Given below is a basic example.

Scenario

  • Consider you use a service as “assert” in your website assert.mysite.com
  • The service is hosted in bitbucket in the URL myassert-example.bitbucket.com
  • Bitbucket has stopped this service and you are still using it
  • Now hacker can claim the service
  • Now, when you visit myassert-example.bitbucket.com you are actually visiting the hackers site
  • Hackers now can post a defacement or put an HTML Form and asks users to login (Perform phishing attack)

Prevention
Attackers generally can claim subdomains with the external services. In this case, you cannot trace back on the attack and it affects a lot. We can find it out with the tools available(Like Knockpy) or go through all of your DNS entries and remove the ones which are active and unused or the ones pointing to the external services which are not in use anymore.

What is Knockpy
Knockpy is a python tool designed to bruteforce and find the list of Subdomains for a particular Domain. It internally uses a wordlist file which comes with the tool to bruteforce. But, we can also have our own wordlist to bruteforce the domain.

Prerequisites
Python 2.7.6 or later

Git Link
kali>
https://github.com/guelfoweb/knock

Installing Knockpy
Note: I am using Kali linux
kali> git clone https://github.com/guelfoweb/knock

Run Knockpy
kali> python knockpy.py [Domain name] or [IP]

Run Knockpy with different wordlist
kali>python knockpy.py [Domain name]or[IP] wordlist.txt

Knock results

From the above image, you can see that there is a domain which points to heroku services.

atlas.insertcart.com >>> atlas.insertcart.com.herokudns.com

You should visit the subdomain to check whether it is vulnerable or not. your subdomain is vulnerable if you find errors like ‘No such app’.