Monitoring for Subdomain Takeovers

Published on 2024-10-11 20:34:04

Instead of manually hunting for subdomain takeovers, many hackers build a monitoring system to continuously scan for them. This is useful because sites update their DNS entries and remove pages from third-party sites all the time. You never know when a site is going to be taken down and when a new dangling CNAME will be introduced into your target’s assets. If these changes lead to a subdomain takeover, you can find it before others do by routinely scanning for takeovers.

To create a continuous monitoring system for subdomain takeovers, you’ll simply need to automate the process I described for finding them manually. In this section, I’ll introduce some automation strategies and leave the actual implementation up to you:

Compile a list of subdomains that belong to the target organization

Scan the target periodically for new subdomains. Whenever you discover a new service, add it to this list of monitored subdomains.

Scan for subdomains on the list with CNAME entries that point to pages hosted on a vulnerable third-party service

To do this, you’ll need to resolve the base DNS domain of the subdomain and determine if it’s hosted on a third-party provider based on keywords in the URL. For example, a subdomain that points to a URL that contains the string github.io is hosted on GitHub Pages. Also determine whether the third-party services you’ve found are vulnerable to takeovers. If the target’s sites are exclusively hosted on services that aren’t vulnerable to subdomain takeovers, you don’t have to scan them for potential takeovers.

Determine the signature of an unregistered page for each external service

Most services will have a custom 404 Not Found page that indicates the page isn’t registered. You can use these pages to detect a potential takeover. For example, a page that is hosted on GitHub Pages is vulnerable if the string There isn't a GitHub Pages site here is returned in the HTTP response. Make a request to the third-party hosted subdomains and scan the response for these signature strings. If one of the signatures is detected, the page might be vulnerable to takeover.

One way of making this hunting process even more efficient is to let your automation solution run in the background, notifying you only after it finds a suspected takeover. You can set up a cron job to run the script you’ve created regularly. It can alert you only if the monitoring system detects something fishy:

30 10 * * * cd /Users/vickie/scripts/security; ./subdomain_takeover.sh

After the script notifies you of a potential subdomain takeover, you can verify the vulnerability by registering the page on the external service.
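The monitoring loop described above, as an added example that is not the author's subdomain_takeover.sh script: it maps each monitored name's CNAME target to a fingerprinted provider, checks the response body for that provider's unregistered-page signature, and reports only suspects a previous run has not already alerted on. The DNS records and response bodies are constructed sample data; in a real run you would replace the two lookups with a resolver and an HTTP client.

```python
from typing import Callable, Dict, Optional, Set

# Provider fingerprint table: CNAME keyword -> signature an unclaimed page returns.
# Only the GitHub Pages entry comes from the text; extend it as you confirm others.
FINGERPRINTS: Dict[str, str] = {
    "github.io": "There isn't a GitHub Pages site here",
}

def provider_for(cname: Optional[str]) -> Optional[str]:
    """Map a CNAME target to a fingerprinted provider keyword, or None."""
    if not cname:
        return None
    host = cname.rstrip(".").lower()
    # Suffix match, not a bare substring test: github.io.attacker.example is not GitHub Pages.
    for keyword in FINGERPRINTS:
        if host == keyword or host.endswith("." + keyword):
            return keyword
    return None

def scan(monitored: Set[str], resolve: Callable[[str], Optional[str]],
         fetch: Callable[[str], str]) -> Dict[str, str]:
    """Return {subdomain: provider} for each monitored name whose CNAME points at a
    fingerprinted provider and whose HTTP response carries that provider's signature."""
    suspects: Dict[str, str] = {}
    for name in sorted(monitored):
        provider = provider_for(resolve(name))
        if provider is None:
            continue  # self-hosted, or on a provider we have no fingerprint for
        if FINGERPRINTS[provider] in fetch(name):
            suspects[name] = provider
    return suspects

def new_alerts(already_reported: Set[str], suspects: Dict[str, str]) -> Set[str]:
    """Alert only on names an earlier cron run has not already reported."""
    return set(suspects) - already_reported

# Constructed sample records standing in for live DNS lookups and HTTP fetches.
SAMPLE_CNAMES = {
    "docs.example.com": "example-docs.github.io.",
    "old.example.com": "example-old.github.io.",
    "www.example.com": "lb.example.net.",
}
SAMPLE_BODIES = {
    "docs.example.com": "<h1>Welcome to the docs</h1>",
    "old.example.com": "<h1>404</h1> There isn't a GitHub Pages site here.",
    "www.example.com": "<h1>Home</h1>",
}

def demo() -> Dict[str, str]:
    return scan(set(SAMPLE_CNAMES), SAMPLE_CNAMES.get, lambda n: SAMPLE_BODIES.get(n, ""))
```

Persist the set returned by new_alerts between cron runs so the same dangling record is not reported every time the job fires.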
