This chapter covers subdomain enumeration and takeover, a critical reconnaissance technique in the PT0-002 exam's Domain 2.0 (Recon/Enumeration). You'll learn how to discover subdomains using passive and active methods, identify vulnerable records, and execute subdomain takeovers. Approximately 5-8% of exam questions touch on subdomain enumeration or takeover, often in the context of DNS misconfigurations and cloud service exploitation. Mastery of these techniques is essential for both the exam and real-world penetration testing.
Imagine a city with a commercial registry that tracks every business location. A company named 'Acme Corp' registers the address '123 Main St' and builds a thriving store. Over time, Acme moves to a larger location but forgets to update its registration. The address '123 Main St' remains in the registry, pointing to an empty storefront. A malicious actor notices this and quickly moves in, puts up a fake 'Acme Corp' sign, and starts collecting customer payments. The registry (DNS) still directs customers to that address, so they unknowingly do business with the imposter. The key mechanism: the registry entry persists after the legitimate occupant leaves, and no verification occurs when someone claims the address. Subdomain enumeration discovers these dangling DNS records; subdomain takeover exploits them by re-registering the abandoned service.
What is Subdomain Enumeration?
Subdomain enumeration is the process of systematically discovering subdomains associated with a target domain. Subdomains are prefixes to the main domain (e.g., api.example.com, mail.example.com). They often reveal additional attack surface—development servers, staging environments, internal tools, or cloud services. The PT0-002 exam tests both passive and active enumeration techniques, focusing on tools like dnsrecon, Sublist3r, Amass, and Dig.
Why Subdomain Takeover Exists
Subdomain takeover occurs when a DNS record (usually a CNAME or A record) points to an external service (e.g., a cloud platform like AWS S3, Azure, or GitHub Pages) that no longer exists or is no longer claimed by the domain owner. An attacker can then create a resource on that service with the same name as the target, effectively gaining control of the subdomain. The core mechanism: DNS delegation relies on the target service to verify ownership, but if the service allows anyone to claim a resource name, the attacker can claim it.
How Subdomain Enumeration Works Internally
#### Passive Enumeration
Passive enumeration collects subdomains without querying the target's DNS servers directly. Sources include:
- Certificate Transparency (CT) logs: Publicly logged SSL/TLS certificates include subject alternative names (SANs). Tools like crt.sh or Certspotter extract subdomains from these logs.
- Search engines: Google dorking (e.g., site:*.example.com) reveals indexed subdomains.
- DNS records: Publicly available DNS data from sources like SecurityTrails or Shodan.
- Social media: Company GitHub repos, job postings, or tech blogs may expose subdomains.
#### Active Enumeration
Active enumeration sends queries to DNS servers to discover subdomains. Techniques include:
- Brute-forcing: Using a wordlist of common subdomains (e.g., admin, dev, api) and checking if they resolve via DNS queries.
- DNS zone transfer: If misconfigured, an attacker can request a full zone transfer (AXFR) from a DNS server, revealing all subdomains. This is rare but tested.
- DNS resolution with wildcard detection: Many domains use wildcard DNS records (*.example.com) that resolve to the same IP. Attackers must first detect wildcards by querying random subdomains; if they all resolve, a wildcard is present. Then, techniques like dnsrecon -d example.com -t brt with wildcard filtering are used.
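The wildcard check and filtering just described, as an added example in Python (not code from the page or from dnsrecon): the resolver is a constructed in-memory zone so the script runs offline, and `dev.example.com` is included to show the known false negative, a real host that happens to share the wildcard address.

```python
import random
import string

# Constructed fake zone for offline demonstration (example.com is a reserved name).
# Any label not listed below resolves to the wildcard address 203.0.113.10.
ZONE = {
    "www.example.com": {"198.51.100.5"},
    "api.example.com": {"198.51.100.6"},
    "dev.example.com": {"203.0.113.10"},   # real host that shares the wildcard IP
}
WILDCARD_ANSWER = {"203.0.113.10"}


def fake_resolve(name):
    """Stand-in for an A lookup: returns the set of IPs, or an empty set for NXDOMAIN."""
    if name in ZONE:
        return set(ZONE[name])
    if name.endswith(".example.com"):
        return set(WILDCARD_ANSWER)
    return set()


def random_label(length=12):
    return "".join(random.choices(string.ascii_lowercase + string.digits, k=length))


def detect_wildcard(domain, resolve, samples=3):
    """Query several random labels; if every one resolves, the zone has a wildcard.
    Returns the set of wildcard IPs (an empty set means no wildcard)."""
    answers = [resolve(f"{random_label()}.{domain}") for _ in range(samples)]
    if all(answers):
        return set.union(*answers)
    return set()


def brute_force(domain, wordlist, resolve):
    """Resolve each candidate and keep only hits that differ from the wildcard answer.
    Hosts that genuinely live on the wildcard IP are dropped too; that is the same
    trade-off wildcard filtering in brute-force tools makes."""
    wildcard_ips = detect_wildcard(domain, resolve)
    found = {}
    for word in wordlist:
        name = f"{word}.{domain}"
        ips = resolve(name)
        if not ips:
            continue
        if wildcard_ips and ips <= wildcard_ips:
            continue   # indistinguishable from the wildcard response
        found[name] = ips
    return found


if __name__ == "__main__":
    print("wildcard IPs:", detect_wildcard("example.com", fake_resolve))
    print(brute_force("example.com", ["www", "api", "dev", "nothing"], fake_resolve))
```

Replace `fake_resolve` with a real lookup (for example via dnspython) to run the same logic against a live zone.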
Key Components, Values, and Defaults
- DNS Record Types:
  - A: Maps a subdomain to an IPv4 address.
  - CNAME: Maps a subdomain to another domain name (canonical name). This is the most common record for takeover.
  - NS: Delegates a subdomain's DNS to another nameserver.
  - MX: Mail exchange record.
- Common Services Vulnerable to Takeover:
  - AWS S3 (bucket named subdomain.example.com)
  - Azure Blob Storage (subdomain.blob.core.windows.net)
  - GitHub Pages (subdomain.github.io)
  - Heroku (subdomain.herokuapp.com)
  - Shopify, Tumblr, etc.
- DNS Propagation: Changes to DNS records can take up to 48 hours to propagate globally, but TTL (Time to Live) values control caching. Attackers often target records with high TTLs (e.g., 86400 seconds = 24 hours) to ensure persistence.
- Verification Commands:
  - `dig subdomain.example.com` – returns the A record.
  - `dig CNAME subdomain.example.com` – returns the CNAME target.
  - `nslookup -type=CNAME subdomain.example.com` – similar.
  - `host -t CNAME subdomain.example.com` – quick check.
How Subdomain Takeover Works
Identify a dangling DNS record: A CNAME points to a service (e.g., app.example.com CNAME myapp.herokuapp.com). The Heroku app has been deleted.
Claim the service resource: The attacker creates a Heroku app with the name myapp (if the platform allows claiming unclaimed names). Some platforms require verification via DNS TXT record or file upload; if the target's DNS is still pointing, the attacker may be able to use that to prove ownership.
Host malicious content: The attacker deploys a phishing page, malware download, or defacement. The subdomain now serves attacker-controlled content.
Configuration and Verification Commands for Penetration Testing
- Passive Enumeration with Sublist3r:
  `sublist3r -d example.com`
- Active Enumeration with dnsrecon (brute-force):
  `dnsrecon -d example.com -t brt -D /usr/share/wordlists/subdomains.txt`
- Zone Transfer Attempt:
  `dig axfr @ns1.example.com example.com`
- Checking for Takeover with Subjack:
  `subjack -w subdomains.txt -t 100 -timeout 30 -o results.txt -ssl`
  Subjack checks if the subdomain's CNAME target is unclaimed.
- Using Amass for Comprehensive Enumeration:
  `amass enum -d example.com`
Interaction with Related Technologies
CDNs: Content Delivery Networks like Cloudflare may mask origin IPs but often have their own subdomain takeover vectors (e.g., Cloudflare Workers).
Cloud Providers: AWS Route53, Azure DNS, and Google Cloud DNS are common targets. Misconfigured cloud resources (S3 buckets, storage accounts) are prime takeover candidates.
SSL/TLS: Certificate Transparency logs are a rich source for passive enumeration. Attackers monitor CT logs continuously.
Automation: CI/CD pipelines often create temporary subdomains that are left dangling when projects are removed.
Exam Focus: Specific Numbers and Values
Default TTL: 3600 seconds (1 hour) is common; exam may ask about TTL impact on takeover.
DNS Record Types: CNAME is the most commonly tested for takeover.
Tool Commands: Know dig, nslookup, host, dnsrecon, sublist3r, amass.
Ports: DNS uses UDP/53 (queries) and TCP/53 (zone transfers).
Wildcard Detection: Send a random subdomain query; if it resolves, wildcard exists.
Trap Patterns (Common Wrong Answers)
Confusing CNAME and A records: A CNAME points to a domain, not an IP. An A record points to an IP. Takeover typically involves CNAME because the target is a service name, not an IP.
Assuming zone transfer always works: Zone transfers are disabled by default on modern DNS servers. The exam expects you to know it's a misconfiguration.
Thinking takeover requires DNS poisoning: Takeover does not modify DNS records; it exploits existing records that point to unclaimed resources.
Believing wildcard records prevent enumeration: Wildcards complicate brute-forcing but can be bypassed using techniques like dnsrecon -t brt with wildcard filtering.
Step-by-Step Process for Subdomain Enumeration and Takeover
Passive Enumeration: Collect subdomains from CT logs, search engines, and public databases. Use tools like crt.sh or Sublist3r.
Active Enumeration: Brute-force subdomains with a wordlist, attempt zone transfer, and resolve found subdomains to IPs. Use dnsrecon or Amass.
Identify Dangling Records: Check if the resolved IP or CNAME target is unclaimed. Use subjack or nuclei with takeover templates.
Verify Takeover Feasibility: Confirm the service allows claiming the resource (e.g., AWS S3 bucket creation). Some services require DNS verification; if the target's DNS still points, you may pass verification.
Exploit: Create the resource and host malicious content. Document findings for report.
Summary of Key Takeaway Mechanisms
Subdomain enumeration discovers attack surface; takeover exploits misconfigured DNS records.
Passive enumeration leaves no traces; active enumeration may trigger alerts.
Always check for wildcard DNS before brute-forcing.
CNAME records to cloud services are the most common takeover vector.
Real-World Implications
In 2020, a researcher found that thousands of subdomains belonging to Fortune 500 companies were vulnerable to takeover. Attackers have used subdomain takeover to host phishing pages that trick users into entering credentials, distribute malware, and deface websites. The impact can range from reputational damage to full account compromise if the subdomain is used for authentication or cookie scope.
Conclusion
Subdomain enumeration and takeover are essential skills for any penetration tester. The PT0-002 exam tests your ability to identify vulnerable DNS configurations and exploit them. Practice with the tools and techniques described, and always validate findings in a controlled environment.
Passive Subdomain Enumeration
Start by gathering subdomains without directly querying the target's DNS servers. Use Certificate Transparency logs (crt.sh), search engines (Google dork: `site:*.example.com`), and public APIs (SecurityTrails). Tools like Sublist3r automate this. The output is a list of potential subdomains. This step is stealthy but may miss subdomains not publicly indexed.
Active Subdomain Enumeration
Perform DNS queries to discover subdomains. Brute-force using a wordlist (e.g., `dnsrecon -d example.com -t brt -D wordlist.txt`). First, detect wildcard DNS by querying a random subdomain like `asdfghjkl.example.com`. If it resolves, a wildcard exists; tools like `dnsrecon` can filter wildcards. Also attempt a zone transfer (`dig axfr @ns1.example.com example.com`) – rarely successful but tested.
Resolve and Categorize Subdomains
Resolve each discovered subdomain to its IP or CNAME using `dig` or `nslookup`. For each subdomain, record the record type (A, CNAME, MX, etc.). Note: CNAME records pointing to external services (e.g., `myapp.herokuapp.com`) are high-value for takeover. Also note IP addresses for potential reverse DNS or service fingerprinting.
Identify Dangling DNS Records
For each CNAME record, check if the target domain or service is still claimed. Tools like Subjack (`subjack -w subdomains.txt -t 100 -ssl`) automate this by checking if the CNAME target resolves or returns an error. For AWS S3, a bucket that returns `NoSuchBucket` is vulnerable. For Heroku, an app that returns `There's nothing here, yet` is unclaimed.
Exploit the Takeover
Claim the resource on the cloud platform. For AWS S3, create a bucket with the same name as the subdomain (e.g., `subdomain.example.com`). For Heroku, create an app with the name from the CNAME target. Some platforms require DNS verification; since the target's DNS still points, attackers can often pass verification by hosting a file with a verification token. Once claimed, deploy malicious content (e.g., phishing page).
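The dangling-record check from the "Identify Dangling DNS Records" and "Exploit the Takeover" steps, written here as a defender's DNS inventory audit (an added example, not the page's code or Subjack's): the inventory, fingerprints and HTTP responses are constructed from the service strings given above, and `fake_fetch` stands in for a real HTTP request to each CNAME target.

```python
# Constructed DNS inventory of (subdomain, CNAME target) pairs; the names come from
# the scenarios in this chapter and are illustrative, not real records.
INVENTORY = [
    ("assets.startup.com", "assets.startup.com.s3-website-us-east-1.amazonaws.com"),
    ("blog.corp.com", "corp.github.io"),
    ("staging.store.com", "staging-store.herokuapp.com"),
    ("www.store.com", "store.com"),          # points inside the zone: not a takeover candidate
    ("cdn.corp.com", "corpcdn.azureedge.net"),
]

# Service fingerprints from the text: CNAME suffix -> body text that means "unclaimed".
# azureedge.net is listed as a common target but no body fingerprint is given, so for it
# only an unresolvable target is treated as the signal.
FINGERPRINTS = {
    "amazonaws.com": "NoSuchBucket",
    "herokuapp.com": "There's nothing here, yet",
    "github.io": "There isn't a GitHub Pages site here",
    "azureedge.net": None,
}

# Constructed stand-in for fetching each CNAME target over HTTP(S):
# (status, body) for a reachable host, None when the target does not resolve (NXDOMAIN).
FAKE_HTTP = {
    "assets.startup.com.s3-website-us-east-1.amazonaws.com": (404, "<Code>NoSuchBucket</Code>"),
    "corp.github.io": (200, "<html>Developer blog - latest posts</html>"),
    "staging-store.herokuapp.com": (404, "<title>No such app</title> There's nothing here, yet."),
    "corpcdn.azureedge.net": None,
}


def fake_fetch(host):
    return FAKE_HTTP.get(host)


def matching_service(target):
    """Return the fingerprinted service suffix the CNAME target belongs to, or None."""
    for suffix in FINGERPRINTS:
        if target == suffix or target.endswith("." + suffix):
            return suffix
    return None


def classify(target, fetch):
    """Classify one CNAME target as not-external, claimed, or one of two dangling states."""
    service = matching_service(target)
    if service is None:
        return "not-external"
    response = fetch(target)
    if response is None:
        return "dangling:nxdomain"      # target name no longer exists at the provider
    _status, body = response
    fingerprint = FINGERPRINTS[service]
    if fingerprint and fingerprint in body:
        return "dangling:unclaimed"     # provider says nobody currently owns this name
    return "claimed"


def audit(inventory, fetch):
    """Run the check over the whole inventory; any 'dangling:' verdict means the
    CNAME should be removed before someone else claims the resource."""
    return {sub: classify(target, fetch) for sub, target in inventory}


if __name__ == "__main__":
    for sub, verdict in audit(INVENTORY, fake_fetch).items():
        print(f"{sub:22} {verdict}")
```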
Enterprise Scenario 1: Startup with AWS S3
A startup hosts static assets on AWS S3 under assets.startup.com CNAME assets.startup.com.s3-website-us-east-1.amazonaws.com. The startup later migrates to a CDN and deletes the S3 bucket but forgets to remove the CNAME record. An attacker discovers the dangling record using Subjack, creates a bucket named assets.startup.com in the same region, and hosts a malicious JavaScript file that exfiltrates cookies from the main site. The startup's customers unknowingly execute the script.
Enterprise Scenario 2: Large Corporation with Multiple Cloud Services
A Fortune 500 company uses GitHub Pages for a developer blog: blog.corp.com CNAME corp.github.io. The developer team moves the blog to a CMS and deletes the GitHub Pages repository but leaves the CNAME. An attacker claims the corp organization on GitHub Pages (if available) and deploys a phishing page mimicking the corporate login page. Employees visiting blog.corp.com are tricked into entering credentials.
Enterprise Scenario 3: E-commerce Platform with Heroku
An e-commerce company uses Heroku for a staging environment: staging.store.com CNAME staging-store.herokuapp.com. After the project ends, the Heroku app is deleted but the DNS record remains. An attacker creates a Heroku app with the same name and hosts a fake product page that steals credit card information. The company's internal QA team still uses the staging URL and falls victim.
Common Mistakes in Production
Not maintaining a DNS inventory: Companies often lose track of DNS records pointing to external services.
Using wildcard CNAMEs: *.example.com CNAME example.com can mask takeover opportunities but also cause issues.
Not monitoring CT logs: Attackers monitor CT logs for new subdomains; defenders should too.
Scale and Performance Considerations
Enumeration at scale: Tools like Amass can handle thousands of domains but require significant bandwidth and time.
Rate limiting: DNS servers may rate-limit queries; use throttling (-t flag) to avoid detection.
False positives: Wildcard DNS can cause false positives in brute-forcing; always verify with a random subdomain.
PT0-002 Objective Coverage
This topic directly aligns with Domain 2.1: "Given a scenario, conduct passive and active reconnaissance." Subdomain enumeration is a key reconnaissance technique. The exam expects you to know:
Tools: dnsrecon, Sublist3r, Amass, dig, nslookup, host.
Techniques: passive (CT logs, search engines) vs active (brute-force, zone transfer).
Takeover: CNAME records to cloud services, verification steps.
Common Wrong Answers and Why
"Zone transfer is the most effective enumeration technique" – Wrong because zone transfers are almost always disabled; brute-forcing is more common.
"Subdomain takeover requires modifying DNS records" – Wrong; takeover exploits existing records pointing to unclaimed resources.
"Wildcard DNS makes enumeration impossible" – Wrong; tools can filter wildcards by comparing responses to a random subdomain.
"A records are most vulnerable to takeover" – Wrong; CNAME records are the primary vector because they point to external service names.
Specific Exam Values and Terms
Default TTL: Often 3600 seconds (1 hour).
DNS ports: UDP/53 (queries), TCP/53 (zone transfers).
Common CNAME targets: *.s3.amazonaws.com, *.azureedge.net, *.github.io, *.herokuapp.com.
Tool flags: dnsrecon -t brt, sublist3r -d, amass enum -d.
Edge Cases the Exam Tests
Subdomain takeover via NS records: If an NS record points to a nameserver that is no longer controlled by the target, an attacker can set up their own DNS server and control all subdomains under that delegation. This is rare but tested.
Takeover via MX records: An MX record pointing to a defunct mail server could allow an attacker to set up a mail server and intercept emails.
Takeover via SRV records: Similar to MX, but for service discovery.
How to Eliminate Wrong Answers
If a question asks about the most common takeover vector, choose CNAME records (not A or NS).
If a question asks about stealthy enumeration, choose passive (CT logs) over active (brute-force).
If a question mentions wildcard DNS, the correct answer involves detecting the wildcard first.
Subdomain enumeration is a key reconnaissance technique tested in PT0-002 Domain 2.1.
Passive enumeration uses Certificate Transparency logs, search engines, and public databases.
Active enumeration includes brute-forcing, zone transfers, and wildcard detection.
Subdomain takeover exploits CNAME records pointing to unclaimed cloud services.
Common vulnerable services: AWS S3, Azure Blob, GitHub Pages, Heroku.
Always detect wildcard DNS before brute-forcing by querying a random subdomain.
Tools: Sublist3r, dnsrecon, amass, subjack, dig, nslookup, host.
Zone transfers (AXFR) are rarely enabled; do not rely on them.
Takeover does not require DNS record modification; it claims the external resource.
TTL values affect how long DNS changes take to propagate; high TTLs help attackers persist.
NS record takeover is possible but less common; allows full DNS control for the subdomain.
Always validate takeover feasibility by checking if the service allows claiming the resource.
These come up on the exam all the time. Here's how to tell them apart.
Passive Enumeration
Uses public sources like CT logs and search engines.
No direct queries to target DNS servers.
Stealthy; does not alert the target.
May miss subdomains not publicly indexed.
Tools: Sublist3r, crt.sh, Google dorking.
Active Enumeration
Sends DNS queries to target nameservers.
Can trigger logging or alerts.
More comprehensive; discovers internal subdomains.
Requires wordlists and may be rate-limited.
Tools: dnsrecon, Amass, dig brute-force.
Mistake
Subdomain takeover requires DNS poisoning or hijacking.
Correct
Takeover exploits existing DNS records that point to unclaimed external services. The attacker does not modify DNS; they claim the service resource.
Mistake
Active enumeration is always better than passive enumeration.
Correct
Passive enumeration is stealthy and doesn't alert the target. Active enumeration may trigger intrusion detection systems. The best approach combines both.
Mistake
Wildcard DNS records completely prevent subdomain enumeration.
Correct
Wildcards can be detected by querying a random subdomain. Tools like dnsrecon can filter wildcard responses by comparing IPs.
Mistake
Zone transfer is a reliable enumeration technique.
Correct
Zone transfers are disabled by default on modern DNS servers. It's a misconfiguration if it works. The exam expects you to know it's rare.
Mistake
Only CNAME records are vulnerable to takeover.
Correct
While CNAME is most common, NS, MX, and even A records can be vulnerable if they point to a service that allows claiming (e.g., an IP that is a cloud load balancer).
Subdomain enumeration is the process of discovering subdomains of a target domain. It helps identify additional attack surface such as development servers, APIs, or cloud resources. Techniques include passive (using Certificate Transparency logs, search engines) and active (DNS brute-forcing, zone transfers). The PT0-002 exam expects you to know tools like Sublist3r, dnsrecon, and Amass.
Subdomain takeover occurs when a DNS record (usually a CNAME) points to an external service that is no longer claimed by the domain owner. The attacker creates a resource on that service with the same name, gaining control of the subdomain. For example, if `app.example.com CNAME myapp.herokuapp.com` and the Heroku app is deleted, the attacker can create a new Heroku app named `myapp` and host malicious content.
Common tools include Sublist3r (passive), Amass (passive and active), dnsrecon (active), and dig (manual queries). For takeover detection, use Subjack or Nuclei with takeover templates. The PT0-002 exam tests knowledge of these tools and their command-line options.
A wildcard DNS record (`*.example.com`) resolves any non-existent subdomain to the same IP. This complicates brute-force enumeration because every query returns a response. To detect a wildcard, query a random subdomain (e.g., `asdfghjkl.example.com`). If it resolves, a wildcard exists. Tools like dnsrecon can filter wildcard responses by comparing IPs.
Yes, but it's less common. If an A record points to an IP that is a cloud load balancer or a service that allows claiming the IP (e.g., an AWS Elastic IP that is released), an attacker could claim that IP and host content. However, most takeovers involve CNAME records because they point to service names that can be re-registered.
A zone transfer (AXFR) is a DNS mechanism that replicates DNS records from a primary to a secondary DNS server. If misconfigured, anyone can request a full copy of all DNS records for a domain, revealing all subdomains. The PT0-002 exam tests that zone transfers are rarely enabled and that you should attempt it but not rely on it.
Use tools like Subjack or Nuclei. For each subdomain, check if the CNAME target is unclaimed. For AWS S3, a bucket that returns `NoSuchBucket` is vulnerable. For GitHub Pages, a 404 page with 'There isn't a GitHub Pages site here' indicates vulnerability. Manual verification with `curl` or browser can confirm.