Subdomain takeover detection and exploitation playbook. Use when targets have dangling CNAME/NS/MX records pointing to deprovisioned cloud resources, expired third-party services, or unclaimed SaaS tenants that an attacker can register to serve content under the victim's domain.
AI LOAD INSTRUCTION: Covers CNAME/NS/MX takeover, per-provider fingerprint matching, claim procedures, and defensive monitoring. Base models often confuse "CNAME exists" with "takeover possible" — the key is whether the resource behind the CNAME is unclaimed and claimable.
Subdomain takeover occurs when:

- sub.target.com has a DNS record (CNAME, NS, A) pointing to an external service
- the resource behind that record has been deprovisioned, has expired, or was never claimed
- an attacker can register or claim that resource and serve content as sub.target.com

Impact: cookie theft (parent domain cookies), OAuth token interception, phishing under trusted domain, CORS bypass, CSP bypass via whitelisted subdomain.
1. Collect subdomains (amass, subfinder, assetfinder, crt.sh, SecurityTrails)
2. Resolve DNS for each: `dig CNAME sub.target.com +short`
3. For each CNAME → check whether the CNAME target returns NXDOMAIN or a provider error page
4. Match the error response against the fingerprint table (Section 3)
| Signal | Meaning |
|---|---|
| CNAME → xxx.s3.amazonaws.com + HTTP 404 "NoSuchBucket" | S3 bucket deleted, claimable |
| CNAME → xxx.herokuapp.com + "No such app" | Heroku app deleted |
| CNAME → xxx.github.io + 404 "There isn't a GitHub Pages site here" | GitHub Pages unclaimed |
| NXDOMAIN on the CNAME target domain itself | Target domain expired or never existed |
| CNAME → provider but HTTP 200 with default parking page | May or may not be claimable — verify |
| Tool | Purpose |
|---|---|
| subjack | Automated CNAME takeover checking |
| nuclei -t takeovers/ | Nuclei takeover detection templates |
| can-i-take-over-xyz (GitHub) | Reference for which services are vulnerable |
| dnsreaper | Multi-provider takeover scanner |
| subzy | Fast subdomain takeover verification |
| Provider | CNAME Pattern | Fingerprint (HTTP Response) | Claimable? |
|---|---|---|---|
| AWS S3 | *.s3.amazonaws.com / *.s3-website-*.amazonaws.com | NoSuchBucket (404) | Yes — create bucket with matching name |
| GitHub Pages | *.github.io | There isn't a GitHub Pages site here (404) | Yes — create repo + enable Pages |
| Heroku | *.herokuapp.com / *.herokudns.com | No such app | Yes — create app with matching name |
| Azure | *.azurewebsites.net / *.cloudapp.azure.com / *.trafficmanager.net | Various default pages, NXDOMAIN | Yes — register matching resource |
| Shopify | *.myshopify.com | Sorry, this shop is currently unavailable | Yes — create shop, add custom domain |
| Fastly | CNAME to Fastly edge | Fastly error: unknown domain | Yes — add domain to Fastly service |
| Pantheon | *.pantheonsite.io | 404 Site Not Found with Pantheon branding | Yes |
| Tumblr | *.tumblr.com (custom domain CNAME) | There's nothing here / Whatever you were looking for doesn't exist | Yes |
| WordPress.com | CNAME to *.wordpress.com | Do you want to register | Yes — claim domain in WP.com |
| Zendesk | *.zendesk.com | Help Center Closed / Zendesk branding on error | Yes — create matching subdomain |
| Unbounce | *.unbouncepages.com | The requested URL was not found | Yes |
| Ghost | *.ghost.io | 404 Not Found Ghost error | Yes |
| Surge.sh | *.surge.sh | project not found | Yes |
| Fly.io | CNAME to *.fly.dev | Fly.io default 404 | Yes |
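A fingerprint matcher for the detection workflow and the provider table above, added here as an example; it is not part of the original playbook. It takes the CNAME target from dig and the status and body from curl, matches them against the table's patterns, and returns a verdict. The regexes are my transcription of the table's CNAME and body patterns (Azure and Fastly are left out because the table gives them no single body string to match), and the Observation records at the bottom are constructed stand-ins for real dig/curl output so the script runs offline.

```python
"""Match an observed CNAME target and HTTP response against provider fingerprints.

Added example, not part of the original playbook.  Fingerprint regexes are
transcribed from the page's provider table; SAMPLES is constructed data standing
in for real dig/curl output so nothing here touches the network.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Fingerprint:
    provider: str
    cname_re: str            # matched against the CNAME target, case-insensitive
    body_re: str             # matched against the HTTP response body
    status: Optional[int]    # required HTTP status; None accepts any status


# A fingerprint match means "go verify", not "takeover confirmed".
FINGERPRINTS: List[Fingerprint] = [
    Fingerprint("AWS S3", r"\.s3(-website[-.][a-z0-9-]+)?\.amazonaws\.com$", r"NoSuchBucket", 404),
    Fingerprint("GitHub Pages", r"\.github\.io$", r"There isn't a GitHub Pages site here", 404),
    Fingerprint("Heroku", r"\.heroku(app|dns)\.com$", r"No such app", None),
    Fingerprint("Shopify", r"\.myshopify\.com$", r"Sorry, this shop is currently unavailable", None),
    Fingerprint("Pantheon", r"\.pantheonsite\.io$", r"404 Site Not Found", None),
    Fingerprint("Tumblr", r"\.tumblr\.com$", r"There's nothing here|Whatever you were looking for doesn't exist", None),
    Fingerprint("WordPress.com", r"\.wordpress\.com$", r"Do you want to register", None),
    Fingerprint("Zendesk", r"\.zendesk\.com$", r"Help Center Closed", None),
    Fingerprint("Unbounce", r"\.unbouncepages\.com$", r"The requested URL was not found", None),
    Fingerprint("Ghost", r"\.ghost\.io$", r"404 Not Found", None),
    Fingerprint("Surge.sh", r"\.surge\.sh$", r"project not found", None),
    Fingerprint("Fly.io", r"\.fly\.dev$", r"404", 404),
]


@dataclass(frozen=True)
class Observation:
    name: str                # the subdomain under review
    cname: Optional[str]     # CNAME target from dig; None if the name has no CNAME
    target_nxdomain: bool    # True if resolving the CNAME target returned NXDOMAIN
    status: Optional[int]    # HTTP status from curl; None if nothing answered
    body: str                # HTTP response body (may be empty)


def provider_for(cname: str) -> Optional[str]:
    """Name the provider a CNAME target belongs to, or None if it is not in the table."""
    target = cname.rstrip(".")
    for fp in FINGERPRINTS:
        if re.search(fp.cname_re, target, re.IGNORECASE):
            return fp.provider
    return None


def classify(obs: Observation) -> Tuple[str, Optional[str]]:
    """Return (verdict, provider).

    Verdicts: no-cname, dangling-nxdomain, candidate-takeover, provider-responding,
    unknown-provider.  Only candidate-takeover and dangling-nxdomain need follow-up.
    """
    if obs.cname is None:
        return "no-cname", None
    provider = provider_for(obs.cname)
    if obs.target_nxdomain:
        # The CNAME target itself does not exist: an expired registrable domain, or a
        # deleted resource on a provider that answers NXDOMAIN (Azure, per the table).
        return "dangling-nxdomain", provider
    target = obs.cname.rstrip(".")
    for fp in FINGERPRINTS:
        if (re.search(fp.cname_re, target, re.IGNORECASE)
                and (fp.status is None or fp.status == obs.status)
                and re.search(fp.body_re, obs.body, re.IGNORECASE)):
            return "candidate-takeover", fp.provider
    if provider is not None:
        # Known provider but no error fingerprint: the resource exists.  A 200 with a
        # default or parking page still deserves a manual look (see the signal table).
        return "provider-responding", provider
    return "unknown-provider", None


# Constructed observations standing in for real dig/curl output.
SAMPLES: List[Observation] = [
    Observation("assets.example.com", "assets.example.com.s3.amazonaws.com.", False, 404,
                "<Error><Code>NoSuchBucket</Code></Error>"),
    Observation("docs.example.com", "example-org.github.io.", False, 404,
                "<h1>404</h1><p>There isn't a GitHub Pages site here.</p>"),
    Observation("shop.example.com", "example-shop.myshopify.com.", False, 200,
                "<html>Welcome to the store</html>"),
    Observation("old.example.com", "app.dead-service.example.", True, None, ""),
    Observation("www.example.com", None, False, 200, "<html>home</html>"),
]


def scan(observations: List[Observation]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Classify every observation; keyed by subdomain name."""
    return {o.name: classify(o) for o in observations}


if __name__ == "__main__":
    for name, (verdict, provider) in scan(SAMPLES).items():
        print(f"{name:<22} {verdict:<20} {provider or '-'}")
```

The distinction the load instruction at the top of the page warns about is encoded in the verdicts: a CNAME to a provider on its own yields provider-responding, and only a matching error fingerprint (or NXDOMAIN on the target) promotes a name to a candidate. An S3 bucket answering 403 AccessDenied, for example, exists and stays at provider-responding.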
AWS S3:

1. Confirm: `curl -s http://sub.target.com` → "NoSuchBucket"
2. Extract bucket name from CNAME (e.g., sub.target.com.s3.amazonaws.com → bucket = "sub.target.com")
3. `aws s3 mb s3://sub.target.com --region <region>`
4. Upload index.html proving control
5. Enable static website hosting

GitHub Pages:

1. Confirm: `curl -s https://sub.target.com` → "There isn't a GitHub Pages site here"
2. Create GitHub repo (any name)
3. Add CNAME file containing "sub.target.com"
4. Enable GitHub Pages in repo settings
5. Wait for DNS propagation (GitHub verifies CNAME match)

Heroku:

1. Confirm: `curl -s http://sub.target.com` → "No such app"
2. `heroku create <app-name-from-cname>`
3. `heroku domains:add sub.target.com`
4. Deploy proof-of-concept page
NS takeover is far more dangerous than CNAME takeover: you control all DNS resolution for the zone.
```
target.com NS → ns1.expireddomain.com
        ↓
attacker registers expireddomain.com
        ↓
attacker now controls ALL DNS for target.com
(A records, MX records, TXT records — everything)
```
1. Enumerate NS records: `dig NS target.com +short`
2. Check each NS domain: `whois ns1.example.com` → is the domain expired or available?
3. Also check: `dig A ns1.example.com` → NXDOMAIN/SERVFAIL?
4. Subdelegated zones: check NS for sub.target.com specifically
When MX records point to deprovisioned mail services:

```
target.com MX → mail.deadservice.com (service discontinued)
```

If the attacker can claim mail.deadservice.com or the mail tenant, mail for target.com is delivered to them. Common case: expired Google Workspace / Microsoft 365 tenant → MX still points to Google/Microsoft → attacker creates a new tenant and claims the domain.
If *.target.com has a wildcard CNAME to a claimable service, anything.target.com can be taken over.

Detection: `dig A random1234567.target.com` — if a random label resolves, a wildcard exists.
```
Subdomain discovered (sub.target.com)?
├── Resolve DNS records
│   ├── Has CNAME → external service?
│   │   ├── HTTP response matches known fingerprint? (Section 3)
│   │   │   ├── YES → Attempt claim on provider (Section 4)
│   │   │   │   ├── Claim successful → TAKEOVER CONFIRMED
│   │   │   │   └── Claim blocked (name reserved, region locked) → document, try variations
│   │   │   └── NO → Service active, no takeover
│   │   └── CNAME target NXDOMAIN?
│   │       ├── Target is a registrable domain? → Register it → full control
│   │       └── Target is a subdomain of active provider → check provider claim process
│   │
│   ├── Has NS records → external nameserver?
│   │   ├── NS domain expired/available? → Register → FULL ZONE TAKEOVER
│   │   └── NS domain active → no takeover
│   │
│   ├── Has MX → external mail service?
│   │   ├── Mail service deprovisioned/claimable? → Claim tenant → EMAIL INTERCEPTION
│   │   └── Active mail service → no takeover
│   │
│   └── Has A record → IP address?
│       ├── IP belongs to elastic cloud (AWS EIP, Azure, GCP)?
│       │   ├── IP unassigned? → Claim IP → serve content
│       │   └── IP assigned to another customer → no takeover
│       └── IP belongs to dedicated server → no takeover
│
└── Post-takeover impact assessment
    ├── Shared cookies with parent domain? → Session hijacking
    ├── CORS trusts *.target.com? → Cross-origin data theft
    ├── CSP whitelists *.target.com? → XSS via taken-over subdomain
    ├── OAuth redirect_uri allows sub.target.com? → Token theft
    └── Can issue TLS cert for sub.target.com? → Full MITM
```
| Action | Priority |
|---|---|
| Remove DNS records when deprovisioning cloud resources | Critical |
| Monitor CNAME targets for NXDOMAIN responses | High |
| Use DNS monitoring tools (SecurityTrails, DNSHistory) | High |
| Claim/reserve resource names before deleting DNS records | High |
| Audit NS delegations — ensure NS domains are owned and renewed | Critical |
| Avoid wildcard CNAMEs to third-party services | Medium |
| Implement Certificate Transparency monitoring | Medium |
- NoSuchBucket (404) is.
- CNAME chains: sub.target.com CNAME → other.target.com CNAME → dead-service.com — the chain must be followed fully; a healthy first hop says nothing about the tail.
- SPF: if target.com's SPF record contains include:sub.target.com and you take over sub.target.com, you can modify its SPF TXT record to authorize your mail server → send spoofed email as target.com.
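The NS delegation check, the wildcard probe and the CNAME-chain rule above all reduce to the same few resolver questions, so here is one implementation covering all three, added as an example and not part of the original playbook. It follows a CNAME chain hop by hop with loop protection and reports how the chain terminates, probes a parent with a random label to detect wildcard synthesis and then follows the probe's own chain, and flags nameserver hosts that no longer resolve. ZONE, mock_lookup and every hostname in them are constructed for this example so it runs offline; to use it for real, replace mock_lookup with a wrapper around an actual resolver (for example dnspython's `dns.resolver.resolve`) that returns None on NXDOMAIN and an empty list on an empty answer.

```python
"""Follow CNAME chains, probe for wildcards, and audit NS delegations.

Added example, not part of the original playbook.  ZONE and mock_lookup are
constructed so the script runs offline; a real run swaps mock_lookup for a
resolver wrapper with the same contract (None = NXDOMAIN, [] = empty answer).
"""
import secrets
from typing import Callable, Dict, List, Optional, Tuple

# lookup(rrtype, owner) -> rdata strings, [] for no data, None for NXDOMAIN
Resolver = Callable[[str, str], Optional[List[str]]]

# Constructed zone data for example.com and the external names it points at.
# None marks a name that no longer exists; names absent from the table answer
# with no data (good enough for the checks below).
ZONE: Dict[Tuple[str, str], Optional[List[str]]] = {
    ("CNAME", "sub.example.com"):            ["other.example.com"],
    ("CNAME", "other.example.com"):          ["app.dead-service.example"],
    ("CNAME", "app.dead-service.example"):   None,   # external target is gone
    ("CNAME", "loop-a.example.com"):         ["loop-b.example.com"],
    ("CNAME", "loop-b.example.com"):         ["loop-a.example.com"],
    ("CNAME", "www.example.com"):            ["edge.cdn-provider.example"],
    ("A", "edge.cdn-provider.example"):      ["198.51.100.10"],
    ("CNAME", "*.wild.example.com"):         ["pages.static-host.example"],
    ("CNAME", "pages.static-host.example"):  None,   # wildcard target is gone
    ("NS", "example.com"):                   ["ns1.example-dns.example", "ns1.expired-ns.example"],
    ("A", "ns1.example-dns.example"):        ["198.51.100.53"],
    ("A", "ns1.expired-ns.example"):         None,   # nameserver's domain lapsed
}


def mock_lookup(rrtype: str, owner: str) -> Optional[List[str]]:
    """Stand-in resolver over ZONE, emulating wildcard synthesis for *.parent."""
    owner = owner.rstrip(".").lower()
    if (rrtype, owner) in ZONE:
        return ZONE[(rrtype, owner)]
    labels = owner.split(".")
    wild = (rrtype, "*." + ".".join(labels[1:]))
    if len(labels) > 1 and wild in ZONE:
        return ZONE[wild]
    return []


def follow_cname_chain(name: str, lookup: Resolver, max_hops: int = 10) -> Tuple[List[str], str]:
    """Return (chain, terminal_state); state is resolves, nodata, nxdomain, loop or too-long."""
    chain = [name.rstrip(".").lower()]
    seen = set(chain)
    while len(chain) <= max_hops:
        current = chain[-1]
        cnames = lookup("CNAME", current)
        if cnames is None:
            return chain, "nxdomain"            # this hop does not exist: dangling
        if not cnames:
            addrs = lookup("A", current)        # tail of the chain: does it have an address?
            if addrs is None:
                return chain, "nxdomain"
            return chain, "resolves" if addrs else "nodata"
        nxt = cnames[0].rstrip(".").lower()
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
    return chain, "too-long"


def audit_wildcard(parent: str, lookup: Resolver) -> Tuple[bool, List[str], str]:
    """Probe a random label under parent; if it answers, a wildcard exists, so follow it."""
    probe = f"{secrets.token_hex(8)}.{parent}"  # cannot have been provisioned deliberately
    if not (lookup("CNAME", probe) or lookup("A", probe)):
        return False, [probe], "nxdomain"
    chain, state = follow_cname_chain(probe, lookup)
    return True, chain, state


def audit_ns(zone: str, lookup: Resolver) -> List[Tuple[str, str]]:
    """Flag nameservers whose hostname does not resolve; their domain may have lapsed."""
    findings = []
    for ns in lookup("NS", zone) or []:
        host = ns.rstrip(".").lower()
        addrs = lookup("A", host)
        if addrs is None:
            findings.append((host, "nxdomain: check whether the nameserver's domain is still registered"))
        elif not addrs:
            findings.append((host, "no address record"))
    return findings


if __name__ == "__main__":
    for n in ("sub.example.com", "loop-a.example.com", "www.example.com"):
        chain, state = follow_cname_chain(n, mock_lookup)
        print(f"{n}: {' -> '.join(chain)} [{state}]")
    print("wildcard:", audit_wildcard("wild.example.com", mock_lookup))
    print("ns findings:", audit_ns("example.com", mock_lookup))
```

Run on a schedule against your own zones, an nxdomain terminal state on a chain or on a wildcard probe is the "Monitor CNAME targets for NXDOMAIN responses" control from the defense table, and an audit_ns finding is the "Audit NS delegations" one; both fire before any fingerprint matching is needed.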