A subdomain takeover can occur when a malicious actor gains control over a subdomain of a target. For example, northgreensecurity.com is the full domain for our website. A subdomain would be something along the lines of mail.northgreensecurity.com or learning.northgreensecurity.com. The part of the domain name to take note of is the very start: we used mail and learning in our examples of a subdomain.
Subdomain takeover is possible because of a DNS record known as CNAME. A Canonical Name (CNAME) record lets a name such as mail or learning act as an alias that points to another hostname. When the record is not updated correctly and is left pointing to a host that is no longer registered or no longer exists (a "dangling" CNAME), an attacker may be able to stand up a server at that target and receive all of the traffic for that subdomain.
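As an added example (not from the original post), the following Python audit follows CNAME aliases to their final target and flags any subdomain whose target no longer resolves, which is the defender-side check for the dangling-record condition described above. The zone data and hostnames are constructed for illustration, and the resolver is injectable so the logic can be checked offline.

```python
"""Find dangling CNAME records in a zone (defender-side takeover audit)."""
import socket

# Constructed sample zone data, not real records: subdomain -> CNAME target.
SAMPLE_CNAMES = {
    "mail.example.com": "mail-tenant.hostedmail.invalid.",
    "learning.example.com": "learning-site.lmsprovider.invalid",
    "www.example.com": "example.com",
    "intranet.example.com": "www.example.com",  # alias of an alias
}


def target_resolves(hostname):
    """Return True if the system resolver finds an address for hostname.

    NXDOMAIN and other resolution failures count as "does not resolve".
    """
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False


def final_target(name, cnames, max_hops=8):
    """Follow CNAME aliases within `cnames` until a name that is not an alias.

    A hop limit guards against CNAME loops in a misconfigured zone.
    """
    seen = set()
    while name in cnames and name not in seen and len(seen) < max_hops:
        seen.add(name)
        name = cnames[name].rstrip(".")  # strip trailing dot of an FQDN
    return name


def find_dangling(cnames, resolves=target_resolves):
    """Return sorted subdomains whose final CNAME target fails to resolve."""
    dangling = []
    for subdomain in cnames:
        if not resolves(final_target(subdomain, cnames)):
            dangling.append(subdomain)
    return sorted(dangling)


if __name__ == "__main__":
    # Each hit should be removed from the zone or its target re-claimed.
    for name in find_dangling(SAMPLE_CNAMES):
        print(f"DANGLING: {name} -> {SAMPLE_CNAMES[name]}")
```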
We can use tools like Subfinder from projectdiscovery.io to automate the task of identifying CNAME records that point to missing hosts. See below for an example of using subfinder: