Case Study 2: Subdomain Takeover Campaigns and Certificate Transparency Mining

Part A: Subdomain Takeover in the Wild

Background

Subdomain takeover has emerged as one of the most prevalent and impactful vulnerabilities discoverable through active reconnaissance. In 2022 and 2023, multiple security researchers and bug bounty hunters documented large-scale subdomain takeover campaigns affecting major organizations including Fortune 500 companies, government agencies, and technology firms.

This case study examines real-world subdomain takeover campaigns, the reconnaissance techniques used to discover them, and the security implications for organizations.

The Mechanics of Subdomain Takeover

A subdomain takeover occurs when three conditions are met simultaneously:

  1. A DNS record exists: The organization has created a CNAME, A, or NS record for a subdomain (e.g., blog.medsecure.com CNAME medsecure.github.io).
  2. The target resource is unclaimed: The third-party service account that the DNS record points to has been deleted, cancelled, or was never properly configured.
  3. The service allows registration: An attacker can register the same resource name on the third-party service (e.g., create a GitHub Pages site at medsecure.github.io).

Case: Government Agency Subdomain Takeovers (2023)

In early 2023, security researcher Zach Edwards documented over 50 subdomain takeover vulnerabilities affecting U.S. government agencies, including the Department of Defense, NASA, and multiple state government websites. The research was conducted entirely through active reconnaissance:

Discovery Method: 1. Certificate Transparency log mining revealed thousands of subdomains for .gov and .mil domains 2. DNS enumeration confirmed which subdomains had CNAME records pointing to third-party services 3. Automated checking identified services that returned error messages indicating unclaimed resources 4. Manual verification confirmed the takeover potential

Findings: - Multiple .gov subdomains with CNAME records to decommissioned Azure Web Apps - Several subdomains pointing to cancelled GitHub Pages deployments - Subdomains with CNAME records to expired Heroku applications - State government subdomains pointing to deleted AWS S3 buckets

Impact: If exploited, these takeovers would have allowed attackers to: - Serve malicious content on legitimate government domains - Harvest credentials through phishing pages on trusted .gov URLs - Set cookies scoped to the parent .gov domain - Bypass email authentication (SPF) by controlling a subdomain - Damage public trust in government web services

Case: Large-Scale Corporate Subdomain Takeover Study

A 2022 study by Detectify examined subdomain takeover prevalence across Fortune 500 companies:

Methodology: 1. Passive subdomain enumeration using CT logs and DNS aggregation services 2. Active DNS enumeration and brute forcing to discover additional subdomains 3. CNAME analysis to identify subdomains pointing to third-party services 4. Automated verification against known vulnerable service fingerprints 5. Manual confirmation of takeover potential

Key Findings: - Approximately 15% of Fortune 500 companies had at least one subdomain vulnerable to takeover - AWS services (S3, CloudFront, Elastic Beanstalk) accounted for the majority of vulnerable configurations - Average time from initial discovery to remediation (when reported through responsible disclosure) was 45 days - Many organizations were unaware they had DNS records pointing to decommissioned services

Exploitation Scenarios

Scenario 1: Credential Harvesting

An attacker discovers that login.medsecure.com has a CNAME pointing to a decommissioned Azure Web App. The attacker: 1. Creates a new Azure Web App with the same name 2. Deploys a pixel-perfect copy of MedSecure's actual login page 3. Captures credentials entered by employees and customers 4. Redirects victims to the real login page after capture (minimizing detection)

Because the URL is login.medsecure.com — a legitimate subdomain with a valid SSL certificate — traditional phishing indicators are absent. The URL looks legitimate, the certificate is valid, and the domain is correct.

Scenario 2: Session Hijacking via Cookie Injection

An attacker takes over old-blog.medsecure.com and deploys a page that sets cookies scoped to .medsecure.com. These cookies are then sent to every other subdomain, potentially: - Overwriting legitimate session cookies - Injecting XSS payloads via cookie values - Conducting session fixation attacks

Scenario 3: Email Authentication Bypass

If an attacker controls a subdomain, they can set up email sending from that subdomain. If the parent domain's SPF record includes the subdomain (e.g., include:_spf.medsecure.com), the attacker's emails may pass SPF validation, making phishing emails appear to come from a legitimate medsecure.com address.

Active Reconnaissance for Subdomain Takeover

The complete active reconnaissance workflow for subdomain takeover detection:

# Step 1: Discover subdomains (combine passive + active)
amass enum -d medsecure.com -active -brute -o subdomains.txt

# Step 2: Resolve subdomains and identify CNAME records
for sub in $(cat subdomains.txt); do
    cname=$(dig $sub CNAME +short)
    if [ ! -z "$cname" ]; then
        echo "$sub -> $cname" >> cname_records.txt
    fi
done

# Step 3: Check for known vulnerable services
subjack -w subdomains.txt -t 100 -ssl -o takeover_results.txt

# Step 4: Use nuclei for comprehensive takeover detection
nuclei -l subdomains.txt -t takeovers/ -o nuclei_takeover.txt

# Step 5: Manual verification of findings
# Visit each potential takeover URL and verify the error message

Part B: Certificate Transparency Mining as a Reconnaissance Technique

The Evolution of CT-Based Reconnaissance

Certificate Transparency (CT) was designed as a security mechanism to detect fraudulently issued SSL/TLS certificates. However, it has become one of the most powerful reconnaissance tools available to both attackers and defenders. This section examines how CT mining has evolved from a simple subdomain discovery technique into a sophisticated intelligence gathering methodology.

Real-Time CT Monitoring for Attack Surface Discovery

Security researchers and advanced threat actors alike use real-time CT log monitoring to discover new infrastructure as organizations deploy it. CertStream, an open-source tool, provides a real-time feed of newly issued certificates:

Case: Discovering Phishing Infrastructure

In 2023, researchers at Phish.Report and the Anti-Phishing Working Group used CT log monitoring to detect phishing campaigns within minutes of their creation. When attackers registered lookalike domains and obtained SSL certificates, the certificate issuance appeared in CT logs immediately — often before the phishing page was fully deployed.

The same technique works in reverse for penetration testing. By monitoring CT logs for a target organization, testers can discover: - New subdomains as they are created - Shadow IT deployments that bypass official IT processes - Development and staging environments being brought online - Third-party services being integrated (via domain verification certificates)

CT Mining Methodology

Basic CT mining (covered in Chapter 7) involves searching CT logs for certificates matching a target domain. Advanced CT mining adds several analytical layers:

Pattern Analysis:

By examining all certificates issued for an organization over time, you can identify: - Naming conventions (how the organization names its subdomains) - Deployment cadences (how frequently new services are created) - Certificate management practices (manual vs. automated renewal) - Infrastructure changes (migrations, new service deployments)

For example, if MedSecure's CT data shows:

2023-01: api-v1.medsecure.com
2023-03: api-v2.medsecure.com
2023-06: api-v3.medsecure.com (current)
2024-01: api-v4.medsecure.com (newly discovered!)

The pattern suggests that api-v4 is a new deployment, possibly in testing, and may be less hardened than the production api-v3.

Wildcard Certificate Analysis:

Wildcard certificates (e.g., *.internal.medsecure.com) reveal internal subdomain spaces that may not be directly enumerable through DNS brute forcing. When you discover a wildcard certificate, you know the organization operates services under that subdomain space and can target your brute forcing accordingly.

Certificate Authority Analysis:

An organization's choice of certificate authorities reveals information: - Let's Encrypt: Automated certificate management, often used for development/staging - DigiCert/Sectigo: Enterprise certificates, often for production systems - Internal CA: Self-signed or internal CA certificates indicate internal services that may be accessible from the internet

SAN (Subject Alternative Name) Correlation:

A single certificate often covers multiple domains through SANs. Analyzing SAN groupings reveals which services are related:

Certificate covering:
  - api.medsecure.com
  - portal.medsecure.com
  - ehr.medsecure.com

These three services are likely hosted on the same infrastructure and may share security controls (or weaknesses).

Case: Using CT to Detect Shadow IT

A penetration testing team was conducting reconnaissance against a large financial institution. Through CT log monitoring over a two-week period, they discovered:

  1. A new certificate issued for innovation-lab.client.com — a subdomain not in any official documentation
  2. The certificate was issued by Let's Encrypt (suggesting automated deployment, not enterprise IT)
  3. The subdomain resolved to a personal AWS account (different from the organization's official AWS infrastructure)
  4. The application was a prototype with default credentials and no security hardening

This "shadow IT" deployment was created by an innovation team outside the official IT procurement process. It contained test data from production databases and was accessible from the internet without any security controls. The CT log monitoring revealed this exposure before any attacker could discover it through other means.

Defensive Uses of CT Mining

Organizations should monitor their own CT logs for:

  1. Unauthorized certificate issuance: A certificate issued for your domain by an unexpected CA could indicate compromise of your domain or DNS
  2. Shadow IT discovery: Certificates issued for unexpected subdomains reveal unauthorized deployments
  3. Certificate lifecycle management: Tracking certificate expiration to prevent outages
  4. Phishing detection: Certificates issued for lookalike domains (medsecure-login.com, med-secure.com) may indicate phishing campaigns targeting your organization
# Monitor for certificates matching your domain
certstream --full | grep "medsecure"

# Set up alerts for new certificates
# (using a script or monitoring tool)

The Arms Race: CT and Privacy

Some organizations are concerned that CT logs reveal too much about their infrastructure. Efforts to balance transparency with operational security include:

  • Redacted certificates: Some CAs offer certificates where the specific hostname is redacted in CT logs
  • Private CAs: Using internal CAs that do not submit to public CT logs (at the cost of not being trusted by public browsers)
  • Wildcard certificates: Using wildcards to hide specific subdomain names while still revealing the domain space

These privacy measures create tension with CT's original security goal and are an active area of discussion in the security community.

Discussion Questions

  1. An organization discovers it has 15 subdomains with CNAME records pointing to decommissioned third-party services. What is the most efficient remediation strategy? Should they simply delete the DNS records, or are additional steps required?

  2. Bug bounty programs typically pay $500-$5,000 for subdomain takeover findings. Discuss whether this payout accurately reflects the risk. What factors should determine the severity rating of a subdomain takeover?

  3. Certificate Transparency logs create a searchable record of every certificate issued for your domain. Discuss the trade-off between the security benefits of CT (detecting fraudulent certificates) and the reconnaissance value it provides to attackers.

  4. You discover through CT log monitoring that a competitor has obtained a certificate for a domain very similar to your client's domain (e.g., medsecure-portal.com vs. your client's medsecure.com). What actions should you recommend?

  5. Some organizations use wildcard certificates specifically to prevent subdomain enumeration through CT logs. What are the security implications of wildcard certificates, and does the privacy benefit outweigh the security risks?

Key Takeaways

  • Subdomain takeover is a prevalent vulnerability affecting organizations of all sizes, discoverable through systematic active reconnaissance combining DNS enumeration, CNAME analysis, and service fingerprinting.
  • The impact of subdomain takeover extends beyond content serving to credential harvesting, session hijacking, and email authentication bypass on the parent domain.
  • Certificate Transparency mining has evolved from a simple subdomain discovery technique into a sophisticated intelligence gathering methodology that reveals infrastructure patterns, deployment practices, and shadow IT.
  • Both attackers and defenders benefit from CT monitoring — organizations should monitor their own CT logs proactively rather than leaving this intelligence to adversaries.
  • The combination of subdomain takeover checking and CT mining forms a powerful active reconnaissance workflow that frequently reveals high-impact findings during penetration tests.