ClaudeWave
Skill, 2k repo stars, updated 4d ago

hunt-subdomain

Hunt-subdomain is a vulnerability assessment skill for identifying and exploiting subdomain takeover vulnerabilities, particularly those enabling account takeover chains through OAuth redirect URIs, email interception, and cookie-scope abuse. Use this skill when auditing DNS configurations for dangling CNAME records pointing to deprovisioned cloud services including Azure DevOps, Zendesk, Vercel, Fastly, and AWS S3, or when testing authentication endpoints and staging subdomains for unclaimed service re-attachment opportunities.

Install in Claude Code

```bash
git clone --depth 1 https://github.com/elementalsouls/Claude-BugHunter /tmp/hunt-subdomain && cp -r /tmp/hunt-subdomain/skills/hunt-subdomain ~/.claude/skills/hunt-subdomain
```

Then open a new Claude Code session; the skill loads automatically.

SKILL.md

## Crown Jewel Targets

Subdomain takeover is high-value because it allows an attacker to serve content from a **trusted, company-owned domain** — bypassing browser same-origin trust, phishing filters, and user skepticism simultaneously.

**Highest payout contexts:**
- Subdomains of major SaaS brands (Shopify, Snapchat, Mozilla, Yelp) where the trusted domain has user session context
- CDN-backed subdomains (Fastly, CloudFront) where CNAME points to unclaimed origins
- Third-party service integrations: UserVoice, WordPress.com, GitHub Pages, GitLab Pages, Heroku, Zendesk
- Preview/staging/dev subdomains (`new.`, `preview.`, `course.`, `delivery.`, `addons-preview.`) — abandoned after feature launches
- Subdomains used for OAuth redirect URIs or SSO endpoints — these pay highest

**Asset types that matter most:**
- CNAME records pointing to deprovisioned third-party services
- NS delegations to abandoned zones
- A records pointing to unallocated cloud IPs (less common)
- GitLab/GitHub Pages with unclaimed project namespaces

---

## Attack Surface Signals

**DNS signals:**
- `CNAME` pointing to `*.github.io`, `*.gitlab.io`, `*.fastly.net`, `*.herokudns.com`, `*.wordpress.com`, `*.uservoice.com`, `*.zendesk.com`, `*.s3.amazonaws.com`, `*.azurewebsites.net`, `*.netlify.app`
- NXDOMAIN or `SERVFAIL` on the CNAME target while the parent record still exists
- NS records delegating to registrars where the zone is no longer registered

**HTTP response signals:**
- `"There isn't a GitHub Pages site here"`
- `"NoSuchBucket"` (S3)
- `"The specified bucket does not exist"`
- `"No such app"` (Heroku)
- `"Sorry, this shop is currently unavailable"` (Shopify)
- `"This UserVoice subdomain is available"`
- `"Do you want to register"` (any domain parking page)
- HTTP 404 with provider-specific error templates
- Fastly: `"Fastly error: unknown domain"`
- `"404 Web Site not found"` (Azure App Service)

**Tech stack signals:**
- Response headers: `X-Served-By: cache-*` (Fastly), `X-GitHub-Request-Id`, `Server: Netlify`
- `CNAME` chain resolving to provider infrastructure but returning provider 404
- SSL cert issued to provider wildcard (`*.fastly.net`) rather than company domain

---

## Step-by-Step Hunting Methodology

1. **Enumerate all subdomains** for the target using passive + active sources:
   - `subfinder -d target.com -all`
   - `amass enum -passive -d target.com`
   - `assetfinder --subs-only target.com`
   - Certificate transparency: `crt.sh/?q=%.target.com`

2. **Resolve all subdomains** and flag those with:
   - NXDOMAIN responses
   - CNAME pointing to a third-party provider
   ```bash
   dnsx -l subdomains.txt -a -cname -resp -o resolved.txt   # -resp prints the record values, not just the hostnames
   ```

3. **Cross-reference CNAMEs** against known vulnerable provider fingerprints using `nuclei` or `subjack`:
   ```bash
   subjack -w subdomains.txt -t 100 -timeout 30 -ssl -c fingerprints.json
   nuclei -l subdomains.txt -t takeovers/
   ```

4. **Manual verification** for each flagged subdomain:
   - `dig CNAME subdomain.target.com` — confirm CNAME exists
   - `dig A <cname-target>` — confirm NXDOMAIN or no resolution
   - `curl -sk https://subdomain.target.com` — check for provider error string

5. **Confirm claimability** — attempt to register the resource:
   - GitHub Pages: check if `<username>.github.io/<repo>` or org page is unclaimed
   - GitLab Pages: check project namespace
   - S3: attempt `aws s3api create-bucket --bucket <bucketname>`
   - UserVoice/Zendesk/WordPress: visit registration URL
   - Fastly: check if origin hostname is unregistered

6. **Claim the resource** (only enough to prove control — do NOT serve malicious content):
   - Create a minimal index page with your HackerOne username and a timestamp
   - Take screenshot showing your content served on `subdomain.target.com`

7. **Document the chain**: CNAME record → provider target → unclaimed resource → your content

8. **Assess impact escalation**:
   - Does the subdomain appear in OAuth redirect allowlists?
   - Does it share cookies with parent domain (`domain=.target.com`)?
   - Is it referenced in the app's CSP?
   - Can it receive authenticated API calls?

9. **Write report** before releasing the claim (some programs want to verify first)
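Steps 2 to 4 above (resolve, cross-reference against provider fingerprints, verify the error page) are what a zone owner should also run against their own DNS export on a schedule. The script below is an added example, not part of the skill or the Claude-BugHunter repository: it takes a hostname-to-CNAME map, a resolver and an HTTP fetcher, matches the CNAME suffix and response body against the DNS and HTTP signals listed under "Attack Surface Signals", and ranks dangling records first. The zone, rcodes and response bodies are constructed sample data so it runs offline; in practice the resolver and fetcher would wrap `dnsx`/`dig` and `curl` output.

```python
"""Added example (not the skill's own code): triage a zone export for dangling CNAMEs.

Implements steps 2-4 of the methodology offline. The resolver and fetcher are
constructed stand-ins; swap in dnsx/dig and curl output when auditing a real zone.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# CNAME suffix -> regex for the provider's "unclaimed" page (strings from the signal list above).
PROVIDER_FINGERPRINTS: Dict[str, str] = {
    "github.io": r"there isn't a github pages site here",
    "s3.amazonaws.com": r"nosuchbucket|the specified bucket does not exist",
    "herokudns.com": r"no such app",
    "fastly.net": r"fastly error: unknown domain",
    "azurewebsites.net": r"404 web site not found",
    "uservoice.com": r"this uservoice subdomain is available",
}


@dataclass
class Finding:
    host: str
    cname: str
    provider: Optional[str]
    rcode: str          # NOERROR / NXDOMAIN / SERVFAIL returned for the CNAME target
    body_match: bool    # provider "unclaimed" text seen at the original hostname
    verdict: str


def provider_for(cname: str) -> Optional[str]:
    """Map a CNAME target to a known provider suffix, or None if no fingerprint exists."""
    name = cname.rstrip(".").lower()
    for suffix in PROVIDER_FINGERPRINTS:
        if name == suffix or name.endswith("." + suffix):
            return suffix
    return None


def triage(cnames: Dict[str, str],
           resolve: Callable[[str], str],
           fetch: Callable[[str], Optional[str]]) -> List[Finding]:
    """cnames: {hostname: CNAME target}. resolve(target) returns the DNS rcode for the
    target; fetch(hostname) returns the HTTP body served at the hostname (or None)."""
    findings: List[Finding] = []
    for host, target in cnames.items():
        provider = provider_for(target)
        rcode = resolve(target)
        body = fetch(host) or ""
        pattern = PROVIDER_FINGERPRINTS.get(provider or "")
        matched = bool(pattern and re.search(pattern, body, re.IGNORECASE))
        if rcode == "NXDOMAIN":
            verdict = "dangling: CNAME target no longer exists"
        elif matched:
            verdict = "dangling: provider reports resource unclaimed"
        elif provider:
            verdict = "claimed: provider resource still answers"
        else:
            verdict = "unknown provider: review manually"
        findings.append(Finding(host, target, provider, rcode, matched, verdict))
    # Dangling records first, then alphabetical, so the zone owner fixes the worst first.
    findings.sort(key=lambda f: (not f.verdict.startswith("dangling"), f.host))
    return findings


# --- Constructed sample data (stand-ins for a zone export, dnsx and curl output) ---
ZONE = {
    "blog.example.com":   "example-org.github.io.",
    "assets.example.com": "assets-example.s3.amazonaws.com.",
    "app.example.com":    "example-app.herokudns.com.",
    "legacy.example.com": "legacy-portal.azurewebsites.net.",
    "cdn.example.com":    "example.global.ssl.fastly.net.",
    "shop.example.com":   "shops.myshopify.com.",
}
RCODES = {"legacy-portal.azurewebsites.net.": "NXDOMAIN"}   # every other target resolves
BODIES = {
    "blog.example.com":   "<h1>There isn't a GitHub Pages site here.</h1>",
    "assets.example.com": "<Error><Code>NoSuchBucket</Code></Error>",
    "app.example.com":    "<title>No such app</title>",
    "cdn.example.com":    "<html>welcome</html>",
    "shop.example.com":   "<html>welcome</html>",
}


def audit_zone_sample() -> List[Finding]:
    """Run the triage over the constructed zone; used by the demo below."""
    return triage(ZONE, lambda t: RCODES.get(t, "NOERROR"), BODIES.get)


if __name__ == "__main__":
    for f in audit_zone_sample():
        print(f"{f.host:22} -> {f.cname:36} [{f.rcode}] {f.verdict}")
```

The NXDOMAIN branch is checked before the body match because a target that no longer exists is dangling regardless of what a cached or default page says; a third-party CNAME whose provider has no fingerprint is reported for manual review rather than silently marked safe.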

---

## Payload & Detection Patterns

**Bulk CNAME extraction and NXDOMAIN detection:**
```bash
# Extract CNAMEs and check whether each CNAME target still resolves
while read -r sub; do
  [ -z "$sub" ] && continue
  cname=$(dig +short CNAME "$sub" | head -1)
  if [ -n "$cname" ]; then
    # The rcode tells a dangling target (NXDOMAIN) apart from NOERROR with no A record
    status=$(dig +noall +comments A "$cname" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p')
    result=$(dig +short A "$cname")
    if [ "$status" = "NXDOMAIN" ]; then
      echo "[POTENTIAL] $sub -> $cname (NXDOMAIN)"
    elif [ -z "$result" ]; then
      echo "[CHECK] $sub -> $cname (no A record, status $status)"
    fi
  fi
done < subdomains.txt
```

**Nuclei takeover scan:**
```bash
nuclei -l subdomains.txt -t ~/nuclei-templates/http/takeovers/ -severity medium,high,critical
```

**subjack with SSL:**
```bash
subjack -w subdomains.txt -t 100 -timeout 30 -ssl -c $GOPATH/src/github.com/haccer/subjack/fingerprints.json -v
```

**Provider fingerprint grep patterns:**
```bash
curl -sk "https://$subdomain" | grep -iE \
  "there isn't a github pages|no such bucket|no such app|this uservoice|fastly error: unknown domain|do you want to register|sorry, this shop|project not found|404 not found|unclaimed"
```

**Check if subdomain is in scope for cookies (shared parent domain):**
```bash
curl -Isk "https://target.com" | grep -i "set-cookie" | grep -i "domain=.target.com"   # Domain attribute is case-insensitive
```
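The one-liner above only shows that the parent site sets domain-wide cookies. To see exactly which cookies a given subdomain would inherit, and which are host-only, the script below applies RFC 6265 domain matching to captured `Set-Cookie` values. It is an added example, not part of the skill: the header values are constructed sample data, and the parse and match functions are the author's own rather than a library API.

```python
"""Added example (not the skill's own code): which cookies does a subdomain inherit?

Parses Set-Cookie header values captured from the parent site and applies RFC 6265
domain matching, so a zone owner can see which session cookies a dangling subdomain
would receive. The headers below are constructed sample data.
"""
from typing import Dict, List, Optional, Tuple


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """Return (cookie name, {attribute-lowercased: value}) for one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() or None
    return name, attrs


def domain_matches(cookie_domain: str, host: str) -> bool:
    """RFC 6265 section 5.1.3: host equals the domain, or ends with '.' + domain."""
    d = cookie_domain.lstrip(".").lower()
    h = host.lower().rstrip(".")
    return h == d or h.endswith("." + d)


def cookies_reaching(set_cookie_headers: List[str], origin_host: str, target_host: str) -> List[str]:
    """Names of cookies set by origin_host that a browser would also send to target_host.

    A cookie without a Domain attribute is host-only and stays on origin_host. A cookie
    whose Domain attribute does not cover origin_host is rejected by the browser outright.
    """
    reaching: List[str] = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        domain = attrs.get("domain")
        if domain is None:
            if target_host.lower() == origin_host.lower():
                reaching.append(name)
        elif not domain_matches(domain, origin_host):
            continue  # browser ignores a cookie the setting host is not allowed to scope
        elif domain_matches(domain, target_host):
            reaching.append(name)
    return reaching


# Constructed Set-Cookie values as they might appear in `curl -Isk https://example.com`
SAMPLE_HEADERS = [
    "session=abc123; Domain=.example.com; Path=/; Secure; HttpOnly; SameSite=Lax",
    "csrf=xyz; Path=/; Secure",                       # host-only: no Domain attribute
    "pref=dark; Domain=www.example.com; Path=/",      # rejected: example.com does not match www.example.com
    "tracker=t1; domain=Example.COM; path=/",         # attribute names and values are case-insensitive
]


def audit_cookie_sample() -> Dict[str, List[str]]:
    """Cookie names reaching each host when the headers were set by example.com."""
    return {h: cookies_reaching(SAMPLE_HEADERS, "example.com", h)
            for h in ("example.com", "legacy.example.com", "www.example.com")}


if __name__ == "__main__":
    for host, names in audit_cookie_sample().items():
        print(f"{host:20} receives {names}")
```

In the sample, `legacy.example.com` inherits `session` and `tracker` but not the host-only `csrf`; the mitigation the output points at is keeping session cookies host-only (no `Domain` attribute, or the `__Host-` prefix) so a takeover of a sibling subdomain cannot read or receive them.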

**Fastly-specific detection:**
```bash
curl -sI "https://subdomain.target.com" -H "Host: subdomain.target.com" | grep -i "fastly\|x-served-by\|x-cache"
curl -sk "https://subdomain.target.com" | grep -i "fastly error"
```

**S3 unclaimed bucket check:**
```bash
# Only 404 / NoSuchBucket means the name is unallocated; a 403 means the bucket
# exists under another account and is not claimable, so do not count it as a hit
aws s3api head-bucket --bucket <extracted-bucket-name> 2>&1 | grep -i "NoSuchBucket\|404\|Not Found"
```

**GitLab Pages specific:**
```bash
dig CNAME sub.target.com
# If pointing to *.gitlab.io — visit the gitlab.io URL directly
# 404 from gitlab.io project = claimable
```

---

## Common Root Causes

1. **Service offboarding without DNS cleanup** — Developer removes a Heroku app, UserVoice

---

## Related slash commands

- **autopilot** (slash command): Run autonomous hunt loop on a target — scope check → recon → rank surface → hunt → validate → report with configurable checkpoints. Usage: `/autopilot target.com [--paranoid|--normal|--yolo]`
- **chain** (slash command): Build an exploit chain — given bug A, finds B and C to combine for higher severity and payout. Knows common chain patterns: IDOR→ATO, SSRF→cloud metadata, XSS→ATO, open redirect→OAuth theft, S3→bundle→secret→OAuth. Usage: `/chain`
- **hunt** (slash command): Active vulnerability hunting. Two-track dispatcher — asks Red Team vs WAPT, hands off to hunt-dispatch skill and sibling commands. Usage: `/hunt target.com | /hunt *.target.com | /hunt targets.txt [--vuln-class X] [--source-code P] [--chrome]`
- **intel** (slash command): On-demand intelligence fetch for a target — CVEs, disclosed reports, new features. Wraps learn.py + hunt memory context. Usage: `/intel target.com`
- **memory-gc** (slash command): Inspect or rotate hunt-memory JSONL files (audit.jsonl, patterns.jsonl, journal.jsonl). Caps file size and keeps N rotated backups so memory does not grow unbounded.
- **pickup** (slash command): Pick up a previous hunt on a target — shows hunt history, untested endpoints, and memory-informed suggestions. Usage: `/pickup target.com`
- **recon** (slash command): Run full recon pipeline on a target — subdomain enum (Chaos API + subfinder), live host discovery (dnsx + httpx), URL crawl (katana + waybackurls + gau), gf pattern classification, nuclei scan. Outputs to `recon/<target>/` directory. Usage: `/recon target.com`
- **remember** (slash command): Log current finding or successful pattern to hunt memory. Auto-fills from `/validate` output if available. Usage: `/remember`