1
00:00:01,340 --> 00:00:02,190
Hello, everyone.

2
00:00:03,110 --> 00:00:12,740
And now, as we have completed the installation for Sublist3r, we are going to run this against our target

3
00:00:12,740 --> 00:00:13,150
domain.

4
00:00:13,430 --> 00:00:17,260
So let's see, my target domain is srsecure.xyz.

5
00:00:18,260 --> 00:00:20,180
Then you need to supply the

6
00:00:20,180 --> 00:00:25,550
-d flag, which stands for the domain name, and I will hit enter.

7
00:00:26,630 --> 00:00:31,880
As you can see, it is enumerating the subdomains for the target that you have supplied.

8
00:00:32,180 --> 00:00:38,990
You can give any target that you want, it can be Uber, PayPal, Google, Facebook, anything, and

9
00:00:38,990 --> 00:00:47,480
it will start searching in Baidu, Yahoo, Google, Bing, Ask, Netcraft and different types of search

10
00:00:47,480 --> 00:00:49,380
engines or DNS crawlers.

11
00:00:49,940 --> 00:01:00,020
So basically, how Sublist3r works is it tries to collect all the subdomains which are being stored by these

12
00:01:00,020 --> 00:01:04,400
different services like Baidu, Yahoo, Google, etc.

13
00:01:04,850 --> 00:01:12,170
In a couple of seconds, it is going to identify and give us the number of subdomains that have been

14
00:01:12,560 --> 00:01:15,210
made for srsecure.xyz.

15
00:01:15,560 --> 00:01:19,300
And this way you will be able to identify all the subdomains.

16
00:01:20,480 --> 00:01:22,340
Now, as this tool is running,

17
00:01:22,370 --> 00:01:28,880
I have already run one of the instances, and here is how the output will look.

18
00:01:29,300 --> 00:01:36,920
So let me just show you, and you can see we have identified in total 56 subdomains for that specific

19
00:01:36,920 --> 00:01:37,430
target.

20
00:01:37,820 --> 00:01:43,650
And you can see the subdomains look something like this, which is anil.srsecure.xyz,

21
00:01:43,700 --> 00:01:47,900
something like apple.srsecure.xyz and beta.srsecure.xyz.
22
00:01:48,410 --> 00:01:53,300
And you can see there are a lot of subdomains which have been made over here.

23
00:01:54,640 --> 00:02:02,110
Now, let's try to see if we get the subdomain that I have created recently, which is shifashopify.

24
00:02:02,110 --> 00:02:07,790
srsecure.xyz, and you can see over here, it has still not been populated.

25
00:02:08,260 --> 00:02:14,240
This is because the DNS crawler has still not crawled the new subdomain.

26
00:02:14,680 --> 00:02:22,590
This is usual, and it may take some time for new subdomains to get crawled and appear in the search results.

27
00:02:23,110 --> 00:02:26,050
So we should give this some specific time.

28
00:02:26,050 --> 00:02:33,040
And in about 30 minutes, we will be able to see the results in the subdomain enumeration that we

29
00:02:33,040 --> 00:02:33,490
are doing.

30
00:02:35,110 --> 00:02:43,030
So this has completed again over here, and we are not able to see the new subdomain because it has been

31
00:02:43,420 --> 00:02:50,750
just published by me five or 10 minutes ago, and it would take some time to get populated into these

32
00:02:50,750 --> 00:02:51,400
scans.

33
00:02:52,810 --> 00:02:53,280
All right.

34
00:02:53,500 --> 00:02:59,650
So after you have identified the subdomains from these scans, now, what is the next step that we are

35
00:02:59,650 --> 00:03:00,230
going to do?

36
00:03:00,820 --> 00:03:07,510
So let me just clear my screen and let me try to ping the subdomain that we have identified.

37
00:03:07,690 --> 00:03:15,190
So we have identified the subdomain, which is shifashopify.srsecure.xyz.

38
00:03:15,580 --> 00:03:21,610
And we are going to ping this to check if this subdomain exists or does not exist.

39
00:03:22,210 --> 00:03:27,280
And you can see we are getting a reply from that specific subdomain.

40
00:03:28,450 --> 00:03:33,930
And you can notice over here the IP address from which we are getting the reply is this.
41
00:03:34,150 --> 00:03:38,390
So let's try to identify to whom this IP address belongs.

42
00:03:38,860 --> 00:03:41,830
So I'm going to simply run whois on this IP address.

43
00:03:42,220 --> 00:03:51,610
And we already know this IP address belongs to Shopify Operations, which is the Shopify organization. Now,

44
00:03:52,860 --> 00:04:01,740
what are the next steps that we should do? So we are going to just open up a new tab and try to open

45
00:04:02,850 --> 00:04:05,940
the subdomain that we have just identified.

46
00:04:08,930 --> 00:04:16,580
And when I opened this particular subdomain, it looks something like this, and the message says: "Only

47
00:04:16,580 --> 00:04:24,380
one step left to finish setting up your new web address. Go to your domain settings, click Connect

48
00:04:24,380 --> 00:04:27,890
existing domain and enter shifashopify.

49
00:04:27,890 --> 00:04:29,880
srsecure.xyz."

50
00:04:30,140 --> 00:04:30,650
Perfect.

51
00:04:31,250 --> 00:04:40,190
Now you have to remember, whenever you are able to identify those particular subdomains which are

52
00:04:40,190 --> 00:04:42,020
vulnerable to subdomain takeover,

53
00:04:42,110 --> 00:04:49,340
for Shopify specifically, this is one of the fingerprints which you are going to see everywhere.

54
00:04:49,760 --> 00:04:54,440
By fingerprint, I mean you're going to see the same message everywhere.

55
00:04:54,740 --> 00:05:02,670
And remember, for Shopify, you will see the message, which is "only one step left".

56
00:05:03,200 --> 00:05:11,450
This is important because there are so many fingerprints or patterns for different types of cloud providers.

57
00:05:11,960 --> 00:05:16,110
And this is the specific message for Shopify.

58
00:05:17,510 --> 00:05:18,020
All right.
59
00:05:18,290 --> 00:05:25,130
Now, as we have identified the vulnerable subdomain and we have seen how it looks when you

60
00:05:25,640 --> 00:05:32,330
stumble upon any subdomain which is pointed to Shopify but is not being claimed, now

61
00:05:32,330 --> 00:05:38,720
we are going to claim this as an attacker, and we are going to own the whole subdomain, through which

62
00:05:38,720 --> 00:05:45,980
any attacker can host any malicious content on this subdomain, and customers can get redirected to

63
00:05:45,980 --> 00:05:47,570
this subdomain, and

64
00:05:48,780 --> 00:05:56,010
the attacker may host some malicious content and steal sensitive information from the users or

65
00:05:56,010 --> 00:05:56,670
the customers.

66
00:05:57,620 --> 00:05:59,850
Now, how do we claim this subdomain?

67
00:06:00,110 --> 00:06:08,480
So the first thing that you need to do is quickly sign up for Shopify, so you will be redirected to the original

68
00:06:08,480 --> 00:06:10,070
shopify.com page.

69
00:06:10,460 --> 00:06:12,620
You just need to click here and get started.

70
00:06:13,160 --> 00:06:17,270
And Shopify offers you a 14-day trial.

71
00:06:17,630 --> 00:06:19,170
This is one of the best things.

72
00:06:19,700 --> 00:06:26,660
This means that you do not need to pay anything for proving subdomain takeover vulnerabilities, and

73
00:06:26,870 --> 00:06:29,810
you will be able to make a PoC free of cost.

74
00:06:30,140 --> 00:06:30,580
All right.

75
00:06:30,860 --> 00:06:33,410
So let's quickly give the email address.

76
00:06:33,740 --> 00:06:37,070
So let's use one of the email addresses for this attack.

77
00:06:37,340 --> 00:06:42,410
I'm going to choose an email address for this attack, which is, let's say,

78
00:06:46,590 --> 00:06:48,450
hacker.udemy

79
00:06:49,850 --> 00:06:50,300
1
80
00:06:51,830 --> 00:06:59,990
@gmail.com and a password, which was a password. Let's say the store name we are going to

81
00:06:59,990 --> 00:07:02,330
give as Shifa

82
00:07:04,090 --> 00:07:07,240
Shopify subdomain takeover.

83
00:07:08,730 --> 00:07:15,030
OK, so it says the store name can't contain the word Shopify, no issues, so let me just remove that and

84
00:07:16,320 --> 00:07:19,410
shifa subdomain takeover, and let me create a store.

85
00:07:23,890 --> 00:07:31,390
As you can see over here, it is creating the store and moving ahead with some of the steps, let's

86
00:07:31,390 --> 00:07:34,120
wait for this to complete and,

87
00:07:35,690 --> 00:07:40,130
once we are inside this, we will be able to do the next quick steps.

88
00:07:41,060 --> 00:07:47,750
One thing that you can quickly notice over here is that we have got one of the domains like this, which

89
00:07:47,750 --> 00:07:52,760
is our store name, which is shifa subdomain takeover, at myshopify.com.

90
00:07:53,540 --> 00:07:53,980
All right.

91
00:07:53,990 --> 00:07:55,790
So it will ask you some questions.

92
00:07:55,790 --> 00:07:57,770
We can just simply skip those.

93
00:07:58,040 --> 00:08:01,450
But you need to add the last step, which is an address.

94
00:08:01,550 --> 00:08:03,660
So let me just give some of the details.

95
00:08:04,010 --> 00:08:06,380
So let's say I give the details as Rohit

96
00:08:07,860 --> 00:08:09,420
Gautam, address:

97
00:08:09,470 --> 00:08:10,500
let me give as Mumbai.

98
00:08:11,810 --> 00:08:20,090
Let me give Mumbai again over here, Mumbai, country India, state Maharashtra, pincode,

99
00:08:20,780 --> 00:08:26,620
let me give this, let me see if I can keep this blank and enter the store.

100
00:08:26,690 --> 00:08:28,540
OK, so it is asking for a phone number.

101
00:08:28,610 --> 00:08:29,810
So let me give

102
00:08:33,230 --> 00:08:35,310
my phone number and enter the store.
103
00:08:36,320 --> 00:08:45,470
All right, so once you have given all the necessary details, we will be able to come onto our account.

104
00:08:45,470 --> 00:08:54,260
And now this is the page from where we can do the next quick steps to perform a successful subdomain

105
00:08:54,260 --> 00:08:54,820
takeover.

106
00:08:55,370 --> 00:08:55,820
All right.

107
00:08:56,120 --> 00:09:02,690
So now over here, you can see we just need to click on this particular button, which is Add domain.

108
00:09:03,080 --> 00:09:05,120
And remember, what was the subdomain

109
00:09:05,120 --> 00:09:07,700
that was vulnerable? It was shifa

110
00:09:09,500 --> 00:09:15,170
shopify.srsecure.xyz.

111
00:09:17,770 --> 00:09:20,020
Yes, this is the one which was vulnerable.

112
00:09:20,410 --> 00:09:27,220
Now I just need to click on Add domain, and over here, as you can see, this is my primary domain through

113
00:09:27,220 --> 00:09:28,920
which I have created the account.

114
00:09:29,140 --> 00:09:34,020
I just simply need to click on Connect existing domain.

115
00:09:34,600 --> 00:09:37,090
And over here I can give the domain name.

116
00:09:37,600 --> 00:09:45,490
Remember, you can remove this extra https:// and the trailing slash, and you can just hit Next.

117
00:09:46,390 --> 00:09:52,300
Once you hit Next, it is going to say you need to connect your Namecheap domain.

118
00:09:52,960 --> 00:10:00,710
This is because the srsecure main domain is provided by the service provider, which is

119
00:10:00,740 --> 00:10:01,020
Namecheap.

120
00:10:01,510 --> 00:10:01,950
All right.

121
00:10:01,960 --> 00:10:03,520
So we don't need to do anything.

122
00:10:03,520 --> 00:10:06,010
We just need to click on Verify connection.

123
00:10:06,910 --> 00:10:11,860
Once we have clicked on Verify connection, it is going to take just a couple of seconds.

124
00:10:12,070 --> 00:10:19,870
And after that, we will be able to claim the domain successfully, and once we have claimed it,
125
00:10:22,150 --> 00:10:30,760
as you can see over here, we have claimed it successfully, and now we can host anything or upload anything

126
00:10:30,760 --> 00:10:32,730
onto this particular domain.

127
00:10:33,250 --> 00:10:37,600
As you can see, it says status: connected, SSL pending.

128
00:10:37,600 --> 00:10:42,400
It will automatically even put an SSL certificate over there free of cost.

129
00:10:43,180 --> 00:10:46,630
Now, let's verify what happens when we go over there.

130
00:10:46,960 --> 00:10:49,880
Are we able to see the same fingerprint or not?

131
00:10:50,200 --> 00:10:54,790
So let me just paste it over here, and let's see what we get.

132
00:10:55,030 --> 00:10:55,570
Perfect.

133
00:10:55,870 --> 00:11:00,370
As you can see over here, we are able to see "shifa subdomain takeover".

134
00:11:00,670 --> 00:11:07,570
The "coming soon" is because we have not created a website right now, but we are able to claim this particular

135
00:11:07,570 --> 00:11:15,070
page, and I can host any application that I want over here, change the theme, change the content and

136
00:11:15,070 --> 00:11:22,300
put anything over here, so you can see and notice the comparison between the fingerprints that get changed:

137
00:11:22,570 --> 00:11:28,990
before, it was something like this, which says "only one step left", because this subdomain was vulnerable.

138
00:11:29,380 --> 00:11:37,390
Now, the attacker has successfully claimed this subdomain by creating an account on Shopify

139
00:11:37,660 --> 00:11:44,800
and claiming the particular subdomain; he can upload anything onto this particular subdomain, which

140
00:11:44,950 --> 00:11:47,260
will be served to the users.

141
00:11:47,950 --> 00:11:54,010
So I hope you guys understood how you can successfully do a Shopify subdomain takeover.

142
00:11:54,520 --> 00:11:55,060
Thank you.
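The lesson above checks one host by hand: run Sublist3r, ping the candidate, whois the IP, open it in a browser and look for Shopify's "only one step left" banner. The script below is an added example (written for this page, not the instructor's code and not part of Sublist3r or Shopify) that automates the same fingerprint check over a whole Sublist3r result file. It assumes Sublist3r's `-o` file holds one hostname per line, that `dig` is installed for the CNAME lookup, and that a custom domain pointed at Shopify usually carries a CNAME under `.myshopify.com`; the host in the video answered on an A record instead, which is why the banner in the HTTP body, not the CNAME, is the deciding signal. All hostnames and page bodies in the tests are constructed.

```python
#!/usr/bin/env python3
"""Flag Sublist3r results that serve Shopify's unclaimed-store banner.

Added example for this lesson; not the instructor's code, not part of
Sublist3r or Shopify. Assumed workflow (network steps are not run in tests):
    sublist3r -d srsecure.xyz -o subs.txt
    python3 shopify_check.py subs.txt
"""
import re
import subprocess
import sys
import urllib.error
import urllib.request

# The banner shown in the video for a domain pointed at Shopify but not yet
# connected to any store. Case-insensitive, tolerant of whitespace/markup.
SHOPIFY_FINGERPRINT = re.compile(r"only\s+one\s+step\s+left", re.IGNORECASE)

# Assumption: custom domains are normally CNAMEd into myshopify.com.
SHOPIFY_CNAME_SUFFIX = ".myshopify.com"


def parse_sublist3r_output(text):
    """Unique, lowercase hostnames from a `sublist3r -o` file (assumed to be
    one hostname per line); blanks, trailing dots and duplicates are dropped."""
    seen, hosts = set(), []
    for line in text.splitlines():
        host = line.strip().lower().rstrip(".")
        if host and host not in seen:
            seen.add(host)
            hosts.append(host)
    return hosts


def classify(cname, body):
    """Classify one host from its CNAME target (or None) and its HTTP body.

    'takeover-candidate': the unclaimed banner is served, so any Shopify
        account can 'Connect existing domain' and serve content on it.
    'claimed': DNS points into Shopify and a store already answers.
    'unrelated': nothing here indicates Shopify.
    """
    on_shopify = (cname is not None
                  and cname.lower().rstrip(".").endswith(SHOPIFY_CNAME_SUFFIX))
    if SHOPIFY_FINGERPRINT.search(body or ""):
        return "takeover-candidate"
    if on_shopify:
        return "claimed"
    return "unrelated"


def lookup_cname(host):
    """First CNAME target from `dig +short CNAME` (assumes dig is installed);
    None when the record is absent or dig cannot run."""
    try:
        out = subprocess.run(["dig", "+short", "CNAME", host],
                             capture_output=True, text=True,
                             timeout=10, check=False).stdout.strip()
    except (OSError, subprocess.TimeoutExpired):
        return None
    return out.splitlines()[0] if out else None


def fetch_body(host, timeout=10):
    """GET http://host/ and return the body even on a 4xx/5xx status, since a
    placeholder banner is not guaranteed to come with a 200."""
    req = urllib.request.Request("http://%s/" % host,
                                 headers={"User-Agent": "takeover-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None


def main(path):
    with open(path) as fh:
        hosts = parse_sublist3r_output(fh.read())
    for host in hosts:
        body = fetch_body(host)
        if body is None:
            print("%-40s unreachable" % host)
            continue
        print("%-40s %s" % (host, classify(lookup_cname(host), body)))


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "subs.txt")
```

A hit from this script is only a candidate: confirm it the way the video does, by connecting the domain from a trial store and observing that the banner is replaced by your own page, and report it rather than hosting anything beyond a harmless proof-of-concept.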