Çağlar Arlı

Subdomain takeover with A record

A friend of mine has had a subdomain takeover occur. I've taken a look at his DNS and he had some dangling entries, but they were A records, not CNAMEs. The subdomain was pointing to an IP address on AWS.

I've read up on subdomain takeovers and most are done against CNAMEs. I get that a stale A record still points to the original IP address and that this can get reassigned to someone else from the pool as time goes on. What I don't understand is how this threat actor managed to get the same IP. Surely it would be a heck of a lot of trial and error.

Anyway, I built a Kali distro on my server and installed subfinder and subjack. I got a list of all the subdomains and fed these into subjack. However, all the results came back saying the subdomains were not vulnerable to takeover, so I'm a bit stumped as to how it was done.

The first steps I will take will be to get them to remove any dangling entries from their DNS and also to claim back the subdomain. I assume this will protect us in future.

I would love to know how they managed to get that same address assigned to them, as addresses should be randomly assigned from the pool and you can't just specify an IP address when setting up an Elastic IP.
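An added example, not part of the question above and not the asker's code: a CNAME-fingerprint tool such as subjack has nothing to match when the stale record is an A record pointing into a cloud address pool, so the check has to be done differently. The script below takes a zone's A records, a set of addresses the account still holds, and a list of provider prefixes, and flags every A record that points into the provider pool at an address the account no longer owns. All of the data (the zone, the owned addresses and the prefixes, which are RFC 5737 documentation ranges rather than AWS's real list) is constructed for the example; the URL in the comment is AWS's published range file, which a real run would load instead.

```python
import ipaddress

# Constructed sample cloud prefixes (documentation ranges, not AWS's real list).
# For a real run, load the "ip_prefix" values from
# https://ip-ranges.amazonaws.com/ip-ranges.json instead.
CLOUD_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed sample zone export: hostname -> A record target.
ZONE_A_RECORDS = {
    "www.example.com": "203.0.113.10",
    "old-app.example.com": "203.0.113.77",   # stale: instance gone, address released
    "staging.example.com": "198.51.100.5",
    "office.example.com": "192.0.2.44",      # not in any provider pool
}

# Constructed sample of addresses the account still holds (Elastic IPs plus the
# public IPs of running instances, e.g. from `aws ec2 describe-addresses`).
OWNED_IPS = {"203.0.113.10", "198.51.100.5"}


def classify_a_record(ip, owned_ips, cloud_prefixes):
    """Return 'owned', 'dangling-cloud' or 'unknown' for one A record target."""
    addr = ipaddress.ip_address(ip)
    if str(addr) in owned_ips:
        return "owned"
    if any(addr in net for net in cloud_prefixes):
        # Inside a shared provider pool and not held by this account: whoever is
        # handed the address next answers for this hostname.
        return "dangling-cloud"
    return "unknown"


def find_dangling_a_records(zone, owned_ips, cloud_prefixes):
    """Hostnames whose A record points into a provider pool at an address not owned."""
    return sorted(
        name for name, ip in zone.items()
        if classify_a_record(ip, owned_ips, cloud_prefixes) == "dangling-cloud"
    )


if __name__ == "__main__":
    for name, ip in ZONE_A_RECORDS.items():
        print(f"{name:24} {ip:16} {classify_a_record(ip, OWNED_IPS, CLOUD_PREFIXES)}")
    print("dangling:", find_dangling_a_records(ZONE_A_RECORDS, OWNED_IPS, CLOUD_PREFIXES))
```

Records classed "unknown" are not cleared by this check; they point outside the prefixes supplied, so they are either genuinely self-hosted or stale at a provider whose ranges were not loaded, and need a manual look. The remediation for a "dangling-cloud" hit is the one the question already plans: delete the record (or point it at an address the account still holds) rather than trying to recover the released IP.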