
The definition of domain hijacking is: "to gain (temporarily) control of a domain", which could be achieved either through:

  1. Stealing the legal and/or technical ownership of a domain (for example by transferring the domain to another registrar);
  2. Gaining control of the registered name servers and pointing the domain to another endpoint;

What are known domain hijacking methods?

For example, to claim an expired administrative email address and request a domain transfer at the domain registrar. Or, to use phishing techniques.

I suppose the Extensible Provisioning Protocol (EPP) is somehow related to protection against this?

Bob Ortiz
    Sometimes people forget to keep their nameservers up-to-date and are able to register the nameserver and able to take over domains that way. https://thehackerblog.com/respect-my-authority-hijacking-broken-nameservers-to-compromise-your-target/ – Ryan Kelso Mar 13 '17 at 19:51
  • @RyanKelso what if the primary nameserver is a valid registered domain and the secondary nameserver is a free domain to register. You won't be able to misuse this unless the first nameserver went offline, right? – Bob Ortiz Mar 14 '17 at 18:00
  • That is correct as far as my understanding, this attack for domain takeover is only possible if you're able to register the authoritative name server for the domain, as shown in an article by the same gentleman https://thehackerblog.com/the-international-incident-gaining-control-of-a-int-domain-name-with-dns-trickery/ the primary name server for a .int domain fails, which makes the secondary authoritative, and the second one's domain & subdomain are unregistered, allowing for takeover. – Ryan Kelso Mar 14 '17 at 18:39
  • FYI, hacking instructions are discouraged on this site. But interesting info about the name servers. The takeaway is to monitor your domain registrations, and lock them if your provider allows that. – SDsolar Mar 19 '17 at 21:57
  • @SDsolar I'm not interested in particular hacking instructions. I'm trying to identify the possible risks in the area of domain hijacking and to choose proper security measures to mitigate those risks. – Bob Ortiz Mar 19 '17 at 22:04
  • Very interesting read about subdomain takeover; it is exploited very often nowadays: https://labs.detectify.com/tag/hostile-subdomain-takeover/ – slashcrypto Apr 13 '17 at 08:43
  • The wiki for "domain hijacking" lists this link: http://aplegal.com/blog/slamming-door-domain-name-hijacking/ – schroeder Apr 24 '17 at 06:16
  • The wiki itself describes a method. There are tutorials on how to do various attacks. I'm not sure what you are asking. It looks like you haven't done any research, and it looks like you want a list. – schroeder Apr 24 '17 at 06:18
  • @schroeder I actually did do some research but can't seem to find many different ways of hijacking domains other than some traditional ones. I would expect there would be more methods to do so. If you are aware of any other than described already, please provide us with some examples. – Bob Ortiz Jul 07 '17 at 08:58
  • I already have. It appears you want a list, which is not a good fit for StackExchange. – schroeder Jul 07 '17 at 10:00

1 Answer

Here are a few ways to hijack a domain.

  • Use DNS cache poisoning to redirect users to your server.
  • Register the domain the moment the registration gets expired (domain sniping).
  • You can of course just hack the server or the hosting provider if you find a vulnerability.

There are also indirect methods of hijacking a domain, such as:

  • Phishing with unicode characters that are similar to the original (scary stuff): https://www.xudongz.com/blog/2017/idn-phishing/

  • Typosquatting: register a domain one typo away from the actual domain.
  • Bitsquatting: register a domain that differs from the actual domain by one bit. When non-error-correcting RAM flips a bit, users might end up on your page.
Beurtschipper