Suppose we have configured a site on GitHub Pages and now we want to serve the same content on a different subdomain.
- First we need a subdomain from which to serve the content of our GitHub Pages site.
- Then we have to redirect to, or serve, the content of the GitHub Pages site from our subdomain.
- This redirection is done with a type of DNS record called a CNAME.
- A CNAME record is a type of DNS record used to map one domain name to another. It's often used for creating aliases or pointing one domain to another domain's canonical (main) name.
Now, how does subdomain takeover work?
- Suppose a subdomain was aliased (via a CNAME record) to a page on GitHub or on some cloud provider.
- After some time, when the GitHub repo or the cloud-hosted service is no longer needed, the owner simply deletes it but leaves the CNAME record in place, so when we try to access the subdomain it gives us a 404 Not Found error.
- Now, we as an attacker host our own content at the same target name the CNAME still points to.
- And thus we are now controlling the subdomain.
NOTE: CNAME = canonical name
- How to check any subdomain's CNAME records?
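As an added example that is not part of the original notes, here is a small defender-side audit script for exactly this check: it walks a list of CNAME records and flags a record as "dangling" when its target no longer resolves, or as "suspect" when the target is live but the subdomain serves a 404 (the "404 but live" case described above). All hostnames and lookup answers are constructed so the demo runs offline; the `live_*` functions show how to plug in real DNS and HTTP checks against your own zone.

```python
import socket
import urllib.error
import urllib.request

# Constructed sample zone (subdomain -> CNAME target); every name is hypothetical.
CNAME_RECORDS = {
    "docs.example.com": "example-org.github.io",
    "blog.example.com": "old-site.hosting-provider.test",
    "www.example.com": "www.example.com.cdn-provider.test",
}
# Constructed lookup answers so the demo runs offline; a live audit passes the
# live_* functions below instead.
FAKE_RESOLVES = {"example-org.github.io": True,
                 "old-site.hosting-provider.test": False,
                 "www.example.com.cdn-provider.test": True}
FAKE_HTTP_STATUS = {"docs.example.com": 404, "www.example.com": 200}

def live_resolves(hostname):
    """Does the CNAME target still resolve? False on NXDOMAIN."""
    try:
        socket.gethostbyname(hostname)
        return True
    except socket.gaierror:
        return False

def live_http_status(hostname):
    """HTTP status the subdomain currently serves (None if unreachable)."""
    try:
        with urllib.request.urlopen(f"http://{hostname}/", timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except (urllib.error.URLError, OSError):
        return None

def classify(subdomain, target, resolves_fn, status_fn):
    # dangling: target is gone (NXDOMAIN); remove the record before anyone claims it.
    # suspect: target host is live but the subdomain serves 404, so the provider may
    #          no longer bind this hostname; confirm with the provider and clean up.
    if not resolves_fn(target):
        return "dangling"
    if status_fn(subdomain) == 404:
        return "suspect"
    return "ok"

def audit(records, resolves_fn=live_resolves, status_fn=live_http_status):
    """Map every CNAME in the zone to a verdict."""
    return {sub: classify(sub, tgt, resolves_fn, status_fn) for sub, tgt in records.items()}
```

Run `audit(CNAME_RECORDS, lambda h: FAKE_RESOLVES.get(h, False), FAKE_HTTP_STATUS.get)` for the offline demo, or `audit(your_records)` to use live DNS and HTTP lookups.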
Consider reading POCs on HackerOne and Medium to get more ideas.
Before using CLI tools, enumerate as many subdomains as possible that return 404 errors but are still live!
Subdomain Takeover Using CLI Tools