How Recon helped me to to find a Facebook domain takeover

Sudhanshu Rajbhar
4 min readJul 17, 2019

Heyy Everyoneee,

Hope you all are doing good.In this writeup I am going to tell you how I was able to takeover a domain which was owned by Facebook.

Short Story

After my final exams got over,I setup some goals in which fb hof was one of them.Had to go through some N/As and informative reports.But finally I did it.

Here we Go ,

So if you go to you will find that their acquisitions ,partnerships are also inscope of their program.You can say that everything which they own is in scope excluding few domains only.So without wasting time I started collecting the domains which are owned by Facebook.

What’s the best way to find all the domains which are owned by a particular company ?

@0xpatrik has already written an article about it

Before you move ahead I recommend you to read his article.

Horizontal domain correlation:

Let’s start by checking the whois result of


Look at the Registrant email it’s you can use this email to find all the other sites which have the same registrant email as

For reverse WHOIS I found this site really helpful. Or else you can use but there the results are limited and also tools like domlink or amass can be used for horizontal domain correlation as mentioned by @0xpatrik in his article.

Just go to and in the search field,enter the email. (

We got around 2,756 unique domains which all have “” in their whois scan result.

Now just don’t get stop here, we can still get some more domains last time we used the Registrant email , now this time we will use the Registrant Name and let’s see the difference now. (Facebook, Inc)

Cool this time we get more domains than before around 3,441.

Now let’s remove the duplicate ones.Save all this in one file.Then

sort filename | uniq |tee outputFileName

So finally we have around 4k unique domains, which have either Facebook Inc or in their whois scan result.You can still get some more domains use something else this time other than registrant email or name which you found common in the already collected domains.

After I collected all the domains , I used filter-resolved tool by @tomnomnom, to resolve all the domains.

cat fb2.txt | ~/tools/filter-resolved |tee live-domains.txt

Then I used subfinder, to find all the subdomains of the domains which were in live-domains.txt file.

subfinder -dL live-domains.txt -o subdomains.txt

Repeating the same process again, use filter-resolved for resolving all the subdomains which we found using subfinder.

Moving towards the last step, I used webscreenshot for taking screenshots of the subdomains.

And while going through the screenshots I found this domain

Followed this article :

Then I uploaded something to verify the takeover was successful or not.And yeah!! here we go ,found my first subdomain takeover.

POC time:

July. 08— Initial Report
July 11— Report Triaged
July 12 — Fixed
July. 17— Bounty awarded $500

Thankyou for reading it till the end.I hope you enjoyed reading it.

Well one thing which I want to share is after the screenshot part was done, I didn’t bother to look at them as they were all looking same ,I was like there’s no point in going through them other hunters might have already looked at those domains, so I left it.Then after a 2–3days again I looked at it and you all know what happened next.

Guys believe in yourself don’t feel like you will not find anything just because others are also looking at the same thing so your chance is less of finding something there.

Sya Everyoneeeee