1. DNS/hijacking/detectify

/Guide https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/


Hostile Subdomain Takeover using Heroku/Github/Desk + more October 21, 2014


1.1. slide

DNS hijacking using cloud providers – No verification needed

  1. DNS hijacking using cloud providers - no verification needed
  2. Frans Rosen Security Advisor @detectify ( twitter: @fransrosen ) HackerOne #5 @ hackerone.com/leaderboard/all-time Blog at labs.detectify.com Talked here last year! "The Secret life of a Bug Bounty Hunter"

  3. Rundown o Background o History o Tools & Techniques o Deeper levels of hijacking o Evolution o Mitigations o Monitoring

  4. Subdomain Takeover v1.0 campaign.site.com Campaign!
  5. Subdomain Takeover v1.0 campaign.site.com Campaign! Fake site!
  6. Ever seen one of these?
  7. First instance, 12th Oct '14 http://esevece.tumblr.com/post/99786512849/onavo-cname-records-pointing-to-heroku-but-no

  8. https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/ 9 days later, 21st Oct '14

  9. Response from services
    • Heroku: "We're aware of this issue"
    • GitHub: "My apologies for the delayed response. We are aware of this issue"
    • Shopify: "I had already identified that this is a security issue"
  10. What have we seen? https://hackerone.com/reports/172137

  11. What have we seen?
  12. What have we seen? https://hackerone.com/reports/32825

  13. What have we seen?
  14. What have we seen? https://crt.sh/?q=%25.uber.com

  15. What have we seen? https://blog.rubidus.com/2017/02/03/deep-thoughts-on-subdomain-takeovers/

  16. What have we seen? https://labs.detectify.com/2016/10/05/the-story-of-ev-ssl-aws-and-trailing-dot-domains/

  17. What have we seen?
  18. What have we seen?
  19. What have we seen?
  20. Tools
  21. subbrute Not active dev. https://github.com/TheRook/subbrute

  22. Sublist3r https://github.com/aboul3la/Sublist3r Active dev! Took over subbrute! Fetching from multiple sources

  23. massdns https://github.com/blechschmidt/massdns Fast as hell! Needs lists to resolve

  24. altdns https://github.com/infosec-au/altdns Soo soo powerful if you have good mutations Combine with massdns == success Can resolve, but better for just creating the lists

  25. tko-subs https://github.com/anshumanbh/tko-subs Interesting idea, auto takeover when finding issues Might be a liiittle bit too aggressive

  26. We could look here?
  28. WRONG! Resolve and not resolve is what matters.
  29. Dead DNS records
  30. A dead record?
  31. A dead record?
  32. dig is your friend
  33. 9 year old bug
  34. https://thehackerblog.com/the-orphaned-internet-taking-over-120k-domains-via-a-dns-vulnerability-in-aws-google-cloud-rackspace-and-digital-ocean/index.html SERVFAIL/REFUSED

  35. Also works on subdomain delegations!
  36. NOERROR Resolves. All OK. DNS status codes
  37. DNS status codes NXDOMAIN Doesn't exist. Could still have a DNS RR. Query NS to find out more.
  38. DNS status codes REFUSED NS does not like this domain.
  39. DNS status codes SERVFAIL Not even responding. Very interesting!
  40. The tools find what? SERVFAIL REFUSED NOERROR NXDOMAIN ????
  41. Subdomain delegation
  42. Subdomain delegation
  43. Subdomain delegation
  44. Brute add/delete R53 DNS
  45. We now control the domain!
  46. Orphaned EC2 IPs https://www.bishopfox.com/blog/2015/10/fishing-the-aws-ip-pool-for-dangling-domains/

  47. Orphaned EC2 IPs
  48. dev.on.site.com http://integrouschoice.com/

  49. dev.on.site.com
  50. dev.on.site.com
  51. Flow Brute * Collect NOERROR * Collect SERVFAIL / REFUSED +trace the NS * Collect NXDOMAIN if CNAME, +trace
  52. Flow Resolve * Check NOERROR for patterns * SERVFAIL/REFUSED, Check NS for patterns * NXDOMAIN, traverse up to apex, check: NXDOMAIN|SERVFAIL|REFUSED|no servers could be reached
  53. Flow Improve * Collect all subdomain names * Sort them by popularity * Sort www below all names with p>2

  54. Flow Analyze unknowns * Collect titles of all sites (or EyeWitness!) * Filter out common titles + name of company * Generate screenshots, create a image map https://github.com/ChrisTruncer/EyeWitness

  55. Flow Repeat * Do it every day * Push notification changes
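The Resolve step from the Flow slides (NOERROR follow the CNAME; SERVFAIL/REFUSED review the NS; NXDOMAIN on a CNAME walk the target up to its apex) as a small Python classifier for auditing your own zone. This is an added example, not code from the talk or from Detectify; the lookup table is a constructed, offline stand-in for resolver answers, and all names, rcodes and verdict labels are assumptions for the demo.

```python
# Constructed lookup table standing in for real resolver answers, so the
# example runs without network access. name -> (rcode, CNAME target or None).
# Every name and value here is made up for the demo.
RESPONSES = {
    "www.example.com":      ("NOERROR",  None),
    "shop.example.com":     ("NOERROR",  "shop-x.myshopify.com"),
    "shop-x.myshopify.com": ("NOERROR",  None),
    "old.example.com":      ("NXDOMAIN", "old-x.myshopify.com"),
    "myshopify.com":        ("NOERROR",  None),
    "team.example.com":     ("NXDOMAIN", "app.retired-host.test"),
    "dev.example.com":      ("SERVFAIL", None),
}


def lookup(name):
    """Return (rcode, cname) for a name; names absent from the table
    answer NXDOMAIN, as an unregistered domain would."""
    return RESPONSES.get(name, ("NXDOMAIN", None))


def apex_status(name):
    """Walk a name up to its apex and return the apex rcode. Taking the
    last two labels is a simplification (ignores suffixes like co.uk)."""
    return lookup(".".join(name.split(".")[-2:]))[0]


def classify(name):
    """Map one name to a review verdict following the Resolve step:
    NOERROR -> follow any CNAME; SERVFAIL/REFUSED -> the NS delegation
    needs review; NXDOMAIN with a CNAME -> dangling target, so check
    whether the target's apex is still alive."""
    rcode, cname = lookup(name)
    if rcode == "NOERROR":
        return "ok" if cname is None else classify(cname)
    if rcode in ("SERVFAIL", "REFUSED"):
        return "review-ns"
    if rcode == "NXDOMAIN" and cname is not None:
        if apex_status(cname) == "NOERROR":
            return "dangling-cname-service"  # target gone, provider alive
        return "dangling-cname-domain"       # whole target domain is dead
    return "nxdomain"


def audit(names):
    """Return {name: verdict} for every name that is not plainly ok."""
    return {n: classify(n) for n in names if classify(n) != "ok"}
```

In a real audit RESPONSES would be replaced by answers from a resolver (dig or a DNS library) over the zone's own names, and the run repeated daily as the Repeat step says.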
  56. Jan 2017
  57. Jan 2017
  58. Jan 2017
  59. Jan 2017
  60. Jan 2017
  61. Jan 2017
  62. Jan 2017
  63. Monitoring is really preventing this. Psst, this is exactly what we do! Shameless plug
  64. The competition @avlidienbrunn @arneswinnen @TheBoredEng

  65. My takeovers since 2014-10
  66. detectify
  67. Email snooping!
  68. September 2016 http://blog.pentestnepal.tech/post/149985438982/reading-ubers-internal-emails-uber-bug-bounty

  69. 2 of the 3 in action
  70. MX-records Inbound mail. This is important.
  71. MX-records
  72. Conflict check + Validation
  73. Oh, add this!
  74. CNAME -> MX

  75. Whitelisted aliases for verification
  76. Back to this
  77. Tadaa!
  78. We now get postmaster!
  79. Response the day after
  80. Response the day after
  81. Response the day after
  82. On a final note https://twitter.com/realdonaldtrump/status/190093504939163648

  83. On a final note https://twitter.com/realdonaldtrump/status/190093504939163648

  84. On a final note
  85. On a final note
  86. On a final note
  87. Recap o Know your DNS Zone file
    • MX, CNAME, A, AAAA, ALIAS. Everything. o AUTOMATION, probably the only proper solution o will.i.am loves this
  88. Go hack yourself! Questions? Frans Rosen (@fransrosen) - www.detectify.com

MoinQ: DNS/hijacking/解説記事/detectify (last edited 2023-09-16 05:01:10 by ToshinoriMaeno)