
DNS hijacking using cloud providers – No verification needed


This is my talk from OWASP AppSec EU and also Security Fest 2017.

A few years ago, Frans and his team posted an article on Detectify Labs about domain hijacking using services like AWS, Heroku and GitHub. These issues still remain and still affect a lot of companies. Jonathan Claudius from Mozilla even calls “subdomain takeover” “the new XSS”. Since then, many tools have popped up to spot this sort of vulnerability. Frans will go through both the currently disclosed and the undisclosed ways to take control over domains and will share the specific techniques involved.



  1. detectify DNS hijacking using cloud providers – no verification needed
  2. Frans Rosén, Security Advisor @detectify (twitter: @fransrosen). HackerOne #5 @ hackerone.com/leaderboard/all-time. Blog at labs.detectify.com. Talked here last year: "The Secret life of a Bug Bounty Hunter"
  3. Rundown • Background • History • Tools & Techniques • Deeper levels of hijacking • Evolution • Mitigations • Monitoring
  4. Subdomain Takeover v1.0: campaign.site.com. Campaign!
  5. Subdomain Takeover v1.0: campaign.site.com. Fake site!
  6. Ever seen one of these?
  7. First instance, 12th Oct '14: http://esevece.tumblr.com/post/99786512849/onavo-cname-records-pointing-to-heroku-but-no
  8. 9 days later, 21st Oct '14: https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/
  9. Response from services. Heroku: “We're aware of this issue”. GitHub: “My apologies for the delayed response. We are aware of this issue”. Shopify: “I had already identified that this is a security issue”.
  10. What have we seen?
  11. What have we seen? https://hackerone.com/reports/172137
  12. What have we seen?
  13. What have we seen? https://hackerone.com/reports/32825
  14. What have we seen?
  15. What have we seen? https://crt.sh/?q=%25.uber.com
  16. What have we seen? https://blog.rubidus.com/2017/02/03/deep-thoughts-on-subdomain-takeovers/
  17. What have we seen? https://labs.detectify.com/2016/10/05/the-story-of-ev-ssl-aws-and-trailing-dot-domains/
  18. What have we seen?
  19. What have we seen?
  20. What have we seen?
  21. Tools
  22. subbrute: https://github.com/TheRook/subbrute. Not in active development.
  23. Sublist3r: https://github.com/aboul3la/Sublist3r. Active development! Took over subbrute. Fetches from multiple sources.
  24. massdns: https://github.com/blechschmidt/massdns. Fast as hell! Needs lists to resolve.
  25. altdns: https://github.com/infosec-au/altdns. So, so powerful if you have good mutations. Combine with massdns == success. Can resolve, but better for just creating the lists.
  26. tko-subs: https://github.com/anshumanbh/tko-subs. Interesting idea, auto takeover when finding issues. Might be a little bit too aggressive.
  27. We could look here?
  28. WRONG!
  29. WRONG! Whether a name resolves or not is what matters.
  30. Dead DNS records
  31. A dead record?
  32. A dead record?
  33. dig is your friend
  34. 9 year old bug
  35. SERVFAIL/REFUSED: https://thehackerblog.com/the-orphaned-internet-taking-over-120k-domains-via-a-dns-vulnerability-in-aws-google-cloud-rackspace-and-digital-ocean/index.html
  36. Also works on subdomain delegations!
  37. DNS status codes. NOERROR: resolves, all OK.
  38. DNS status codes. NXDOMAIN: doesn't exist, but the name could still have a DNS RR (for example a CNAME whose target is gone). Query NS to find out more.
  39. DNS status codes. REFUSED: the NS does not want to answer for this zone (the name is delegated to it, but the zone is not hosted there).
  40. DNS status codes. SERVFAIL: the resolver got no usable answer from the authoritative servers. Very interesting!
  41. The tools find what? SERVFAIL, REFUSED, NOERROR, NXDOMAIN? ????
  42. Subdomain delegation
  43. Subdomain delegation
  44. Subdomain delegation
  45. Brute add/delete R53 DNS
  46. We now control the domain!
  47. Orphaned EC2 IPs: https://www.bishopfox.com/blog/2015/10/fishing-the-aws-ip-pool-for-dangling-domains/
  48. Orphaned EC2 IPs
  49. dev.on.site.com http://integrouschoice.com/
  50. dev.on.site.com
  51. dev.on.site.com
  52. Flow, Brute: * Collect NOERROR * Collect SERVFAIL / REFUSED, +trace the NS * Collect NXDOMAIN if CNAME, +trace
  53. Flow, Resolve: * Check NOERROR for patterns * SERVFAIL/REFUSED: check NS for patterns * NXDOMAIN: traverse up to apex, check for NXDOMAIN|SERVFAIL|REFUSED|"no servers could be reached"
  54. Flow, Improve: * Collect all subdomain names * Sort them by popularity * Sort www below all names with p>2
  55. Flow, Analyze unknowns: * Collect titles of all sites (or use EyeWitness!) * Filter out common titles + name of company * Generate screenshots, create an image map. https://github.com/ChrisTruncer/EyeWitness
  56. Flow, Repeat: * Do it every day * Push notifications on changes
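The brute/resolve flow from slides 52 to 56, combined with the status-code rules from slides 37 to 40, as one classifier. This is an added example written for this page, not code from the talk or from Detectify. It runs against a constructed in-memory zone so it works offline; the claimable-service suffixes, the cloud nameserver patterns and every hostname (site.com, the vendor names) are assumptions for illustration. Swap FakeResolver for a real stub resolver to run it on live DNS. A NOERROR answer on a claimable service still needs a content fingerprint, which this code does not do.

```python
"""Classify DNS records along the talk's brute / resolve flow (added example).

Lookups go through a constructed in-memory table so it runs offline; the
service suffixes, cloud-NS patterns and hostnames are assumptions.
"""
from dataclasses import dataclass

NOERROR, NXDOMAIN, SERVFAIL, REFUSED = "NOERROR", "NXDOMAIN", "SERVFAIL", "REFUSED"

# Assumed: services where an unclaimed name can be registered by anyone.
CLAIMABLE_SUFFIXES = (".herokuapp.com", ".github.io", ".s3.amazonaws.com")
# Assumed: name fragments of cloud DNS providers where a deleted zone can be
# re-created by another customer (the "9 year old bug" / SERVFAIL slides).
CLOUD_NS_PATTERNS = ("awsdns", "googledomains", "rackspace")


@dataclass
class Finding:
    name: str
    rcode: str
    verdict: str
    detail: str


class FakeResolver:
    """(name, rtype) -> (rcode, [rdata]); unknown names answer NXDOMAIN."""

    def __init__(self, table):
        self.table = table

    def query(self, name, rtype):
        return self.table.get((name.rstrip("."), rtype), (NXDOMAIN, []))


def apex_chain(name):
    """dev.on.site.com -> [dev.on.site.com, on.site.com, site.com].
    Assumes a one-label TLD; public-suffix handling (co.uk) is left out."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def classify(name, res):
    # Follow the CNAME if there is one: the target is what can be taken over.
    rcode, rdata = res.query(name, "CNAME")
    target = rdata[0] if rcode == NOERROR and rdata else None
    lookup = target or name
    rcode, _ = res.query(lookup, "A")

    if rcode == NOERROR:
        # Resolving proves nothing: some services answer for every name under
        # their suffix, so the content still needs a fingerprint check.
        if target and target.endswith(CLAIMABLE_SUFFIXES):
            return Finding(name, rcode, "check-fingerprint", f"CNAME -> {target}")
        return Finding(name, rcode, "ok", "")

    if rcode in (SERVFAIL, REFUSED):
        # "+trace the NS": walk up to the delegation. A delegation to a cloud
        # DNS provider that refuses the zone is a dangling delegation.
        for zone in apex_chain(lookup):
            ns_rcode, ns = res.query(zone, "NS")
            if ns_rcode == NOERROR and ns:
                if any(p in host for host in ns for p in CLOUD_NS_PATTERNS):
                    return Finding(name, rcode, "dangling-delegation", f"{zone} NS {ns}")
                return Finding(name, rcode, "broken-ns", f"{zone} NS {ns}")
        return Finding(name, rcode, "broken-ns", "no delegation found")

    # NXDOMAIN: only interesting when a CNAME points at the missing name.
    if not target:
        return Finding(name, rcode, "ok", "no record")
    chain = apex_chain(target)
    apex = chain[-1] if chain else target
    if res.query(apex, "NS")[0] != NOERROR:
        # The target's whole domain is gone: register it and the record is yours.
        return Finding(name, rcode, "unregistered-target", apex)
    if target.endswith(CLAIMABLE_SUFFIXES):
        return Finding(name, rcode, "claimable-target", target)
    return Finding(name, rcode, "dead-cname", target)


# Constructed zone state for a fictional site.com (not real DNS data).
RES = FakeResolver({
    ("www.site.com", "A"): (NOERROR, ["203.0.113.10"]),
    ("shop.site.com", "CNAME"): (NOERROR, ["shop-site.github.io"]),
    ("shop-site.github.io", "A"): (NOERROR, ["203.0.113.20"]),  # resolves, unclaimed
    ("campaign.site.com", "CNAME"): (NOERROR, ["campaign-site.herokuapp.com"]),
    ("herokuapp.com", "NS"): (NOERROR, ["ns.heroku-example.net"]),
    ("blog.site.com", "CNAME"): (NOERROR, ["site.oldvendor-example.com"]),
    ("dev.on.site.com", "A"): (SERVFAIL, []),
    ("on.site.com", "NS"): (NOERROR, ["ns-123.awsdns-45.com"]),
})


def scan(names, res=RES):
    """Only the records worth a human look, as the daily run would report."""
    return [f for f in (classify(n, res) for n in names) if f.verdict != "ok"]
```

A `dangling-delegation` finding is the input to the Route 53 add/delete loop from slide 45; an `unregistered-target` finding means the CNAME target's whole domain can simply be registered; `check-fingerprint` is the case slide 29 warns about, where resolution alone says nothing.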
  57. Jan 2017
  58. Jan 2017
  59. Jan 2017
  60. Jan 2017
  61. Jan 2017
  62. Jan 2017
  63. Jan 2017
  64. Monitoring is really what prevents this. Psst, this is exactly what we do! Shameless plug.
  65. The competition: @avlidienbrunn @arneswinnen @TheBoredEng
  66. My takeovers since 2014-10
  67.
  68. Email snooping!
  69. September 2016: http://blog.pentestnepal.tech/post/149985438982/reading-ubers-internal-emails-uber-bug-bounty
  70. 2 of the 3 in action
  71. MX records: inbound mail. This is important.
  72. MX records
  73. Conflict check + validation
  74. Oh, add this!
  75. CNAME -> MX
  76. Whitelisted aliases for verification
  77. Back to this
  78. Tadaa!
  79. We now get postmaster!
  80. Response the day after
  81. Response the day after
  82. Response the day after
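The CNAME -> MX step from slides 71 to 79, worked through in code. This is an added example, not code from the talk or from the Uber report it cites. RFC 5321 section 5.1 has the MX lookup repeated on the canonical name when the recipient domain is a CNAME, so whoever claims the CNAME target also receives mail for the subdomain, including the verification aliases such as postmaster@. The zone data and hostnames are constructed assumptions, and the alias list is an assumed one modelled on the addresses CAs accept for e-mail validation.

```python
"""Why taking over a CNAME target also captures inbound mail (added example).

The zone below is constructed; every hostname is an assumption. MX rdata is
written as "preference host", the way dig prints it.
"""

# Constructed zone data: name -> {rtype: [rdata]}.
ZONE = {
    "site.com": {"MX": ["20 mx2.site.com", "10 mx1.site.com"]},
    # Subdomain that once pointed at a vendor-hosted app. The vendor name has
    # been claimed by the attacker, who set their own MX on it.
    "crm.site.com": {"CNAME": ["site-crm.vendor-example.net"]},
    "site-crm.vendor-example.net": {"MX": ["10 mx.attacker-example.org"]},
}

# Assumed list, modelled on the aliases CAs accept for e-mail domain validation.
VERIFICATION_ALIASES = ("admin", "administrator", "webmaster", "hostmaster", "postmaster")


def canonical_name(name, zone, max_hops=8):
    """Follow CNAMEs to the canonical name; refuse loops and long chains."""
    seen = set()
    while "CNAME" in zone.get(name, {}):
        if name in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {name}")
        seen.add(name)
        name = zone[name]["CNAME"][0]
    return name


def effective_mx(domain, zone):
    """Hosts that receive mail for domain, lowest preference first.

    RFC 5321 5.1: if the domain is a CNAME, the MX lookup is redone on the
    canonical name; with no MX at all the name itself is an implicit MX 0."""
    target = canonical_name(domain, zone)
    records = zone.get(target, {}).get("MX")
    if not records:
        return [target]
    return [r.split()[1] for r in sorted(records, key=lambda r: int(r.split()[0]))]


def mail_for(address, zone):
    """Return the MX hosts that mail for address will be delivered to."""
    return effective_mx(address.rsplit("@", 1)[1], zone)


def captured_addresses(domain, zone, attacker_hosts):
    """Verification addresses the attacker receives once their MX is primary."""
    if effective_mx(domain, zone)[0] not in attacker_hosts:
        return []
    return [f"{alias}@{domain}" for alias in VERIFICATION_ALIASES]
```

Note that the parent zone's MX plays no part: site.com keeps its own mail servers while crm.site.com silently delivers to the attacker, which is why the recap says to know every record type in the zone file, CNAMEs included.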
  83. On a final note: https://twitter.com/realdonaldtrump/status/190093504939163648
  84. On a final note: https://twitter.com/realdonaldtrump/status/190093504939163648
  85. On a final note
  86. On a final note
  87. On a final note
  88. Recap • Know your DNS zone file: MX, CNAME, A, AAAA, ALIAS. Everything. • AUTOMATION, probably the only proper solution • will.i.am loves this
  89. Go hack yourself! Questions? Frans Rosén (@fransrosen) – www.detectify.com
