DNS hijacking using cloud providers – No verification needed
15 likes14,308 views
The document discusses DNS hijacking, highlighting tools and techniques used for subdomain takeover and monitoring by Detectify. It outlines past incidents, various response from service providers, and emphasizes the importance of automation and proper DNS management. The presentation includes references to several tools and reports, illustrating the evolution and challenges in combating such security vulnerabilities.
DNS hijacking using cloud providers – No verification needed
- 1. detectify DNS hijacking using cloud providers – no verification needed
- 2. detectify Frans Rosén Security Advisor @detectify ( twitter: @fransrosen ) HackerOne #5 @ hackerone.com/leaderboard/all-time Blog at labs.detectify.com Talked here last year! "The Secret life of a Bug Bounty Hunter"
- 3. detectify Rundown • Background • History • Tools & Techniques • Deeper levels of hijacking • Evolution • Mitigations • Monitoring
- 6. detectify Ever seen one of these?
- 7. detectify First instance, 12th Oct '14 http://esevece.tumblr.com/post/99786512849/onavo-cname-records-pointing-to-heroku-but-no
- 8. detectify https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/ 9 days later, 21st Oct '14
- 9. detectify Response from services Heroku: “We're aware of this issue” GitHub: “My apologies for the delayed response. We are aware of this issue” Shopify: “I had already identified that this is a security issue”
- 10. detectify What have we seen?
- 11. detectify What have we seen? https://hackerone.com/reports/172137
- 12. detectify What have we seen?
- 13. detectify What have we seen? https://hackerone.com/reports/32825
- 14. detectify What have we seen?
- 15. detectify What have we seen? https://crt.sh/?q=%25.uber.com
- 16. detectify What have we seen? https://blog.rubidus.com/2017/02/03/deep-thoughts-on-subdomain-takeovers/
- 17. detectify What have we seen? https://labs.detectify.com/2016/10/05/the-story-of-ev-ssl-aws-and-trailing-dot-domains/
- 18. detectify What have we seen?
- 19. detectify What have we seen?
- 20. detectify What have we seen?
- 21. detectify Tools
- 23. detectify Sublist3r https://github.com/aboul3la/Sublist3r Active dev! Took over subbrute! Fetching from multiple sources
- 24. detectify massdns https://github.com/blechschmidt/massdns Fast as hell! Needs lists to resolve
- 25. detectify altdns https://github.com/infosec-au/altdns Soo soo powerful if you have good mutations Combine with massdns == success Can resolve, but better for just creating the lists
- 26. detectify tko-subs https://github.com/anshumanbh/tko-subs Interesting idea, auto takeover when finding issues Might be a liiittle bit too aggressive
- 27. detectify We could look here?
- 29. detectify WRONG! Resolve and not resolve is what matters.
- 33. detectify dig is your friend
- 34. detectify 9 year old bug
- 36. detectify Also works on subdomain delegations!
- 37. detectify NOERROR Resolves. All OK. DNS status codes
- 38. detectify DNS status codes NXDOMAIN Doesn’t exist. Could still have a DNS RR. Query NS to find out more.
- 39. detectify DNS status codes REFUSED NS does not like this domain.
- 40. detectify DNS status codes SERVFAIL Not even responding. Very interesting!
- 41. detectify The tools find what? SERVFAIL REFUSED NOERROR NXDOMAIN ????
- 45. detectify Brute add/delete R53 DNS
- 46. detectify We now control the domain!
- 52. detectify Flow Brute * Collect NOERROR * Collect SERVFAIL / REFUSED +trace the NS * Collect NXDOMAIN if CNAME, +trace
- 53. detectify Flow Resolve * Check NOERROR for patterns * SERVFAIL/REFUSED, Check NS for patterns * NXDOMAIN, traverse up to apex, check: NXDOMAIN|SERVFAIL|REFUSED|no servers could be reached
- 54. detectify Flow Improve * Collect all subdomain names * Sort them by popularity * Sort www below all names with p>2
- 55. detectify Flow Analyze unknowns * Collect titles of all sites (or EyeWitness!) * Filter out common titles + name of company * Generate screenshots, create a image map https://github.com/ChrisTruncer/EyeWitness
- 56. detectify Flow Repeat * Do it every day * Push notification changes
- 64. detectify Monitoring is really preventing this. Psst, this is exactly what we do! Shameless plug
- 65. detectify The competition @avlidienbrunn @arneswinnen @TheBoredEng
- 66. detectify My takeovers since 2014-10
- 67. detectify
- 70. detectify 2 of the 3 in action
- 71. detectify MX-records Inbound mail. This is important.
- 73. detectify Conflict check + Validation
- 76. detectify Whitelisted aliases for verification
- 78. detectify Tadaa!
- 79. detectify We now get postmaster!
- 80. detectify Response the day after
- 81. detectify Response the day after
- 82. detectify Response the day after
- 83. detectify On a final note https://twitter.com/realdonaldtrump/status/190093504939163648
- 84. detectify On a final note https://twitter.com/realdonaldtrump/status/190093504939163648
- 85. detectify On a final note
- 86. detectify On a final note
- 87. detectify On a final note
- 88. detectify Recap • Know your DNS Zone file MX, CNAME, A, AAAA, ALIAS. Everything. • AUTOMATION, probably the only proper solution • will.i.am loves this
- 89. detectify Go hack yourself! Questions? Frans Rosén (@fransrosen) – www.detectify.com