DNS hijacking using cloud providers – no verification needed
Transcript of the slide deck by Frans Rosén (@fransrosen)

Page 1: DNS hijacking using cloud providers – no verification needed

Page 2: DNS hijacking using cloud providers – no verification needed
@fransrosen

Page 3: Frans Rosén
Security Advisor @detectify (twitter: @fransrosen)
HackerOne #5 all time @ hackerone.com/thanks
Blog at labs.detectify.com
"The Swedish Ninja"

Page 4: Agenda
• Background
• History
• Tools & Techniques
• Deeper levels of hijacking
• Evolution
• Mitigations
• Monitoring
Page 5: Subdomain Takeover v1.0
campaign.site.com
Campaign!

Page 6: Subdomain Takeover v1.0
campaign.site.com
Campaign! Fake site!
The subdomain still points at a third-party service, but the resource behind it is gone; whoever claims that name at the provider now serves the content.

Page 7: Ever seen one of these?

Page 8: First instance, 12th Oct '14
http://esevece.tumblr.com/post/99786512849/onavo-cname-records-pointing-to-heroku-but-no

Page 9: 9 days later, 21st Oct '14
https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/

Page 10: Response from services
Heroku: "We're aware of this issue"
GitHub: "My apologies for the delayed response. We are aware of this issue"
Shopify: "I had already identified that this is a security issue"
Page 11: What have we seen?

Page 12: What have we seen?
https://hackerone.com/reports/172137

Page 13: What have we seen?

Page 14: What have we seen?
https://hackerone.com/reports/32825

Page 15: What have we seen?

Page 16: What have we seen?
https://crt.sh/?q=%25.uber.com

Page 17: What have we seen?
https://blog.rubidus.com/2017/02/03/deep-thoughts-on-subdomain-takeovers/

Page 18: What have we seen?
https://labs.detectify.com/2016/10/05/the-story-of-ev-ssl-aws-and-trailing-dot-domains/

Page 19: What have we seen?

Page 20: What have we seen?

Page 21: What have we seen?
https://twitter.com/briankrebs/status/833558237244960768
Page 22: Tools

Page 23: subbrute
https://github.com/TheRook/subbrute
Not in active development.

Page 24: Sublist3r
https://github.com/aboul3la/Sublist3r
Actively developed. Absorbed subbrute. Fetches names from multiple sources.

Page 25: massdns
https://github.com/blechschmidt/massdns
Fast as hell! Needs good resolver lists.

Page 26: altdns
https://github.com/infosec-au/altdns
Very powerful if you have good mutations. Combine with massdns == success. Can resolve, but better for just creating the lists.

Page 27: tko-subs
https://github.com/anshumanbh/tko-subs
Interesting idea: automatic takeover when it finds an issue. Might be a little bit too aggressive.

Page 28: We could look here?

Page 29: WRONG!

Page 30: WRONG!
Resolve and not resolve is what matters.
Page 31: Dead DNS records

Page 32: A dead record?

Page 33: A dead record?

Page 34: dig is your friend

Page 35: 9 year old bug

Page 36: SERVFAIL/REFUSED
https://thehackerblog.com/the-orphaned-internet-taking-over-120k-domains-via-a-dns-vulnerability-in-aws-google-cloud-rackspace-and-digital-ocean/index.html

Page 37: Also works on subdomain delegations!

Page 38: DNS status codes
NOERROR: resolves. All OK.

Page 39: DNS status codes
NXDOMAIN: the name doesn't exist, but the zone can still hold a record for it. A CNAME whose target is gone also answers NXDOMAIN, with the CNAME shown in the answer section. Query NS to find out more.

Page 40: DNS status codes
REFUSED: the name server does not want to serve this domain, typically because it is not configured as authoritative for it.

Page 41: DNS status codes
SERVFAIL: the resolver got no usable answer from the name servers the name is delegated to (they fail, refuse or never respond). Very interesting!

Page 42: The tools find what?
NOERROR
NXDOMAIN
SERVFAIL
REFUSED
????
Most enumeration tools keep only the names that resolve (NOERROR); the dead records hide behind the other three status codes.
Page 43: Subdomain delegation

Page 44: Subdomain delegation

Page 45: Subdomain delegation

Page 46: Brute add/delete R53 DNS RR
Create and delete Route 53 hosted zones until AWS assigns one the same name servers the dangling delegation points at.

Page 47: We now control the domain!

Page 48: Orphaned EC2 IPs
https://www.bishopfox.com/blog/2015/10/fishing-the-aws-ip-pool-for-dangling-domains/

Page 49: Orphaned EC2 IPs

Page 50: dev.on.site.com
http://integrouschoice.com/

Page 51: dev.on.site.com

Page 52: dev.on.site.com
Page 53: Flow
Brute
* Collect NOERROR
* Collect SERVFAIL / REFUSED, +trace the NS
* Collect NXDOMAIN if CNAME, +trace

Page 54: Flow
Resolve
* Check NOERROR for patterns
* SERVFAIL/REFUSED: check NS for patterns
* NXDOMAIN: traverse up to apex, check for NXDOMAIN | SERVFAIL | REFUSED | no servers could be reached

Page 55: Flow
Improve
* Collect all subdomain names
* Sort them by popularity
* Sort www below all names with p>2

Page 56: Flow
Analyze unknowns
* Collect titles of all sites
* Filter out common titles + name of company
* Generate screenshots, create an image map

Page 57: Flow
Repeat
* Do it every day
* Push notifications on changes
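The flow on pages 53 to 57 as one working triage routine, written for this transcript as an added example; it is not code from the talk or from any of the tools listed above. DNS answers come from a constructed in-memory table so it runs offline: `fake_lookup`, the sample names, the provider suffix and NS pattern lists, and the two-label apex rule are all assumptions, and the `TIMEOUT` pseudo-rcode stands in for dig's "no servers could be reached".

```python
"""Triage brute-forced names by DNS status code, following the flow in the
slides: NOERROR -> pattern check, SERVFAIL/REFUSED -> inspect the NS set,
NXDOMAIN with a CNAME -> walk the target up towards its apex.

Added example, not code from the talk. Lookups come from a constructed
in-memory table (assumption) so it runs offline; replace `fake_lookup` with
a wrapper around dig or dnspython for live data.
"""
from typing import Callable, Dict, List, Optional, Tuple

# (rcode, CNAME target if the name has one, NS names if the name is delegated)
Answer = Tuple[str, Optional[str], List[str]]
Lookup = Callable[[str], Answer]

# Constructed fixture (assumption): what a resolver would answer per name.
FAKE_DNS: Dict[str, Answer] = {
    "www.site.com": ("NOERROR", None, []),
    # CNAME to a provider hostname that no longer exists at the provider
    "campaign.site.com": ("NXDOMAIN", "campaign-site.herokuapp.com", []),
    "campaign-site.herokuapp.com": ("NXDOMAIN", None, []),
    "herokuapp.com": ("NOERROR", None, []),
    # CNAME into a domain nobody holds any more: the apex itself is NXDOMAIN
    "old.site.com": ("NXDOMAIN", "cdn.forgotten-vendor.example", []),
    "cdn.forgotten-vendor.example": ("NXDOMAIN", None, []),
    "forgotten-vendor.example": ("NXDOMAIN", None, []),
    # Subdomain delegated to Route 53 name servers whose hosted zone was deleted
    "dev.site.com": ("SERVFAIL", None, ["ns-123.awsdns-45.com", "ns-456.awsdns-78.net"]),
    # Delegated to name servers that never answer ("no servers could be reached")
    "lab.site.com": ("TIMEOUT", None, ["ns1.defunct-hoster.example"]),
}


def fake_lookup(name: str) -> Answer:
    # Names absent from the table are treated as ordinary resolving names.
    return FAKE_DNS.get(name, ("NOERROR", None, []))


# Illustrative patterns only (assumption); real lists are longer and change over time.
PROVIDER_CNAME_SUFFIXES = (".herokuapp.com", ".github.io", ".s3.amazonaws.com")
PROVIDER_NS_PATTERNS = ("awsdns", "googledomains.com", "azure-dns", "digitalocean.com")
FAILING = {"SERVFAIL", "REFUSED", "TIMEOUT"}  # TIMEOUT = dig's "no servers could be reached"


def trace_up(name: str, lookup: Lookup) -> Optional[Tuple[str, str]]:
    """Walk from `name` towards its apex and return the highest label that still
    fails, with its rcode; None if `name` itself resolves.
    The apex is approximated as the last two labels (assumption: use the Public
    Suffix List on real data, e.g. names under co.uk need three labels)."""
    labels = name.rstrip(".").split(".")
    highest = None
    while len(labels) >= 2:
        current = ".".join(labels)
        rcode, _, _ = lookup(current)
        if rcode == "NOERROR":
            break
        highest = (current, rcode)
        labels = labels[1:]
    return highest


def triage(name: str, lookup: Lookup) -> Tuple[str, Optional[str]]:
    """Classify one name into a verdict and the thing to look at next."""
    rcode, cname, ns = lookup(name)
    if rcode == "NOERROR":
        if cname and cname.endswith(PROVIDER_CNAME_SUFFIXES):
            # Resolves, so only an HTTP fingerprint of the target tells whether
            # the provider-side resource still exists.
            return ("check-provider-fingerprint", cname)
        return ("ok", None)
    if rcode in FAILING:
        # The NS set comes from the parent zone; match it against providers
        # where anyone can create a zone that gets assigned those servers.
        if any(p in server for server in ns for p in PROVIDER_NS_PATTERNS):
            return ("dangling-delegation-at-provider", ",".join(ns))
        return ("broken-delegation", ",".join(ns))
    if rcode == "NXDOMAIN":
        if not cname:
            return ("nonexistent", None)
        top = trace_up(cname, lookup)
        if top is None:
            return ("check-provider-fingerprint", cname)
        failing_name, failing_rcode = top
        if failing_rcode == "NXDOMAIN" and failing_name.count(".") == 1:
            return ("cname-to-unregistered-domain", failing_name)
        if failing_rcode in FAILING:
            return ("cname-into-broken-delegation", failing_name)
        if cname.endswith(PROVIDER_CNAME_SUFFIXES):
            return ("cname-target-missing-at-provider", cname)
        return ("cname-target-missing", cname)
    return ("unknown-rcode", rcode)


def triage_all(names: List[str], lookup: Lookup = fake_lookup) -> Dict[str, Tuple[str, Optional[str]]]:
    return {n: triage(n, lookup) for n in names}


if __name__ == "__main__":
    candidates = ["www.site.com", "campaign.site.com", "old.site.com", "dev.site.com", "lab.site.com"]
    for name, (verdict, detail) in triage_all(candidates).items():
        print(f"{name:22} {verdict:34} {detail or ''}")
```

On live data, replace `fake_lookup` with a function that runs `dig +noall +comments +answer <name>` (or uses dnspython) and returns the status from the header line, any CNAME in the answer section, and the NS set from `dig NS <name>` or `dig +trace`. The two-label apex rule is the weak spot: check the Public Suffix List before trusting a "cname-to-unregistered-domain" verdict, and confirm availability at the registry before reporting it.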
Page 58: Jan 2017

Page 59: Jan 2017

Page 60: Jan 2017

Page 61: Jan 2017

Page 62: Jan 2017

Page 63: Last week

Page 64: Last week

Page 65: The competition
@avlidienbrunn @arneswinnen @TheBoredEng

Page 66: Takeovers since 2014-10

Page 67:
Page 68: Email snooping

Page 69: September 2016
http://blog.pentestnepal.tech/post/149985438982/reading-ubers-internal-emails-uber-bug-bounty

Page 70: 2 of 3 in action

Page 71: MX-records
Inbound mail. This is important.

Page 72: MX-records

Page 73: Conflict check + Validation

Page 74: Oh, add this!

Page 75: CNAME -> MX
A CNAME applies to every record type, so mail for a CNAMEd hostname goes wherever the target's MX (or, failing that, its A record) points. A dangling CNAME therefore hands over the name's inbound mail as well.

Page 76: Whitelisted aliases for verification

Page 77: Back to this

Page 78: Tadaa!

Page 79: We now get postmaster@

Page 80: Response the day after

Page 81: Response the day after

Page 82: Response the day after
Page 83: On a final note
https://twitter.com/realdonaldtrump/status/190093504939163648

Page 84: On a final note

Page 85: On a final note

Page 86: On a final note

Page 87: On a final note

Page 88: Recap
• Know your DNS zone file: MX, CNAME, A, AAAA, ALIAS. Everything.
• AUTOMATION is probably the only proper solution
• will.i.am loves this
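The first two recap points as an added example (not code from the talk): parse a zone export, keep every record that can dangle, and diff today's inventory against yesterday's so the daily job has something to notify on. Both zone snapshots are constructed; the apex `site.com`, the owner names and the targets are assumptions, and the parser handles single-line records only.

```python
"""Zone-file inventory and daily diff for dangling-record monitoring.

Added example, not code from the talk. The two zone snapshots are
constructed (assumption); in practice feed it an AXFR dump or your
provider's zone export. Single-line records only: multi-line SOA/parenthesised
records are skipped, which is fine here because SOA carries no target.
"""
import re
from typing import List, Set, Tuple

Record = Tuple[str, str, str]  # (owner FQDN, record type, target)

# Constructed snapshots (assumption): the same zone exported on two days.
ZONE_YESTERDAY = """\
$ORIGIN site.com.
$TTL 300
@          IN  NS    ns1.site.com.
@          IN  MX 10 mail.site.com.
www        IN  A     203.0.113.10
campaign   IN  CNAME campaign-site.herokuapp.com.
old        IN  CNAME cdn.forgotten-vendor.example.
dev        IN  NS    ns-123.awsdns-45.com.
dev        IN  NS    ns-456.awsdns-78.net.
support    IN  MX 10 mx.helpdesk-vendor.example.
"""

ZONE_TODAY = """\
$ORIGIN site.com.
$TTL 300
@          IN  NS    ns1.site.com.
@          IN  MX 10 mail.site.com.
www        IN  A     203.0.113.10
campaign   IN  CNAME campaign-site.herokuapp.com.
docs       IN  CNAME site-docs.github.io.
dev        IN  NS    ns-123.awsdns-45.com.
dev        IN  NS    ns-456.awsdns-78.net.
support    IN  MX 10 mx.helpdesk-vendor.example.
legacy     IN  A     198.51.100.77
"""

# Record types whose rdata names something that can go away under you.
TARGET_TYPES = {"A", "AAAA", "CNAME", "MX", "NS", "ALIAS"}
# owner [ttl] [IN] TYPE rdata
RR_LINE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?([A-Z]+)\s+(.+?)\s*$")


def _fqdn(name: str, origin: str) -> str:
    """Expand a zone-file name to a fully qualified name without trailing dot."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.rstrip(".")
    return f"{name}.{origin}"


def parse_zone(text: str) -> List[Record]:
    origin = ""
    last_owner = "@"
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        if line.startswith("$"):  # $TTL and other directives carry no target
            continue
        if line[0].isspace():  # blank owner field: same owner as the previous record
            line = f"{last_owner} {line.strip()}"
        m = RR_LINE.match(line)
        if not m:
            continue
        owner, rtype, rdata = m.groups()
        last_owner = owner
        if rtype not in TARGET_TYPES:
            continue
        target = rdata.split()[-1]  # MX "10 host." -> host.; others are a single token
        if rtype not in ("A", "AAAA"):
            target = _fqdn(target, origin)
        records.append((_fqdn(owner, origin), rtype, target))
    return records


def external_targets(records: List[Record], apex: str) -> Set[Record]:
    """Keep what can dangle: every address record (IPs you may no longer hold)
    and every CNAME/MX/NS/ALIAS whose target lies outside your own apex."""
    out: Set[Record] = set()
    for owner, rtype, target in records:
        if rtype in ("A", "AAAA"):
            out.add((owner, rtype, target))
        elif not (target == apex or target.endswith("." + apex)):
            out.add((owner, rtype, target))
    return out


def diff_inventory(previous: Set[Record], current: Set[Record]) -> Tuple[Set[Record], Set[Record]]:
    """Return (added, removed) relative to the previous run."""
    return current - previous, previous - current


if __name__ == "__main__":
    before = external_targets(parse_zone(ZONE_YESTERDAY), "site.com")
    after = external_targets(parse_zone(ZONE_TODAY), "site.com")
    added, removed = diff_inventory(before, after)
    for rec in sorted(added):
        print("NEW    ", *rec)
    for rec in sorted(removed):
        print("REMOVED", *rec)
```

Feed the `added` set to the resolution triage: every new CNAME, MX or NS target outside your apex, and every A/AAAA address that is not in your current cloud inventory, is a candidate dead record. Removed entries are worth a notification too, since a record deleted from the zone while the provider-side resource still exists is the reverse mistake.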
Page 89: Thanks!
Frans Rosén (@fransrosen)