
So this is a quick talk on subdomain takeover attacks. It's an attack vector for web-based attacks that doesn't get much coverage; it's really popular in the bug bounty space if you do public programs.
Very, very high level, what we're covering in this topic: we'll have a quick talk about subdomains and how the DNS piece looks, and then different ways that we can try and take over someone's subdomain.
I've got quite a few demos; in case they don't work, I've recorded them.
At Punk Security we do DevSecOps, so we work with numerous clients helping them out with DevSecOps. Each client generally has unique challenges. We worked with a client who had a bug bounty program we were helping to manage, and they had repeats of this problem with the way they were deploying DNS, because there's a large number of developers and, with the way development is distributed throughout the organisation, that DNS configuration is common and there's no tooling really to detect these conditions. I'm a DevSecOps enthusiast; I love automating security, that's one of my passions really. I'm also a Python developer, so the back end of the tool I'll talk about is Python, which we've just released. I love attacking,
obviously I love security, and I'm a massive geek. I'm currently doing an electronics project for the conference, so any electronics geeks, there's a robot build going on here, you can come and find me after. Okay, so what are subdomains? If we look at the slide here we can see, in white, the TLD part of the domain, the top-level domain. In the world of DNS we have root name servers, and they maintain who is responsible for those TLDs (.com, .io) and which DNS servers look after them. They're going to tell you where to find the bits in blue; in this case our website, punksecurity.co.uk, under the .uk top-level domain.
Nominet, the .uk registry, have some name servers, and we go and buy punksecurity.co.uk; that's the cost of that, they've got to maintain those DNS servers and the registry records. So I go and buy punksecurity.co.uk. We've got lots of things on the web: mail servers, web servers, a documentation page. We don't want to buy more domains, so what we see commonly is subdomains like www, blog, docs in this case. That's a top-level overview of subdomains. Those subdomains can point at an IP address; ultimately the idea of DNS, obviously, is to turn a friendly name like www.punksecurity.co.uk into an IP address so the computer can connect
and serve that page. Along that path, though, we don't have to return an IP address; we can return a CNAME record and say go and ask this other name, it knows the IP address. In this case you can see docs.punksecurity.co.uk has got a CNAME record saying go and ask punksecurity.github.io instead. This is a pattern we see more and more now: people are using SaaS services like Netlify, Amplify, GitHub; they host the content. You see it with service desks too, probably Zendesk, ServiceNow: you say, right, you go over there. So in this case docs.punksecurity.co.uk is CNAMEd to GitHub.
No one's registered it there, and now we have the error condition: docs.punksecurity.co.uk is present on my DNS server, it will resolve that CNAME, but when you go to the CNAME target, I haven't set it up. This is more common than you'd expect. We're going to do a demo now with GitHub Pages. So if we detect this error condition, how do we serve our own content?
So for this demo, rather than serve an actual DNS record, I'll just put it in a hosts file.
Okay, awesome. So I've rigged it via my hosts file; that's why I'm shortcutting.
So if I ping this, the IP that comes back here is the GitHub Pages IP. When you configure a GitHub Pages custom domain you can use two A records, two AAAA records, or a CNAME; any of those will get you to GitHub Pages. So wiki.punksecurity.co.uk is pointing at GitHub Pages, and if you browse to it you get this page. In the background it's resolved the GitHub Pages IP address, sent the traffic there, and got the GitHub 404 page. So this is the error condition we want to
detect. So in this case, now, as an attacker, I should be able to get my own GitHub Pages site. I'll just create a few pages; throughout these demos I've been a bit lazy, everything's in the Punk Security organisation, but there's no ownership of this domain, it's just set up myself. So I've got a GitHub Pages site, and in the Pages config I can say what domain I want it to take over, so in this case wiki.punksecurity.co.uk.
Okay, so now it says your site is live at wiki.punksecurity.co.uk. As far as GitHub is concerned, and every SaaS provider has a different sort of stance on this, that's a very secure mechanism, because you have to point your DNS at it; they can't point your DNS for you. But we've already seen that someone has pointed it and hasn't set up the site. It just takes a while for that to come through, so hypothetically, cool.
As you can see it's no longer a 404, so that's what we should see, and then eventually it upgrades to HTTPS, and that's because I'm serving it now. So that was a real situation; you do see this. If you look at bug bounty programs you see these takeovers: someone's had that condition, they've configured it in DNS, maybe they had that registered on a repo somewhere for their documentation, and they don't use it any more.
Hopefully that's fairly self-explanatory. The second attack I'm going to cover is one that I only stumbled on recently.
So when we talk about those TLDs, I told you that when you register the domain you tell them: I'm going to host my records on a name server. How is this done? You can use Route 53 in AWS, or DigitalOcean, Google DNS, GoDaddy, what have you. You configure your DNS records there and you tell your registrar, whether that's GoDaddy or Nominet, my DNS servers are over here. So when people go and look for www.punksecurity.co.uk it knows which DNS server to go to. That's what the registrars do. You can do the same trick to delegate part of your domain, and we see this more and more
commonly now with DevOps movements and agile practices: we want developers to be able to create their own DNS records themselves. They're already deploying networks in AWS, VMs and websites; they want to be able to create their own DNS records, but you don't want to give them full control of DNS. So what we can do is say, right, developers now get dev.punksecurity.co.uk: you set up your DNS somewhere, GoDaddy, Cloudflare, Route 53, and we'll set an NS record saying anything.dev.punksecurity.co.uk is over there now. Then when someone goes to www.dev.punksecurity.co.uk it finds the right place that the
developer wants, but the developer has no control over anything else. Does everyone get that? So we can delegate with NS records. What we find in some cases, typically, is that if you left that dangling, or you set it wrong, it's pointing at AWS in this case; in the demo we're going to show, the NS record is pointing at a SaaS DNS provider which you haven't configured. It's exactly the same as GitHub Pages: we configure the NS record ourselves and we can serve whatever we want. So let's try that AWS Route 53 name server takeover attack; this one's on video. Okay, so this one is slightly more
elaborate: we have two AWS accounts. I actually bothered to separate these out, so you've got an attacker with no DNS, well, as it turns out, five hosted zones that I haven't cleaned up,
and we also have the victim; in this case we've got the punksecurity.co.uk domain. This isn't our actual DNS, but you've got the Punk Security domain. In this case I want the developers to use test.punksecurity.co.uk; I don't want to give them permissions on the Punk Security domain
or anything that might break things. So what I'm going to do is create them their own zone; let's give it a go, so test.punksecurity.co.uk.
It doesn't care. It's the same sort of opinion as GitHub: these names tend to be set correctly, that's their security check. There's no way that they check that, as far as I know. Then what happens here is Amazon have lots of name servers dotted all around the globe. They've provisioned this zone that I can now control; this is the legitimate one, on these four name servers. Dotted around the globe there are four name servers owned by Amazon and they now host my records; as I add records here they get provisioned onto those servers. Then the last step for the admin is to configure that delegation back to our parent zone: create record,
we're going to create that NS record.
So I create test and I point it at the same NS servers, and that completes the whole thing. But what we're actually going to do here is two things.
Okay, so now we've got this test zone set up on punksecurity.co.uk, and in the parent we have the NS record for test. So if we go to the DNS delegation and look at this:
what we're going to do is: this test.punksecurity.co.uk zone has been pushed to this Amazon DNS server, so if we query that directly we should see that it exists there. We can do that with start of authority (SOA) records; we do need to get the IP.
So if I do an nslookup for test.punksecurity.co.uk against the Amazon DNS server, this should... yeah.
But what we saw in the parent is testt.punksecurity.co.uk, right? So if I do that, it clearly refuses: that zone is not configured in AWS on those name servers, which means an attacker can keep provisioning zones in AWS until he gets his placement on that name server, at which point the flow is complete. Does that make sense? I've said: you go over to these name servers and you will find testt.punksecurity.co.uk. It's not true, but as an attacker I can keep putting zones in Route 53 until that zone, by chance, ends up on that same server, and we can see that. So let's try and brute force
with my very, very shocking Python script. So what I'm going to do is: these are the name servers,
these are the name servers it should be on, and there's the script.
Okay, so the one with two t's, testt, is the one we're trying to put on those name servers, and we want it to go onto these name servers. Every dot is an attempt; every time it does that and doesn't get the right name server in the list, it just deletes the zone and moves on. You can see that up at the top. There's a bit of brute force here, but they haven't got a million name servers, so it's not unachievable. The other thing is that with these four name servers, DNS works with the closest name server: the quickest one will be returned. So if you take over one, you might find in certain parts of
the world you've got an effective takeover. If they've misconfigured it and put two correct ones and two wrong ones, and you get the two wrong ones, then in some parts of the world you've got a takeover and in some parts of the world you haven't.
Fingers crossed. It depends on how the DNS resolver is going to work; it's going to keep trying all of them until it gets a hit, so maybe one to look at. What we find, though, is you can keep creating zones in AWS, so you might find one zone has got two of them and another zone has got one, and then eventually you get all four, split over three or four zones. So you've got four
registered on that zone. So we've got the first one of four, and we've actually got another as well; I think it does seem to allocate them in pairs quite a lot. You can see in that second line of the output, highlighted, we have ns-1570 which we're after, and we're after ns-378 too. So we've got two allocated now. Hopefully this one's a bit quicker; if we get the other ones, at that point the flow's complete and I'll start serving records. Because this is a name server takeover, anything.testt.punksecurity.co.uk I can now serve, so I can generate certificates, I can do mail records, anything. So from this vantage point the NS
takeover is a lot more powerful. If we switch over to the attacker's view of what's going on,
you can see all the zones that I should have deleted before the demo and didn't, and then the testt one at the bottom there is the zone. So if I add those records I can serve them. If I was clever I could have a Python script that would put some malicious records on there. So we've probably found that this should be changing every so often.
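The check the demo does by hand with nslookup, ask each delegated name server for the zone's SOA and treat a refusal as the dangling condition, written up as an added Python example (not DNS Reaper's own code). The domain, name server names and hosted-zone map are constructed so it runs offline; the optional live query assumes dnspython is installed.

```python
"""Offline check for dangling NS delegations: the parent says "ask these name
servers for <zone>", so ask each of them for the zone's SOA record. A server
that really hosts the zone answers authoritatively; a server that was never
configured for it refuses. Added example, not DNS Reaper's own code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# (name server, zone) -> rcode-like string: "NOERROR" only for an authoritative
# answer, otherwise "REFUSED", "NOTAUTH", "ERROR:...", and so on.
SoaQuery = Callable[[str, str], str]


@dataclass
class DelegationFinding:
    zone: str
    hosting: List[str] = field(default_factory=list)   # servers that serve the zone
    refusing: List[str] = field(default_factory=list)  # delegated but not serving it

    @property
    def status(self) -> str:
        if not self.refusing:
            return "ok"
        # Every delegated server refuses: whoever gets the zone provisioned onto
        # those servers answers for it. A mix is the "some regions" case above.
        return "dangling" if not self.hosting else "partial"


def check_delegation(zone: str, nameservers: List[str], query: SoaQuery) -> DelegationFinding:
    """Ask every delegated server directly whether it is authoritative for zone."""
    finding = DelegationFinding(zone)
    for ns in nameservers:
        (finding.hosting if query(ns, zone) == "NOERROR" else finding.refusing).append(ns)
    return finding


def audit_delegations(delegations: Dict[str, List[str]], query: SoaQuery) -> Dict[str, DelegationFinding]:
    """delegations: zone -> NS targets as published in the parent zone."""
    return {zone: check_delegation(zone, nss, query) for zone, nss in delegations.items()}


def live_soa_query(ns_host: str, zone: str, timeout: float = 3.0) -> str:
    """Real query via dnspython (assumption: pip install dnspython). Route 53
    servers answer REFUSED for a zone they do not host."""
    import dns.flags, dns.message, dns.query, dns.rcode, dns.resolver
    try:
        ns_ip = dns.resolver.resolve(ns_host, "A")[0].to_text()
        resp = dns.query.udp(dns.message.make_query(zone, "SOA"), ns_ip, timeout=timeout)
    except Exception as exc:  # timeout, unresolvable name server, network error
        return "ERROR:" + type(exc).__name__
    if resp.rcode() == dns.rcode.NOERROR:
        return "NOERROR" if resp.flags & dns.flags.AA else "NOTAUTH"
    return dns.rcode.to_text(resp.rcode())


# Constructed sample: NS records as found in a parent zone, plus a fake resolver
# that knows which zones each provider server actually serves (constructed names).
SAMPLE_DELEGATIONS = {
    "test.example.net.":  ["ns-a.dns.example.", "ns-b.dns.example."],   # correct
    "testt.example.net.": ["ns-a.dns.example.", "ns-b.dns.example."],   # typo, never created
    "dev.example.net.":   ["ns-a.dns.example.", "ns-b.dns.example.",
                           "ns-c.dns.example.", "ns-d.dns.example."],  # only half configured
}
HOSTED = {
    "ns-a.dns.example.": {"test.example.net.", "dev.example.net."},
    "ns-b.dns.example.": {"test.example.net.", "dev.example.net."},
    "ns-c.dns.example.": set(),
    "ns-d.dns.example.": set(),
}


def fake_soa_query(ns: str, zone: str) -> str:
    return "NOERROR" if zone in HOSTED.get(ns, set()) else "REFUSED"


if __name__ == "__main__":
    for zone, f in audit_delegations(SAMPLE_DELEGATIONS, fake_soa_query).items():
        print(f"{zone:22} {f.status:9} refusing={f.refusing}")
```

Swap `fake_soa_query` for `live_soa_query` to run it against real delegations; a "partial" result means only some resolvers would be served by the unconfigured servers.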
This one I haven't got a demo for; it's a bit of an honourable mention: unresolvable JS includes. You see this on public platforms; if you aren't looking for it, by the way, a lot of programs don't have these closed, so you don't see them,
and then you can see what these people are doing. It's almost like an edge case you'd never think about, but on bug bounty programs, particularly public ones, there are that many researchers in such a contested space that they're really able to find these. So some of the reports take this approach, and you should occasionally see these. This attack is also really common on WordPress plugins. The gist of it is: this is a bunch of websites, you can see there's a widget somewhere doing something, and we fetch it, so it's not hosted by us. This is really common: you might have a WordPress plugin that has
rotating cat names or something, and that is using some JavaScript from a developer. The plugin hasn't been maintained for six years, the developer's domain expired five years ago, that JS is just broken; it doesn't really affect you, you can't start rotating any more, but no one's really complained. Then an attacker sees that, registers the domain, swaps the JS and it redirects you to
so what? Well, these are actual domains that were taken over.
Yeah, you always think, most of the times that you see these takeovers, it's really obscure: the developer's got a branch of the website and it's really obscure; if I've got to send a phishing link for that, I think it looks weird anyway. But these ones, obviously, signup.uber.com: if you've got a link to that one, you know we tell users how to check the links and hover over and all that sort of stuff, and all of these are pretty, pretty darn good. If these were NS takeovers,
then people can reply to mail from them too, so there's quite a bit of danger there if someone is abusing your brand. Going
forward, the biggest danger if you haven't got the correct mitigations in place is something called loosely scoped cookies. A website will have cookies; I've now got a demo of this. We'll have cookies for all sorts of things: your preferences if you want dark mode, tracking, lots of cookies everywhere. Also, if you log in, your session ID is normally stored in a cookie; you don't have to log in on every page, you just keep sending the cookie. The beauty of cookies is they get sent by the browser automatically, all the time, with every request, so we haven't got to write any code, we can just do that. So if we imagine this scenario: you've got
four domains here from punksecurity.co.uk. This is the same www from earlier, then docs, then test; the docs one's been taken over. If I've got cookies on punksecurity.co.uk that are loosely scoped, so they are accessible by subdomains, and we send a phishing link to docs, I will get the cookies from this victim without having to do anything, literally as soon as the person opens that link. We can see that: this is punksecurity.co.uk, we haven't got any logic, it's a static website, but you can see these are our cookies; you can view them in the developer console of Chrome, and all the cookies are loosely scoped.
They start with dots, which means they're loosely scoped; if there's no dot they will only get sent to that exact domain. So there is a dot domain. This is quite common; I'll just pick a random website and show it in my demo. People are getting better now, you probably won't see this on Facebook and the like; it's more like someone's got a website, it's got maybe a back-end API, and it's convenient that when you log in they loosely scope the cookie so that every time you call the API it definitely gets sent. That is not how you should do it; you can use tokens and all sorts for API communication, which is what
you should do, but sometimes it's convenient not to. So this is what we're after: if I was to get a subdomain of punksecurity.co.uk I would see these cookies, and if that subdomain got taken over, those cookies would be exposed. Okay, so let me just show you.
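The cookie scoping rule from this section as an added Python model, not the script used in the talk: it applies the RFC 6265 domain-matching rules to constructed Set-Cookie headers and reports which hosts (your own subdomains, one of which may have been taken over) would receive each cookie.

```python
"""Which hosts will a browser send a cookie to? A small RFC 6265 domain-matching
model for auditing Set-Cookie headers for loosely scoped cookies.
Added example; the headers and host names below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class CookieScope:
    name: str
    host_only: bool   # no Domain attribute: sent to the exact setting host only
    domain: str       # setting host (host-only) or Domain attribute without leading dot


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: host equals domain, or host is a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def parse_set_cookie(header: str, request_host: str) -> Optional[CookieScope]:
    """Scope of one Set-Cookie header received from request_host; None if a
    browser would reject it because the Domain attribute does not cover the
    setting host. Public-suffix rejection (e.g. Domain=co.uk) is not modelled."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip()
    domain = attrs.get("domain", "").lstrip(".").lower()   # ".example.org" == "example.org"
    if not domain:
        return CookieScope(name, True, request_host.lower())
    if not domain_matches(request_host, domain):
        return None
    return CookieScope(name, False, domain)


def would_send(scope: CookieScope, host: str) -> bool:
    """Would a browser attach this cookie to a request for host?"""
    if scope.host_only:
        return host.lower().rstrip(".") == scope.domain.rstrip(".")
    return domain_matches(host, scope.domain)


def audit_cookies(headers: List[str], set_on_host: str, hosts: List[str]) -> Dict[str, List[str]]:
    """For each accepted cookie, the subset of hosts that would receive it."""
    out: Dict[str, List[str]] = {}
    for hdr in headers:
        scope = parse_set_cookie(hdr, set_on_host)
        if scope is not None:
            out[scope.name] = [h for h in hosts if would_send(scope, h)]
    return out


# Constructed sample: the default (host-only) cookie, the same cookie loosely
# scoped with Domain=example.org, the legacy leading-dot form, and one that a
# browser would refuse to store because the Domain does not cover example.org.
SAMPLE_HEADERS = [
    "secret=s3cr3t; Path=/; Secure; HttpOnly",
    "session=abc123; Domain=example.org; Path=/; Secure",
    "legacy=1; Domain=.example.org",
    "evil=1; Domain=attacker.example",
]
SAMPLE_HOSTS = ["example.org", "subdomain.example.org", "docs.example.org", "notexample.org"]

if __name__ == "__main__":
    for name, receivers in audit_cookies(SAMPLE_HEADERS, "example.org", SAMPLE_HOSTS).items():
        print(f"{name:8} -> {receivers}")
```

Any cookie whose receiver list includes a subdomain you do not fully control (or a dangling one) is the exposure the talk describes; a session cookie should normally be host-only.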
So example.org is convenient; well, there's now HSTS on it and I wanted something without it, but it kept on upgrading, and there's an SSL pain, so I'll just use this one. There are no cookies on this website because it's just a plain thing, so I'm going to add one. Here's my cookie, "secret". You see the domain there, I don't know if you can see that, there's no dot at the start; that's the default when you create cookies, it will only be accessible to example.org. So I, as an attacker, have taken over subdomain.example.org; I use this Python script, and when it runs it dumps out the headers, so you can see that there are no cookies being sent.
If I change the scope of this cookie to be loosely scoped and revisit the subdomain, as if by magic we have the cookies. There's no attack to make, right? I can just do this. And this is quite useful because, if you have a really weird way of doing it, rather than getting the victim to click the link you can send a link to a different site that just has images loaded from the subdomain; that web request will come in and you'll get the headers. So you can't execute JavaScript in that environment, but you will get their headers, and there are still interesting vectors for getting those cookies. So that's what they call loosely scoped domains, and hopefully that's pretty
obvious as to why it's a problem if you've got a subdomain takeover and someone is using loosely
scoped cookies. Okay, we are near the end now, so how do we defend against this? Periodic audits. I've seen this both internal and public-facing; public-facing DNS maybe gets a bit more attention, but I'd say it's pretty darn common that people just don't ever go back and look. No one does a periodic review of DNS for all those records that we don't need any more; it's just not done. You set something up to enable a service, that service is decommissioned, and DNS cleanup just doesn't appear to be a thing. These same attacks can be used on internal DNS, which is ripe for this sort of thing; it's even worse, it's
to the point that Active Directory supports scavenging and ageing of records, because it's been a problem for years. These same vectors are more difficult to discover on internal stuff, obviously, but the same vectors apply, so we need to start doing better DNS hygiene, really. Education pieces, public programs: I'm going to talk in a minute about the tool we've got to find these things. We ran it over public bug bounty web resources from ProjectDiscovery, because they have all the public bug bounty programs; they brute force the subdomains using their tools and release them. So we downloaded all of those, most of them, and ran them through it; it was a good maybe
like 70
because there are so many people looking in this space on bug bounty programs. So one of the best mechanisms, really, to keep bug bounty hunters at bay, since you're probably going to pay 300 dollars for every detection, is to extend the pen testing scope. I've been pen testing for years, and the courses I've done, the books I've read, the run books, never really cover DNS; you've seen this in other things. So one of the things that we push at Punk Security is constantly doing this, SMB servers as well; there are certain things now that just don't fall into a pen test. We like to find CVEs for overflows, and then the fact that the file server is fully accessible, or your DNS
is a nonsense, gets missed. And then, in green at the bottom there, is the tool, DNS Reaper, which I'm going to give a quick demo of. So what is DNS Reaper? It's a Python-based tool, and a Docker image if you want to run it that way. You give it a list of domains and it will check them. It has 61 signatures, two disabled by default; it will check lots of signatures exactly like the one we saw today: does it go to GitHub, and when I go there do I see the GitHub "this isn't registered" page? Sixty of those include the AWS one: if I resolve this, is it not resolvable on the name servers provided? If yes,
I have a match. So you give it domains and it will run those signatures. It will also fetch the domains for you: you can point it at AWS Route 53, which we'll see in the demo, or Cloudflare or DigitalOcean, and if you've got an internal DNS server that allows zone transfer, we'll pull the records and scan them.
Okay, so yeah, 60 signatures; we also pattern match the web response. It's all open source on GitHub, so if anyone wants to add signatures, go for it. You can output to the screen so you can use it in a pen test; we dump CSV and JSON so you can use it in automation suites and build automation, that sort of stuff. And because we're DevSecOps, if you deploy to Route 53, run this straight after; if it detects a takeover, the pipeline fails and flags it. So use cases for it: periodic audits; we'd like to see people doing something to audit DNS. We wrote this because, whereas others were open to just
scanning for bounties to get money, we did find three bug bounties, but they're all on programs that don't pay any money, unfortunately, so we didn't get any dollars. And then, prevent bad deployments, as I just talked about: deploy to Route 53 and scan the thing straight away. An idea would be: you deploy the zones, scan, then update the registrar, and you can block it before it ever goes live. But at this stage, if you were deploying and scanning straight away, you'd have a vulnerability for like 30 seconds. Okay, I've got one more demo to get through, about a two minute demo, I don't know.
So you can run DNS Reaper via Docker, and it has a help option.
Okay, so that's what you get when you run it by default. You can see that we've got a list of providers here; this is the mechanism by which you provide domains: you can give it a file of domains, or you can give it a single domain on the command line and test it, and that's all done using DNS lookups. Then we've got providers: zone transfer, Cloudflare, AWS, Azure, BIND and DigitalOcean. If you're using something like GoDaddy, you can generally export your domain; that should be done via the API, but via the UI you can export it to a BIND zone file, you export that, and you can scan it. So you can find a way of
bringing that in to give you some automation. So we're going to go for the AWS one, and let's switch over to that.
We go to the DNS Reaper repo and drop into the docs for the AWS provider; we have finally documented what you need to do to get AWS working. If we run this with help we have some information here. For AWS we provide the AWS access key ID and the secret key; these are optional for this provider, which is unusual for the options, and that's because if you run this as a Lambda or in containers as part of the pipeline you can just assign it a role as usual and use that. But in the case of the command line you need to give your keys, so we need to go and create these keys. So what the plan is, yeah:
we go to the attacker account and delete this zone, so the victim is back to the error condition: the testt zone is not on the name servers, but the delegation is present. So if we switch back to the victim and just create a user for DNS. Hopefully the exact policy it needs is up on GitHub: get hosted zones, list records, that sort of level. So we added that.
Okay, so that account now has got the privileges it needs, so we should be able to switch over to Docker, run DNS Reaper with the AWS provider and provide those credentials.
Excellent, so it connected to AWS, downloaded that, got three records in total across the two zones, and we've got two detections for the same domain. That's because, if you see, we've got two confidences: "potential" and "confirmed". This is in the NS signature: we do a generic "this zone is not on that name server", so if you're using Google DNS or something that we don't support yet you will still get a signature for it, because it's not really a provider-specific signature, but we can see the zone's not on the name server. Chances are when you see these it's because of internal name servers or something that the victim is already controlling; there's
no attack vector there, but hopefully it's satisfied with the other signatures before you get to it; I digress, it's a secondary feature. And then we've got the confirmed one here. So this is confirmed: we've matched the AWS name server pattern and it reports a finding to say that this service is attackable by NS takeover. In this case it's the same domain, but for this signature we've seen the pattern that it's AWS DNS, hence the confirmation.
And you can see that I did that quick demo against AWS and it ran the 60 signatures. And that's it, thanks.