
So this is a quick talk on subdomain takeover attacks. It's an attack vector for web-based attacks that doesn't get much coverage; it's really popular in the bug bounty space if you do public bug bounty. Very, very high level: what are subdomains? So coming up in this topic, we have a quick talk about subdomains and how the DNS piece looks, and then different ways that we can try and take over someone's domain. I've got quite a few demos; in case they don't work, I've recorded them.

We're Punk Security, we handle DevSecOps. So we work with numerous clients helping them out with DevSecOps. Each client generally has unique challenges. We've worked with a client who had a bug bounty program we were helping to manage, and they had repeat reports, and they had this problem with the way they were deploying DNS, because there's a large number of developers, and the way that development is distributed throughout the organization, that DNS configuration is common, and there's no tooling really to detect these conditions.

I'm a DevSecOps enthusiast. I love automating security, that's one of my passions really. I'm also a Python developer, so the back end of what we've just talked about; we're releasing it tomorrow. I love attacking, obviously love security, and I'm a massive geek, so I'm currently doing an electronics project for conferences. Any electronics geeks, and there's a robot build going on here, you can come and find me after.

Okay, so what are subdomains? If we look at the slide here, we can see in white we've got the TLD part of the domain, the top level domain. So in the world of DNS we have the root name servers, and they will maintain who those TLDs are, .com, .io, and who's responsible for looking after the name servers, the DNS servers. They're going to tell you where to find the bits in blue. So in this case our website, punksecurity.co.uk: the top level domain is .uk, Nominet, they have some name servers, and we go and buy punksecurity. So that's the cost of that: they've got to maintain those DNS servers and the registry records. So I go and buy punksecurity. Punk Security has got lots of things on the web; I've got mail servers, web servers, a documentation page. I don't want to buy more domains for those, so what we see commonly is subdomains like www, website, blog, docs in this case. So that's a top-level overview of subdomains.

Those subdomains can point at an IP. Ultimately the idea of DNS obviously is to turn a friendly name like www.punksecurity into an IP so the computer can connect and serve that page. Along that path, though, we don't have to return an IP address: we can return a CNAME record and say go and ask this name instead, this one knows the IP address. In this case you can see docs.punksecurity.co.uk has got a CNAME record saying go and ask this person instead, punksecurity.github.io. And this is a pattern we see more and more now. People are using SaaS services like Netlify, Amplify, GitHub; they host the content, and you've seen it with service desks, probably Zendesk, ServiceNow: you're going to say right, you go over there. So in this case docs.punksecurity.co.uk is CNAMEd at GitHub. In this case no one's registered it, and now we have the error condition. So docs.punksecurity.co.uk is present on my DNS server, it will resolve that CNAME, but when you go to the CNAME, because I haven't set it up... and this is more common than you'd expect. We're going to do a demo now with GitHub Pages. So if we detect this error condition, how do we serve our own content?

Here we go. So for this demo, rather than serve an accurate DNS, I'll just put it in a hosts file. Okay, so I've rigged it via my hosts file, that's why I'm shortcutting. So if I ping this, the IP that comes back here I know is the GitHub Pages IP. So when you configure your GitHub Pages custom domain, there are two A records, two AAAA records and one CNAME; you can use any of those and it'll get you to GitHub Pages. So wiki.punksecurity.co.uk is pointing at GitHub Pages, and if you browse that in the browser you get this. So in the background now it's gone, it's got the IP of GitHub Pages, it sent the traffic there, and it's got a GitHub 404 page here. So this is the error condition we want to detect.

So in this case now, as an attacker, I should be able to get my own GitHub Pages site. I'll just create a few pages. Throughout these demos I've gone a bit lazy, everything's the Punk Security organization, but there's no ownership of this domain; it's just stuff I've started myself. So I've got a GitHub Pages site, and in the Pages config I can say what domain I want it to take over, so in this case wiki.punksecurity.co.uk. Okay, so now it says your site is live at wiki.punksecurity.co.uk. As far as GitHub is concerned (and every SaaS provider has a different sort of stance on this), as far as they're concerned that's a very secure mechanism, because you have to point your DNS at it; I can't point your DNS for you. But we've already seen that someone has pointed it and not removed it. It'll just take a while for that again. Cool, as you can see, it's no longer a 404, so that's what we should see, and eventually it'll move over to HTTPS, and that's because it's serving it. So in that case that was a real situation. You do see this; you can look on HackerOne and you see these takeovers: someone's had that condition, they've configured it in DNS, maybe they've had that registered on a repo somewhere for their documentation, and they don't use it. Hopefully fairly self-explanatory.

This second attack I'm going to cover is one that I only stumbled on. So when we talk about those TLDs, I told you that when you register the domain, you will tell it I'm going to host my records on a name server. You can use Route 53 in AWS, or DigitalOcean, Google DNS, GoDaddy, what have you. So you will configure your DNS records there, and you will tell your registrar, whether that's GoDaddy or Nominet, my DNS servers are over here. So when people go and look for www.punksecurity.com, it knows which DNS server to go to. So that's what the registrars do.

You can do the same trick to delegate part of your domain, and we see this more and more commonly now with the sort of DevOps movements and agile practices. We want developers to be able to create their own DNS records themselves; they're already deploying networks in AWS and VMs and websites, and they want to be able to create their own DNS records. You don't want to give them full control of DNS. So what we can do is say, right, the developers now have dev.punksecurity. What we can do is say you're going to set up your DNS somewhere, wherever you want, GoDaddy, Cloudflare, Route 53, and we'll set an NS record saying anything.dev.punksecurity is over there now. So then when someone goes to www.dev.punksecurity, it finds the right place that the developer wants, but the developer has no control over anything else. Does everyone get that? Yeah. So we can delegate with NS records.

What we find in some cases (typically, I digress) is that if you left that dangling or you set that wrong, it's pointing at AWS. In this case, in the demo we're going to show, the NS record is pointing at a SaaS DNS provider which you haven't configured. It's the exact same attack as Pages: we configure the NS record ourselves and we can serve whatever we want. That's the type. So let's try that AWS Route 53 name server takeover attack.

Okay, so in this one, slightly more elaborate, we have two AWS accounts; I actually bothered to separate these out. So you've got an attacker with no DNS (oh well, as it turns out, five hosted zones that I haven't cleaned up), and we also have the victim. In this case we've got the punksecurity domain; this isn't our actual DNS. So in this case I want the developers to use test.punksecurity.co.uk. I don't give them permission to the punksecurity domain or anything that might break this, so what I'm going to do is create them their own one. Let's create it, so test dot... It doesn't care; same sort of opinion as GitHub, these names tend to be set correctly, that's their security check, so there's no way that they check that, I don't know. And then what happens here is Amazon have lots of name servers dotted all around the globe. They've provisioned this zone that I can now control (this is the legitimate one) on these four name servers. So dotted around the globe there's four name servers owned by Amazon, and they now host my records; as I add records here they get provisioned onto those servers. So then that last step for the admin is to configure that delegation back to our parent zone: create record, we're going to create that NS record. So I create a test and I point it at the same NS servers, and that completes the whole chain. But what we're actually going to do here is two things: okay, so now we've got this "testt" set up in the parent, and our parent says "testt".

Okay, so if we go to DNS and look at this. So what we're going to do is, this test.punksecurity.co.uk record has been pushed to this Amazon DNS server, so if we query that directly we should see that it exists there. We can do that with a start of authority record. So we do need to get the IP, so if I do an nslookup for test.punksecurity.co.uk against the Amazon DNS server, this should... yeah. But what we saw in the parent is "testt", right? So if I do that: clearly REFUSED. That domain, that zone, is not configured in AWS on those name servers, which means an attacker can keep provisioning zones in AWS until he gets his placement on that name server, at which point the flow is complete. Does that make sense? So I've said you go over to these name servers and you will find testt.punksecurity.co.uk, and it's not true, but as an attacker I can keep putting zones in Route 53 until that zone ends up on that same server, and we can see that.

So let's try and brute force with my very, very shocking script. So what I'm going to do is, these are the name servers, and the script is "brute test", okay. So the two Ts, that's the one we're trying to put on those name servers, and we want it to go onto these name servers, and then every dot is an attempt: every time it does that and it doesn't get the right name server in the list, it just deletes it and moves on. You can see that up at the top. So you can see there's a bit of brute force here; it's not like they've got a million name servers, and therefore this would be unachievable. The other thing is, with these four name servers, DNS works so that the closest name server's reply will be returned, so if you take over one, you might find in certain parts of the world you've got an effective takeover. If they've misconfigured it and put two correct ones and two wrong ones, and you get the two wrong ones, in some parts of the world you've got a takeover, in some parts of the world, fingers crossed; it depends on how the DNS resolver is going to work, whether it's going to keep trying all of them until it gets a hit. What we find, though, is you can keep creating zones in AWS, so you might find one zone has got two, and another zone has got one, and then eventually you get all four split over three or four zones. So you've got four registered on that zone; we've got the first one of four, and we've actually got 47 as well. I think it does seem to allocate them in pairs quite a lot. So you can see in that second line of the output highlighted we have ns-1570, which we're after, and we're after 378, so we've got two allocated now. So hopefully this one's a bit longer if we get the other ones, and at that point now the flow's complete and I'll start serving records. Because this is a name server takeover, anything.test.punksecurity I can now serve: I can generate certificates, I can do mail records, anyway. So from this vantage point the NS takeover is a lot more powerful.

If we switch over to the attacker's view of what's going on, you see all the zones that I should have deleted before the demo and didn't, and then the testt here at the bottom, there is the zone. So if I add those records I can do that. If I was clever I could have a script that would put some malicious record on there. So we've probably found that this allocation should be changing every so often. That's exactly so.

This one I haven't got a demo for; it's a bit of an honorable mention: unresolvable JS includes. You see this on the public bug bounty platforms. By the way, a lot of programs don't come with these disclosed, so you don't see them, and then you can see what these people are doing. Particularly public ones: there's that many researchers in such a contested space that they're really having to fight for it now and have to find this, so some of the reports show these approaches. So you should occasionally see these, and this attack is also really common on WordPress plugins. The gist of it is, this is a website, and you can see that there's a widget somewhere, it's doing something and we fetch it, so it's not hosted by us. This is really common. You might have a WordPress plugin that has rotating cat names or something, and that is using some JavaScript from a developer. The plugin hasn't been maintained for six years, the developer's domain expired five years ago, that JS is just broken, it doesn't really affect you, you can't start rotating any more, but no one's really complained. And then an attacker sees that, registers the domain, swaps in their own JavaScript, and it helps redirect you.

So these are actual domains that were taken. You always think, most of the times that you see these takeovers, it's really obscure: the developers got a branch of the website, and if I've actually got to send a phishing link, I think it's weird anyway. But these ones obviously, signup.uber.com: if you've got a link to that one, we tell users how to check the links and hover over and all that sort of stuff, and all these are pretty, pretty darn good. If these were NS takeovers, then people can reply to it, so there's quite a bit of danger there if someone's abusing your domain.

And then the biggest danger, if you haven't got the correct mitigations in place, is something called loosely scoped cookies. So a website will have cookies, and I've got a demo of this. We'll have cookies for all sorts of things: your preferences, if you want dark mode; tracking, lots of tracking cookies everywhere; also, if you log in, your session ID is normally stored in a cookie, so you don't have to log in on every page, you just keep sending the cookie. And the beauty about cookies is they get sent by the browser automatically, all the time, with every request, so we haven't got to write any code, we can just do that. So if we imagine in this scenario you've got four domains here for punksecurity: this is the same www from earlier, then docs, then test. The docs one's been taken over. If I've got cookies on punksecurity.co.uk that are loosely scoped, so they are accessible by subdomains, and we send a phishing link to docs, I will get the cookies from this victim without having to do anything, literally as soon as the person opens that link. And we can see that. So this is punksecurity.co.uk; we haven't got any login, it's a static website, but you can see these are our cookies, you can view them in the developer console of Chrome, and all the cookies are loosely scoped: they start with dots, which means they're loosely scoped. If there's no dot, they will only get sent to that exact domain. So there is a dot domain; this is quite common. I think I'll just pick a random website and show it in my demo. People are getting better now; you probably won't see this on Facebook and stuff, it's more like someone's got a website, it's got maybe a back-end API, and it's convenient that when you log in they loosely scope it, and then every time you do an API call this definitely gets sent there. That is not how you should do it; you can use tokens and all sorts for API communication, which is what you should do, but sometimes it's convenient not to. So this is what we're after: if I was to get a subdomain of punksecurity, I would see these cookies, and an attacker who takes over a subdomain like that might take over those.

Okay, so let me just show you. example.org is convenient because there's no HSTS; I wanted something else, but it kept on upgrading it and there's an SSL pain, so I just use this one. So there's no cookies on this website because it's just a thing. I'm going to add one. So here's my cookie, "secret"; you see the domain there, I don't know if you can see that, there's no dot to start it. That's the default when you create the cookies: it will only be accessible to example.org. So I as an attacker have taken over subdomain.example.org; I've got this Python script, and when it runs it dumps out the headers, so you can see that there's no cookies being sent. If I change the scope of this cookie to be loosely scoped and revisit the subdomain, like magic, we have the cookies. There's no attack to make, right? I can just do this. And this is quite useful, because if you have a really wary user, rather than directly from the link, you can send a link to a different site that just has images or resources from the subdomain; that web request will come in and you'll get the headers. So you can't inject JavaScript into that environment, but you will get their headers, and you still have interesting vectors for getting those cookies now. So that's what they call loosely scoped domains, and hopefully that's pretty obvious as to why, if you've got subdomain takeover and someone is using loosely scoped cookies.

Okay, we are near the end now. So how do we defend against this? Periodic audits. I've seen this both internal and public facing; public facing DNS maybe gets a bit more attention. I'd say it's pretty darn common that people just don't ever go back and look; no one does a periodic review of your DNS. There are all those records that we don't need any more; it's just not done. You go and set something to enable a service, and that service is decommissioned; DNS cleanup just doesn't appear to be a thing. These same attacks can be used on internal DNS, which is ripe for this sort of thing; it's even worse. It's to the point that Active Directory supports scavenging and uses aging records, because it's been a thing for years. These same vectors: it's difficult to discover internal stuff, obviously, but the same vectors apply. So we need to start doing better DNS hygiene, really; education pieces.

Public programs: so I'm going to talk a minute. We've got a tool to find these things. We ran it over public bug bounty web resources from Project Discovery, because they have all the public bug bounty programs, they have brute forced the subdomains using their tools, and they release it. So we downloaded all of those, most of them, and ran it through; it's a good maybe 70, because there's so many people looking in this space on bug bounty programs. So one of the best mechanisms really to keep this in check: you're probably going to pay 300 dollars for every detection.

Extended pen testing scope: so I've been pen testing for years, and the courses I've got, the books I've read, the runbooks, never really cared for DNS. It's just, you know, we've seen this in other things. So one of the things that we push at Punk Security is constantly doing this; SMB servers as well. There are certain things now that just don't fall into pen test. We like to find CVEs for overflows, and then the fa
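The check the talk performs by hand (ask each delegated name server for the zone's SOA and treat REFUSED as a dangling delegation), written up as an added example that is not the speaker's tool. The zone and server names, the fake provider replies and the use of dnspython in live_soa_query() are assumptions for the demo.

```python
"""Check whether a delegated sub-zone is really served by the name servers
its parent points at. Added example, not the speaker's tool; the demo
replies are constructed. live_soa_query() needs dnspython and the network."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# DNS rcode values (RFC 1035), numbered as dnspython reports them
NOERROR, SERVFAIL, NXDOMAIN, REFUSED = 0, 2, 3, 5


@dataclass
class SoaAnswer:
    rcode: int
    authoritative: bool  # AA bit set on the reply


QueryFn = Callable[[str, str], SoaAnswer]  # (zone, name server) -> reply


def classify_delegation(zone: str, delegated_ns: List[str],
                        query: QueryFn) -> Dict[str, str]:
    """Ask each delegated server for the zone's SOA and grade the reply.

    served   : authoritative NOERROR, the zone is hosted on that server.
    dangling : REFUSED/SERVFAIL/NXDOMAIN or a non-authoritative reply; the
               provider has not got this zone on that server, which is the
               condition the talk exploits by provisioning zones until one
               lands there.
    unknown  : no usable reply (timeout, transport error).
    """
    verdicts: Dict[str, str] = {}
    for ns in delegated_ns:
        try:
            reply = query(zone, ns)
        except OSError:
            verdicts[ns] = "unknown"
            continue
        ok = reply.rcode == NOERROR and reply.authoritative
        verdicts[ns] = "served" if ok else "dangling"
    return verdicts


def delegation_at_risk(verdicts: Dict[str, str]) -> bool:
    """Any dangling server matters: resolvers try servers in varying
    order, so a partly broken delegation is still exposed somewhere."""
    return any(v == "dangling" for v in verdicts.values())


def live_soa_query(zone: str, nameserver: str) -> SoaAnswer:
    """Real SOA query via dnspython (pip install dnspython); unused offline."""
    import dns.flags, dns.message, dns.query, dns.resolver
    ip = dns.resolver.resolve(nameserver, "A")[0].to_text()
    reply = dns.query.udp(dns.message.make_query(zone, "SOA"), ip, timeout=3)
    return SoaAnswer(reply.rcode(), bool(reply.flags & dns.flags.AA))


# Constructed stand-in for the demo: the hosted zone that really exists is
# "test.parent.example"; the parent mistakenly delegates "testt.parent.example"
# (extra t) to the same four provider servers, which know nothing about it.
PROVIDER_NS = ["ns-1.dns.example", "ns-2.dns.example",
               "ns-3.dns.example", "ns-4.dns.example"]
HOSTED_ZONES = {"test.parent.example": set(PROVIDER_NS)}


def demo_query(zone: str, nameserver: str) -> SoaAnswer:
    """Fake provider: authoritative only for zones it actually hosts."""
    if nameserver in HOSTED_ZONES.get(zone, set()):
        return SoaAnswer(NOERROR, True)
    return SoaAnswer(REFUSED, False)
```

Running `classify_delegation(zone, delegated_ns, live_soa_query)` with the NS names taken from the parent zone gives the live version of the check.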
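The loosely scoped cookie behaviour from the example.org demo, as an added example (not the speaker's script): it applies the RFC 6265 Domain rule to decide which hosts receive a cookie, and includes a small audit helper that flags cookies a taken-over subdomain would receive. The Set-Cookie headers are constructed.

```python
"""Which hosts receive a cookie, by the Domain rule of RFC 6265 (sections
5.1.3 and 5.3). Added example, not from the talk; the headers are constructed."""
from typing import Dict, List, Optional


def parse_set_cookie(header: str) -> Dict[str, Optional[str]]:
    """Split 'name=value; Attr=val; Flag' into a dict; attribute names are
    lower-cased, flags without a value map to None."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    out: Dict[str, Optional[str]] = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, has_val, val = attr.partition("=")
        out[key.strip().lower()] = val.strip() if has_val else None
    return out


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: equal, or request_host ends in '.' + domain."""
    request_host, cookie_domain = request_host.lower(), cookie_domain.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def cookie_sent_to(set_cookie: str, set_by_host: str, request_host: str) -> bool:
    """True if a cookie set by set_by_host is attached to a request for
    request_host. Path, Secure and expiry are ignored to keep the point clear."""
    c = parse_set_cookie(set_cookie)
    domain = c.get("domain")
    if not domain:
        # No Domain attribute: host-only cookie, exact host match only
        return request_host.lower() == set_by_host.lower()
    domain = domain.lstrip(".")  # browsers ignore a leading dot
    if not domain_matches(set_by_host, domain):
        return False  # browser rejects a cookie for an unrelated domain
    # Domain attribute present: the cookie goes to the domain and every subdomain
    return domain_matches(request_host, domain)


def loosely_scoped(set_cookie_headers: List[str]) -> List[str]:
    """Audit helper: names of cookies carrying a Domain attribute, i.e. the
    ones a taken-over subdomain would receive."""
    return [parse_set_cookie(h)["name"] for h in set_cookie_headers
            if parse_set_cookie(h).get("domain")]


# Constructed Set-Cookie headers as a site at example.org might send them
HEADERS = [
    "secret=s3cr3t; Path=/; HttpOnly",                       # host-only
    "session=abc123; Domain=example.org; Secure; HttpOnly",  # loosely scoped
    "theme=dark; Domain=.example.org",                       # leading-dot form
]

if __name__ == "__main__":
    for h in HEADERS:
        print(h.split(";")[0], "-> subdomain gets it:",
              cookie_sent_to(h, "example.org", "subdomain.example.org"))
    print("loosely scoped:", loosely_scoped(HEADERS))
```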