
Abusing Historical DNS Records for Fun & Profit

BSides Ahmedabad · 2025 · 27:48 · 2.7K views · Published 2025-05 · Watch on YouTube ↗
Speaker: Mustafa Can Ipekci
Category: Technical
Style: Talk
About this talk
New YouTube video: missed BSides Ahmedabad 0x05? No worries, we've got you covered! Mustafa Can Ipekci's talk, "Abusing Historical DNS Records for Fun & Profit", is now live on YouTube. He dives into what DNS is and why it matters, shows how it can be abused, talks subdomain hijacking and VHost enumeration, plus an interactive Q&A with the audience. Don't miss this info-packed session; watch it now!
Transcript (en)

Oh my god, it is going everywhere. Let's go. Okay. My name is Mustafa. I am coming from Turkey, or as we call it now, Türkiye, because we are not birds. Nick is a good friend and he asked me to come. So let's start with who I am. I have actually been an information security specialist for like 25 years. I am hacking web applications and many other things. I am a part-time bounty hunter, and by part-time I mean I really do it part-time, like a maximum of 10 hours a month. I am a Bugcrowd Hacker Advisory Board member, which basically means we are communicating with Bugcrowd itself on behalf of the researchers, so we actually help them to make the regulations. I am also a member of the Circle of Trust for Synack, which is similar to the Hacker Advisory Board on Bugcrowd, and I am actually an envoy for Turkey, which is something like an ambassador. I earned more than 1 million US dollars in bounties in like three years, and I have three kids. I call them devils, so I am a father of three devils. You can find me on Twitter with this handle; you know, it is my name.

So let's go. What is DNS? DNS is actually the heart of the internet. It is actually helping us to access domains and subdomains; without DNS we can't do this. But this is the, you know, terminal explanation, how to say it: it is translating the names of domains so we can connect on the network. So why is it important? Literally everything on the internet depends on DNS. Without DNS we can't communicate with the web servers. We need to... My wife is calling, you know, she's always perfectly on time. Okay. And without DNS we would need to type all the numbers, like 9.99.9, and we would forget which number we are going to enter to access anything.

So as things get bigger for organizations like Microsoft, let's say, or Starbucks (maybe you know them from the disclosed reports), it is so hard for them to handle DNS hygiene, which is causing lots of problems. Or when they create lots of entries, changing the records for, let's say, a switch to a web application firewall like Imperva, it is actually a pain for them. But if they don't change the IP address of the server and just change the record to Imperva, it actually leads to such fun stuff. So a lack of DNS hygiene and DNS record history are actually increasing the attack surface for us, for attackers.

So let's see how it could be abused; I actually gave some insight on the previous slide. Subdomain hijacking, in other words subdomain takeover: it is one of the popular issues recently, like for the last six or seven years. Actually it has been abused for like maybe 20 years, but it is just getting popular with people getting into the bug bounty stuff. And we can find the origin IP; that is what I was saying previously. The origin IP is actually the IP address of the server directly running the application, but when the application is running behind a web application firewall we can't access the server directly. So for bypassing the web application firewall we can actually use the origin IP and totally ignore the web application firewall. And we can actually use these records of the historical subdomains for virtual host enumeration. If you know virtual hosts, it is actually how web servers decide which website should be taken into account for the user requesting it.

So let's go to the examples. Subdomain hijacking, or subdomain takeover, is an issue that occurs when DNS hygiene is not properly done by the organizations. So it could be abused in many ways. Let's see: many APTs are actually using these subdomain takeovers; maybe you are not aware, but they are using it for scamming people or fooling the employees of organizations by making valid-looking web pages, and they're also using this stuff to bypass several popular antivirus softwares, because those domains are actually trusted by them. And it could be abused for such a vulnerability which is many of our favorite, cross-site scripting, because it is running on the same domain as our target. We can basically run the XSS code on the subdomains. We can actually exploit CORS misconfigurations: basically when APIs are looking at the origins, they trust the subdomains of their organization or their application, so we can basically abuse it for a CORS misconfiguration. Or some of us are using it for SSRF, for whitelist bypass: we can use the hijacked subdomains, because in these configurations they sometimes are not allowing us to use any domain, but if we use the subdomain we hijacked we can actually bypass their whitelist. So that way we can actually abuse SSRF issues. And that is my favorite: the session takeover. For abusing this we actually don't need any vulnerability other than basic cookie misconfigurations or session misconfigurations. So while XSS and CORS misconfiguration stuff are common ways to abuse subdomain takeovers, did you know that if your target is setting the cookies for the upper level, any upper level than their current one, you can actually take over the session cookies without using any XSS or CORS issue? That is what I am going to show you. As long as you can serve any content to victims, you can actually take over the sessions.

And this is one of the safe-looking web pages, right? Maybe you know this target. I can't disclose it, but you can just guess from the exclamation mark on the end. It is one of the popular targets for bug hunters, and this is looking very safe, right? There is no XSS on this page; they are just seeing the image I sent to them. So basically this is the issue we found with Todayisnew, if you know him, with Eric. It was very good stuff, but it was actually so hard to deal with. While we were investigating the target we observed that the subdomain we took over was not so easy to abuse, because it was a very long subdomain; it had very long words in it and it was, I think, a fourth- or fifth-level subdomain. So it is so hard to let the victims visit that kind of page, because it is not, you know, easy to trust. So we were looking for potential ways, and then we observed that the application is actually sending images to users from a third party called Tenor. You know Tenor; it is actually allowing them to send images from there. But what were they doing wrong? They were not proxying the address of the image. So they were allowing users to directly use the address of the image. So we tried this: if you see here, the part in the red box, there is a Tenor URL for the image file. So basically this is the request we intercepted, and we tried to change the stuff. So we decided to change the location of the image. So I actually made some fun-looking code. You can scan this QR if you want to get the sample exploit. This is actually a PHP script. It is acting like an image, but it is actually logging all the requests it is receiving. So this is actually a basic image file, but since this is accessed by the user and the cookies of the target are set to the upper level, we are receiving all the cookies of the target. So with this we just hosted it here, on the subdomain we took over (I can disclose the rest of the part), and we just sent the image like this, and then once the user viewed our email, without any XSS again or any other stuff, we were able to take over their session and we were able to actually take over their account. I actually got access to the triager's email address, and he was like, "Okay." But the sad part is they were supposed to pay $50,000 for this one, but we only got like 15,000. So they kind of scammed us, you know.

So the next type of stuff is the origin IP. That is what I was saying; it is actually one of my favorites, because with the origin IP we can actually bypass the web application firewall provider. Like many of us hate Incapsula or Akamai. This stuff is actually load-balancing stuff, and they actually require the original server to be accessible; so if it is known to you, or somehow it leaked before, you can actually ignore the web application firewall and directly contact the server. So this is a target on Synack I was testing, like two years ago I think, or a year ago. We noticed that there is some stuff like site/file upload, and when I tried to access it, it said "no files found for upload" and it gave a stack trace error. So I continued checking the stuff and I tried to change the content type of the form to multipart so I could try to upload. And it actually gave the error directly and showed me it requires some extra stuff. Then I continued checking the target, and the thing is, with file uploads you should also try long file names, because if you exceed the operating system's allowed character limit you can force it to give an error, like "this file is not able to be copied" or "it's not able to be opened". As you can see, it now gives another error, "file name too long", and it is actually disclosing the actual source of the target, and it actually helped me to find out the missing part of this. But so far we are not using the original IP. So when I tried to upload a basic PHP script, our best friend Incapsula said no: "request unsuccessful". So it was not allowing me to proceed. Basically you can bypass this if you have a bypass; you can exploit this on many websites. So I tried to check the historical reports, I mean records, of the subdomain, and if you notice, they switched to Incapsula in 2022, but their previous IP was set in 2020. And I tried this IP address here to see if it is actually still available to be accessed, and then we see it is actually accessible, and we actually bypass the web application firewall. So we no longer need to deal with Incapsula, and we can actually upload our file. And this actually showed us the uploaded file name, because it is changing the file name too, and when we accessed the file, as you can see, we were able to exploit the issue and run commands on the server. So this way I was able to get lots of bounty. This is one of the reports I am showing, and after that I started checking the target more, because when I am hunting I am not making the report directly, especially on Synack: we have analytics on Synack, and on analytics, when you send some stuff you are actually showing others that, yeah, there's an issue, so others can check. What I do is I actually hoard all the vulnerabilities and let them go at one time: I make drafts and then send them in the same second. And this is the amount of the bounties I got from the origin IP disclosure; it is around, I think, 40,000 or 45,000 on this target, and all of them were reported on the same day.

And the next one is virtual host enumeration; it is one of my favorites too. With virtual host enumeration, you know, developers sometimes need to set up multiple web servers or domains on the same server, because they lack resources or they are not allowed to open another server. So this is a common issue. I can tell you that it has actually been a common issue for maybe like 30 years, because they are leaving the configurations for a long time. Even if the DNS record for the target is removed, they are not removing the configuration. So we can actually abuse this too. So this is the information about the virtual host stuff. The most lovely stuff is: many targets are actually using load balancers, and the load balancers are actually using virtual hosts too. And sometimes, like I said, their DNS admin is removing the record but their developers still have the configuration for that virtual host, and it is actually leading to many issues. Even though the DNS records are removed, they sometimes leave the configuration and we can abuse this. So basically there's a load balancer called Blue Coat. I'm not sure if you have ever faced it. It is one of the popular ones, and actually if you are exploiting SQL injection stuff with sqlmap there's a special tamper for it too. Blue Coat is a load balancer, but it has full proxy capabilities: it is directly sending your request to the target server, so whatever header you have is directly sent to the target. It is not changing anything; it is just adding its own X-BlueCoat header to see which user is responsible for the request. And that allows us to bypass the WAF, because if you find the origin IP of the Blue Coat, or let's say the target is directly running under Blue Coat, you can abuse the old or leftover configurations. Many hunters are actually not doing this, but you should do it. So as you can see, I just sent a Host value, and if you check the error I got, it is saying "DNS unresolved hostname": your requested host could not be resolved by the DNS. So it is actually resolving in the DNS and connecting to the target server. So basically even if the actual DNS server of the target or the DNS configuration doesn't have the stuff, the local settings of the Blue Coat have the virtual host assigned for each IP address, which are actually internal IP addresses, and it is trying to resolve and access the target. So basically what I did is check the historical records of the DNS or subdomains of the target, and I used Intruder, and I just hid every unnecessary result, because I only need the valid ones. And then there is our victim: see, we got the 200 OK response, and then I decided to see if it is a valid application. As you can see, we have some similar stuff, but they were not vulnerable applications, so that's why I hid their names. So basically what I did is assign the hostname for the subdomain in the Burp Suite configuration, so that way I can directly access it from the browser and I don't need to deal with Burp.

So when we accessed it, it's actually a hidden application, as we can see, and it is a hidden account-and-password login page, and there is an endpoint. But actually this is a very old application; you can just get that feeling from the UI of the application. So basically what I did is change the endpoint to admin without any login, and it was showing me the contents of the target, and you see it is a hidden database search or applicant eligibility lookup stuff. These are the functionalities of the target. So this is actually one of the funny targets I exploited, like two or three months ago, and I actually tweeted about how I exploited remote code execution using only a single ampersand instead of a double ampersand; it was the same target. It had lots of issues because it is an old target. So when we went to the database search functionality of the application, you can see we can enter all the details; I just hid the unnecessary ones on the date/time. Many hunters are actually not doing this too: I put some SQL payloads in directly without using any proxy. See, you can see, and I just used the search button and then we see the error, you know, this is SQL injection, and it is directly giving the database version of the target. But if you check something, this is actually a second-order SQL injection. Just a second, okay: if you check the endpoint again, this is the endpoint we sent the payload to, and then the result is coming from another endpoint. So this was actually second-order SQL injection. So basically you send input on one endpoint and then another endpoint is processing your input; this is what we call second-order SQL injection. So if you let this issue be exploited by sqlmap it would fail, because sqlmap will not be able to detect this, because it was actually like the third or fourth page in the result. So that is why I always say try to understand the application, try to see how it is handling stuff, instead of using automated stuff. So all of these tests are actually done manually; I am not using any automation. And let's see: this is the amount of the bounties I got from that program. As you can see, I got $10,000 for SQL injection, which is actually so hard to get on Synack; with the new changes we were able to get this, and on that target I was able to get 30,000 in one month and another 34,000 in the next month, so a total of 60,000 on this target in like two months. And I am being honest with you: I just spent like a total of 5 hours on this target.

So the conclusion is: a lack of DNS hygiene is causing lots of issues for organizations, especially the ones having lots of assets, like Starbucks. I said that is why you were seeing that I was getting lots of subdomain hijacking reports before, or that we can abuse the increasing attack surface because of the DNS. Like I said again, many hunters are doing the stuff wrongly, because they are just trusting the current data and they just feed the stuff into nuclei. I mean, nuclei is a good tool, but stop believing what nuclei gives to you; just improve your manual testing and believe in yourself. Because I can tell you, there is Orwa, you know, he's one of the best hunters, and I am telling you he's not doing something different than me and I am not doing something different than him. And the same for Eric, Todayisnew, you must know him, he's like number one on many platforms, he's one of the lovely guys, one of the people I love to collaborate with, but he's not doing something else today. Trust me, until last year he was not even using nuclei; he was using the simple stuff he made like 10 years ago in Visual Basic, he was using Visual Basic scripts. So stop thinking over-complicated, but go back to basics. If you know the basics you can exploit stuff easily. Like three months ago I gave another talk in Turkey; it was about reading the manuals. I told them this too: just read the manuals, because if you read the manual you will actually start to understand how your target is handling stuff. Same for DNS. DNS is not black magic. So as long as you trust your feelings and you have the knowledge, you will succeed. None of the top hunters is doing something different than you. But many of the beginning hunters, or hunters who are thinking they are not being successful, are just doing over-complicated stuff. The thing I can tell you: stop believing what you see on Twitter. Stop using everyone's payloads. Just start increasing your knowledge, because copy-pasting stuff will not let you succeed. So anyway, this is my talk. I hope you liked it. If you have any question, I am open. Thank you for having me in this lovely country of Bharat, or India. I love you guys. Thank you so much. So if you have any question, just feel free. Yeah, go on.

Audience member: So basically the DNS hygiene is the issue, right? Like once they move to the WAF they forgot to change their own IP address.

Mustafa: Yeah.

Audience member: So if they change the IP address, would that fix it?

Mustafa: It depends again. If they change the IP address to something like a third-party provider like Akamai or Incapsula, they might be actually connecting to the original IP, if it is not the provider giving them the server. That is why we are checking if the origin IP is available. I am not sure if... yeah, let's see, wait a second, you're going to see that. Yeah, here, if you see, the target changed their IP address in 2022, but the original IP, the last record, was from 2020, and that server was actually still accessible. What Incapsula is doing: this IP address is handling your request and sending it back to here. So we are basically ignoring the web application firewall and directly making contact. So that way we can get over the web application firewall and we can use our tools freely.

Audience member: I think this is a mistake everyone who works in deploying a website does. So let's say, like, when I deploy a website, my own website, I create it on a server, I attach a domain to it, but then later on I realize I need Cloudflare or some WAF.

Mustafa: Yeah.

Audience member: I use Cloudflare; I just give my IP and route it through.

Mustafa: You must, if you are changing your server to something else... I mean, if you are applying the web application firewall, you must get rid of the old IP address, or you must change the configuration. This is another misconfiguration actually: you should only accept connections from the provider. Most of the organizations are not doing this. This is why we are able to exploit the origin IP stuff.

Audience member: Yeah. Thank you.

Mustafa: No problem. Any other question? Feel free, guys. I can try to reply or answer. Okay, no questions, I think. Thank you for having me again, and I hope you have a good day. Thank you.
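The three checks the talk walks through (does a historical A-record IP still serve the site behind the WAF, which historical hostnames still have a virtual host on that IP, and which cookies are scoped to a parent domain so a hijacked sibling subdomain would receive them) are small enough to script. The block below is an added example written for this page; it is not the speaker's tooling, nor the PHP logger from the talk. Everything in it is constructed: the `Response` model, the `fetch` callable signature `(ip, host_header)`, the documentation IPs (`198.51.100.10`, `203.0.113.7`, `203.0.113.8`), the `example.com` hostnames and the `fake_fetch` stand-in for the network are all assumptions, chosen so the code runs offline.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Response:
    """Minimal HTTP response: status, body text, response headers."""
    status: int
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


# Assumed transport shape: connect to `ip`, send "GET /" with the given Host
# header, return the Response; raise OSError if nothing answers. In real use
# this wraps http.client/requests (connect to the IP, set Host and SNI explicitly).
Fetcher = Callable[[str, str], Response]


def fingerprint(resp: Response) -> Tuple[int, str]:
    """Status plus body hash: equal fingerprints mean 'the same page'."""
    return resp.status, hashlib.sha256(resp.body.encode()).hexdigest()


def find_exposed_origins(fetch: Fetcher, hostname: str,
                         historical_ips: List[str], current_ip: str) -> List[str]:
    """Historical A-record IPs that still serve `hostname` directly.

    The reference page is fetched via the current record (the WAF). An old IP
    that answers the same page for the same Host header is an origin the WAF
    no longer protects, which is exactly the 2020-vs-2022 record case in the talk.
    """
    reference = fingerprint(fetch(current_ip, hostname))
    exposed = []
    for ip in historical_ips:
        if ip == current_ip:
            continue
        try:
            resp = fetch(ip, hostname)
        except OSError:
            continue  # decommissioned, or firewalled to the WAF's ranges: stale but harmless
        if fingerprint(resp) == reference:
            exposed.append(ip)
    return exposed


def enumerate_vhosts(fetch: Fetcher, ip: str, candidate_hosts: List[str],
                     baseline_host: str = "no-such-vhost.invalid") -> List[Tuple[str, int]]:
    """Send each historical hostname as the Host header to one IP.

    Anything that differs from the server's answer for a made-up hostname
    (its catch-all/default vhost) is a vhost that still exists in the config,
    whether or not DNS still points at it.
    """
    baseline = fingerprint(fetch(ip, baseline_host))
    return [(host, resp.status) for host in candidate_hosts
            if fingerprint(resp := fetch(ip, host)) != baseline]


def parent_scoped_cookies(set_cookie_headers: List[str], served_host: str) -> List[Tuple[str, str]]:
    """(name, domain) of cookies whose Domain attribute covers every host under
    that domain, so a hijacked sibling subdomain would receive them too."""
    served = served_host.lower()
    flagged = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        for attr in parts[1:]:
            key, _, value = attr.partition("=")
            if key.strip().lower() != "domain":
                continue
            domain = value.strip().lower().lstrip(".")
            # RFC 6265 domain-match: the attribute must equal the serving host
            # or be a parent of it; otherwise the browser rejects the cookie.
            if served == domain or served.endswith("." + domain):
                flagged.append((name, domain))
    return flagged


# --- Constructed scenario (RFC 5737 documentation IPs, example.com; not real hosts) ---
WAF_IP = "198.51.100.10"    # current A record, fronted by the WAF
OLD_ORIGIN = "203.0.113.7"  # A record from an older DNS snapshot, still alive
DEAD_IP = "203.0.113.8"     # even older record, nothing listening
PORTAL = "<html><title>Portal</title><h1>Customer portal</h1></html>"
NOT_FOUND = "<html><h1>404 Not Found</h1></html>"
FAKE_NET = {
    (WAF_IP, "app.example.com"): Response(200, PORTAL, {"X-CDN": "waf-vendor"}),
    (OLD_ORIGIN, "app.example.com"): Response(200, PORTAL),
    # leftover vhost: the DNS record for this name was deleted, the config was not
    (OLD_ORIGIN, "legacy-admin.example.com"): Response(200, "<html><title>Admin</title><form>login</form></html>"),
}


def fake_fetch(ip: str, host: str) -> Response:
    """Stand-in for the network: FAKE_NET answers, 404 for unknown vhosts, OSError for dead IPs."""
    if ip == DEAD_IP:
        raise OSError("connection refused")
    return FAKE_NET.get((ip, host), Response(404, NOT_FOUND))


def demo():
    origins = find_exposed_origins(fake_fetch, "app.example.com", [DEAD_IP, OLD_ORIGIN, WAF_IP], WAF_IP)
    vhosts = enumerate_vhosts(fake_fetch, OLD_ORIGIN,
                              ["app.example.com", "old-api.example.com", "legacy-admin.example.com"])
    cookies = parent_scoped_cookies(
        ["session=abc123; Domain=.example.com; Path=/; HttpOnly", "csrf=tok; Path=/; Secure",
         "pref=1; Domain=other.org"], "app.example.com")
    return origins, vhosts, cookies


if __name__ == "__main__":
    print(demo())
```

Swap `fake_fetch` for a real fetcher and feed `historical_ips` and `candidate_hosts` from a passive-DNS export. The `OSError` branch is also the fix the Q&A ends on: an origin that only accepts connections from the WAF provider's address ranges drops the direct connection, so its stale record in the history is no longer exploitable.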