Subdomain Hijacking: Why DevOps Is Making Us More Vulnerable by Daniel Oates-Lee & Simon Gurney

BSides Dublin · 2023 · 22:46 · 35 views · Published 2023-07
Category: Technical
Style: Talk

Transcript [en]

Excellent. Thank you very much, everybody, for coming along. I'm going to talk about subdomain hijacking. It's a little bit interesting because it leads on quite nicely from the following talk, and the one this morning about initial access and how attackers can create credible phishing links. I'll get rid of the "who am I" first. My name's Daniel Oates-Lee, I'm one of the co-directors of Punk Security. I'm a DevSecOps enthusiast. I started off as a developer, then moved into operations, and they quickly found out I was pretty good at breaking stuff, so they put me in security. I love automating stuff and I'm just an out-and-out geek: I like writing open source tools, I like attending conferences and doing CTF stuff. So whilst I'm a director, I'm also extremely technical. Punk Security is a DevSecOps consultancy. I'm going to be talking about DNS Reaper later on, but we have also got three other open source tools if anybody's interested: we've got a secret scanning tool, SMBeagle, which is an SMB auditing tool, and pwnSpoof, which generates threat hunting logs for you to go and have a look at. And last month we ran a DevSecOps CTF.

Anyway, what I'm going to talk about today: I'm going to cover off how DNS works very quickly, then we're going to talk about three different subdomain attacks, then why should we care about this, and then how can you defend yourself.

So, a quick introduction into how DNS works. Basically DNS has 13 root servers, most of them are stored in the US, and these hold the TLD NS records. So these are like the .co.uk, .com, .io, whatever the TLD DNS name is, down to those name servers where you would generally go and buy the domain that you're interested in. In our demos today everything is going to be Punk Security, because obviously I own that and I can abuse it. That's where you'll go and buy your DNS names. Underneath there you will then have a DNS zone where you'll store your DNS records. Now this will either be hosted with something like GoDaddy or Azure or AWS Route 53, and this is where you'll hold things like your A records, your AAAAs, your CNAMEs, your NSes, pointing off to whatever web service you want. So just to quickly recap: the root servers we have no access to, we can't configure that, we can't do anything; the TLDs, that's where we register ourselves; and we then configure the bottom bit down at the bottom.

So how does that look when you're connecting to a website? Well, obviously, if we wanted to connect through to our website, we go to BT, if you're using BT, and it will go off and say "where's .co.uk?" to the root servers. It will then say "this is where .co.uk lives". You'll query "who is punksecurity?" to the .co.uk, and it will return back an IP address to go through to Azure, to our NS, to our DNS zones, to go and pull back www, and then BT will return to you an IP address.

So what are subdomains? Well, we've just quickly covered off the very first part of the DNS names. So the root domain would be punksecurity.co.uk; the bits that you can see in green, these are the subdomains, all the hosts, and these are the bits that can potentially be abused. So in our case we're going to look at docs.punksecurity.co.uk today for our first takeover attack.

So as we're moving into this brave world of DevOps and cloud, we tend to like using more and more cloud services for hosting stuff, but this can lead to misconfigurations or errors or services being disconnected. And how many people in this room can hold their hands up and say "I have complete control of my external DNS zone, I know exactly every single record that's in there and where it's pointing to, and if I take down an external service I will get rid of that record"? No one? Okay, that's good, most of the room can't.

So we're going to have a quick look at this. So what is the subdomain takeover? In this case our development team have asked the support team to create a CNAME record for docs.punksecurity.co.uk to point it off at GitHub. So what GitHub will do is, basically, when you go to docs.punksecurity.co.uk it will redirect you through to punksecurity-docs.github.io. Now I'm going to do a live demo, hopefully, if all works well, and we're going to have a quick look at what that looks like inside DNS. So if we do a quick nslookup on the CNAME docs.punksecurity.io, we can see here that it's pointing off to docs-punksecurity.github.io. If we go and have a look at that website at docs.punksecurity.com, okay, we can see that there isn't actually anything there at the moment. Now this would indicate to an attacker that that is not available, like we haven't finished off the final part of the configuration. Unfortunately GitHub is rather poor at validating that you own the domain that you say you own. So if we go to... and I'm currently logged in here as a different user; this has got nothing to do with Punk Security at all, it just happens to be an account that I've created as docs.punksecurity.com, it's owned by somebody called General Failure. So if I go to the repository, I go to my repository, I can now add that domain to this repo to be able to host a malicious website posing as Punk Security. If I go down here, go to Pages, and underneath the custom domain just type in docs.punksecurity.io, I think it was, if I save that, it will be checking the DNS to make sure it gets redirected through to this address here. It's just checking... so that's the address there that it's pointing at... there you go, it says it's been successful. If we go back and visit that page, clear that and reopen it... okay... ah, come on, of course the demo worked just over there... come on, refresh... nope... oh dear... we've just landed on a page that looks like it could be used for capturing somebody's Microsoft 365 account.

So from something as simple as our support team creating a DNS record and pointing it to an empty space up in GitHub, an attacker's been able to find that DNS takeover and go and launch a page. Now we've done this; we've scanned for DNS takeover attacks in the past and we've found pages that we were able to take over for PlayStation and multiple other companies. I think there were a couple of members in the audience who were telling me earlier that they've used DNS Reaper and have found other DNS takeovers as well. So this is a real attack that is beginning to become more prevalent, because we're using more cloud services rather than running our own web services.

So the second type of takeover attack that I'm going to talk about is a name server. So we've obviously got the main DNS zone, which is punksecurity.co.uk, where we host our hosts. But what about if the development teams want to be able to control their own DNS records? We might want to delegate to them their own DNS zone. So in this case we want to give them dev.punksecurity.com, because they might want to be able to control their own web services for testing and be able to stand up their own internet-based services. So how that works is, underneath our punksecurity.co.uk here, underneath the NS records, we can point it to another zone where they can then host their own records. So in this case what we're going to be looking at is Route 53, and what we've done inside here is we've created a punksecurity.co.uk DNS zone, and if this is playing correctly, which is brilliant... So what we're going to do inside is we're going to go and create dev.punksecurity.co.uk, like a good administrator would do on the basis of a ticket, and then create it, giving it a description of "developer", which is great. So he's now stood up that DNS zone in Route 53. Now in the punksecurity.co.uk main DNS zone we need to go and add name server records, so then when people go to punksecurity.co.uk and they want to get to the dev resources, they know which zone to get to. So we go inside here, we create a new NS record, and can anybody spot the mistake that the poor administrator's just made? He's just created developers.punksecurity.co.uk. Now you might think "well, that might not happen"; it does happen quite regularly. So what happened there is, rather than creating dev.punksecurity, it created the zone dev.punksecurity.com, so the developers could go and create their own name records, but then in the main punksecurity zone he created an incorrect NS record, which left developers.punksecurity.co.uk unassociated, basically.

Now how can we exploit this? Well, luckily in AWS world you're going to create your DNS zone and it will randomly pick different name servers to go on. So the first time you might register... you know, the target is what we're trying to get to, we're trying to get onto those servers there. The first set, though, unfortunately we didn't get any. The second time we run it, it might get two of them, and the third time we run it we might get a bit more. You know, we're quite happy because we've now got the first and the second, so most requests are going to hit those two. Now that's actually pretty trivial: we wrote a little Python script to register the zone, then check the NS records where the zone's being held; if it's not being held on the right servers, delete the resource and try again. And you'd be surprised: you can probably run about a thousand registrations in less than about two or three minutes, and you can probably hit the right name servers pretty quickly. So now, if an attacker can own a name server that's underneath your domain, they can start creating credible phishing links.

So what's the "so what"? Well, obviously they can start creating credible phishing links. I mean, Uber had this against them, a name server takeover, and the attacker took over signup.uber.com and then was able to send out phishing links using that to trick people to go and hand over their usernames and passwords, or click on a link and download malicious things. We can also start creating email MX records as well, so we can start hosting our own mail servers as one of the subdomains of the main domain service. And lastly we can also start looking at loosely scoped cookies. So this is like the third attack.

So what a loosely scoped cookie basically is, is the ability to use a cookie from one of the parent pages in any of the subdomains. So if we look here, if we created a cookie on our main web page, www.punksecurity.co.uk, the attacker would be able, if they took over one of the name servers or took over one of the CNAMEs like on GitHub, to get a feed of the cookie from the main website. So how does that look and why does that happen? So if we see here, we have actually got a couple of cookies there already, so we've got ones mainly for Calendly. So if you look at Calendly there, if the cookie doesn't start with a dot, it means that it can be applied to any subdomain or any website underneath. So here goes for another demo; let's see if I can try and get this one right. So here we didn't really want to stand up a proper website, so we just created a local one called example.com. So what we're going to do here is we're going to open up a developer's page. There are no cookies in here at the moment, so what we're going to do is create a very quick cookie called "authentication cookie", which, you know, may well exist in other apps, and we're going to give it a secret value. And what we're going to do here is... it's really important that we make sure that this is a loosely scoped cookie, because what we'd like to show you is what would happen if an attacker stood up a website after taking over that name server and was able to stand up their own web service. So for instance, like in the Uber case, they might go to uber.co.uk, the user might log in and be already authenticated, and then when they click on the signup phishing link it'll open up inside their browser and their authentication cookie will be passed down to you. So in this case we're going to go to subdomain.example.org, and there you go, you can see that we've just taken the cookie and we've also got the secret there as well. And that is basically the third example of why you don't want to have these subdomain takeovers.

So how can we defend ourselves? Well, we can carry out periodic reviews, we can do DNS hygiene, and, you know, we've got a million and one other things to be doing that we're probably not doing as well as we could be, so DNS hygiene is typically not going to be very productive. You could sign up to a bug bounty program, but they tend to charge you quite a lot for finding a subdomain takeover. You could extend your pen tests and ask your pen testers to check your DNS records for subdomain takeovers, but, you know, you're probably already running out of time with most of your pen tests anyway, and putting more requirements on top of the pen test is going to properly dilute it. Or you could use IaC. Sorry, does anybody use infrastructure as code for controlling their DNS records at the moment? Maybe two or three people. I do it all the time; I find it much easier because then I can put it under git control. Or you can use our free open source tool called DNS Reaper.

So DNS Reaper: it's a little Python script, but we've also built it as a Docker container, so you can run it as a Docker service. You give it access to the domain that you want to have checked, so it can either log into Azure, or AWS Route 53, or a BIND server, or you can feed it a flat file with the domains that you want it to check. It will then go through and it'll check all of those domains and all of the A records, the CNAMEs, the NS records, and use some signatures. So rather than telling you "oh, we think it might be susceptible", we've gone off and we've written 60 signatures which actually check the site, and then it means that it is more susceptible, and then we give you the results either on the screen, in a CSV file, or a JSON file. So the use cases are: you can use this for checking your own infrastructure, so go home, check your own public DNS zones, make sure that you're not susceptible. You can also sign up to bug bounty programs and go make yourselves some dollars, and a few people have done that already. And you can also use it for preventing bad deployments, so if you're doing infrastructure as code deployments and controlling your DNS in IaC, you could maybe run DNS Reaper afterwards just to make sure that what you've created isn't susceptible.

So I'm gonna just quickly show you here where you can go get it. So you can go get it from our GitHub; it's MIT licensed, so knock yourselves out. And we do do a lot of security scanning on these and do nightly builds against all of our stuff, because we are a DevSecOps company, so we will do those kind of things. Feel free to go and check out the Actions. We have documented it extensively, so, like, for accessing Route 53 we don't want you to go and create an account that's going to give you access to everything inside your Route 53, so what we've done on this particular instance is we've told you a really nice little IAM policy there of exactly what permissions DNS Reaper would need for your Route 53 access. And as I say, it's really nicely documented and, like all really good hacking tools, we've got the best ASCII art as well. If you run it in the Docker service it'll tell you that you haven't passed through some parameters and it'll tell you what parameters you can use. You can see here that we cover Cloudflare, AWS, you can either scan a single domain or from a flat file, log it into Azure, DigitalOcean or BIND. And when you see the results, it will spit them out as you can see here on the screen. So you can see here that we've given this a confidence of "potential", but then you can see underneath that there is a second finding which has confidence "confirmed", and that's because it's checked it using that signature to make sure that it is actually susceptible to a DNS takeover.

And I think I'm just a little bit ahead of time, but I can either do a live demo of DNS Reaper, or if anybody's got any questions I can take some questions.

[Audience question, inaudible.] Did I see it? No, I didn't. Oh, is it? Oh well, that's nice, yeah. Did they write a tool, though, to fix it? No? All right. No, so this came off the back of us working... so all of our tools tend to come off the back of something that we've been helping a client with, and this happened to be an insurance company that was paying out 200 for every single subdomain takeover vulnerable finding in a bug bounty program that they'd signed up to. And so we said, well, that just seems ridiculous, let us help you reduce that down to zero. And we had a look at what they were doing and wrote a simple Python script with some signatures. So it's good to see that somebody else had thought the same thing, but no, we hadn't seen that. Were there any questions? All right, thank you very much.
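As an added example, not code from the talk or from DNS Reaper: a small signature-style checker for the two dangling-record patterns the talk demonstrates, a CNAME to an unclaimed GitHub Pages site and an NS delegation to a nameserver that does not serve the delegated name. The zone records, hostnames, nameserver and the stubbed HTTP and DNS responses are all constructed so it runs offline; the GitHub Pages marker text is that provider's standard unclaimed-site page.

```python
from collections import namedtuple
from typing import Callable, List, Optional

# A parent-zone record: owner name, "CNAME" or "NS", and the target/nameserver it points at.
Record = namedtuple("Record", "name rtype value")

# Signature table: CNAME target suffix -> text the provider serves for an unclaimed name.
# The GitHub Pages entry is that provider's well-known "no site here" page; more would be added.
UNCLAIMED_SIGNATURES = {".github.io": "There isn't a GitHub Pages site here"}

def check_cname(rec: Record, http_get: Callable[[str], str]) -> Optional[str]:
    """Signature check: known provider AND fetching the hostname returns its unclaimed page."""
    target = rec.value.rstrip(".")
    for suffix, marker in UNCLAIMED_SIGNATURES.items():
        if target.endswith(suffix):
            if marker in http_get(rec.name):
                return f"CONFIRMED CNAME: {rec.name} -> {target} is unclaimed"
            return None  # provider matched, but the site is claimed
    return None  # no signature for this provider: not confirmable

def check_ns(rec: Record, is_authoritative: Callable[[str, str], bool]) -> Optional[str]:
    """Dangling delegation: the listed nameserver does not serve the delegated name."""
    ns = rec.value.rstrip(".")
    if not is_authoritative(ns, rec.name):
        return f"CONFIRMED NS: {rec.name} delegated to {ns}, which does not serve it"
    return None

def scan(records: List[Record], http_get, is_authoritative) -> List[str]:
    """Run each record through the matching check; collect confirmed findings only."""
    findings = []
    for rec in records:
        finding = None
        if rec.rtype == "CNAME":
            finding = check_cname(rec, http_get)
        elif rec.rtype == "NS":
            finding = check_ns(rec, is_authoritative)
        if finding:
            findings.append(finding)
    return findings

# Constructed zone: an unclaimed GitHub Pages CNAME, a claimed one, and a mistyped delegation
# (the zone that exists on that nameserver is dev., the parent delegates developers.).
SAMPLE_ZONE = [
    Record("docs.example.co.uk", "CNAME", "example-docs.github.io."),
    Record("www.example.co.uk", "CNAME", "example.github.io."),
    Record("developers.example.co.uk", "NS", "ns-1.cloud-dns.invalid."),
]
# Constructed stand-ins for the network, so the scan runs offline.
FAKE_PAGES = {"docs.example.co.uk": "404 - There isn't a GitHub Pages site here.",
              "www.example.co.uk": "<h1>Example docs</h1>"}
FAKE_ZONES = {("ns-1.cloud-dns.invalid", "dev.example.co.uk")}

def demo() -> List[str]:
    return scan(SAMPLE_ZONE, lambda host: FAKE_PAGES.get(host, ""),
                lambda ns, zone: (ns, zone) in FAKE_ZONES)
```

Against real zones the two lambdas would be replaced by an HTTP fetch of the hostname and an SOA query sent directly to the delegated nameserver.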