Your DNS, my DNS

In this short article we are going to talk about what is known as DNS takeover, a technique used in bug bounty that is similar to subdomain takeover and that lets us take possession of a domain's DNS.

DISCLAIMER

All of the tests below are for educational and informational purposes only; we take no responsibility for any malicious use of them.

IDENTIFYING A DOMAIN

The first step is to identify domains that return a SERVFAIL status (in our case we will use the fictitious domain redacted.com.br), as shown below using the dig tool:

A SERVFAIL response can mean either that there is a problem reaching the domain's DNS server or that the zone is not configured correctly.

Since we know that redacted.com.br has a DNS problem, we check which nameservers redacted.com.br is delegated to:

In this case the whois output shows that the delegated nameservers belong to Amazon AWS. This fact, together with the SERVFAIL response, indicates that it is possible to create a matching DNS zone in an Amazon AWS account and add records to it.
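The two signals above (a SERVFAIL answer plus a delegation to a managed DNS provider's nameservers) are exactly what a domain owner should be auditing for on their own zones. The following is an added example, not code from the original post or from the NSBrute project: it parses the text output of dig for the status and for the NS records obtained from the parent zone, and classifies each domain. The dig outputs, the domains and the nameserver names are all constructed for the example; the `@PARENT_NS` placeholder stands for the parent zone's nameserver, and the DigitalOcean marker is an assumption added alongside the Route 53 one the article discusses.

```python
"""Audit your own domains for the dangling-delegation condition behind DNS takeover.

Added example (not part of the original article). Inputs are the text output of
two queries: `dig <domain>` (to read the header status) and
`dig NS <domain> @PARENT_NS` (to read the delegation from the parent zone, which
still answers when the delegated nameservers do not).
"""
import re

# Substrings that identify nameservers of managed DNS providers on which any
# account holder can create a hosted zone. "awsdns" (Amazon Route 53) is the
# provider discussed in the article; the DigitalOcean entry is an assumption.
MANAGED_NS_MARKERS = {
    "awsdns": "Amazon Route 53",
    "digitalocean.com": "DigitalOcean DNS",
}

STATUS_RE = re.compile(r"->>HEADER<<-.*?status:\s*([A-Z]+)")
NS_RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+?)\.?\s*$", re.MULTILINE)


def parse_status(dig_output):
    """Return the RCODE text (NOERROR, SERVFAIL, NXDOMAIN, ...) from a dig header, or None."""
    m = STATUS_RE.search(dig_output)
    return m.group(1) if m else None


def parse_ns_records(dig_output):
    """Return the nameserver hosts from NS resource records in any dig section."""
    return sorted({ns.lower() for _, ns in NS_RR_RE.findall(dig_output)})


def provider_for(nameserver):
    """Map a nameserver host to a managed DNS provider name, or None if self-hosted/unknown."""
    for marker, name in MANAGED_NS_MARKERS.items():
        if marker in nameserver:
            return name
    return None


def assess_delegation(domain, lookup_output, delegation_output):
    """Combine the resolution status and the delegation into a risk rating with a remediation note."""
    status = parse_status(lookup_output)
    nameservers = parse_ns_records(delegation_output)
    providers = sorted({p for p in map(provider_for, nameservers) if p})
    if status == "SERVFAIL" and providers:
        risk = "HIGH"
        note = ("delegated to %s but the zone does not resolve: takeover candidate; "
                "recreate the zone on these nameservers or remove the delegation "
                "at the registrar" % ", ".join(providers))
    elif status == "SERVFAIL":
        risk = "MEDIUM"
        note = "delegated nameservers fail to answer; check their configuration"
    elif status == "NOERROR":
        risk = "LOW"
        note = "zone resolves; confirm the nameservers are the ones you expect"
    else:
        risk = "INFO"
        note = "status %s; no delegation problem detected by this check" % status
    return {"domain": domain, "status": status, "nameservers": nameservers,
            "providers": providers, "risk": risk, "note": note}


# Constructed sample outputs (not captured from any real domain).
LOOKUP_SERVFAIL = """\
; <<>> DiG 9.18.1 <<>> redacted.com.br
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

DELEGATION_AWS = """\
; <<>> DiG 9.18.1 <<>> NS redacted.com.br @PARENT_NS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; AUTHORITY SECTION:
redacted.com.br.\t3600\tIN\tNS\tns-111.awsdns-11.com.
redacted.com.br.\t3600\tIN\tNS\tns-222.awsdns-22.net.
"""

LOOKUP_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; ANSWER SECTION:
www.example.test.\t300\tIN\tA\t192.0.2.10
"""

DELEGATION_SELF = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4245
;; AUTHORITY SECTION:
example.test.\t3600\tIN\tNS\tns1.example.test.
"""


def run_audit():
    """Assess the constructed samples; in practice feed it the captured dig output per domain."""
    return [
        assess_delegation("redacted.com.br", LOOKUP_SERVFAIL, DELEGATION_AWS),
        assess_delegation("example.test", LOOKUP_OK, DELEGATION_SELF),
    ]


if __name__ == "__main__":
    for result in run_audit():
        print("%-6s %-18s %s" % (result["risk"], result["domain"], result["note"]))
```

The delegation must be read from the parent zone rather than from a recursive resolver, because a resolver will return SERVFAIL for the NS query too and hide the very nameservers you need to inspect. A HIGH result means the delegation at the registrar points at a provider where the zone no longer exists; the fix is either to recreate the zone there or to remove the stale NS records.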

CREATING THE DNS ZONE

Identifying the set of nameservers on which the DNS zone must be created is the complicated part, simply because we do not know it in advance. For this there is a script at https://github.com/shivsahni/NSBrute:

After we pass it our Amazon AWS account keys and our domain redacted.com.br as parameters, this script creates DNS zones until it finds the correct one, as seen below:

DNS zone created! Next, we log in to the Amazon AWS account and open the Route 53 option from the menu:

Once inside, we access the Hosted Zones option:

As we can see, there is a new DNS zone entry (marked in red) for our domain redacted.com.br:

CREATING A DNS RECORD

Now we only need to create a new record in the zone. We can create a CNAME record to redirect a subdomain to another website, or a TXT record with a message to prove that the domain's DNS is ours.

CNAME RECORD

To create a CNAME record, we click the Create record set button and enter the following data as an example:

  • Subdomain name: thehackingfactory.redacted.com.br
  • Record type: CNAME
  • Value: thehackingfactory.com

Running dig again, we observe that the domain's status changed from SERVFAIL to NOERROR and that the CNAME record shows the entered value thehackingfactory.com:

It is important to note that the redirection only works if the target domain is ours. For example, if you set a domain hosted at DigitalOcean as the CNAME value, it will not redirect.

TXT RECORD

To create a TXT record, we click the Create record set button and enter the following data:

  • Subdomain name: thehackingfactory.redacted.com.br
  • Record type: TXT
  • Value: Takeover by darkandroider

Running dig again, we observe that the TXT record shows the entered message Takeover by darkandroider:

I hope you liked it (thanks to Mr. Takeover).

“Don’t give up, great things take time.”
