Sub Domain Take Over - Simulate Environment
I have created an environment and am ready to show how a subdomain takeover can be done.
Victim (subdomain.tehwinsam.xyz)
Let's assume that you have found a subdomain through your own enumeration technique. We can use a tool called "dig" to look up the DNS records for subdomain.tehwinsam.xyz. The DNS information shows that subdomain.tehwinsam.xyz is a CNAME for applebois.asuscomm.com.
Since I bought tehwinsam.xyz from namecheap.com, the DNS configuration in the Namecheap dashboard looks like the image below.
Assume that the name applebois.asuscomm.com is no longer valid or used by anyone and is available to register.
The attacker can then register this name (applebois.asuscomm.com) and "technically" take over the subdomain (subdomain.tehwinsam.xyz), because the victim's CNAME still points at it.
Let's begin by checking the victim website (subdomain.tehwinsam.xyz). We notice that the subdomain is no longer in use. This is a misconfiguration by the owner: once a subdomain is no longer used, make sure the record is removed from the DNS zone, otherwise the dangling CNAME lets an attacker take over the subdomain.
Since this is just a simulated environment, we already know from the dig output above that subdomain.tehwinsam.xyz is a CNAME for applebois.asuscomm.com.
The parent domain (asuscomm.com) is owned by Asus. People who use an Asus router are allowed to register a subdomain under asuscomm.com. Asus provides this free domain for DDNS purposes.
DDNS links the registered name to the router's current public IP address, so once a user has successfully registered the name, they can reach their router by calling the domain (xxx.asuscomm.com) instead of the public IP.
https://{publicIP}:80 {before enable DDNS}
https://201.23.xxx.xxx:80 {before enable DDNS}
https://applebois.asuscomm.com {after enable DDNS}
https://google.com {after enable DDNS}
We can start by checking the "availability" of the subdomain (applebois.asuscomm.com). It seems that the name "applebois.asuscomm.com" is not used by anyone, hence we can register it and own it!
We register "applebois.asuscomm.com", and once the registration is done we have full control of that name and can take over the subdomain (subdomain.tehwinsam.xyz).
After we apply the setting, "applebois.asuscomm.com" is now owned by us (the attacker).
Next, we set up port forwarding / DMZ on the router, since we need a web server to answer for subdomain.tehwinsam.xyz. I pointed the DMZ to my local machine (192.168.0.83 is my web server).
We can now turn on XAMPP (the web server) and browse to subdomain.tehwinsam.xyz.
We have successfully brought subdomain.tehwinsam.xyz back online.
Yes or No?
dig shows that takemeover.tehwinsam.xyz CNAME appleboiswinsam.com
appleboiswinsam.com is available to purchase
Asus router allows you to configure it with a Google Domains name
The answer is YES.
The DNS configuration shows that takemeover.tehwinsam.xyz is a CNAME for appleboiswinsam.com, and appleboiswinsam.com is no longer used by anyone, so we can purchase this domain via Google Domains and own it. After purchasing the domain, we can link it to our Asus router.
Once we have successfully linked the router with the domain, we can do port forwarding / DMZ on the router and point it to the web machine's local IP address (192.168.0.xx).
Boot up the web server and browse to takemeover.tehwinsam.xyz.
Bomb! Sub-Domain Take Over.
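Both the walkthrough and the quiz above come down to the same defect on the owner's side: a CNAME whose target either no longer resolves or lives under a suffix where anyone can claim a name. The following is an added example of the audit a domain owner would run over their own zone to catch that before an attacker does; it is not code from the original post. The zone records, the resolver answers and the suffix list are constructed for the example (only the two CNAME targets and asuscomm.com come from the post), and `fake_lookup` stands in for a real resolver.

```python
"""Dangling-CNAME audit for a DNS zone (added example, not from the original post).

A CNAME whose target returns NXDOMAIN, or whose target sits under a suffix where
arbitrary users can register names, is the misconfiguration the post exploits.
All data below is constructed; swap `fake_lookup` for a real resolver to audit a
live zone.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed zone: (owner name, record type, target). The two takeover targets
# are the ones from the post; the remaining records are invented filler.
ZONE: List[Tuple[str, str, str]] = [
    ("www.tehwinsam.xyz", "A", "203.0.113.10"),
    ("subdomain.tehwinsam.xyz", "CNAME", "applebois.asuscomm.com"),
    ("takemeover.tehwinsam.xyz", "CNAME", "appleboiswinsam.com"),
    ("blog.tehwinsam.xyz", "CNAME", "alias.tehwinsam.xyz"),
    ("alias.tehwinsam.xyz", "CNAME", "www.tehwinsam.xyz"),
]

# Constructed resolver answers: name -> (rtype, value); a missing key means
# NXDOMAIN. Both takeover targets from the post are deliberately absent.
FAKE_DNS: Dict[str, Tuple[str, str]] = {
    "www.tehwinsam.xyz": ("A", "203.0.113.10"),
    "alias.tehwinsam.xyz": ("CNAME", "www.tehwinsam.xyz"),
}

# Suffixes under which anyone can claim a name (assumption for the example:
# asuscomm.com is the DDNS suffix from the post, the other is a placeholder).
USER_REGISTRABLE_SUFFIXES = ("asuscomm.com", "example-ddns.invalid")

Lookup = Callable[[str], Optional[Tuple[str, str]]]


def fake_lookup(name: str) -> Optional[Tuple[str, str]]:
    """Stand-in resolver: returns (rtype, value) or None for NXDOMAIN."""
    return FAKE_DNS.get(name.rstrip(".").lower())


def inspect_cname(target: str, lookup: Lookup, max_hops: int = 8) -> List[str]:
    """Follow the CNAME chain starting at `target` and return a list of issues.

    An empty list means the chain ends at a real address record and no hop is
    under a user-registrable suffix.
    """
    issues: List[str] = []
    seen = set()
    cur = target.rstrip(".").lower()
    for _ in range(max_hops):
        if cur in seen:
            issues.append(f"CNAME loop at {cur}")
            return issues
        seen.add(cur)
        if any(cur == s or cur.endswith("." + s) for s in USER_REGISTRABLE_SUFFIXES):
            issues.append(f"target {cur} is under a user-registrable suffix")
        answer = lookup(cur)
        if answer is None:
            issues.append(f"target {cur} does not resolve (NXDOMAIN): dangling record")
            return issues
        rtype, value = answer
        if rtype != "CNAME":
            return issues  # chain terminates at an A/AAAA record: healthy
        cur = value.rstrip(".").lower()
    issues.append(f"CNAME chain longer than {max_hops} hops")
    return issues


def audit_zone(zone: List[Tuple[str, str, str]], lookup: Lookup) -> Dict[str, List[str]]:
    """Return {owner name: issues} for every CNAME in the zone that has a problem."""
    report: Dict[str, List[str]] = {}
    for name, rtype, target in zone:
        if rtype != "CNAME":
            continue
        issues = inspect_cname(target, lookup)
        if issues:
            report[name] = issues
    return report


if __name__ == "__main__":
    for owner, problems in audit_zone(ZONE, fake_lookup).items():
        print(owner)
        for p in problems:
            print("  -", p)
```

Run against the constructed zone, the audit flags subdomain.tehwinsam.xyz twice (registrable suffix and NXDOMAIN) and takemeover.tehwinsam.xyz once (NXDOMAIN), while blog.tehwinsam.xyz passes because its chain ends at an A record. Against a live zone, `lookup` would wrap a real resolver (for instance dnspython's `dns.resolver.resolve`, returning None when it raises NXDOMAIN); records the audit flags should be deleted or repointed, which is the remediation the post itself recommends.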