Sub Domain Take Over - Simulate Environment


Over the past few days I have been studying the topic of subdomain takeover, and I found that most blogs do not give an end-to-end walkthrough. In this post I will not explain the theory; instead I will show a simple case study of a subdomain takeover.

I have built an environment to demonstrate how a subdomain takeover can be carried out.

Victim (subdomain.tehwinsam.xyz)
Let's assume that you have found a subdomain through your own enumeration technique. We can use the tool "dig" to look up the DNS information for subdomain.tehwinsam.xyz. The DNS records show that subdomain.tehwinsam.xyz is a CNAME to applebois.asuscomm.com.


I bought tehwinsam.xyz from namecheap.com, so in the Namecheap dashboard the DNS configuration looks like the image below.



Assume that the domain applebois.asuscomm.com is no longer valid or used by anyone and is available for registration.
An attacker can then register this domain (applebois.asuscomm.com) and, in effect, take over the subdomain (subdomain.tehwinsam.xyz).

Let's begin by checking the victim website (subdomain.tehwinsam.xyz). We notice that the subdomain is no longer in use; this is clearly a misconfiguration by the owner. Remember: once a subdomain is no longer in use, remove its record from the DNS zone to prevent an attacker from taking it over.
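The check a zone owner would want here is an audit for exactly this condition: a CNAME whose target no longer resolves. The script below is an added example, not code from the original post; it follows the CNAME chain for each record and flags chains that end in NXDOMAIN or a loop, using a constructed in-memory resolver (the names and addresses are assumptions) so it runs offline, and the lookup function can be swapped for a real resolver when auditing a live zone.

```python
from typing import Callable, Optional, Tuple

# Constructed in-memory zone data (assumption, not real DNS): name -> (rtype, value).
# Names missing from the table behave as NXDOMAIN, i.e. nobody currently serves them.
FAKE_DNS = {
    "subdomain.tehwinsam.xyz.": ("CNAME", "applebois.asuscomm.com."),
    "takemeover.tehwinsam.xyz.": ("CNAME", "appleboiswinsam.com."),
    "www.tehwinsam.xyz.": ("CNAME", "tehwinsam.xyz."),
    "tehwinsam.xyz.": ("A", "203.0.113.10"),
}

def fqdn(name: str) -> str:
    return name if name.endswith(".") else name + "."

def fake_lookup(name: str) -> Optional[Tuple[str, str]]:
    """Stand-in resolver; swap in a real one (e.g. dnspython) for a live audit."""
    return FAKE_DNS.get(fqdn(name))

def follow_cname(name: str, lookup: Callable, max_hops: int = 8) -> Tuple[str, bool]:
    """Follow the CNAME chain from name. Returns (last name reached, resolves?)."""
    seen, current = set(), fqdn(name)
    for _ in range(max_hops):
        if current in seen:        # CNAME loop, never resolves
            return current, False
        seen.add(current)
        rec = lookup(current)
        if rec is None:            # NXDOMAIN: the chain dangles here
            return current, False
        if rec[0] != "CNAME":      # reached an A/AAAA record
            return current, True
        current = fqdn(rec[1])
    return current, False          # chain too long

def find_dangling(zone_names, lookup=fake_lookup):
    """Audit your own zone: every CNAME whose target no longer resolves."""
    findings = []
    for n in zone_names:
        rec = lookup(n)
        if rec and rec[0] == "CNAME":
            target, ok = follow_cname(rec[1], lookup)
            if not ok:
                findings.append((fqdn(n), target))
    return findings

if __name__ == "__main__":
    names = ["subdomain.tehwinsam.xyz", "takemeover.tehwinsam.xyz", "www.tehwinsam.xyz"]
    for rec, tgt in find_dangling(names):
        print(f"DANGLING {rec} -> {tgt}: delete the record or re-acquire the target")
```

A dangling target is a candidate for review, not proof of a takeover: whether the target name can actually be claimed depends on the provider behind it (a DDNS hostname or a registrable apex, as in the two cases on this page).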



Since this is just a simulated environment, recall that we saw earlier that subdomain.tehwinsam.xyz is a CNAME to applebois.asuscomm.com.
The domain asuscomm.com is owned by Asus. Owners of Asus routers are allowed to register a subdomain under asuscomm.com; Asus provides this free domain for DDNS purposes.

DDNS links the registered domain to the router's public IP, so once a user has successfully registered the domain, they can reach their router by name (xxx.asuscomm.com) instead of by public IP address.

https://{publicIP}:80    {before enabling DDNS}
https://201.23.xxx.xxx:80    {before enabling DDNS}
https://applebois.asuscomm.com {after enabling DDNS}
https://google.com {after enabling DDNS}

We can start by checking the availability of the subdomain applebois.asuscomm.com. It seems that nobody is using it, so we can register it and own it!

We register applebois.asuscomm.com, and once we own this domain we have full control of it and can take over the subdomain (subdomain.tehwinsam.xyz).


After we apply the setting, applebois.asuscomm.com is now owned by us (the attacker).


Next, we set up port forwarding / DMZ, since we need a web server to serve content on subdomain.tehwinsam.xyz. I point the DMZ to my local machine (192.168.0.83), which acts as the web server.

We can now start XAMPP (the web server) and browse to subdomain.tehwinsam.xyz.


We have successfully brought subdomain.tehwinsam.xyz back online.



Let's try to overwrite the content of the dashboard by changing index.html.


Sub-Domain Take Over - Success




With the scenario below, can we take over this subdomain (takemeover.tehwinsam.xyz)?
Yes or no?

dig shows that takemeover.tehwinsam.xyz is a CNAME to appleboiswinsam.com


appleboiswinsam.com is available for purchase


Asus routers allow you to configure a domain from Google Domains




The answer is YES. 

Because the DNS configuration shows that takemeover.tehwinsam.xyz is a CNAME to appleboiswinsam.com, and appleboiswinsam.com is no longer used by anyone, we can purchase this domain via Google Domains and own it. After purchasing the domain, we can link it to our Asus router.

Once the router is linked to the domain, we can set up port forwarding / DMZ on the router and point it to the local IP address of the web machine (192.168.0.xx).

Boot up the web server and browse to takemeover.tehwinsam.xyz.

Boom! Sub-Domain Take Over.
