Detecting possibly affected domains

To find vulnerable domains, we can follow the process published by the researcher Patrick Hudak.

Patrick Hudak describes the first step as generating a list that defines the scope. Usually, the scope is defined by the bounty program; after that, we enumerate all of the possible domains inside it.

Sub-domain enumeration can be performed using Amass. Amass is a tool created by the OWASP project to obtain sub-domain names from different sources. Amass uses the collected IP addresses to discover netblocks and ASNs.

To use Amass, run it from the command line with the target domain, as shown in the following snippet:

$ amass -d bigshot.beet
$ amass -src -ip -brute -min-for-recursive 3 -d example.com
[Google] www.bigshot.bet
[VirusTotal] ns.bigshot.beet
...
13139 names discovered - archive: 171, cert: 2671, scrape: 6290, brute: 991, dns: 250, alt: 2766

Once the enumeration has produced a list of sub-domains, the next step is to monitor the sub-domains on that list. The basic idea is to visit each sub-domain and visually determine whether it is available or not, but if you prefer, you can use the following snippet of code (the `Process` function of the Subjack package) to monitor the domains with ease:

package subjack

import (
	"bufio"
	"log"
	"net"
	"os"
	"strings"
	"sync"
)

/* Options mirrors the command-line flags of subjack. */
type Options struct {
	Domain   string
	Wordlist string
	Threads  int
	Timeout  int
	Output   string
	Ssl      bool
	All      bool
	Verbose  bool
	Config   string
	Manual   bool
}

type Subdomain struct {
	Url string
}

/* Start processing subjack from the defined options. */
func Process(o *Options) {
	urls := make(chan *Subdomain, o.Threads*10)
	list, err := open(o.Wordlist)
	if err != nil {
		log.Fatalln(err)
	}

	wg := new(sync.WaitGroup)

	/* One worker per thread; each drains the channel until it is closed. */
	for i := 0; i < o.Threads; i++ {
		wg.Add(1)
		go func() {
			for url := range urls {
				url.dns(o)
			}

			wg.Done()
		}()
	}

	/* Feed every name from the wordlist to the workers. */
	for i := 0; i < len(list); i++ {
		urls <- &Subdomain{Url: list[i]}
	}

	close(urls)
	wg.Wait()
}

/* The two helpers below are not part of the excerpt above; minimal versions are
   added here so that the snippet compiles and runs. */

/* open reads the sub-domain list, one name per line, skipping blank lines. */
func open(path string) ([]string, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()

	var lines []string
	sc := bufio.NewScanner(f)
	for sc.Scan() {
		if l := strings.TrimSpace(sc.Text()); l != "" {
			lines = append(lines, l)
		}
	}
	return lines, sc.Err()
}

/* dns resolves the sub-domain's CNAME target and logs it. The full subjack
   implementation goes on to match that target against its fingerprint
   configuration (o.Config); that part is not reproduced here. */
func (s *Subdomain) dns(o *Options) {
	cname, err := net.LookupCNAME(s.Url)
	if err != nil {
		if o.Verbose {
			log.Printf("%s: %v", s.Url, err)
		}
		return
	}
	log.Printf("%s -> %s", s.Url, cname)
}

Once you have detected a sub-domain takeover, you need to prepare a proof of concept to report it.

To confirm a takeover, you can use the following three tools:

  • Aquatone (https://github.com/michenriksen/aquatone): This is a tool for the visual inspection of websites across a list. It could help define an HTTP-based attack surface, not just for sub-domain takeovers but also for pen testing purposes.
  • SubOver (https://github.com/Ice3man543/SubOver): This is a tool totally focused on sub-domain takeovers that checks different sources for a domain's availability to confirm the takeover.
  • Subjack (https://github.com/haccer/subjack): This is a tool that scans a list of sub-domains to determine which one of them could be hijacked.

All of these tools are very fast, but they can produce false positives. We therefore recommend a manual confirmation when a potential takeover is detected. Each of the following checks has two parts: a regular expression that the sub-domain's CNAME target must match, and an HTTPie request (`http -b GET`) whose response body is searched for the fingerprint that the provider serves when the referenced resource no longer exists. Use the verification that matches your provider:

  • Amazon S3:
# {bucketname}.s3.amazonaws.com
^[a-z0-9.-]{0,63}\.?s3\.amazonaws\.com$

# {bucketname}.s3-website(.|-){region}.amazonaws.com (+ possible China region)
^[a-z0-9.-]{3,63}\.s3-website[.-](eu|ap|us|ca|sa|cn)-\w{2,14}-\d{1,2}\.amazonaws\.com(\.cn)?$

# {bucketname}.s3(.|-){region}.amazonaws.com
^[a-z0-9.-]{3,63}\.s3[.-](eu|ap|us|ca|sa)-\w{2,14}-\d{1,2}\.amazonaws\.com$

# {bucketname}.s3.dualstack.{region}.amazonaws.com
^[a-z0-9.-]{3,63}\.s3\.dualstack\.(eu|ap|us|ca|sa)-\w{2,14}-\d{1,2}\.amazonaws\.com$

http -b GET http://{SOURCE DOMAIN NAME} | grep -E -q '<Code>NoSuchBucket</Code>|<li>Code: NoSuchBucket</li>' && echo "Subdomain takeover may be possible" || echo "Subdomain takeover is not possible"

  • GitHub Pages:
^[a-z0-9.-]{0,70}\.?github\.io$

http -b GET http://{SOURCE DOMAIN NAME} | grep -F -q "<strong>There isn't a GitHub Pages site here.</strong>" && echo "Subdomain takeover may be possible" || echo "Subdomain takeover is not possible"

  • Heroku:
^[a-z0-9.-]{2,70}\.herokudns\.com$

http -b GET http://{SOURCE DOMAIN NAME} | grep -F -q "//www.herokucdn.com/error-pages/no-such-app.html" && echo "Subdomain takeover may be possible" || echo "Subdomain takeover is not possible"

  • Readme.io:
^[a-z0-9.-]{2,70}\.readme\.io$

http -b GET http://{SOURCE DOMAIN NAME} | grep -F -q "Project doesnt exist... yet!" && echo "Subdomain takeover may be possible" || echo "Subdomain takeover is not possible"
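As an added example (not code from the book, from Subjack, or from Patrick Hudak's tooling), the following Go program collects the provider patterns and fingerprints listed above into one table and applies both halves of the manual check to a CNAME target and a response body. The function name `Classify` and the sample inputs in `main` are constructed for this example; in practice the CNAME would come from a DNS lookup and the body from the HTTPie request shown above.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// provider pairs the CNAME patterns from the text with the fingerprint in the body.
type provider struct {
	name         string
	cnames       []string // regular expressions matched against the CNAME target
	fingerprints []string // any one of these in the response body is enough
}

var providers = []provider{
	{"Amazon S3", []string{
		`^[a-z0-9.-]{0,63}\.?s3\.amazonaws\.com$`,
		`^[a-z0-9.-]{3,63}\.s3-website[.-](eu|ap|us|ca|sa|cn)-\w{2,14}-\d{1,2}\.amazonaws\.com(\.cn)?$`,
		`^[a-z0-9.-]{3,63}\.s3[.-](eu|ap|us|ca|sa)-\w{2,14}-\d{1,2}\.amazonaws\.com$`,
		`^[a-z0-9.-]{3,63}\.s3\.dualstack\.(eu|ap|us|ca|sa)-\w{2,14}-\d{1,2}\.amazonaws\.com$`,
	}, []string{"<Code>NoSuchBucket</Code>", "<li>Code: NoSuchBucket</li>"}},
	{"GitHub Pages", []string{`^[a-z0-9.-]{0,70}\.?github\.io$`}, []string{"<strong>There isn't a GitHub Pages site here.</strong>"}},
	{"Heroku", []string{`^[a-z0-9.-]{2,70}\.herokudns\.com$`}, []string{"//www.herokucdn.com/error-pages/no-such-app.html"}},
	{"Readme.io", []string{`^[a-z0-9.-]{2,70}\.readme\.io$`}, []string{"Project doesnt exist... yet!"}},
}

// Classify applies both halves of the manual check: the CNAME target must match a
// provider pattern AND the body must carry that provider's "resource gone" fingerprint.
func Classify(cname, body string) (providerName string, mayBePossible bool) {
	cname = strings.TrimSuffix(strings.ToLower(cname), ".") // DNS answers often end in "."
	for _, p := range providers {
		for _, re := range p.cnames {
			if m, _ := regexp.MatchString(re, cname); !m {
				continue
			}
			for _, fp := range p.fingerprints {
				if strings.Contains(body, fp) {
					return p.name, true
				}
			}
			return p.name, false // provider matched but the resource still exists
		}
	}
	return "", false // not a provider covered by these checks
}

func main() { // constructed sample CNAME answer and body, not live data
	fmt.Println(Classify("assets-prod.s3.amazonaws.com", "<Error><Code>NoSuchBucket</Code></Error>"))
}
```

A pattern hit without the fingerprint is reported as not possible, which is exactly the false-positive case the manual confirmation is meant to weed out.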
  