diff --git a/content/notes/finding-candidates-subdomain-takeovers/index.md b/content/notes/finding-candidates-subdomain-takeovers/index.md index 50897f0c..6f5d7792 100644 --- a/content/notes/finding-candidates-subdomain-takeovers/index.md +++ b/content/notes/finding-candidates-subdomain-takeovers/index.md @@ -1,7 +1,7 @@ --- title: "Finding Candidates for Subdomain Takeovers" date: 2019-04-03T11:19:48-04:00 -description: "A subdomain takeover occurs when a subdomain points to a shared hosting service that is abandoned by its owner, leaving the account available to claim for yourself." +description: "A subdomain takeover occurs when a subdomain points to a shared hosting account that is abandoned by its owner, leaving the endpoint available to claim for yourself." tags: - Pentesting - Infosec @@ -11,7 +11,7 @@ tags: draft: false --- -A **subdomain takeover** occurs when a subdomain (like *example*.jarv.is) points to a shared hosting service that is abandoned by its owner, leaving the account available to claim for yourself. +A **subdomain takeover** occurs when a subdomain (like *example*.jarv.is) points to a shared hosting account that is abandoned by its owner, leaving the endpoint available to claim for yourself. Not only are takeovers a fun way to dip your toes into [penetration testing](https://www.cloudflare.com/learning/security/glossary/what-is-penetration-testing/), but they can also be incredibly lucrative thanks to [bug bounty programs](https://en.wikipedia.org/wiki/Bug_bounty_program) on services like [HackerOne](https://hackerone.com/hacktivity?order_direction=DESC&order_field=popular&filter=type%3Aall&querystring=subdomain%20takeover) and [Bugcrowd](https://bugcrowd.com/programs), where corporations pay pentesters for their discoveries. 
@@ -33,6 +33,8 @@ The most common services eligible for takeovers of abandoned subdomains are the - Tumblr - [...and many more.](https://github.com/EdOverflow/can-i-take-over-xyz#all-entries) +--- + On [my GitHub profile](https://github.com/jakejarvis/), you'll find a Go-based tool named [`subtake`](https://github.com/jakejarvis/subtake) (based on [`subjack`](https://github.com/haccer/subjack)). This tool takes a list of [CNAME records](https://support.dnsimple.com/articles/cname-record/) to check and outputs potential takeover candidates pointing to these services. But how in the world do we get a list of every CNAME on the internet? 
@@ -71,10 +73,42 @@ grep -f grep.txt vulnerable.txt In my view, takeovers are a fantastic way to begin a side hustle in bug bounties, simply due to the fact that once you've taken over a subdomain, you don't need to worry about another hunter beating you to the punch and reporting it before you. -Since you have this luxury of time, it becomes ***extremely important*** that you let your adrenaline subside and follow [responsible disclosure](https://www.bugcrowd.com/resource/what-is-responsible-disclosure/) guidelines -- especially in the creation of a "proof of concept" file with your username at an obscure location, **not** at `index.html`. I won't go over the details of writing a report because [Patrik Hudak](https://twitter.com/0xpatrik) wrote another [great post about it here](https://0xpatrik.com/takeover-proofs/). +Since you have this luxury of time, it becomes ***extremely important*** that you let your adrenaline subside and follow [responsible disclosure](https://www.bugcrowd.com/resource/what-is-responsible-disclosure/) guidelines -- especially in the creation of a "proof of concept" file with your username at an obscure location, **not** at `index.html`. I won't go over the details of writing a report because [Patrik Hudak](https://twitter.com/0xpatrik) wrote another [great post about it here](https://0xpatrik.com/takeover-proofs/). This is an example of one of my own reports (company name censored because it has not been publicly disclosed) on [Bugcrowd](https://bugcrowd.com/programs): + + +> I have found three subdomains of ********.com vulnerable to takeovers via unclaimed endpoints at [Azure's Traffic Manager](https://azure.microsoft.com/en-us/services/traffic-manager/). I have claimed these endpoints and redirected them to a blank page to prevent a bad actor from doing so in the meantime, and hosted a POC file at obscure URLs. 
These are the following domains I discovered and the outdated endpoints on Azure to which they point: + +> xxxx.********.com --> aaa.trafficmanager.net + +> yyyy.********.com --> bbb.trafficmanager.net + +> zzzz.********.com --> ccc.trafficmanager.net + +> ...and the proof-of-concept files are at the following locations: + +> [http://xxxx.********.com/poc-d4ca9e8ceb.html](#) + +> [http://yyyy.********.com/poc-d4ca9e8ceb.html](#) + +> [http://zzzz.********.com/poc-d4ca9e8ceb.html](#) + +> I have not hosted any other file nor attempted any other vector of attack. You're probably familiar with takeovers like this by now, but through this vulnerability, it would be possible for an attacker to obtain cookies and other sensitive information from your users via phishing, cookie hijacking, or XSS. It is also possible to obtain SSL certificates for ********.com subdomains from CAs that only require domain validation such as [Let's Encrypt](https://letsencrypt.org/how-it-works/), but I have not attempted to do so. More info on possible attack vectors [can be found here](https://0xpatrik.com/subdomain-takeover/). + +> Please let me know when you've received this report and I'll delete the endpoints from my personal Azure account, so you can either reclaim them or remove the subdomains entirely from your DNS records. Thanks! + + +I removed the company's name because an important part of responsible *disclosure* is the *disclosure*, or lack thereof. Until the company explicitly gives permission to publicly disclose the vulnerability after patching it -- and there are built-in features on both HackerOne and Bugcrowd to request this -- it's **not okay** to talk about it publicly. + +The `poc-d4ca9e8ceb.html` proof-of-concept file contained this single, hidden line: + +``` + +``` + +No self-promotional links or redirects, no examples of XSS/cookie hijacking to be "helpful" (no matter how harmless), no funny business of any kind. 
--- -I have several more [improvements](https://github.com/jakejarvis/subtake#to-do) I want to make to `subtake` (integrating the `sonar.sh` script into the main program, an all-in-one automated Docker image, a self-updating list of services, etc.) but still feel free to [make a suggestion](https://github.com/jakejarvis/subtake/issues) and/or contribute to the repository in the meantime. +I have several more [improvements](https://github.com/jakejarvis/subtake#to-do) I want to make to `subtake` (like integrating the `sonar.sh` script into the main program, an all-in-one automated Docker image, a self-updating list of service fingerprints, etc.) but still feel free to [make a suggestion](https://github.com/jakejarvis/subtake/issues) and/or contribute to the repository in the meantime. Happy hunting, fellow penetrators! 😉 \ No newline at end of file
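Review bot: in the `@@ -1,7 +1,7 @@` hunk the front-matter `date` (`2019-04-03T11:19:48-04:00`) is left untouched even though this patch materially expands the post with a sample report and proof-of-concept details; if the site's front matter supports a `lastmod` field, add one here so the revision is dated, and note that the reworded `description` now ends with the same clause as the body paragraph changed in the following `@@ -11,7 +11,7 @@` hunk, so any further rewording should be applied to both places together.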
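Review bot: in the `@@ -71,10 +73,42 @@` hunk the fenced block that follows "The `poc-d4ca9e8ceb.html` proof-of-concept file contained this single, hidden line:" is empty as submitted (an opening ```` ``` ````, one blank line, a closing ```` ``` ````), so the sentence promises a line the rendered page will not show; either put the line into the block or reword the sentence, and tag the fence with the content's language so it highlights. Two smaller points in the same hunk: the three proof-of-concept URLs are written as `[http://xxxx.********.com/poc-d4ca9e8ceb.html](#)`, which renders a clickable anchor that only jumps to the top of the page, and since the hostnames are censored anyway plain inline code reads better than a dead link; and the quoted report is both preceded and followed by two blank lines (`+` `+` before `+> I have found` and before `+I removed`) where the rest of the file uses one, so collapse them.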