In the previous post we looked at finding DNS records and subdomains. With that information, it’s time for the next step: finding (potential) subdomain takeovers.
With a list of subdomains in hand, it’s easy to scan these domains for a subdomain takeover. Let’s look at one of the tools that can do that: dnsReaper.
dnsReaper
According to the GitHub repository:
“DNS Reaper is yet another sub-domain takeover tool, but with an emphasis on accuracy, speed and the number of signatures in our arsenal. We can scan around 50 subdomains per second, testing each one with over 50 takeover signatures. This means most organizations can scan their entire DNS estate in less than 10 seconds“.
So how do you use this tool?
dnsReaper Installation
- Download the latest dnsReaper release here: https://github.com/punk-security/dnsReaper
- Unzip the files
- Install the dependencies from CMD: "pip install -r requirements.txt"
- Check that the installation was successful by running: "main.py --help"
Setting up a test scenario
To test this, a scenario was set up on this domain: vulnerable.cyberredcell.nl. This subdomain was of course removed after the test completed:

As you can see, the subdomain was created as a CNAME record, and pointed to a resource that didn’t exist in Azure. To make sure the DNS record was propagated correctly, I used whatsmydns.net. This website shows if your DNS record is reachable from around the globe:

Now the test can begin.
Running different scans with dnsReaper
You can run dnsReaper on a single domain, multiple domains, but also based on input from a text file. Let’s look at the different options:
- Running dnsReaper on a single domain: "main.py single --domain example.com"
- Running dnsReaper on multiple domains from a file: "main.py file --filename target"
- For Windows users: "main.py file --filename C:\Users\[USERNAME]\Desktop\dnsReaper-MultiDomain.txt"
- Running dnsReaper with output to a file: "main.py file --filename C:\Users\[USERNAME]\Desktop\SubdomainsList.txt --out-format=json > C:\Users\[USERNAME]\Desktop\ResultsOutput.json"
- See all results (-v = verbose, -vv = extra verbose): "main.py file --filename C:\Users\[USERNAME]\Desktop\Subdomains.txt -vv"
- With -vv you will also see lines like "Match detected in CNAME '[RESOURCE NAME]' for domain '[SUBDOMAIN]'", so you know which resource is attached to a specific CNAME
By running dnsReaper against the vulnerable subdomain, you should see results like this:

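To show what a scan of a subdomain list actually checks, here is a small added example (written for this post, not part of dnsReaper) that reproduces the test scenario above: a CNAME pointing at a provider resource that no longer resolves. The resolver functions are injected so the logic runs offline against constructed records; the provider suffix list is an illustrative subset, and the live lookups assume dnspython is installed.

```python
"""Dangling-CNAME check over a list of subdomains (example code for this post)."""
import json
from typing import Callable, Optional

# Illustrative subset of provider suffixes; dnsReaper ships far more signatures.
CLAIMABLE_SUFFIXES = (".azurewebsites.net", ".cloudapp.azure.com", ".trafficmanager.net")


def classify(subdomain: str, cname: Optional[str], target_resolves: bool) -> dict:
    """Build one finding: no CNAME, healthy CNAME, dangling, or takeover candidate."""
    if cname is None:
        return {"domain": subdomain, "status": "no-cname"}
    if target_resolves:
        return {"domain": subdomain, "cname": cname, "status": "ok"}
    # Target is gone: only a claimable provider name is a takeover candidate.
    claimable = any(cname.rstrip(".").endswith(s) for s in CLAIMABLE_SUFFIXES)
    return {"domain": subdomain, "cname": cname,
            "status": "takeover-candidate" if claimable else "dangling"}


def scan(subdomains, lookup_cname: Callable[[str], Optional[str]],
         resolves: Callable[[str], bool]) -> list:
    """Classify every subdomain using the supplied DNS lookup functions."""
    findings = []
    for name in subdomains:
        cname = lookup_cname(name)
        findings.append(classify(name, cname, bool(cname and resolves(cname))))
    return findings


# Constructed records mirroring the post's scenario (not real DNS data).
CNAMES = {
    "old.example.com": "box.hosting.example.org",                # non-provider, gone
    "vulnerable.example.com": "removed-app.azurewebsites.net",   # resource deleted
    "www.example.com": "live-app.azurewebsites.net",             # still in service
}
LIVE_TARGETS = {"live-app.azurewebsites.net"}


def demo_findings() -> list:
    """Offline run over the constructed records, in sorted order plus a CNAME-less host."""
    return scan(sorted(CNAMES) + ["mail.example.com"], CNAMES.get, LIVE_TARGETS.__contains__)


def live_lookup_cname(name: str) -> Optional[str]:
    """Real CNAME lookup via dnspython (assumed installed: pip install dnspython)."""
    import dns.resolver
    try:
        return str(dns.resolver.resolve(name, "CNAME")[0].target)
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer, dns.resolver.NoNameservers):
        return None


if __name__ == "__main__":
    print(json.dumps(demo_findings(), indent=2))
```

For a real run, pair live_lookup_cname with a resolver that returns whether an A lookup succeeds and schedule the script alongside (or instead of) the manual dnsReaper runs above.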
Scanning hosting platforms you’re using
dnsReaper also supports scanning different hosting platforms. This means you can also use the tool as Blue Team to scan your own domains. It allows you to authenticate through dnsReaper, and collect the DNS information from providers like AWS, Azure, Cloudflare, DigitalOcean, GoDaddy and Google Cloud by default. You can also add your own provider if you’d like.
Scanning your Azure subscription, for example, looks like this:
Script: "main.py azure --az-subscription-id xxxxx --az-tenant-id xxxxx --az-client-id xxxxx --az-client-secret xxxxx"
dnsReaper online
Punk Security also created an online version of dnsReaper. It works just like the downloadable tool, and it indeed found the vulnerable subdomain in this test:

Conclusion
Protecting your online assets doesn't have to be expensive, or rely on top-tier tools that cost a fortune. With open-source tools like this, you can automate the check to run every day, week or month. As we've seen before, dangling DNS records and subdomains are a danger to your organization: they can inflict damage on your users and on the organization itself.
Making this part of the development process is one thing, but it only takes one mistake or somebody forgetting to follow the process. The phrase “trust, but verify” applies here, and why not automate that process with an open-source tool like dnsReaper? If it will save you from (reputation) damage, why not spend the time to look into this?
Disclaimer
This post is for informational purposes only, and we are not liable for any loss or damage resulting from its use.
Also: don’t be a skiddie, or an a-hole, and stay vigilant!