Subdomain Takeover: Exploiting Subdomain Takeover on S3

Subdomain Takeover

What Is Subdomain Takeover: An attacker is able to gain control of a company's subdomain hosted on a cloud service such as AWS or GitHub because the DNS entry pointing to that service was never removed. This allows the attacker to set up a phishing page on that subdomain or serve malicious content from it.


Impact:


· An attacker can abuse the company's reputation by sending phishing emails from the legitimate domain, performing XSS, hosting phishing pages, stealing cookies and more.


What is S3 (Simple Storage Service): S3 buckets are a scalable, high-speed, highly available web-based cloud storage service used to read private or public content and to upload content to buckets. You can also host a website in a bucket and render its contents on any of your subdomains using a CNAME DNS entry.


Subdomain takeover in Amazon S3: Each bucket can be mapped to a specific domain or subdomain. Sometimes, when an S3 bucket is no longer in use, the customer deletes it from their Amazon account but forgets to remove the DNS entry pointing to it. This can escalate to a subdomain takeover, because Amazon allows a bucket name that no longer exists to be claimed again from any other account.


Exploitation:


· We have an S3 bucket located at http://test.s3-website-south-.amazonaws.com, and this URL is rendered on the domain https://blessedgupta.online. The bucket contains the data of https://blessedgupta.online.


· blessedgupta.online uses a CNAME entry to render the data of the S3 bucket on its domain.


· Later the owner wants to move to another service, so she deletes the bucket from her Amazon account but forgets to remove the CNAME from the DNS entries.


· Now the attacker creates a bucket with the same name. Since the CNAME entry for blessedgupta.online has not been removed, the data of the newly created bucket starts rendering on blessedgupta.online.


This whole process is known as subdomain takeover, and the attacker can serve malicious content to the users of that subdomain.


Basic Identification: Using any subdomain enumeration tool such as Sublist3r or Knockpy, we can get all the subdomains of a website. Some of those subdomains may have been used in an early phase but are no longer in use; these should be the main targets. To find the CNAME record of any domain, open a terminal and type this command:


dig cname <any domain or subdomain>



This command shows the CNAME of a domain or subdomain. You can also use any online DNS resolver tool to find it.


Now, to check whether the subdomain can be taken over, use the URL in the CNAME entry to access the website directly.


After visiting the URL, there are two types of response you will see in the browser:


· Access Denied: the bucket still exists, so the subdomain is not available for takeover.



· NoSuchBucket: the owner has deleted the bucket from their account, and the bucket name can be claimed again on Amazon.


Note: For more details you can check my GitHub repository: https://github.com/guptabless/unclaim-s3-finder/blob/master/bucket-takeover.py
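The dig-then-visit check above can be turned into an audit routine for a defender reviewing their own zone. The following is an added example, not the author's bucket-takeover.py script: it parses a `dig cname` answer, recognises S3 endpoint hostnames, and classifies the S3 error document (the HTML a website endpoint returns or the XML a REST endpoint returns) into "dangling" (NoSuchBucket) or "in-use" (AccessDenied). The hostnames, dig output and response bodies are constructed for the example.

```python
"""Audit helper: decide whether a subdomain's CNAME points at an S3 bucket name
that no longer exists. All sample inputs below are constructed, not captured."""
import re
from typing import Optional

# Constructed `dig cname static.example.com` output (example hostnames only).
DIG_OUTPUT = """\
;; ANSWER SECTION:
static.example.com.\t300\tIN\tCNAME\ttest.s3-website-us-east-1.amazonaws.com.
"""
# Constructed S3 error bodies: website endpoints answer with HTML, REST endpoints with XML.
NOSUCHBUCKET_HTML = ("<html><body><h1>404 Not Found</h1><ul><li>Code: NoSuchBucket</li>"
                     "<li>Message: The specified bucket does not exist</li></ul></body></html>")
ACCESSDENIED_XML = ("<?xml version=\"1.0\" encoding=\"UTF-8\"?><Error><Code>AccessDenied</Code>"
                    "<Message>Access Denied</Message></Error>")

# Matches bucket.s3.amazonaws.com, bucket.s3.<region>.amazonaws.com and
# bucket.s3-website[.-]<region>.amazonaws.com style CNAME targets.
S3_HOST_RE = re.compile(r"\.s3(?:[.-](?:website[.-])?[a-z0-9-]+)?\.amazonaws\.com$")
# Both the HTML and the XML error documents carry the error code in one of these forms.
S3_ERROR_RE = re.compile(r"(?:<Code>|Code:\s*)(NoSuchBucket|AccessDenied)")

def parse_dig_cname(output: str) -> Optional[str]:
    """Return the CNAME target from dig's answer section, trailing dot removed."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[2] == "IN" and fields[3] == "CNAME":
            return fields[4].rstrip(".").lower()
    return None

def is_s3_endpoint(host: str) -> bool:
    return bool(S3_HOST_RE.search(host.lower().rstrip(".")))

def classify_s3_body(body: str) -> str:
    """'dangling': bucket no longer exists, so its name is re-claimable (the takeover case);
    'in-use': bucket exists but denies access; 'serving': content or an unrelated error."""
    m = S3_ERROR_RE.search(body)
    if m is None:
        return "serving"
    return "dangling" if m.group(1) == "NoSuchBucket" else "in-use"

def audit(hostname: str, dig_output: str, body: str) -> dict:
    """Combine the DNS and HTTP evidence for one subdomain into a single verdict."""
    cname = parse_dig_cname(dig_output)
    if cname is None or not is_s3_endpoint(cname):
        return {"host": hostname, "cname": cname, "verdict": "not-s3"}
    return {"host": hostname, "cname": cname, "verdict": classify_s3_body(body)}
```

A "dangling" verdict is the record to delete (or the bucket to re-create under your own account) before anyone else claims the name.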


How it Works: Subdomain takeover is not limited to CNAME records; it also applies to NS, MX and even A records.


A web browser implicitly trusts DNS, which means that when an attacker gains control over DNS records, all web browser security measures tied to the domain are easily bypassed.


Risk and Mitigation


· Many organizations do not audit their configuration on a regular basis.


· There is no standardized process for adding, changing or removing entries in their DNS zone file.


· Whenever an organization discontinues or terminates a service, it should remove the corresponding DNS records at the same time.


Translated from: https://medium.com/@gupta.bless/exploiting-subdomain-takeover-on-s3-6115730d01d7
