184.108.40.206 will be used as the example IP address throughout this blog post.
NS records, while in EC2-based subdomain takeover we hunt for
CNAME records that match one of the following regexes
A record, and with a reverse IP lookup we get a hostname that matches the previous regex. We can use the
host command to perform the reverse lookup, or do it from Python.
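The following script is an added example (not the post's own code) of the A-record branch of the hunt: resolve each subdomain, reverse-look up every IP, and keep only IPs whose PTR is an EC2 public DNS name. The regex is my own assumption about AWS naming (`ec2-a-b-c-d.<region>.compute.amazonaws.com`, plus the `compute-1` form used for us-east-1); the post's regexes are not reproduced on the page. The resolver functions are injectable so the logic can be exercised offline with constructed data.

```python
import re
import socket
import sys
from typing import Iterable, Optional

# Assumed EC2 public DNS naming (the post's own regex is not on the page):
#   ec2-<a>-<b>-<c>-<d>.<region>.compute.amazonaws.com    most regions
#   ec2-<a>-<b>-<c>-<d>.compute-1.amazonaws.com            us-east-1
EC2_PTR_RE = re.compile(
    r"^ec2-(?P<ip>\d{1,3}(?:-\d{1,3}){3})\."
    r"(?P<zone>[a-z]{2}(?:-[a-z]+)+-\d+|compute-1)"
    r"(?:\.compute)?\.amazonaws\.com\.?$",
    re.IGNORECASE,
)


def classify_ptr(hostname: Optional[str]) -> Optional[dict]:
    """Return {'ip', 'region'} when hostname is an EC2 public DNS name, else None."""
    if not hostname:
        return None
    m = EC2_PTR_RE.match(hostname.strip())
    if not m:
        return None
    zone = m.group("zone").lower()
    return {
        "ip": m.group("ip").replace("-", "."),
        "region": "us-east-1" if zone == "compute-1" else zone,
    }


def resolve_a(name: str) -> list:
    """A records for name via the system resolver (empty list if it does not resolve)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def reverse_lookup(ip: str) -> Optional[str]:
    """PTR name for ip, the same thing `host <ip>` prints, or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def hunt(subdomains: Iterable[str], resolve=resolve_a, reverse=reverse_lookup):
    """Yield (subdomain, ip, region) for A records whose PTR is an EC2 name that
    embeds the same IP. A PTR embedding a different IP is stale data and skipped."""
    for sub in subdomains:
        sub = sub.strip()
        if not sub:
            continue
        for ip in resolve(sub):
            info = classify_ptr(reverse(ip))
            if info and info["ip"] == ip:
                yield sub, ip, info["region"]


if __name__ == "__main__":
    # Usage: python3 ec2_hunt.py < subdomains.txt
    for sub, ip, region in hunt(sys.stdin):
        print(f"{sub}\t{ip}\t{region}")
```

The region comes straight out of the PTR name, which is what you need later when deciding where to launch instances. A PTR alone does not prove the address is currently unassigned; the HTTP, TLS and Shodan checks that follow are what tell you who is answering on it now.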
http://sub.example.com/ in your browser and check for:
Location header from the HTTP response. This tool is very efficient when checking a huge list of EC2-based subdomains. I then have to check the results manually.
Frans Rosén mentioned this technique during his talk "DNS hijacking using cloud providers" in 2017.
https://sub.example.com/ in your browser and check for:
Organization from the SSL certificate. This tool is very efficient when checking a huge list of EC2-based subdomains.
organization from the SSL certificate, compares it against the hostname and prints out possibly vulnerable subdomains. I'll be using notify to send notifications and anew to keep only new results. This technique may produce false positives, so make sure to confirm the SSL data before reporting.
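As an added example of the certificate check above (my code, not the post's script), the function below pulls the organization, CN and SAN names out of the dict that `ssl.SSLSocket.getpeercert()` returns and classifies the host. The comparison rule is my assumption: the host counts as owned when the organization name contains the hostname's second-level label, or when the CN/SAN covers the hostname; anything else is a candidate for manual confirmation. The sample certificates in the test are constructed.

```python
import socket
import ssl
import sys


def registrable_label(hostname: str) -> str:
    """Second-level label, e.g. 'example' for sub.example.com.
    Assumption: no public-suffix handling, fine for .com-style names."""
    parts = hostname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def cert_fields(cert: dict):
    """organizationName, commonName and SAN DNS names from a getpeercert() dict."""
    org = cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "organizationName":
                org = value
            elif key == "commonName":
                cn = value
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    return org, cn, sans


def name_matches(pattern: str, hostname: str) -> bool:
    """Exact match or a single-label wildcard such as *.example.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return ("." in hostname
                and hostname.split(".", 1)[1] == pattern[2:]
                and hostname.count(".") == pattern.count("."))
    return pattern == hostname


def assess(hostname: str, cert: dict) -> dict:
    """'owner' when the organization or the certificate names tie the cert to the
    hostname's domain; 'mismatch' otherwise. DV certificates carry no organization,
    so the name check is what keeps them from being reported as false positives."""
    org, cn, sans = cert_fields(cert)
    label = registrable_label(hostname)
    org_ok = bool(org) and label in org.lower().replace(" ", "")
    names = ([cn] if cn else []) + sans
    name_ok = any(name_matches(n, hostname) for n in names)
    return {
        "host": hostname,
        "org": org,
        "names": names,
        "verdict": "owner" if (org_ok or name_ok) else "mismatch",
    }


def fetch_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live fetch. check_hostname is off so a certificate issued for some other
    name is still returned; CERT_REQUIRED stays on because getpeercert() returns
    {} under CERT_NONE. Untrusted/self-signed certs therefore surface as an error
    entry, which is itself worth a manual look."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return tls.getpeercert()
    except (OSError, ssl.SSLError) as exc:
        return {"error": str(exc)}


if __name__ == "__main__":
    # Usage: python3 tls_org_check.py < subdomains.txt   (prints mismatches only)
    for line in sys.stdin:
        host = line.strip()
        if not host:
            continue
        cert = fetch_cert(host)
        if "error" in cert:
            print(f"{host}\tERROR\t{cert['error']}")
            continue
        result = assess(host, cert)
        if result["verdict"] == "mismatch":
            print(f"{host}\t{result['org']}\t{','.join(result['names'])}")
```

Pipe the mismatch lines through anew and notify as the post does; the heuristic is deliberately loose, so every line it emits still needs the manual confirmation the post asks for.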
Spyse, I'll be using
Shodan in the next part.
Shodan, I use the following script to fetch the data and then analyze it manually.
sub.example.com and check the open ports for data that confirms the owner of the current IP.
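The post's Shodan script is not on the page, so here is an added example of my own that does the same job: fetch the host record for an IP from the Shodan REST API and reduce it to the ownership signals worth eyeballing (org/ISP/ASN, associated hostnames, open ports, and per-port product, banner, HTTP title and TLS certificate subject). The record layout used here (`ip_str`, `hostnames`, `domains`, `ports`, `data[].port/product/data/http/ssl`) is what I assume Shodan returns; the sample record in the test is constructed, not real Shodan output.

```python
import json
import sys
import urllib.parse
import urllib.request

SHODAN_HOST_URL = "https://api.shodan.io/shodan/host/{ip}?key={key}"


def fetch_host(ip: str, api_key: str, timeout: int = 10) -> dict:
    """GET the Shodan host record for ip (needs network access and an API key)."""
    url = SHODAN_HOST_URL.format(ip=urllib.parse.quote(ip), key=urllib.parse.quote(api_key))
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def summarize_host(record: dict, target_domain: str) -> dict:
    """Reduce a host record to the fields that say who is behind the IP right now.
    mentions_target_domain is True when Shodan already ties the IP to the target
    domain; False means the services need a closer manual look."""
    target = target_domain.lower().rstrip(".")
    hostnames = [h.lower() for h in record.get("hostnames", [])]
    domains = [d.lower() for d in record.get("domains", [])]
    services = []
    for svc in record.get("data", []):
        banner = (svc.get("data") or "").strip().splitlines()
        entry = {
            "port": svc.get("port"),
            "transport": svc.get("transport", "tcp"),
            "product": svc.get("product"),
            "banner": banner[0] if banner else "",
        }
        title = (svc.get("http") or {}).get("title")
        if title:
            entry["http_title"] = title
        subject = ((svc.get("ssl") or {}).get("cert") or {}).get("subject")
        if subject:
            entry["cert_subject"] = subject
        services.append(entry)
    services.sort(key=lambda s: (s["port"] is None, s["port"] or 0))
    mentions_target = target in domains or any(
        h == target or h.endswith("." + target) for h in hostnames
    )
    return {
        "ip": record.get("ip_str"),
        "org": record.get("org"),
        "isp": record.get("isp"),
        "asn": record.get("asn"),
        "hostnames": hostnames,
        "open_ports": sorted(record.get("ports", [])),
        "mentions_target_domain": mentions_target,
        "services": services,
    }


if __name__ == "__main__":
    # Usage: python3 shodan_host.py <ip> <target-domain> <api-key>
    ip, domain, key = sys.argv[1:4]
    print(json.dumps(summarize_host(fetch_host(ip, key), domain), indent=2))
```

A certificate subject or HTTP title belonging to some unrelated company on the same IP is exactly the evidence you want before concluding the address has been handed to a different customer; an empty record (no services at all) is consistent with the address being back in the pool.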
220.127.116.11, which falls within region
ap-southeast-1. Theoretically this can work: we can take over this IP and serve our content from an EC2 server to create our PoC.
takeover.html PoC and added it into the web server path
/var/www/html/. Now when we visit
http://sub.example.com/takeover.html, we should see our PoC live. If you cannot access your HTTP server, make sure inbound network access is allowed (the instance's security group must permit the HTTP port) as mentioned here.