NSDetect: A Tool To Discover Potential AWS Domain Takeovers

Utilities That Might Help You Earn/Save a Few Hundred Thousand Dollars! 🤑

Shiv Sahni
May 3 · 4 min read

Introduction

AWS is a leading cloud platform, widely used for various types of cloud services by tech giants such as Netflix, Airbnb, Lyft, Deliveroo, etc. In this story, I talk about the automated detection of AWS NS Takeover, a security issue caused by a misconfiguration in the AWS Route 53 service. The tool can be used by Infrastructure Security Engineers, DevSecOps Engineers, Penetration Testers and Bug Bounty Hunters (🤑) for automated detection of NS Takeover.


AWS NSDetect

Recently I developed AWS NSDetect, a Python utility to identify domains vulnerable to AWS NS Takeover. The scope of this utility is limited to identifying the misconfiguration. You can use it in combination with NSBrute for the exploitation, i.e. to gain access to the domain.

Usage

The script takes a file containing a list of domains as input, scans each of them for this vulnerability, and finally reports the list of vulnerable domains.

💡Pro Tip💡 You can refer to this amazing blog on Subdomain Enumeration by Patrik Hudák (@0xpatrik) to prepare a rich list of domains to scan. Don't forget: Enumeration Is The Key!

Remediation

The vulnerability has a straightforward fix. We just need to remove the dangling nameserver entries corresponding to our domains at the domain registrar.
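One way to audit your own delegations for the dangling entries described above, as an added example (not NSDetect's code): it compares the NS records set at the registrar with the nameservers of the Route 53 hosted zones you actually own. The function names and all sample data are constructed, and it assumes both lists were exported beforehand.

```python
import re

# Route 53 hands out nameservers named like ns-123.awsdns-45.org
R53_NS = re.compile(r"^ns-\d+\.awsdns-\d+\.(com|net|org|co\.uk)$")

def norm(name):
    """Lowercase and drop the trailing root dot so names compare equal."""
    return name.strip().lower().rstrip(".")

def audit_delegations(registrar_ns, hosted_zones):
    """Return {domain: sorted dangling Route 53 NS entries to remove}.

    registrar_ns: domain -> NS names delegated at the registrar / parent zone
    hosted_zones: zone name -> NS names of that hosted zone's delegation set
    """
    zones = {norm(z): {norm(n) for n in ns} for z, ns in hosted_zones.items()}
    findings = {}
    for domain, ns_list in registrar_ns.items():
        live = zones.get(norm(domain), set())  # empty if the zone was deleted
        # A Route 53 nameserver is dangling when no hosted zone of ours
        # for this exact name is served by it any more.
        stale = sorted(n for n in map(norm, ns_list)
                       if R53_NS.match(n) and n not in live)
        if stale:
            findings[norm(domain)] = stale
    return findings

# Constructed sample data (hypothetical domains and nameserver names)
REGISTRAR_NS = {
    # hosted zone deleted, delegation left behind
    "shop.example.com": ["ns-77.awsdns-09.com.", "ns-2000.awsdns-58.co.uk."],
    # zone deleted and recreated: one old nameserver still delegated
    "api.example.com": ["ns-101.awsdns-12.com.", "NS-900.awsdns-48.net"],
    # delegation matches the live hosted zone
    "www.example.com": ["ns-5.awsdns-00.com", "ns-1030.awsdns-00.org"],
    # not delegated to Route 53 at all, out of scope for this check
    "mail.example.com": ["ns1.example.net"],
}
HOSTED_ZONES = {
    "api.example.com.": ["ns-101.awsdns-12.com", "ns-1500.awsdns-59.org"],
    "www.example.com.": ["ns-5.awsdns-00.com", "ns-1030.awsdns-00.org"],
}

if __name__ == "__main__":
    for domain, stale in audit_delegations(REGISTRAR_NS, HOSTED_ZONES).items():
        print(f"{domain}: remove at registrar -> {', '.join(stale)}")
```

The partially stale case matters because a recreated hosted zone receives a new set of nameservers, so old entries at the registrar stay dangling even though the domain appears to resolve.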

Note: While you are doing the POC for NSDetect locally, please keep in mind that DNS propagation issues might lead to unexpected results. You may need to allow sufficient time for DNS changes to propagate. If you still observe the problem, feel free to raise an issue; we can fix it together!

InfoSec Write-ups

A collection of write-ups from the best hackers in the…

Shiv Sahni

Written by

Security Engineer |Security Consultant |Infosec Trainer | Author | Lecturer | Open Source Contributor | Learner https://www.linkedin.com/in/shivsahni/
