NSDetect: A Tool To Discover Potential AWS Domain Takeovers
Utilities That Might Help You Earn/Save Few Hundred Thousand Dollars! 🤑
AWS is indeed a leading cloud platform and is widely used for all kinds of cloud services by tech giants such as Netflix, Airbnb, Lyft and Deliveroo. In this story I will talk about automated detection of AWS NS Takeover, a security issue caused by a misconfiguration around the AWS Route 53 service. The tool can be used by infrastructure security engineers, DevSecOps engineers, penetration testers and bug bounty hunters (🤑) for automated detection of NS Takeover.
If you are not familiar with AWS NS Takeover, I strongly recommend first going through the following story to understand the issue. That story also covers exploitation with NSBrute, which penetration testers and bug bounty hunters can use to produce a valid proof of concept.
To recap for readers already aware of the issue: AWS NS Takeover is a security issue caused by a misconfiguration when using AWS Route 53 for DNS. It occurs when AWS name servers are listed as the authoritative name servers for a domain (at the registrar, or in the parent zone for a subdomain) while those name servers no longer hold a hosted zone for that domain. Because Route 53 assigns name servers from a shared pool, anyone can create a hosted zone for the same name and, with enough attempts, be assigned name servers that match the dangling delegation, at which point their zone answers for the domain.
This typically happens when an administrator decommissioning a domain deletes the hosted zone from Route 53 but forgets to remove the now dangling name server entries at the domain registrar.
For example, for my domain shivsahni.com I have provided AWS nameservers as authoritative name servers as shown below:
Whereas in my AWS console I have deleted the hosted zone, so the name servers listed at the registrar hold no zone for the domain, making it potentially vulnerable to AWS NS Takeover.
Recently I developed AWS NSDetect, a Python utility to identify domains vulnerable to AWS NS Takeover. The scope of this utility is limited to identifying the misconfiguration. You can use it in combination with NSBrute for the exploitation, i.e. to gain control of the domain.
As shown below, the script takes a file containing a list of domains as input, checks each one for this misconfiguration and finally reports the list of vulnerable domains.
The input file can be of the following form:
💡Pro Tip💡 You can refer to this excellent blog on Subdomain Enumeration by Patrik Hudák (@0xpatrik) to prepare a rich list of domains to scan. Don't forget: Enumeration Is The Key!
Once we have done sufficient recon on the target and prepared the list of domains/subdomains, we can feed that list to the tool, which scans each domain in it (skipping duplicates). As shown below, the script prints results in real time; domains highlighted in red are the vulnerable ones.
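To make the detection logic concrete, here is an added Python example (my own illustration, not the NSDetect source) of the check described in the two paragraphs above: it parses the input list (dropping blanks, comments and duplicates), keeps only names delegated to Route 53 servers (the awsdns-NN naming pattern), asks each of those servers directly for the domain's SOA record, and flags the domain when every server answers REFUSED, which is what a Route 53 server returns for a name it does not host. The DNS lookups are injected as callables and the delegation and answer data are constructed, so it runs offline; the names dangling.example, healthy.example and the demo_* helpers are assumptions made for the demo.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Route 53 name servers look like ns-<n>.awsdns-<nn>.{com,net,org,co.uk}
ROUTE53_NS_RE = re.compile(r"^ns-\d+\.awsdns-\d+\.(?:com|net|org|co\.uk)\.?$", re.I)


def is_route53_ns(name: str) -> bool:
    """True if `name` is an AWS Route 53 name server."""
    return bool(ROUTE53_NS_RE.match(name.strip()))


def load_domains(text: str) -> List[str]:
    """One domain per line; blanks and '#' comments skipped, names lower-cased,
    trailing dots removed, duplicates dropped (first occurrence wins)."""
    seen, out = set(), []
    for line in text.splitlines():
        d = line.split("#", 1)[0].strip().lower().rstrip(".")
        if d and d not in seen:
            seen.add(d)
            out.append(d)
    return out


@dataclass
class Finding:
    domain: str
    nameservers: List[str]            # delegation as published at the registrar / parent zone
    rcodes: Dict[str, Optional[str]]  # per Route 53 NS: 'NOERROR', 'REFUSED', ..., None on timeout
    vulnerable: bool
    reason: str


def check_domain(domain: str, lookup_ns: Callable[[str], List[str]],
                 query_soa: Callable[[str, str], Optional[str]]) -> Finding:
    """Flag `domain` if it is delegated to Route 53 name servers that no longer
    host a zone for it: a Route 53 server answers REFUSED to an SOA query for a
    name it does not host, and NOERROR when a hosted zone exists."""
    nameservers = [ns.lower() for ns in lookup_ns(domain)]
    aws_ns = [ns for ns in nameservers if is_route53_ns(ns)]
    if not nameservers:
        return Finding(domain, nameservers, {}, False, "no NS delegation found")
    if not aws_ns:
        return Finding(domain, nameservers, {}, False, "not delegated to Route 53")
    rcodes = {ns: query_soa(domain, ns) for ns in aws_ns}
    answered = [rc for rc in rcodes.values() if rc is not None]
    if not answered:
        return Finding(domain, nameservers, rcodes, False, "all Route 53 NS timed out; recheck")
    if "NOERROR" in answered:
        return Finding(domain, nameservers, rcodes, False, "Route 53 still serves the zone")
    if all(rc == "REFUSED" for rc in answered):
        return Finding(domain, nameservers, rcodes, True,
                       "delegated to Route 53 but no hosted zone answers: NS takeover candidate")
    return Finding(domain, nameservers, rcodes, False,
                   "unexpected rcodes %s; verify manually" % sorted(set(answered)))


def scan(domains: List[str], lookup_ns, query_soa) -> List[Finding]:
    """Check every domain in the (already de-duplicated) list."""
    return [check_domain(d, lookup_ns, query_soa) for d in domains]


# Constructed demo data (no network): each name's published delegation and what
# the Route 53 servers answer to "<domain> SOA". Not real domains.
DEMO_DELEGATION = {
    "dangling.example": ["ns-512.awsdns-00.net.", "ns-1536.awsdns-00.co.uk."],
    "healthy.example": ["ns-10.awsdns-01.com.", "ns-1000.awsdns-60.org."],
    "elsewhere.example": ["ns1.registrar-dns.example."],
}
DEMO_SOA_RCODE = {"dangling.example": "REFUSED",   # hosted zone was deleted
                  "healthy.example": "NOERROR"}    # hosted zone still exists
DEMO_INPUT = """# constructed input list
dangling.example
Dangling.Example.   # same domain, different case and trailing dot: skipped
healthy.example
elsewhere.example
nothing.example
"""


def demo_lookup_ns(domain: str) -> List[str]:
    return DEMO_DELEGATION.get(domain, [])


def demo_query_soa(domain: str, ns: str) -> Optional[str]:
    return DEMO_SOA_RCODE.get(domain)


if __name__ == "__main__":
    for f in scan(load_domains(DEMO_INPUT), demo_lookup_ns, demo_query_soa):
        print("VULNERABLE" if f.vulnerable else "ok        ", f.domain, "-", f.reason)
```

For a real run, replace the two demo callables with live lookups. Read the delegation from the parent zone or registrar rather than through a recursive resolver (`dig +norecurse @a.gtld-servers.net example.com NS`), because a recursive NS lookup of a dangling delegation ends in SERVFAIL instead of returning the stale name servers; then send the SOA query straight to each AWS server (`dig @ns-512.awsdns-00.net example.com SOA`), which shows `status: REFUSED` when the hosted zone is gone. Treating timeouts and mixed answers as "recheck" rather than "vulnerable" keeps the report free of false positives caused by transient resolution failures.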
Once you have a list of vulnerable domains, you can use NSBrute to take over the vulnerable domain as shown below:
The vulnerability has a straightforward fix: remove the dangling name server entries for the domain at the registrar (or in the parent zone, for a delegated subdomain). If the domain is still needed, create a fresh hosted zone in Route 53 and update the registrar to the name servers assigned to that new zone; re-creating the zone does not bring back the old name server set, so the delegation must be updated as well.
Note: while testing NSDetect locally, keep in mind that DNS propagation delays may lead to unexpected results, so allow sufficient time for DNS changes to propagate. If you still observe a problem, feel free to raise an issue and we can fix it together!
Would appreciate your suggestions, bug reports, pull requests and other collaborations! Let’s save the world from hackers!