NSDetect: A Tool To Discover Potential AWS Domain Takeovers

Utilities That Might Help You Earn/Save a Few Hundred Thousand Dollars! 🤑

Shiv Sahni
May 3 · 4 min read

Introduction

AWS is indeed a leading cloud platform and is widely used for various types of cloud services by tech giants such as Netflix, Airbnb, Lyft, Deliveroo, etc. In this story I talk about the automated detection of AWS NS Takeover, a security issue caused by a misconfiguration around the AWS Route 53 service. The tool can be used by Infrastructure Security Engineers, DevSecOps Engineers, Penetration Testers and Bug Bounty Hunters for automated detection of NS Takeover.

If you are unaware of AWS NS Takeover, I strongly recommend you first go through the following story to better understand the issue. That story also covers the exploitation techniques that Penetration Testers and Bug Bounty Hunters can leverage to generate a valid proof of concept.

To brush up the concepts for people already aware of this issue: AWS NS Takeover is a security issue that occurs due to a misconfiguration while using AWS Route 53 for DNS. It occurs when AWS nameservers are configured (at the registrar) as the authoritative nameservers for a domain while those nameservers no longer hold a hosted zone for that domain. Because Route 53 hands out nameservers from a shared pool, anyone who manages to create a hosted zone for that domain name that is assigned the same nameservers can then serve records for it.

This typically happens when an administrator decommissioning a domain deletes its hosted zone from AWS Route 53 but forgets to remove the now-dangling nameserver delegation at the domain registrar.

For example, at my domain registrar I have configured AWS nameservers as the authoritative nameservers for my domain (registrar screenshot omitted).

Whereas in my AWS console I have deleted the hosted zone, so the nameservers the registrar points to no longer hold a zone file for the domain, making the domain potentially vulnerable to AWS NS Takeover (console screenshot omitted).

AWS NSDetect

Recently I developed NSDetect, a Python utility to identify domains vulnerable to AWS NS Takeover. The scope of this utility is limited to identification of the misconfiguration. You can use it in combination with NSBrute for exploitation, i.e. to gain control of the domain.

Usage

The script takes a file containing a list of domains as input, scans each of them for this vulnerability and finally reports the list of vulnerable domains (usage screenshot omitted).

The input file is simply a list of domains/subdomains, one per line.

💡💡 You can refer to the amazing blog on Subdomain Enumeration by Patrik Hudák (@0xpatrik) to prepare a rich list of domains to scan. Don't forget!

Once we have done sufficient recon on the target and have prepared the list of domains/subdomains, we can provide the list as input to the tool, which scans each domain in the list (skipping duplicates). The script prints results in real time; domains highlighted in red are the vulnerable ones (output screenshot omitted).
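To make the check concrete, here is an added example of the core detection logic, written for this page and not taken from NSDetect itself, using only the Python standard library. It assumes three things the page does not state: that Route 53 nameservers follow the ns-NNN.awsdns-NN.{com,net,org,co.uk} naming pattern, that a Route 53 server answers NOERROR with the AA bit set for a zone it hosts and a non-zero RCODE (REFUSED, sometimes SERVFAIL) for a name it has no hosted zone for, and that the delegated NS set for each domain is supplied by the caller (for instance from `dig +short NS example.com`). The delegations and replies in `FAKE_DELEGATIONS`/`FAKE_REPLIES` are constructed fixtures so the script runs offline; swap in `udp_query` to ask the real nameservers.

```python
import random
import re
import socket
import struct

# Assumption: Route 53 nameserver host naming (not verified on this page).
AWS_NS_RE = re.compile(r"^ns-\d+\.awsdns-\d+\.(com|net|org|co\.uk)\.?$", re.I)
QTYPE_SOA, QCLASS_IN = 6, 1
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_REFUSED = 0, 2, 5
DANGLING_RCODES = {RCODE_SERVFAIL, RCODE_REFUSED}   # "no hosted zone here"


def is_aws_nameserver(host):
    return bool(AWS_NS_RE.match(host))


def build_query(domain, txid, qtype=QTYPE_SOA, rd=False):
    """Minimal RFC 1035 query: 12-byte header plus one question.
    RD is off by default because we ask the authoritative servers directly."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in domain.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


def parse_response(packet, txid):
    """Return rcode / AA flag / answer count from the header only; that is all
    the takeover check needs, so no RR or name-compression parsing is done."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    return {"rcode": flags & 0x000F, "aa": bool(flags & 0x0400), "answers": an}


def udp_query(ns_host, domain, timeout=3.0):
    """Live transport: send the SOA query to one nameserver over UDP/53.
    Returns the parsed header, or None on timeout / unresolvable host."""
    txid = random.randrange(0x10000)
    packet = build_query(domain, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(packet, (socket.gethostbyname(ns_host), 53))
            data, _ = sock.recvfrom(4096)
        except (socket.timeout, socket.gaierror):
            return None
    return parse_response(data, txid)


def verdict_for(domain, delegated_ns, query=udp_query):
    """Classify one domain given the NS hosts its parent zone delegates it to."""
    aws_ns = [ns for ns in delegated_ns if is_aws_nameserver(ns)]
    if not aws_ns:
        return "not-route53", {}
    per_ns = {}
    for ns in aws_ns:
        reply = query(ns, domain)
        if reply is None:
            per_ns[ns] = "timeout"
        elif reply["rcode"] in DANGLING_RCODES:
            per_ns[ns] = "dangling"
        elif reply["rcode"] == RCODE_NOERROR and reply["aa"]:
            per_ns[ns] = "hosted"
        else:
            per_ns[ns] = "unexpected"
    if all(v == "dangling" for v in per_ns.values()):
        return "vulnerable", per_ns     # zone gone from every delegated Route 53 server
    if any(v == "hosted" for v in per_ns.values()):
        return "hosted", per_ns
    return "inconclusive", per_ns       # timeouts or mixed answers: re-check later


def scan(domains, delegations, query=udp_query):
    """Scan an input list (duplicates skipped, order kept) -> {domain: verdict}.
    `delegations` maps domain -> list of NS hosts from the parent zone."""
    results = {}
    for raw in domains:
        domain = raw.strip().lower().rstrip(".")
        if not domain or domain in results:
            continue
        results[domain] = verdict_for(domain, delegations.get(domain, []), query)[0]
    return results


# Constructed offline fixture: no real domains or servers are contacted.
FAKE_DELEGATIONS = {
    "dangling.example": ["ns-123.awsdns-15.com", "ns-456.awsdns-56.net"],
    "healthy.example": ["ns-123.awsdns-15.com", "ns-456.awsdns-56.net"],
    "other.example": ["ns1.example-registrar.invalid"],
}
FAKE_REPLIES = {
    ("ns-123.awsdns-15.com", "dangling.example"): {"rcode": RCODE_REFUSED, "aa": False, "answers": 0},
    ("ns-456.awsdns-56.net", "dangling.example"): {"rcode": RCODE_REFUSED, "aa": False, "answers": 0},
    ("ns-123.awsdns-15.com", "healthy.example"): {"rcode": RCODE_NOERROR, "aa": True, "answers": 1},
    ("ns-456.awsdns-56.net", "healthy.example"): {"rcode": RCODE_NOERROR, "aa": True, "answers": 1},
}


def fake_query(ns_host, domain):
    return FAKE_REPLIES.get((ns_host, domain))


if __name__ == "__main__":
    sample_input = ["dangling.example", "Dangling.Example.", "healthy.example", "other.example"]
    for name, verdict in scan(sample_input, FAKE_DELEGATIONS, fake_query).items():
        print(f"{name:20s} {verdict}")
```

Two design points worth noting. The verdict is "vulnerable" only when every delegated Route 53 server denies the zone; a mix of REFUSED and timeouts is reported as inconclusive rather than as a finding, which is what you want when DNS changes are still propagating. And the check is deliberately a direct query to the delegated servers, not a lookup through your recursive resolver: a cached answer from the resolver would hide the fact that the authoritative servers no longer hold the zone.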

Once you have a list of vulnerable domains, you can use NSBrute to take over a vulnerable domain (NSBrute screenshot omitted).

Remediation

The vulnerability has a straightforward fix: remove the dangling nameserver entries for the domain at the domain registrar (or, if the domain is still in use, recreate the hosted zone and update the registrar with the nameservers Route 53 assigns to the new zone).
Note: While you are doing the POC for NSDetect locally, please keep in mind that DNS propagation delays might lead to unexpected results. You may need to allow sufficient time for DNS changes to propagate. If you still observe the problem, feel free to raise an issue and we can fix it!

Would appreciate your suggestions, bug reports, pull requests and other collaborations!

Stay tuned for some upcoming cool stuff around Microsoft Azure. Feel free to follow me on Medium and Twitter

InfoSec Write-ups

Shiv Sahni

Written by

Security Engineer |Security Consultant |Infosec Trainer | Author | Lecturer | Open Source Contributor | Learner https://www.linkedin.com/in/shivsahni/
