DNSTake - A Fast Tool To Check Missing Hosted DNS Zones That Can Lead To Subdomain Takeover

#294

  • A fast tool to check missing hosted DNS zones that can lead to subdomain takeover.
    What is a DNS takeover?
    DNS takeover vulnerabilities occur when a subdomain (subdomain.example.com) or domain has its authoritative nameserver set to a provider (e.g. AWS Route 53, Akamai, Microsoft Azure, etc.) but the hosted zone has been removed or deleted. Consequently, when a request is made for DNS records, the server responds with a SERVFAIL error. This allows an attacker to create the missing hosted zone on the service that was being used and thus control all DNS records for that (sub)domain.¹
    Installation
    from Binary
    The ez way! You can download a pre-built binary from releases page, just unpack and run!
    from Source
    NOTE: Go 1.16+ compiler should be installed & configured!
    Very quick & clean!

    ▶ go install github.com/pwnesia/dnstake/cmd/dnstake@latest
    

    — or
    Manual building executable from source code:

    ▶ git clone https://github.com/pwnesia/dnstake  
    ▶ cd dnstake/cmd/dnstake  
    ▶ go build .  
    ▶ (sudo) mv dnstake /usr/local/bin
    

    Usage

    $ dnstake -h  
    ·▄▄▄▄   ▐ ▄ .▄▄ ·▄▄▄▄▄ ▄▄▄· ▄ •▄ ▄▄▄ .  
    ██▪ ██ •█▌▐█▐█ ▀.•██  ▐█ ▀█ █▌▄▌▪▀▄.▀·  
    ▐█· ▐█▌▐█▐▐▌▄▀▀▀█▄▐█.▪▄█▀▀█ ▐▀▀▄·▐▀▀▪▄  
    ██. ██ ██▐█▌▐█▄▪▐█▐█▌·▐█ ▪▐▌▐█.█▌▐█▄▄▌  
    ▀▀▀▀▀• ▀▀ █▪ ▀▀▀▀ ▀▀▀  ▀  ▀ ·▀  ▀ ▀▀▀  
    (c) pwnesia.org — v0.0.1  
    Usage:  
    [stdin] | dnstake [options]  
    dnstake -t HOSTNAME [options]  
    Options:  
    -t, --target <HOST/FILE>    Define single target host/list to check  
    -c, --concurrent <i>        Set the concurrency level (default: 25)  
    -s, --silent                Suppress errors and/or clean output  
    -h, --help                  Display its help  
    Examples:  
    dnstake -t (sub.)domain.tld  
    dnstake -t hosts.txt  
    cat hosts.txt | dnstake  
    subfinder -silent -d domain.tld | dnstake
    

    Workflow
    DNSTake uses the RetryableDNS client library to send DNS queries. It first resolves the target using Google and Cloudflare DNS as resolvers, then checks and fingerprints the nameservers of the target host. If it finds one, it resolves the target host again using that nameserver's IPs as the resolver; if the reply carries an unexpected DNS status (anything other than NOERROR/NXDOMAIN), the host is flagged as vulnerable to takeover. The flow is, more or less, as shown in the diagram.
    Currently supported DNS providers, see here.
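The second step of that workflow, as an added Go example that is not dnstake's own code (dnstake uses the RetryableDNS library; this builds the packet by hand so the RCODE is visible): send an A query for a host straight to one of its delegated nameserver IPs and apply the NOERROR/NXDOMAIN rule, which is the check a defender would run against their own delegations. Nameserver discovery (the Google/Cloudflare step) is assumed to have been done already, e.g. with net.LookupNS; the fixed transaction ID and the 63-byte label limit are assumptions noted in the comments.

```go
package main

import (
	"net"
	"strings"
	"time"
)

// RCODEs from RFC 1035; dnstake's rule is that the zone's own NS answering with anything but the first two is a takeover signal.
const RcodeNoError, RcodeServFail, RcodeNXDomain, RcodeRefused = 0, 2, 3, 5

// BuildQuery encodes a minimal DNS query: 12-byte header plus one IN question.
func BuildQuery(id uint16, name string, qtype uint16) []byte {
	msg := []byte{byte(id >> 8), byte(id), 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0} // ID, flags RD=1, QDCOUNT=1, rest 0
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		msg = append(msg, byte(len(label))) // length-prefixed label (<=63 bytes assumed)
		msg = append(msg, label...)
	}
	return append(msg, 0, byte(qtype>>8), byte(qtype), 0, 1) // root label, QTYPE, QCLASS=IN
}

// Rcode returns the 4-bit RCODE of a reply, or -1 if it is not a response to id.
func Rcode(resp []byte, id uint16) int {
	if len(resp) < 12 || uint16(resp[0])<<8|uint16(resp[1]) != id || resp[2]&0x80 == 0 {
		return -1
	}
	return int(resp[3] & 0x0F)
}

// Suspicious applies dnstake's decision rule to an RCODE.
func Suspicious(rc int) bool { return rc != RcodeNoError && rc != RcodeNXDomain }

// QueryRcode sends an A query for name straight to one nameserver IP over UDP/53.
func QueryRcode(nsIP, name string) (int, error) {
	const id = 0x2a2a // fixed transaction ID; fine for a one-shot check
	conn, err := net.DialTimeout("udp", net.JoinHostPort(nsIP, "53"), 3*time.Second)
	if err != nil {
		return -1, err
	}
	defer conn.Close()
	_ = conn.SetDeadline(time.Now().Add(3 * time.Second))
	buf, n := make([]byte, 512), 0
	if _, err = conn.Write(BuildQuery(id, name, 1)); err == nil {
		n, err = conn.Read(buf)
	}
	if err != nil {
		return -1, err
	}
	return Rcode(buf[:n], id), nil
}
```

A network timeout or refused UDP port is reported as an error rather than an RCODE, so treat it as "inconclusive", not as a finding.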
    References
