Dangling Domains in AWS script for exploitation

This was written by dafthack/aws-dangling-domain-discovery-tool.sh but was not working because Bing updated its endpoints. I also added some enhancements to the code, like the last commented line, with which you can release your IPs manually if needed.

To run it you will need

  • AWS CLI
  • AWS profile that will let you allocate/deallocate IPs
  • Azure Cognitive Services Bing Search API key
    • Go to Azure Cognitive Services
    • Click on Create
    • Search for Bing Search v7
    • Create a key (ideally a free one)

Running it is as simple as

aws configure
# put your keys aws 
chmod +x AWS-Dangling-Domains.sh
./dangRic.sh

Risks

Having a subdomain nets you a lot of implicit trust. For example, you could use your newly obtained subdomain to carry out powerful phishing attacks against the organization that owns the base domain. This is possible because you can send and receive email from the subdomain as well as host content on it. After all, why wouldn’t employees trust a subdomain that appears to belong to their company?

Having a subdomain is also useful for exploiting a company. If a website incorrectly scopes its cookies to all subdomains, you can hijack user sessions. This was the case with Origin, which scopes all of its cookies so that the subdomains of Origin.com can also read them. This means that we could send the link to the subdomain we took over (qa.oms.origin.com) to any logged-in Origin users and take full control over their account.

Do they have a crossdomain.xml policy? It probably allows all subdomains (as demonstrated in our recent Black Hat talk). You can then use Flash to hijack their account and steal sensitive account information. For example, if a financial institution made any of these mistakes, you could steal customer financial information or send money from a customer’s account.
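Both misconfigurations named above (cookies scoped to the base domain, and a crossdomain.xml that grants access to every subdomain) can be checked from a captured HTTP response and the policy file, which is what a defender reviewing their own properties would do. The POSIX shell functions below are an added example, not code from the original repository: wide_cookies lists the cookies whose Domain attribute equals the given base domain and which every subdomain can therefore read, and permissive_crossdomain lists crossdomain.xml entries that grant access to a wildcard. The headers, the policy file and the domain names are constructed sample data.

```shell
#!/bin/sh
# Added example; not part of the original repository.

# Constructed sample response headers, as a server might send them.
SET_COOKIE_HEADERS="Set-Cookie: sid=abc123; Domain=.example.com; Path=/; Secure; HttpOnly
Set-Cookie: pref=dark; Path=/
Set-Cookie: csrf=xyz; Domain=www.example.com; Path=/; Secure"

# Constructed sample crossdomain.xml.
CROSSDOMAIN_XML='<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.example.com" />
  <allow-access-from domain="partner.example.org" secure="true" />
</cross-domain-policy>'

# wide_cookies HEADERS BASE_DOMAIN: print the name of every cookie whose Domain
# attribute is the base domain (with or without the leading dot). Per RFC 6265 a
# Domain attribute makes the cookie readable by that domain and all of its
# subdomains, so these are the cookies a taken-over subdomain could read.
wide_cookies() {
    base="$2"
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in "Set-Cookie:"*) ;; *) continue ;; esac
        # cookie name is everything between "Set-Cookie: " and the first "="
        name=$(printf '%s' "$line" | sed 's/^Set-Cookie: *\([^=]*\)=.*/\1/')
        # attributes always follow the name=value pair, so Domain= is preceded by ";"
        dom=$(printf '%s' "$line" | sed -n 's/.*;[ ]*[Dd]omain=\.\{0,1\}\([^;]*\).*/\1/p')
        if [ "$dom" = "$base" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# permissive_crossdomain XML: print allow-access-from domains that are wildcards
# ("*" or "*.something"), i.e. grants that extend to every subdomain.
permissive_crossdomain() {
    printf '%s\n' "$1" \
        | sed -n 's/.*<allow-access-from[^>]*domain="\([^"]*\)".*/\1/p' \
        | grep -E '^\*(\..*)?$'
}

echo "Cookies readable by every subdomain of example.com:"
wide_cookies "$SET_COOKIE_HEADERS" example.com
echo "Wildcard crossdomain.xml grants:"
permissive_crossdomain "$CROSSDOMAIN_XML"
```

On the sample data the first function reports only sid (csrf is scoped to www.example.com and pref has no Domain attribute), and the second reports *.example.com. In a real review the headers come from the site's own responses and the XML from /crossdomain.xml on the site.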

The greater issue exposed by this attack is the challenge of trusting ephemeral resources. Organizations need to stay vigilant of who and what they are trusting, as things like cloud instances are subject to change. When that change happens, the trust placed in that asset could be reacquired by an attacker.
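The vigilance this paragraph asks for can be automated on the defending side: reconcile every DNS A record against the Elastic IPs the account still holds, and flag records that point into cloud address space at an address the account no longer owns. The script below is an added example, not part of the original repository or of dafthack's tool. The owned-IP list, the A records and the cloud CIDRs are constructed samples; the AWS CLI commands in the comments are the ones that would produce the real inputs, and the real EC2 prefixes are published by AWS in ip-ranges.json.

```shell
#!/bin/sh
# Added example; not part of the original repository.

# Constructed sample inputs. In practice they would come from:
#   aws ec2 describe-addresses --query 'Addresses[].PublicIp' --output text
#   aws route53 list-resource-record-sets --hosted-zone-id <ZONE_ID> \
#       --query "ResourceRecordSets[?Type=='A'].[Name,ResourceRecords[0].Value]" --output text
OWNED_EIPS="203.0.113.10
203.0.113.11"

DNS_A_RECORDS="www.example.com 203.0.113.10
qa.oms.example.com 203.0.113.42
blog.example.com 198.51.100.7
api.example.com 203.0.113.11"

# Constructed stand-in for the EC2 prefixes in AWS's ip-ranges.json.
CLOUD_CIDRS="203.0.113.0/24 192.0.2.0/24"

# in_cidr IP CIDR: exit 0 if IP lies inside CIDR. Pure awk; integer division by
# the host-part size replaces the bitwise AND that POSIX awk lacks.
in_cidr() {
    awk -v ip="$1" -v cidr="$2" '
        function toint(a,  p) { split(a, p, "."); return ((p[1]*256+p[2])*256+p[3])*256+p[4] }
        BEGIN {
            split(cidr, c, "/")
            host = 2 ^ (32 - c[2])        # number of addresses in the host part
            exit !(int(toint(ip) / host) == int(toint(c[1]) / host))
        }'
}

# in_cloud IP: exit 0 if IP falls in any of CLOUD_CIDRS.
in_cloud() {
    for cidr in $CLOUD_CIDRS; do
        in_cidr "$1" "$cidr" && return 0
    done
    return 1
}

# find_dangling OWNED RECORDS: print "name ip" for every A record that points
# into the cloud ranges but at an address the account does not hold. Those are
# the records an attacker could reacquire by allocating addresses until one matches.
find_dangling() {
    owned="$1"
    printf '%s\n' "$2" | while read -r name ip; do
        [ -n "$name" ] || continue
        if in_cloud "$ip" && ! printf '%s\n' "$owned" | grep -qxF "$ip"; then
            printf '%s %s\n' "$name" "$ip"
        fi
    done
}

echo "Dangling A records:"
find_dangling "$OWNED_EIPS" "$DNS_A_RECORDS"
```

On the sample data only qa.oms.example.com is reported: it points into the cloud range but at an address that is not in the owned list, while blog.example.com points outside the cloud ranges and is left alone. Running this on a schedule against the real zone and EIP list catches a record before it goes stale long enough for someone else to pick the address up.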

Results look like:

Code here or in github ->

#!/bin/bash

# This script attempts to locate potential dangling domains on AWS. You need AWS CLI installed and your keys configured
# Make sure you insert your Bing API key below as well.
# All the sleeps were necessary to not allocate the same IP address multiple times

REGION=us-west-1

while true
do
    unset IP
    unset ALLOCID
    unset RESULTS
    # Read the address and its allocation ID from the same allocate-address call, so the
    # ID always belongs to the IP being checked (describe-addresses lists every address in
    # the account and Addresses[0] is not guaranteed to be the one just allocated)
    read -r IP ALLOCID < <(aws ec2 allocate-address --region "$REGION" --output text --query '[PublicIp,AllocationId]')
    if [ -z "$IP" ] || [ -z "$ALLOCID" ]; then
        echo "allocate-address failed; check your AWS credentials and Elastic IP quota"
        exit 1
    fi
    sleep 10
    echo "Checking address: $IP with allocID: $ALLOCID"
    sleep 10
    # Put your Bing v7.0 API key in the next line after Ocp-Apim-Subscription-Key
    RESULTS=$(curl -s -H "Ocp-Apim-Subscription-Key: BING-API-KEY-GOES-HERE" "https://api.cognitive.microsoft.com/bing/v7.0/search?q=ip:$IP&count=1&mkt=en-US")
    # displayUrl only appears in the JSON when Bing has a page indexed under this IP
    if echo "$RESULTS" | grep -q 'displayUrl'; then
        echo "We found one! $IP"
        break
    else
        echo "Releasing Address $IP with allocID: $ALLOCID"
        aws ec2 release-address --region "$REGION" --allocation-id "$ALLOCID"
        sleep 20
    fi
done

For more or the code

Mexican-Pentester