Dangling Domains in AWS script for exploitation
This script is based on dafthack/aws-dangling-domain-discovery-tool.sh, which had stopped working because Bing updated its API endpoints. I also added some enhancements to the code, such as the last commented line, which lets you release your IPs manually if needed.
To run it you will need:
- AWS CLI
- An AWS profile that is allowed to allocate and release Elastic IPs
- An Azure Cognitive Services Bing Search API key:
  - Go to Azure Cognitive Services
  - Click on Create
  - Search for Bing Search v7
  - Create a key (ideally a free one)
Running it is as simple as:

```bash
aws configure
# enter your AWS access keys when prompted
chmod +x AWS-Dangling-Domains.sh
./dangRic.sh
```
Risks
Having a subdomain nets you a lot of implicit trust. For example, you could use your newly obtained subdomain to carry out powerful phishing attacks against the organization that owns the base domain. This is possible because you can send and receive email from the subdomain as well as host content on it. After all, why wouldn’t employees trust a subdomain that appears to belong to their company?
Having a subdomain is also useful for exploiting a company. If a website incorrectly scopes its cookies to all subdomains, you can hijack user sessions. This was the case with Origin, which scopes all of its cookies so that subdomains of Origin.com can also read them. This means that we could send the link to the subdomain we took over (qa.oms.origin.com) to any logged-in Origin users and take full control over their account.
Do they have a crossdomain.xml policy? It probably allows all subdomains (as demonstrated in our recent Black Hat talk). You can then use Flash to hijack their account and steal sensitive account information. For example, if a financial institution made any of these mistakes, you could steal customer financial information or send money from a customer’s account.
The greater issue exposed by this attack is the challenge of trusting ephemeral resources. Organizations need to stay vigilant of who and what they are trusting, as things like cloud instances are subject to change. When that change happens, the trust placed in that asset could be reacquired by an attacker.
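The defensive counterpart to the script below is checking your own zone for A records that still point into EC2 address space at an IP your account no longer holds. This is an added example, not part of the original tool; the ip-ranges.json snippet, the set of owned Elastic IPs and the DNS records are all constructed stand-ins for what `https://ip-ranges.amazonaws.com/ip-ranges.json`, `aws ec2 describe-addresses` and a zone export would give you.

```python
import ipaddress
import json

# Constructed stand-in for the "prefixes" section of AWS's published
# ip-ranges.json (the real file is much larger).
AWS_IP_RANGES_JSON = json.dumps({"prefixes": [
    {"ip_prefix": "13.52.0.0/15", "region": "us-west-1", "service": "EC2"},
    {"ip_prefix": "52.94.76.0/22", "region": "us-west-2", "service": "AMAZON"},
]})

# Constructed: Elastic IPs this account still holds (what
# `aws ec2 describe-addresses` would list) and the zone's A records.
OWNED_EIPS = {"13.52.10.4"}
DNS_A_RECORDS = {
    "www.example.com": "13.52.10.4",    # owned EIP: fine
    "qa.example.com": "13.53.200.9",    # EC2 range, not owned: dangling
    "mail.example.com": "203.0.113.7",  # not AWS at all: out of scope here
    "s3.example.com": "52.94.77.1",     # AMAZON-only prefix, not EC2
}


def ec2_networks(ip_ranges_json):
    """Return the EC2 prefixes of an ip-ranges.json document as networks."""
    doc = json.loads(ip_ranges_json)
    return [ipaddress.ip_network(p["ip_prefix"])
            for p in doc["prefixes"] if p["service"] == "EC2"]


def find_dangling(records, owned_eips, ec2_nets):
    """Return {name: ip} for A records that point into EC2 space at an
    address this account does not hold. Those records are the ones an
    attacker could reacquire by allocating Elastic IPs until one matches."""
    dangling = {}
    for name, ip in records.items():
        if ip in owned_eips:
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in ec2_nets):
            dangling[name] = ip
    return dangling


if __name__ == "__main__":
    nets = ec2_networks(AWS_IP_RANGES_JSON)
    for name, ip in find_dangling(DNS_A_RECORDS, OWNED_EIPS, nets).items():
        print(f"DANGLING {name} -> {ip}")
```

Run it on a real zone export and the current ip-ranges.json; anything it reports should be deleted from DNS or pointed at an address you actually own.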
The code (also in the GitHub repository):
```bash
#!/bin/bash
# This script attempts to locate potential dangling domains on AWS.
# You need the AWS CLI installed and your keys configured.
# Make sure you insert your Bing API key below as well.
# All the sleeps were necessary to not allocate the same IP address multiple times.
set -u
REGION="us-west-1"
BING_KEY="BING-API-KEY-GOES-HERE"   # Put your Bing v7.0 API key here

while true
do
    unset IP ALLOCID RESULTS
    # Read the address and its allocation ID from the same allocate-address call,
    # so we always release exactly the address we just allocated.
    read -r IP ALLOCID < <(aws ec2 allocate-address --region "$REGION" \
        --output text --query '[PublicIp,AllocationId]')
    echo "Checking address: $IP with allocID: $ALLOCID"
    sleep 10
    # Bing's ip: operator returns pages Bing has indexed on that address
    RESULTS=$(curl -s -H "Ocp-Apim-Subscription-Key: $BING_KEY" \
        "https://api.cognitive.microsoft.com/bing/v7.0/search?q=ip:$IP&count=1&mkt=en-us")
    if echo "$RESULTS" | grep -q 'displayUrl'; then
        echo "We found one! $IP"
        break
    else
        echo "Releasing Address $IP with allocID: $ALLOCID"
        aws ec2 release-address --region "$REGION" --allocation-id "$ALLOCID"
        sleep 20
    fi
done

# To release an address by hand (e.g. after stopping the script), uncomment and fill in:
# aws ec2 release-address --region us-west-1 --allocation-id <ALLOCATION-ID>
```