1. Cybersecurity >
  2. Cybersecurity Nachrichten >
  3. Taken - Takeover AWS Ips And Have A Working POC For Subdomain Takeover


Taken - Takeover AWS Ips And Have A Working POC For Subdomain Takeover

IT Security Nachrichten vom | Direktlink: feedproxy.google.com Nachrichten Bewertung

Takeover AWS ips and have a working POC for Subdomain Takeover. Idea is simple

  • Get subdomains.
  • Do reverse lookups to only save AWS ips.
  • Restart EC2 instance every min. and public ip gets rotated on each restart. Match it with your existing list of subdomain ips and you have a working subdomain takeover POC.
  • Notify via email as soon as you take over a subdomain

  • AWS Account
  • Knowledge of Linux and Bash script

Tech/framework used

Built with

  • Bash

  • Gather subdomains and do reverse lookup to only target AWS ips.
  • Rotate IPs by restarting ec2 instance until it matches one of the ips in the list.
  • On a match that IP/host is added in a whitelist file, so it doesn't gets rotated again and send an email notification.

Detailed steps to use
  1. Create one instance t2.medium (attack machine), free of cost 24*365.
  2. Create 5-10 instances with instance type t3a.nano, probably lowest in cost (higher the no. better chances but more the charges around $60/month for 10 machines) in one or more region, takes 5min.s, have SG Group opened to only your public ip.
  3. Create AWS API keys to stop/start instances.
  4. SSH to your attack machine.
  5. Install email notification utility SSMTP. https://www.digitalocean.com/community/questions/how-to-send-emails-from-a-bash-script-using-ssmtp
  6. Install subfinder and sublist3r.py tools for collecting subdomains. (Or any other tools you want but that would require you adding it in the subdomain-collection script) Follow the steps to set these up https://github.com/aboul3la/Sublist3r https://github.com/projectdiscovery/subfinder
  7. Clone Taken repo and open a screen session to run subdomain-collection script. If you do not know how to use screen session - https://linuxize.com/post/how-to-use-linux-screen/
  8. Create a text file with all domains, you want to target, save it as "alldomains" in the same directory and then Run the subdomain-collection script. This script uses subfinder and sublist3r.py. This shall generate a list of all the subdomains for one or more domains in the format "subdomain:IP" in each line. Which would later be used to match and notify.
  9. Open another screen session and export AWS credentials in that session. Exporting AWS keys. export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE The access key for your AWS account.
    export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY The secret access key for your AWS account.
    Run the takeover script in a different screen session. You can also run for each region in different screen session (check the screenshot below).
    Reasoning - Each Region in AWS has associated different IP subnets. To target companies sitting in US, there are high chances they are running in any of US regions, but may also have assets in other regions like Ireland, Frankfurt etc. So instead of running 10 assets in one region, try running 5 assets in the region company HQ is based and other 5 in different regions.

Screen session example- 

Email Notification -

Took over a subdomain what next - SSH into that host, create a simple HTML file and start a python server and you have a running POC. (I plan on automating this as well in next release)

Running at Bulk

I scraped through all the public programs at HackerOne and Bugcrowd and top 500 SaaS Forbes/SaaS companies, collected their subdomains and started hitting. Within 24 hours i was able to take over 3 subdomains. Instances running total 10 in 3 different regions. Success rate depends highly upon no. of instances running. Since with the script you change around 1440 ips in 24 hours, that would make it around 14400 IPs with 10 instances in 24hours.


Tools used to collect subdomains. https://github.com/projectdiscovery/subfinder

  • Report bugs.
  • Suggestions for improvement.
  • Suggestions for future extensions.

Future Extensions
  • Creating ec2 instances using the same script.
  • Adding auto deploy of http service using AWS beanstalk.

Twitter - https://twitter.com/_In3tinct


Externe Quelle mit kompletten Inhalt anzeigen

Zur Startseite von Team IT Security

➤ Weitere Beiträge von Team Security | IT Sicherheit

Terraform AWS Secure Baseline - Terraform Module To Set Up Your AWS Account With The Secure Baseline Configuration Based On CIS Amazon Web Services Foundations

vom 573.1 Punkte ic_school_black_18dp
Terraform Module RegistryA terraform module to set up your AWS account with the reasonably secure configuration baseline. Most configurations are based on CIS Amazon Web Services Foundations v1.2.0.See Benchmark Compliance to check which items in C

"Can I Take Over XYZ?" - A List Of Services And How To Claim (Sub)Domains With Dangling DNS Records

vom 533.93 Punkte ic_school_black_18dp
What is a subdomain takeover?Subdomain takeover vulnerabilities occur when a subdomain (subdomain.example.com) is pointing to a service (e.g. GitHub pages, Heroku, etc.) that has been removed or deleted. This allows an attacker to set up a page on the

Taken - Takeover AWS Ips And Have A Working POC For Subdomain Takeover

vom 501.2 Punkte ic_school_black_18dp
Takeover AWS ips and have a working POC for Subdomain Takeover. Idea is simple Get subdomains. Do reverse lookups to only save AWS ips. Restart EC2 instance every min. and public ip gets rotated on each restart. Match it with your existing list of

AWS Recon - Multi-threaded AWS Inventory Collection Tool With A Focus On Security-Relevant Resources And Metadata

vom 308.18 Punkte ic_school_black_18dp
A multi-threaded AWS inventory collection tool.The creators of this tool have a recurring need to be able to efficiently collect a large amount of AWS resource attributes and metadata to help clients understand their cloud security posture.There are a

Cloudsplaining - An AWS IAM Security Assessment Tool That Identifies Violations Of Least Privilege And Generates A Risk-Prioritized Report

vom 302.52 Punkte ic_school_black_18dp
Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report.Example reportDocumentationFor full documentation, please visit the project on ReadTheDocs.InstallationCheat sheetExample reportO

Sudomy - Subdomain Enumeration & Analysis

vom 301.31 Punkte ic_school_black_18dp
Sudomy is a subdomain enumeration tool, created using a bash script, to analyze domains and collect subdomains in fast and comprehensive way.FeaturesFor recent time, Sudomy has these 9 features: Easy, light, fast and powerful. Bash script is available

Celebrating International Women’s Day with 20 tech trailblazers

vom 270.27 Punkte ic_school_black_18dp
Posted by Google Developer Studio Today is International Women’s Day and we’re kicking off the celebration with a profile series featuring 20 tech trailblazers who have made significant contributions to the developer community. Many of the women we s

AWS Launches New Tools for Firewalls, Certificates, Credentials

vom 269.59 Punkte ic_school_black_18dp
Amazon Web Services (AWS) announced on Wednesday the launch of several tools and services designed to help customers manage their firewalls, use private certificates, and safely store credentials. Private Certificate Authority One of the new services is called

TakeOver v1 - Extracts CNAME Record Of All Subdomains At Once

vom 257.64 Punkte ic_school_black_18dp
What is Subdomain Takeover? Subdomain takeover is a class of vulnerability where subdomain points to an external service that has been deleted. The external services are Github, Heroku, Gitlab, Tumblr and so on. Let’s assume we have a subdomain sub.example

Domained – Multi Tool Subdomain Enumeration

vom 253.67 Punkte ic_school_black_18dp
Domained is a multi tool subdomain enumeration tool that uses several subdomain enumeration tools and wordlists to create a unique list of subdomains that are passed to EyeWitness for reporting. This produces categorized screenshots, server respons

Takeover v0.2 - Sub-Domain TakeOver Vulnerability Scanner

vom 241.93 Punkte ic_school_black_18dp
Sub-domain takeover vulnerability occur when a sub-domain (subdomain.example.com) is pointing to a service (e.g: GitHub, AWS/S3,..) that has been removed or deleted. This allows an attacker to set up a page on the service that was being used and point their p

S3Tk - A Security Toolkit For Amazon S3

vom 234.03 Punkte ic_school_black_18dp
A security toolkit for Amazon S3Another day, another leaky Amazon S3 bucket— The Register, 12 Jul 2017Don’t be the... next... big... data... leakBattle-tested at InstacartInstallationRun:pip install s3tkYou can use the AWS CLI to set up your AWS

Team Security Diskussion über Taken - Takeover AWS Ips And Have A Working POC For Subdomain Takeover