Hackers can EASILY take over websites using a technique known as subdomain takeover. The scary part is that it’s not that hard. In this video, NetworkChuck will demonstrate how hackers can take over subdomains using tools like Takeover, Amass and Dig.
TOOLS USED IN THIS VIDEO
- Amass: https://github.com/OWASP/Amass (find subdomains)
- TakeOver: https://github.com/m4ll0k/takeover (subdomain takeover vulnerability scanner)
- Dig (apt install dig)
0:00 ⏩ Intro
0:18 ⏩ How subdomain takeover works
1:59 ⏩ Why subdomain takeovers are dangerous
2:33 ⏩ Make sure your code is secure using CodeSec!
4:06 ⏩ Find our target's subdomains using Amass
5:06 ⏩ The username is not available
5:57 ⏩ It actually worked!!
6:17 ⏩ Once you're in GitHub…
6:58 ⏩ The same thing can happen with Azure
7:45 ⏩ So how do you protect your website
This attack is crazy. It's super easy to do. Like seriously, I can show you how to do this in about five minutes. It's untraceable and it can be pretty devastating. So yeah, get your coffee ready. I'm gonna show you how easy it is to take over a subdomain. Let's do this. So here's how this is going to work. I've got my website, hackwellindustries.com. This is my main domain, my root, and also super professional. Don't be jealous. But we can also have subdomains like code.hackwellindustries.com or azure.hackwellindustries.com, and these will often point to third-party services like GitHub or Microsoft Azure. And right now everything is dandy. We can go to these websites and everything is right in the world. But then this happens, and I know this happens all the time: the admin for Hackwell Industries, Bernard, he was told they no longer need a GitHub, so he deletes the account and calls it a day.
All good, right? No, it's not. Do you see what he messed up? Do you see what he missed? You see, here's the hack. Yes, Bernard Hackwell deleted the GitHub account that this DNS entry was pointing to. But do you see what's still there? This DNS entry. This is a CNAME entry pointing to this URL, and even though Bernard deleted the GitHub account, the DNS entry is still there. Now why is that a big deal? Because now a hacker, me, I can come in and create a new GitHub account. Guess what name I can take, because it was deleted: hackwellgit2.github.io. I create a new account with that name and suddenly this subdomain, code.hackwellindustries.com, is pointing to a GitHub that I own, which means I can make it do or say whatever I want it to do. You see how powerful that is?
And it's untraceable. There's no way to detect this. And what did I do? All I did was sign up for a GitHub account, but now I've got 'em. And you can do the same thing with Azure. Bernard deletes that resource, but I can come in and create a new resource and use this newly available name as my resource DNS. And now I own azure.hackwellindustries.com. So again, here's why this is dangerous. That company probably won't notice. There's no alarms that will go off, no scanning that takes place. And I can also do some other attacks. This opens up a lot of doors. I could really up my phishing game, sending customers to a fake website that is actually real. It's using their real domain. But I can make customers do anything: steal their credentials, make them log in and give me all their information.
Really, the possibilities are endless. And this attack was so simple, anybody could do this. So there's two things I wanna show you with this. First, how do hackers identify if there are vulnerable subdomains? And second, how do they take them over? But first, let me tell you, even if you have your DNS settings perfect, if your code, your apps, aren't secure, it doesn't matter. Are you writing insecure code? Odds are pretty high that you are. So real quick, why don't we take a quick coffee break and find out if your code is insecure with CodeSec by Contrast Security. Let's try it out. Seriously, this will only take you a few sips of coffee, because you can scan your code right from the terminal and it takes seconds. Like, they are the fastest code scanner out there, the fastest SAST. That fast is fast.
Now if you do wanna follow along, check out the link below. CodeSec is free. It's free forever. And really quick to set up: I'm gonna download the Linux setup, make it executable and authenticate with contrast auth. I'll sign up with GitHub and I'm good to go. And with one command, contrast scan, I can scan my project right here in the terminal. And within moments I'll see what I almost did. Bam. Found one vulnerability. Now I know when you're coding, you don't want anything to hold you up. That's why CodeSec is the fastest scanner out there. I think it's about 10 times faster than others. And again, you saw how I ran it right there on the terminal. Bam. So you can make sure your code is secure as you code, and not much later when you're super frustrated. And speed is cool, but it's also stinking accurate.
It'll help you find 70% more vulnerabilities and six times more true positives. And I know you're cloud native now; everyone's cloud native. So they will scan your AWS Lambda functions. They are native to the cloud native, they're all up in there. They'll make sure it's safe. So again, this sucker's free. Go ahead and try it out. Link below. Show some love to Contrast Security for sponsoring my channel, making all this stuff possible and giving us cool free things we can use. Coffee break over. Now let's take over some domains. First we have to find the subdomains for our target. A lot of tools out there, but I like this one right here, Amass. And come on, that logo's freaking cool, I love it. I'll run it through the Docker container and see what we find. Oh, is it not gonna find it, bro?
Oh, it did. Okay, we have a few targets. Let's load those into a text file. And I'll use this pretty cool tool called takeover to see if any of these are vulnerable, because this is a pretty common attack and it checks against all of these services right here. That's a lot. And let's see what happens. Check that out. It found it so freaking fast. GitHub service. Found potential domain takeover. So now that we know that code.hackwellindustries.com is potentially vulnerable, let's see what it's pointing to. Using a tool called dig, I can dig into this information: code.hackwellindustries.com. Bam. It gave me all the information. I can see it right here. It's a CNAME entry pointing to hackwellgit2.github.io. So now what I'm gonna do is just simply sign up for a GitHub account and see if this username is available.
Let's try it out. github.com, sign up. Now let's see if that username is available: hackwellgit2. Okay, this was not supposed to happen. This was supposed to be available. Clearly it isn't. And here's why. GitHub, even though I deleted the account for hackwellgit2, or Bernard Hackwell did, GitHub will keep this username unavailable for 90 days. Now after that it's whoever wants it, but for now, during my demo, it kind of sucks. Now, I didn't expect this, because as you can see, I have hackwellgit2, which means there was a one, and also a hackwellgit, which I actually got to work for both of those. I created a GitHub account, I deleted it, claimed it with another one, and it totally worked. So the demo gods did not serve me well today. So pretend with me here that hackwellgit2 is actually hackwellgit3, and let me show you how you would do this.
Okay, Chuck from the future here. I finished recording the video and, just to make sure I wasn't crazy, I tried deleting hackwellgit3, and look what happened. <laugh> It's available. I knew I wasn't crazy. So yeah, this is still totally possible. You don't have to wait 90 days all the time. Whew, I feel vindicated. Anyways, back to the video. My favorite part: setting up for GitHub. This is so fun. So once you're in, all you have to do is set up a public repository, name it like this, your-username.github.io. Just like that. And we'll go ahead and create a new file, some fun HTML, commit. And then we'll create one more file: Add file, Create new file. We'll name it CNAME and put in the URL of the website we know we're stealing, code.hackwellindustries.com, and hit commit.
Now if we go to Settings here at the top right and hit Pages on the left, we should see that they have a DNS check in progress for that custom URL we have. It's gonna make sure that that URL is actually pointing to this GitHub page with a CNAME. And the DNS check is successful, and going out to the website, bam, I have it. Now the same thing can happen with Azure too. Through our scan, we would discover that azure.hackwellindustries.com is pointing to bingpot.centralus.cloudapp.azure.com. Bernard Hackwell deleted that resource, thereby releasing that domain name out into the wild. Can I claim it? Let's see. In the Azure portal, I'll create a new virtual machine, making sure it's in the Central US region so I can make sure the DNS entry looks just like this. And here in Azure, let's see if I can claim this DNS label, bingpot. Dude, it's available.
And there's the rest of the URL right there. Let's save that before it changes its mind. Got it. And if I go out to azure.hackwellindustries.com, bam, it totally worked. So yeah, with GitHub you have to wait 90 days, <laugh> but you don't have to with Azure and a bunch of other services. Like, you can do this with S3 buckets, a bunch of storage services out there. So how do you protect yourself? Don't be lazy. Make sure you're not leaving any stale DNS entries. Go look through your DNS. Make sure every entry is being used by you, <laugh> not a hacker. And in this video, I just showed you two services. There's a lot more that are vulnerable to this. And again, there's really no easy way to track it, fix it. The person who does this, they got away. They're, they're done.
They're good. Now, disclaimer, like all my videos talking about hacking, this was for educational purposes only. The purpose of this video is to show you that, hey, first, this vulnerability is real. So check your DNS. And second, if you are doing bug bounty, this is a thing you'll wanna check for, scan for, because this is a legit hacking skill. And I say skill because honestly that wasn't that hard, right? With two tools, we're able to scan subdomains and then see if it's vulnerable to one of these subdomain takeover attacks. And we just simply set up an account on that service. So remember kids, it's always DNS. Always.
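As an added defender-side example (not code from the video or from the Amass/takeover tools), here is a small Python audit that does what the "go look through your DNS" advice asks: it walks a zone export, flags CNAME records whose targets no longer answer, and names the provider so you know which ones are claimable by anyone. SERVICE_SUFFIXES, audit_zone and the sample zone are assumptions constructed for this example; in production, replace the injected set lookup with a real DNS resolver (for example dnspython).

```python
from typing import Callable, Dict, List, Optional

# Constructed fingerprint table (assumption): CNAME target suffixes of the
# self-service providers the video names. Extend it for what your zone uses.
SERVICE_SUFFIXES: Dict[str, str] = {
    ".github.io": "GitHub Pages",
    ".cloudapp.azure.com": "Azure VM DNS label",
    ".s3.amazonaws.com": "AWS S3 bucket",
}

def identify_service(target: str) -> Optional[str]:
    """Map a CNAME target to a known third-party service, or None."""
    target = target.rstrip(".").lower()
    return next((svc for suf, svc in SERVICE_SUFFIXES.items() if target.endswith(suf)), None)

def classify(sub: str, cname: Optional[str], target_resolves: bool) -> Dict[str, Optional[str]]:
    """Classify one record: a CNAME whose target no longer answers is dangling,
    and if the target belongs to a self-service provider it is claimable."""
    if not cname:
        return {"subdomain": sub, "cname": None, "service": None, "status": "no-cname"}
    target = cname.rstrip(".").lower()
    service = identify_service(target)
    if target_resolves:
        status = "in-use"
    elif service:
        # The video notes GitHub reserves a deleted username for 90 days, so
        # "claimable" means claimable once the provider releases the name.
        status = "dangling-claimable"
    else:
        status = "dangling-review"  # unknown provider: check by hand
    return {"subdomain": sub, "cname": target, "service": service, "status": status}

def audit_zone(records: Dict[str, Optional[str]], resolves: Callable[[str], bool]) -> List[Dict]:
    """Run classify() over a zone export. resolves(name) reports whether the
    CNAME target still has an address answer; inject a real DNS lookup in production."""
    return [classify(sub, cn, bool(cn) and resolves(cn.rstrip(".").lower()))
            for sub, cn in sorted(records.items())]

# Constructed sample zone using the demo names from the video.
ZONE = {
    "code.hackwellindustries.com": "hackwellgit2.github.io.",
    "azure.hackwellindustries.com": "bingpot.centralus.cloudapp.azure.com.",
    "www.hackwellindustries.com": "hackwellindustries.github.io.",
    "mail.hackwellindustries.com": None,
}
STILL_LIVE = {"hackwellindustries.github.io"}  # constructed: the only target that still answers

if __name__ == "__main__":
    for r in audit_zone(ZONE, STILL_LIVE.__contains__):
        print(f"{r['subdomain']:32} {r['status']:19} {r['service'] or '-'}")
```

Anything reported as dangling-claimable is a record to delete (or re-point) before someone else registers the name; dangling-review entries point at providers the table does not know and need a manual look.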