Posts

Showing posts from December, 2020

My Domain Enumeration Logic

My Domain Recon Flow

Why?
When approaching a new target you will want to find a place to start. Generally, it's always simpler to tackle the low-hanging fruit first, as you can possibly chain an attack on a subdomain into one impacting all components of the target.

My Approach
When looking into bug bounties, my first thought was "where do I begin?" My understanding was that the top producers were doing everything mostly in an automated fashion. I understand programming and scripting, so why not work on something like this for fun? I initially started off with a logic flow similar to the below image, but using files dropped to the system and importing them. As I wanted to add more to it, I realized I had better move to something where I have methods to query and filter more easily, so I decided to leverage MongoDB and Python3. This was my first go at this and although this generic outline doesn't depict the full structure of the code with multi-processing and threads, it does outline the criteria a...

Subdomain Takeover - Azure Cloud Service (Classic)

Subdomain Takeover: Azure Cloud Service

Background Information
What is a subdomain takeover? The ability to take ownership of a subdomain (i.e. xxxx.website.com) due to improper cleanup of CNAME/ALIAS DNS records when removing an external resource.

You own a company and a domain (suintel.com, for example). You want to leverage hosting a subdomain on an external resource, such as Discourse, Azure, AWS, GitHub, Ghost, etc. To keep the domain name of your company, you create an alias DNS record pointing from azureservice.suintel.com to the DNS name of the provider's record. You later decide you don't want to host this resource on this external provider (maybe you used it for testing, or no longer use the service), so you decommission the external resource. In doing so, you also release the DNS record of the resource from the provider.

Many of these external organizations allow users to pick the naming convention of the resource they are provisioning (i.e. <your_input>.cloudapp...