My Domain Enumeration Logic

My Domain Recon Flow

Why?

When approaching a new target you will want to find a place to start. Generally, it's always simpler to tackle the low-hanging fruit as you can possibly chain an attack on a subdomain impacting all components of the target. 

My Approach

When looking into bug bounties, my first thought was "where do I begin"? My understanding was the top producers were doing everything mostly in an automated fashion. I understand programming and scripting, so why not work on something like this for fun? I initially started off with a logic flow similar to the below image, but using files dropped to the system and importing them. As I wanted to add more to it, I realized I better move to something where I have methods to query and filter easier so I decided to leverage MongoDB and Python3. This was my first go at this and although this generic outline doesn't depict the full structure of the code with multi-processing and threads, it does outline the criteria and data movement I was looking at. I had the following within a week and had my first subdomain takeover the following week.



getScopes.py

I needed a way to pull in all of the projects from HackerOne, parse the output, then import them into a database where I have a list of in-scope and out-scope domains. When visiting the HackerOne site, it is javascript-driven with scroll/loading at the bottom. Leveraging a Python3 library for scrolling and loading content of a javascript webpage I pulled this data into a list. After a specific time set for scrolling, I then loop through the list checking if I already have this project stored in the Mongo database. If not, a request is sent to the page where I parse the in-scope and out-scope sections to store with the project. One thing that becomes an issue with HackerOne, not all programs list their domains in the same method. Some programs don't use the table format that HackerOne provides them, but simply explain it in their description what is in-scope. For programs that don't follow the standard format, the only way to import these correctly is via a manual process. 

enumDomains.py

Now that we have all of the projects and corresponding in-scope and out-of-scope domains, need to enumerate subdomains. Amass is an amazing tool for doing this, but eventually, there should be multiple steps to expand this using multiple tools. Once a list is returned from Amass, for items not already present in the database I insert them. At this time, I have over 1.3M domains for public programs solely from HackerOne. 

dnsPoll.py

The main lifting is already complete. Just need to get the DNS records of the listed subdomains enumerated. Using multi-threading, poll each domain that is missing data or has an entry older than 7 days. For items without a DNS response, removing them from the database keeps the clutter to a minimum.

checkCnames.py

This is where all of the logic comes into play for finding subdomain enumerations. Each document having a CNAME is passed to a method per vulnerable external site where a regex is performed. If matching said regex, then a check is performed that corresponds with how that external resource is found to be vulnerable. IE: Azure resources if there is a CNAME, but no actual A record it is vulnerable (except for CDN records), but the majority of sites you will do an HTTP request and look for a specific string to be within the HTML document. If a vulnerability is found, I have a bot post to a Slack channel with the domain in question and the CNAME record of the provider. From here it is a matter of putting the proof of concept together and submitting a report. Automating the POC component can also be automated to speed up the process. Once a domain is taken over, there is no rush on submission as nobody else can submit it; however, some providers may cost you money for hosting (Azure) so it may not be beneficial to automate those.

Other

Although this is the flow for a subdomain takeover to be automated in finding, whenever I begin doing manual checks I use my database as a starting point for further review. I made tools to operate with this MongoDB database for gathering information, inserting hosts outside of the normal flow, etc. Many times I'll take this output, then crawl/spider in Burp these subdomains. Once this is complete, I'll export the subdomains from burp into a .txt file where I have a tool for importing the missing domains being monitored into the database to make sure they are also being monitored.

Future Additions

  • Subdomain enumeration tools that leverage other external resources
  • BugCrowd and Intigriti bug bounty programs (have a few manually inserted right now)
  • HTTProbe data for each subdomain
  • HTTP screenshots for each subdomain returned from HTTProbe
  • Parsing HTML/Javascript files for external files loaded that may be vulnerable for takeover

Thanks for reading my blog! Feel free to share your thoughts and/or opinions. 

Comments

Popular posts from this blog

Subdomain Takeover - Azure Cloud Service (Classic)