indianajson / can-i-take-over-dns

"Can I take over DNS?" — a list of DNS providers and how to claim (sub)domains via missing hosted zones


DNSMadeEasy

indianajson opened this issue · comments

Service: DNSMadeEasy

Status: Vulnerable

Nameserver

Managed DNS
      ns1.dnsmadeeasy.com
      ns2.dnsmadeeasy.com
      ns3.dnsmadeeasy.com
      ns4.dnsmadeeasy.com

Secondary DNS
      ns5.dnsmadeeasy.com
      ns6.dnsmadeeasy.com
      ns7.dnsmadeeasy.com

Alternate Managed DNS --> (not easily obtainable)
      ns10.dnsmadeeasy.com
      ns11.dnsmadeeasy.com
      ns12.dnsmadeeasy.com
      ns13.dnsmadeeasy.com
      ns14.dnsmadeeasy.com
      ns15.dnsmadeeasy.com

Explanation

Head over to the registration page on DNSMadeEasy. Since accounts are only active for 30 days I recommend you use an alteration to your primary email (e.g. hacker+dns@wearehackerone.com). Now, the number in the nameservers in your vulnerable domain will determine which service you use.

If the number is ns1-ns4 use Managed DNS to create the zone. After you enter your domain and submit the form it will assign you several nameservers. At least one of your assigned nameservers must match with your vulnerable domain. Theoretically, they all will match, but sometimes they don't.

If the number is ns5-ns7 things get a bit more complicated. First, use Secondary DNS to create the zone. You will need to add a Secondary IP Set before you can configure the zone. Add 192.135.223.10 as the IP address. For the takeover to work, you need to set up a primary DNS first, which will push records to the secondary DNS provided by DNSMadeEasy. I recommend you use NS1 as the primary in this instance; it's free and easily configurable. This article will explain the steps to configure your NS1 zone. It will take a minute for everything to get in sync, but afterward you should receive a NOERROR response from the vulnerable server. Now configure the DNS records for the takeover on NS1.

If the number is ns10-ns15 you're probably not going to get this takeover. According to comments by DNSMadeEasy staff these nameservers are only delegated to a zone if the primary nameservers (ns1-ns4) are bogged down at that particular moment. There is no known reliable way to get the ns10-ns15 nameservers. Additionally, it has been discovered that these zones are used for whitelabel DNS services provided by DNSMadeEasy.

This is a case where the number is set to ns5-ns7. I was trying to add to Secondary DNS.


Does this mean it's not vulnerable?

@royalcoder-sudo This error means that an account on DNSMadeEasy already has the (sub)domain in a zone. The domain is currently returning an NXDOMAIN error (which typically is not vulnerable to this attack vector). Despite the fact that xe-1-2-.br01.sjc1.squareup.com does not exist in a zone its root (br01.sjc1.squareup.com) does, thus the subdomain is not vulnerable. Performing a dig request for br01.sjc1.squareup.com returns NOERROR and running a trace shows us the zone is located on DNSMadeEasy's ns5-ns7 servers.

Hi @indianajson
Does it work with ns10-ns15 zone?

@xsh1synack I discussed this specific issue with another researcher a while back. They even asked DNSMadeEasy's customer service about delegating to those servers and were told that zones are only delegated to them if the main servers are having difficulty dealing with the load.

At the moment, I don't have a method for forcing zone delegation to those name servers. If anyone comes up with something please share!

If it's between ns1-ns4, should I report that I claimed it? Without any PoC, will it be enough?
[screenshot of cp.dnsmadeeasy.com, 2021-08-25]

@Sn0wd3nn You definitely want a POC, but you don't need to host a website. For DNS takeover POCs, you should add a TXT record to the hosted zone, something like POC by @Sn0wd3nn and then check to make sure it resolves using this tool https://toolbox.googleapps.com/apps/dig/#TXT/. (You may need to give it up to an hour to show up). This way you know the takeover worked and any triager will be able to quickly verify the issue.

The thing is, I found the subdomain is available in DNSMadeEasy to register, and I did register it, but I still feel like it's not vulnerable, like I can't do anything with it.
@indianajson

If you want to DM me on Twitter with the details I'll try to tell you what exactly is going on with it. @Sn0wd3nn

I did, check your DM @indianajson

Hi everyone,

Hope you're doing great. Just a recap of what I did and then my question, so forgive me if I missed something.

So I found a subdomain that is possible to take over. I went to DNSMadeEasy and took that domain (so I think):

[screenshot, 2021-10-11]

I added a TXT record yesterday, but nothing came up. Do I have to purchase the domain to take it over at this point? Probably... right, because at that point I configure the DNS before I purchase it?!

Thank you in advance everyone :-)

Hi @UN1337KN0WN - If the subdomain is vulnerable and you added it to DNSMadeEasy the takeover should work and you should not need to purchase any domains. To clarify though you need to add the subdomain to DNSMadeEasy, not the domain. For example, if test.example.com is vulnerable you need to add test.example.com, not example.com.

I'm going to add an explanation on how to test a domain for vulnerability and add it to this issue, but in the meantime feel free to DM me on Twitter (@indianajson) and I'll try to help you troubleshoot this. Since it's already in your DNSMadeEasy account you've got it locked in if it is indeed vulnerable.

Hi @indianajson,

Thanks for the quick response.
1. Okay, because I thought the TXT record that I added should give me a response, but nothing happened there.
2. Hahah, I know about subdomain takeover; I was not sure about subdomain takeover on DNSMadeEasy. It was just odd that I did not receive my TXT record.
3. Appreciate the effort :)

Looked around the setup and found the following message:

No delegated name servers were found for your domain. These name servers are usually supplied to the registrar.

Any clue here ?

@UN1337KN0WN - That sounds like the nameservers for the domain aren't actually pointing to DNSMadeEasy. Go run a trace on the domain using this tool (enter the affected subdomain and click Dig). The last line in the response will say something like this:

test.example.com.		86400	IN	NS	a.iana-servers.net.
test.example.com.		86400	IN	NS	b.iana-servers.net.

Tell me what appears after the NS in those two lines.
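For anyone auditing their own delegations, the checks discussed in this thread (which nsN.dnsmadeeasy.com pool a name is delegated to, that NXDOMAIN means a parent zone already exists on the provider, and the NS line format dig prints above) can be scripted. This is an added example, not code from this repo; it assumes the NS lines were captured from dig and that a REFUSED or SERVFAIL answer from the delegated DNSMadeEasy server means no zone is hosted there, which the thread does not state outright.

```python
import re
from typing import List, Optional

# Constructed sample input in the shape of dig's NS output quoted in the thread.
SAMPLE_NS_LINES = (
    "test.example.com.\t\t86400\tIN\tNS\tns5.dnsmadeeasy.com.\n"
    "test.example.com.\t\t86400\tIN\tNS\tns6.dnsmadeeasy.com.\n"
    "test.example.com.\t\t86400\tIN\tNS\tns7.dnsmadeeasy.com.\n"
)

NS_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+?)\.?$", re.IGNORECASE)
DME_RE = re.compile(r"^ns(\d+)\.dnsmadeeasy\.com$", re.IGNORECASE)


def parse_ns(lines: str) -> List[str]:
    """Return nameserver hostnames (lowercase, no trailing dot) from dig NS lines."""
    hosts = []
    for line in lines.splitlines():
        m = NS_RE.match(line.strip())
        if m:
            hosts.append(m.group(2).lower())
    return hosts


def dme_pool(host: str) -> Optional[str]:
    """Map nsN.dnsmadeeasy.com to the pool described in the thread; None if not DME."""
    m = DME_RE.match(host)
    if not m:
        return None
    n = int(m.group(1))
    if 1 <= n <= 4:
        return "managed"
    if 5 <= n <= 7:
        return "secondary"
    if 10 <= n <= 15:
        return "alternate"  # whitelabel pool; not self-service per the thread
    return "unknown"


def assess(ns_lines: str, rcode: str) -> str:
    """Classify a delegation using the RCODE the delegated server gave for the name."""
    pools = {p for p in (dme_pool(h) for h in parse_ns(ns_lines)) if p}
    if not pools:
        return "not-dnsmadeeasy"
    rcode = rcode.upper()
    if rcode == "NOERROR":
        return "zone-hosted"
    if rcode == "NXDOMAIN":
        return "parent-zone-exists"  # some zone above the name is on DME already
    if rcode in ("REFUSED", "SERVFAIL"):  # assumption: no zone hosted for the name
        if pools == {"alternate"}:
            return "dangling-DME-alternate-pool"
        return "dangling-DME-" + "/".join(sorted(pools))
    return "indeterminate"
```

Any "dangling-DME-*" result on one of your own names is a delegation to fix (remove the NS records or recreate the zone), regardless of how claimable the pool is.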