1. takeovers
Contents
https://twitter.com/silentpush/status/1643554158891487232?s=20
Also referred to as domain hijacking or domain seizure.
- Which situation the term covers depends on who is using it.
Since the word apparently denotes a situation best described as seizing the domain outright, it does not overlap with impersonation that exploits a lame delegation.
The means and methods are not clearly defined either; that too depends on who is speaking.
/guide A Guide to DNS Takeovers: The Misunderstood Cousin of Subdomain Takeovers https://blog.projectdiscovery.io/guide-to-dns-takeovers/
Currently known vulnerable DNS services
EdOverflow / can-i-take-over-xyz https://github.com/EdOverflow/can-i-take-over-xyz?ref=projectdiscovery-io-blog
5 Ways to Exploit a Domain Takeover Vulnerability
- Yash Anand October 28, 2021
https://redhuntlabs.com/blog/5-ways-to-exploit-a-domain-takeover-vulnerability.html
1.1. cloudflare
1.2. Google
How to take over a subdomain in Google Cloud DNS
- Mark van Holsteijn, Jan 27, 2022
https://binx.io/2022/01/27/how-to-take-over-a-subdomain-in-google-cloud-dns/
detect and resolve DNS dangling / sub-domain takeover in GCP
- Posted on 07-18-2022 05:24 AM
https://www.googlecloudcommunity.com/gc/Security/detect-and-resolve-DNS-dangling-sub-domain-takeover-in-GCP/m-p/446094
https://github.com/manasmbellani/athena-cloud-dns-takeover
1.3. Marzano
Mining Takeovers for Fun and Profit
Artur Marzano 2023-03-02
https://www.linkedin.com/pulse/mining-takeovers-fun-profit-artur-marzano
1.3.1. Introduction
This article describes an experiment aimed at finding domains likely vulnerable to DNS takeover, a well-known technique that can be used to steal decommissioned, but active domains.
In this experiment I will show how I was able to find with little effort more than 200 domains that could be theoretically taken over across different providers and parent domains by using data from a public search tool (SecurityTrails) and an open-source repository (can-i-take-over-dns).
Please note that I did not find any new vulnerabilities nor develop any sort of attack tools or techniques during this research. I just analyzed what was already there, not being responsible in any way for whatever damages could be caused by the usage of the methods described below.
It says Cloudflare was excluded. awsdns is treated as not vulnerable. :-)
- Azure, NS1 and Google Cloud seem to be the main ones.
1.4. 2020
https://internet.watch.impress.co.jp/docs/event/1297384.html
1.5. 2018
What if your domain name were hijacked by someone else? Methods and countermeasures, learned from the memory of the Heisei era
- 遠山 孝, December 7, 2018, 14:35
https://internet.watch.impress.co.jp/docs/event/1157248.html
Featuring DNS takeover ~ "DNS with your lunch" (ランチのおともにDNS)
1.5.1. Proposed countermeasures
- Lame Delegation Cleanup (registrars)
- Nameserver Segregation (providers)
- Detection & Response (providers)
- Developing Awareness
Vulnerable providers can warn customers explicitly when they try to remove a zone, informing them that they must remove the NS record at their registrar prior to removing the delegated zone.
Finally, about the title of the article - I did have lots of fun doing this, but I didn't really profit anything, so for now I just hope this article was instructive for readers and that this will inspire researchers, registrars and providers to think about the problem =)
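A small check for the "Lame Delegation Cleanup" and "Detection & Response" items above, as an added example (my code, not Marzano's and not from any tool linked on this page): it asks each nameserver the parent delegates to for the zone's SOA and flags delegations that are no longer authoritative. The query callback, host names and answers are constructed so it runs offline; the comment notes how dnspython would supply real answers.

```python
from __future__ import annotations
from typing import Callable, Tuple

# SOA-query callback: (zone, nameserver) -> (rcode text, AA flag). With dnspython
# this would be dns.query.udp(dns.message.make_query(zone, "SOA"), ns_ip) and
# then (dns.rcode.to_text(r.rcode()), bool(r.flags & dns.flags.AA)).
QueryFn = Callable[[str, str], Tuple[str, bool]]

def classify(rcode: str, aa: bool) -> str:
    """'ok' only for an authoritative NOERROR; REFUSED/SERVFAIL/NXDOMAIN or a
    non-AA answer means the parent's NS record points at a server that no longer
    hosts the zone: a lame (dangling) delegation."""
    return "ok" if rcode == "NOERROR" and aa else "lame"

def check_delegations(delegations: dict[str, list[str]],
                      query: QueryFn) -> dict[str, dict[str, str]]:
    """Query every delegated nameserver for the zone's SOA; zone -> {ns: status}."""
    report: dict[str, dict[str, str]] = {}
    for zone, nameservers in delegations.items():
        for ns in nameservers:
            try:
                status = classify(*query(zone, ns))
            except OSError:  # timeout or dead host: inconclusive, not lame
                status = "unreachable"
            report.setdefault(zone, {})[ns] = status
    return report

def takeover_candidates(report: dict[str, dict[str, str]]) -> list[str]:
    """Zones with at least one lame nameserver. One is enough, since resolvers
    pick NS records at random; these are the NS records to remove at the registrar."""
    return sorted(z for z, nss in report.items() if "lame" in nss.values())

# Constructed sample data (hypothetical hosts): the parent's NS records and how
# each delegated server answers an SOA query for the zone.
SAMPLE_DELEGATIONS = {
    "shop.example.com": ["ns1.hosting.example.net", "ns2.hosting.example.net"],
    "old.example.com": ["ns-a.cloud.example", "ns-b.cloud.example"],
    "lab.example.com": ["ns1.defunct.example"],
}
SAMPLE_ANSWERS = {
    ("shop.example.com", "ns1.hosting.example.net"): ("NOERROR", True),
    ("shop.example.com", "ns2.hosting.example.net"): ("NOERROR", True),
    ("old.example.com", "ns-a.cloud.example"): ("REFUSED", False),  # zone deleted
    ("old.example.com", "ns-b.cloud.example"): ("NOERROR", True),
}

def fake_query(zone: str, ns: str) -> Tuple[str, bool]:
    if (zone, ns) not in SAMPLE_ANSWERS:
        raise OSError("no route to " + ns)  # models a dead nameserver
    return SAMPLE_ANSWERS[(zone, ns)]
```

Run `check_delegations(SAMPLE_DELEGATIONS, fake_query)` and pass the result to `takeover_candidates`; with real data the delegations come from the parent zone's NS records and the callback from dnspython.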