DNSTake – To check Missing Hosted DNS Zones Prevents Subdomain Takeover

A fast software to check missing hosted DNS zones that can lead to subdomain takeover.

What is a DNS takeover?

DNS takeover vulnerabilities occur when a subdomain (subdomain.example.com) or domain has its authoritative nameserver set to a provider (e.g. AWS Route 53, Akamai, Microsoft Azure, etc.) but the hosted zone has been removed or deleted.

Consequently, when making a request for DNS records the server responds with a SERVFAIL error. This allows an attacker to create the missing hosted zone on the service that was being used and thus control all DNS records for that (sub)domain.

Installation

from Binary

The easy way! You can download a pre-built binary from releases page, just unpack and run!

from Source

NOTE: Go 1.16+ compiler should be installed & configured!

Very quick and clean!

▶ go install github.com/pwnesia/dnstake/cmd/[email protected]

— or

Manual building executable from source code:

▶ git clone https://github.com/pwnesia/dnstake
▶ cd dnstake/cmd/dnstake
▶ go build .
▶ (sudo) mv dnstake /usr/local/bin

Also See: DNSMONSTER- Passive DNS Capture / Monitoring Framework

Usage

$ dnstake -h
·▄▄▄▄ ▐ ▄ .▄▄ ·▄▄▄▄▄ ▄▄▄· ▄ •▄ ▄▄▄ .
██▪ ██ •█▌▐█▐█ ▀.•██ ▐█ ▀█ █▌▄▌▪▀▄.▀·
▐█· ▐█▌▐█▐▐▌▄▀▀▀█▄▐█.▪▄█▀▀█ ▐▀▀▄·▐▀▀▪▄
██. ██ ██▐█▌▐█▄▪▐█▐█▌·▐█ ▪▐▌▐█.█▌▐█▄▄▌
▀▀▀▀▀• ▀▀ █▪ ▀▀▀▀ ▀▀▀ ▀ ▀ ·▀ ▀ ▀▀▀
 (c) pwnesia.org — v0.0.1

Usage:

[stdin] | dnstake [options]
dnstake -t HOSTNAME [options]

Options:

-t, --target Define single target host/list to check
-c, --concurrent Set the concurrency level (default: 25)
-s, --silent Suppress errors and/or clean output
-h, --help Display its help

Examples:

dnstake -t (sub.)domain.tld
dnstake -t hosts.txt
cat hosts.txt | dnstake
subfinder -silent -d domain.tld | dnstake

Workflow

DNSTake use RetryableDNS client library to send DNS queries. Initial engagement using Google and Cloudflare DNS as the resolver, then check & fingerprinting the nameservers of target host — if there is one, it will resolving the target host again with its nameserver IPs as resolver, if it gets weird DNS status response (other than NOERROR/NXDOMAIN), then it’s vulnerable to be taken over.

Download DNSTake


Source: HackersOnlineClub

Leave a Reply