mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 20:53:37 +00:00
Translated ['pentesting-web/domain-subdomain-takeover.md'] to sw
This commit is contained in:
parent
6264fe351f
commit
dd1ff4f175
1 changed files with 28 additions and 32 deletions
|
@ -1,8 +1,8 @@
|
|||
# Domain/Subdomain takeover
|
||||
|
||||
{% hint style="success" %}
|
||||
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||
Learn & practice AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||
Learn & practice GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||
|
||||
<details>
|
||||
|
||||
|
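Review bot: the change from `/.gitbook/assets/arte.png` to `../.gitbook/assets/arte.png` in the banner lines is a path-consistency fix and goes the right way, because the file sits under `pentesting-web/` and the `<figure>` further down in the same file already uses `../.gitbook/assets/image (48).png`, so the relative form resolves from the page's own directory while the leading-slash form only works when the site is served from the repository root. Before merging, confirm the `{% hint style="success" %}` opened here is still paired with the `{% endhint %}` at the end of the file, since the hunk only touches lines inside that block.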
@ -18,18 +18,18 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
|
|||
<figure><img src="../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=domain-subdomain-takeover) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
Use [**Trickest**](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_term=trickest\&utm\_content=domain-subdomain-takeover) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
Get Access Today:
|
||||
|
||||
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=domain-subdomain-takeover" %}
|
||||
|
||||
## Domain takeover
|
||||
|
||||
Ikiwa unagundua jina la kikoa (domain.tld) ambalo **linatumika na huduma fulani ndani ya upeo** lakini **kampuni** imepoteza **umiliki** wake, unaweza kujaribu **kujiandikisha** (ikiwa ni ya bei nafuu) na kuwajulisha kampuni. Ikiwa jina hili la kikoa linapokea **habari nyeti** kama vile cookie za vikao kupitia **GET** parameter au katika kichwa cha **Referer**, hii ni hakika **udhaifu**.
|
||||
Ikiwa unagundua jina la kikoa (domain.tld) ambalo **linatumika na huduma fulani ndani ya upeo** lakini **kampuni** ime **poteza** **umiliki** wake, unaweza kujaribu **kujiandikisha** (ikiwa ni ya bei nafuu) na kuwajulisha kampuni hiyo. Ikiwa jina hili la kikoa linapokea **habari nyeti** kama vile cookie ya kikao kupitia **GET** parameter au katika kichwa cha **Referer**, hii ni hakika **udhaifu**.
|
||||
|
||||
### Subdomain takeover
|
||||
|
||||
Subdomain ya kampuni inarejelea **huduma ya mtu wa tatu yenye jina ambalo halijajiandikisha**. Ikiwa unaweza **kuunda** **akaunti** katika **huduma hii ya mtu wa tatu** na **kujiandikisha** jina linalotumika, unaweza kufanya subdomain takeover.
|
||||
Subdomain ya kampuni inashikilia **huduma ya mtu wa tatu yenye jina ambalo halijajiandikisha**. Ikiwa unaweza **kuunda** **akaunti** katika **huduma hii ya mtu wa tatu** na **kujiandikisha** jina linalotumika, unaweza kufanya subdomain takeover.
|
||||
|
||||
Kuna zana kadhaa zenye kamusi za kuangalia uwezekano wa takeover:
|
||||
|
||||
|
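Review bot: the replacement domain-takeover paragraph splits the verb `imepoteza` into `ime **poteza** **umiliki**`, which renders as "ime poteza umiliki" with a stray space inside the word; keep the earlier `imepoteza **umiliki**` or bold the whole phrase as `**imepoteza umiliki**`. Two smaller points in the same hunk: the Trickest link target now escapes underscores and ampersands (`utm\_source=hacktricks\&utm\_medium=text`), which CommonMark unescapes inside a link destination so the link still works, but it no longer matches the unescaped `{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner..." %}` a few lines below, so one form should be used for both. In the subdomain-takeover paragraph, `inashikilia` ("holds") replaces `inarejelea` ("refers to") for a subdomain pointing at a third-party service; `inaelekeza kwa` ("points to"), which the page already uses for `1.1.1.1` in the wildcard section, describes the DNS relationship more accurately and avoids implying the subdomain hosts the service.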
@ -45,82 +45,78 @@ Kuna zana kadhaa zenye kamusi za kuangalia uwezekano wa takeover:
|
|||
* [https://github.com/antichown/subdomain-takeover](https://github.com/antichown/subdomain-takeover)
|
||||
* [https://github.com/musana/mx-takeover](https://github.com/musana/mx-takeover)
|
||||
* [https://github.com/PentestPad/subzy](https://github.com/PentestPad/subzy)
|
||||
* [https://github.com/Stratus-Security/Subdominator](https://github.com/Stratus-Security/Subdominator)
|
||||
|
||||
#### Scanning for Hijackable Subdomains with [BBOT](https://github.com/blacklanternsecurity/bbot):
|
||||
|
||||
Subdomain takeover checks are included in BBOT's default subdomain enumeration. Signatures are pulled directly from [https://github.com/EdOverflow/can-i-take-over-xyz](https://github.com/EdOverflow/can-i-take-over-xyz).
|
||||
```bash
|
||||
bbot -t evilcorp.com -f subdomain-enum
|
||||
```
|
||||
### Subdomain Takeover Generation via DNS Wildcard
|
||||
|
||||
Wakati DNS wildcard inatumika katika domain, subdomain yoyote inayohitajika ya domain hiyo ambayo haina anwani tofauti wazi itakuwa **imeamuliwa kwa taarifa sawa**. Hii inaweza kuwa anwani ya A, CNAME...
|
||||
Wakati wildcard ya DNS inatumika katika kikoa, subdomain yoyote iliyotolewa ya kikoa hicho ambayo haina anwani tofauti wazi itakuwa **imeelekezwa kwa habari ile ile**. Hii inaweza kuwa anwani ya A, CNAME...
|
||||
|
||||
Kwa mfano, ikiwa `*.testing.com` imewekwa kama wildcard kwa `1.1.1.1`. Basi, `not-existent.testing.com` itakuwa ikielekeza kwa `1.1.1.1`.
|
||||
Kwa mfano, ikiwa `*.testing.com` imewekwa kama wildcard kwa `1.1.1.1`. Kisha, `not-existent.testing.com` itakuwa ikielekezwa kwa `1.1.1.1`.
|
||||
|
||||
Hata hivyo, ikiwa badala ya kuelekeza kwa anwani ya IP, msimamizi wa mfumo ataelekeza kwa **huduma ya mtu wa tatu kupitia CNAME**, kama subdomain ya **github** kwa mfano (`sohomdatta1.github.io`). Mshambuliaji anaweza **kuunda ukurasa wake wa mtu wa tatu** (katika Github katika kesi hii) na kusema kwamba `something.testing.com` inaelekeza huko. Kwa sababu, **CNAME wildcard** itakubali mshambuliaji ataweza **kuunda subdomains za kiholela kwa domain ya mwathirika ikielekeza kwa kurasa zake**.
|
||||
Hata hivyo, ikiwa badala ya kuelekeza kwa anwani ya IP, msimamizi wa mfumo anaelekeza kwa **huduma ya mtu wa tatu kupitia CNAME**, kama subdomain ya G**ithub kwa mfano (`sohomdatta1.github.io`). Mshambuliaji anaweza **kuunda ukurasa wake wa mtu wa tatu** (katika Gihub katika kesi hii) na kusema kwamba `something.testing.com` inashikilia hapo. Kwa sababu, **CNAME wildcard** itakubali mshambuliaji atakuwa na uwezo wa **kuunda subdomains zisizo na mipaka kwa kikoa cha mwathirika zikielekezwa kwa kurasa zake**.
|
||||
|
||||
Unaweza kupata mfano wa udhaifu huu katika andiko la CTF: [https://ctf.zeyu2001.com/2022/nitectf-2022/undocumented-js-api](https://ctf.zeyu2001.com/2022/nitectf-2022/undocumented-js-api)
|
||||
|
||||
## Exploiting a subdomain takeover
|
||||
|
||||
Subdomain takeover kimsingi ni DNS spoofing kwa domain maalum kwenye mtandao, ikiruhusu washambuliaji kuweka rekodi za A kwa domain, ikifanya vivinjari kuonyesha maudhui kutoka kwa seva ya mshambuliaji. Hii **uwazi** katika vivinjari inafanya domain kuwa hatarini kwa phishing. Washambuliaji wanaweza kutumia [_typosquatting_](https://en.wikipedia.org/wiki/Typosquatting) au [_Doppelganger domains_](https://en.wikipedia.org/wiki/Doppelg%C3%A4nger) kwa kusudi hili. Domain ambazo URL katika barua pepe ya phishing inaonekana halali, zinakuwa hatarini zaidi, zikidanganya watumiaji na kukwepa vichujio vya spam kutokana na uaminifu wa domain hiyo.
|
||||
Subdomain takeover ni kimsingi DNS spoofing kwa kikoa maalum kwenye mtandao, ikiruhusu washambuliaji kuweka rekodi za A kwa kikoa, na kupeleka vivinjari kuonyesha maudhui kutoka kwa seva ya mshambuliaji. Hii **uwazi** katika vivinjari inafanya kikoa kuwa hatarini kwa phishing. Washambuliaji wanaweza kutumia [_typosquatting_](https://en.wikipedia.org/wiki/Typosquatting) au [_Doppelganger domains_](https://en.wikipedia.org/wiki/Doppelg%C3%A4nger) kwa kusudi hili. Kikoa ambacho URL katika barua pepe ya phishing inaonekana halali, kinakuwa hatarini zaidi, kikidanganya watumiaji na kukwepa vichujio vya spam kutokana na uaminifu wa kikoa.
|
||||
|
||||
Angalia hii [post kwa maelezo zaidi](https://0xpatrik.com/subdomain-takeover/)
|
||||
Angalia [post hii kwa maelezo zaidi](https://0xpatrik.com/subdomain-takeover/)
|
||||
|
||||
### **SSL Certificates**
|
||||
|
||||
Vyeti vya SSL, ikiwa vimeundwa na washambuliaji kupitia huduma kama [_Let's Encrypt_](https://letsencrypt.org/), vinaongeza uhalali wa hizi domain za uongo, na kufanya mashambulizi ya phishing kuwa ya kuaminika zaidi.
|
||||
Vyeti vya SSL, ikiwa vimeundwa na washambuliaji kupitia huduma kama [_Let's Encrypt_](https://letsencrypt.org/), vinaongeza uhalali wa hizi domain bandia, na kufanya mashambulizi ya phishing kuwa ya kuaminika zaidi.
|
||||
|
||||
### **Cookie Security and Browser Transparency**
|
||||
|
||||
Uwazi wa kivinjari pia unahusisha usalama wa cookie, unaodhibitiwa na sera kama [Same-origin policy](https://en.wikipedia.org/wiki/Same-origin_policy). Cookies, mara nyingi hutumiwa kusimamia vikao na kuhifadhi alama za kuingia, zinaweza kutumiwa vibaya kupitia subdomain takeover. Washambuliaji wanaweza **kukusanya cookies za kikao** kwa kuongoza watumiaji kwenye subdomain iliyovunjwa, wakihatarisha data na faragha ya mtumiaji.
|
||||
Uwazi wa kivinjari pia unapanuka kwa usalama wa cookie, unaodhibitiwa na sera kama [Same-origin policy](https://en.wikipedia.org/wiki/Same-origin\_policy). Cookies, mara nyingi hutumiwa kusimamia vikao na kuhifadhi alama za kuingia, zinaweza kutumiwa vibaya kupitia subdomain takeover. Washambuliaji wanaweza **kusanya session cookies** kwa urahisi kwa kuelekeza watumiaji kwenye subdomain iliyovunjwa, wakihatarisha data na faragha ya mtumiaji.
|
||||
|
||||
### **Emails and Subdomain Takeover**
|
||||
|
||||
Nafasi nyingine ya subdomain takeover inahusisha huduma za barua pepe. Washambuliaji wanaweza kubadilisha **rekodi za MX** kupokea au kutuma barua pepe kutoka subdomain halali, wakiongeza ufanisi wa mashambulizi ya phishing.
|
||||
Nafasi nyingine ya subdomain takeover inahusisha huduma za barua pepe. Washambuliaji wanaweza kubadilisha **MX records** ili kupokea au kutuma barua pepe kutoka subdomain halali, wakiongeza ufanisi wa mashambulizi ya phishing.
|
||||
|
||||
### **Higher Order Risks**
|
||||
|
||||
Hatari zaidi ni pamoja na **NS record takeover**. Ikiwa mshambuliaji anapata udhibiti wa rekodi moja ya NS ya domain, wanaweza kwa urahisi kuelekeza sehemu ya trafiki kwa seva chini ya udhibiti wao. Hatari hii inazidishwa ikiwa mshambuliaji ataweka **TTL (Time to Live)** ya juu kwa rekodi za DNS, ikiongeza muda wa shambulizi.
|
||||
Hatari zaidi ni pamoja na **NS record takeover**. Ikiwa mshambuliaji anapata udhibiti wa rekodi moja ya NS ya kikoa, wanaweza kwa urahisi kuelekeza sehemu ya trafiki kwa seva chini ya udhibiti wao. Hatari hii inazidishwa ikiwa mshambuliaji anaweka **TTL (Time to Live)** ya juu kwa rekodi za DNS, ikiongeza muda wa shambulizi.
|
||||
|
||||
### CNAME Record Vulnerability
|
||||
|
||||
Washambuliaji wanaweza kutumia rekodi za CNAME zisizodaiwa zinazoelekea kwa huduma za nje ambazo hazitumiki tena au zimeondolewa. Hii inawaruhusu kuunda ukurasa chini ya domain iliyoaminika, ikirahisisha zaidi phishing au usambazaji wa malware.
|
||||
Washambuliaji wanaweza kutumia rekodi za CNAME zisizodaiwa zinazoshikilia huduma za nje ambazo hazitumiki tena au zimeondolewa. Hii inawaruhusu kuunda ukurasa chini ya kikoa kinachotambulika, ikirahisisha zaidi phishing au usambazaji wa malware.
|
||||
|
||||
### **Mitigation Strategies**
|
||||
|
||||
Mikakati ya kupunguza hatari ni pamoja na:
|
||||
Mikakati ya kupunguza ni pamoja na:
|
||||
|
||||
1. **Kuondoa rekodi za DNS zenye udhaifu** - Hii ni bora ikiwa subdomain haitahitajika tena.
|
||||
2. **Kudai jina la domain** - Kurekodi rasilimali hiyo na mtoa huduma husika wa wingu au kununua tena domain iliyokwisha.
|
||||
3. **Kufanya ufuatiliaji wa mara kwa mara kwa udhaifu** - Zana kama [aquatone](https://github.com/michenriksen/aquatone) zinaweza kusaidia kubaini domain zenye hatari. Mashirika yanapaswa pia kurekebisha michakato yao ya usimamizi wa miundombinu, kuhakikisha kwamba uundaji wa rekodi za DNS ni hatua ya mwisho katika uundaji wa rasilimali na hatua ya kwanza katika uharibifu wa rasilimali.
|
||||
2. **Kudai jina la kikoa** - Kujiandikisha rasilimali hiyo na mtoa huduma husika wa wingu au kununua tena kikoa kilichokwisha.
|
||||
3. **Kufanya ufuatiliaji wa mara kwa mara kwa udhaifu** - Zana kama [aquatone](https://github.com/michenriksen/aquatone) zinaweza kusaidia kubaini viwango vya kikoa vinavyoweza kuathiriwa. Mashirika yanapaswa pia kupitia michakato yao ya usimamizi wa miundombinu, kuhakikisha kwamba uundaji wa rekodi za DNS ni hatua ya mwisho katika uundaji wa rasilimali na hatua ya kwanza katika uharibifu wa rasilimali.
|
||||
|
||||
Kwa watoa huduma wa wingu, kuthibitisha umiliki wa domain ni muhimu ili kuzuia subdomain takeovers. Wengine, kama [GitLab](https://about.gitlab.com/2018/02/05/gitlab-pages-custom-domain-validation/), wameelewa tatizo hili na kutekeleza mitambo ya uthibitishaji wa domain.
|
||||
Kwa watoa huduma wa wingu, kuthibitisha umiliki wa kikoa ni muhimu ili kuzuia subdomain takeovers. Wengine, kama [GitLab](https://about.gitlab.com/2018/02/05/gitlab-pages-custom-domain-validation/), wamegundua tatizo hili na kutekeleza mifumo ya uthibitishaji wa kikoa.
|
||||
|
||||
## References
|
||||
|
||||
* [https://0xpatrik.com/subdomain-takeover/](https://0xpatrik.com/subdomain-takeover/)
|
||||
* [https://www.stratussecurity.com/post/subdomain-takeover-guide](https://www.stratussecurity.com/post/subdomain-takeover-guide)
|
||||
|
||||
<figure><img src="../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
\
|
||||
Tumia [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=domain-subdomain-takeover) kujenga na **kujiendesha kiotomatiki** kwa kutumia zana za jamii **za kisasa zaidi** duniani.\
|
||||
Pata Ufikiaji Leo:
|
||||
Use [**Trickest**](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_term=trickest\&utm\_content=domain-subdomain-takeover) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
Get Access Today:
|
||||
|
||||
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=domain-subdomain-takeover" %}
|
||||
|
||||
{% hint style="success" %}
|
||||
Jifunze & fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||
Jifunze & fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||
Learn & practice AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||
Learn & practice GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Support HackTricks</summary>
|
||||
|
||||
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
|
||||
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
|
||||
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
{% endhint %}
|
||||
|
|
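Review bot: the wildcard-CNAME paragraph in the replacement text has a bold marker landing mid-word, `kama subdomain ya G**ithub kwa mfano`, which opens a bold span that only closes at the next `**` before `kuunda`, so the rest of the paragraph's emphasis is inverted; it should read `**Github**` (and `Gihub` two clauses later is a typo for `Github`). The same paragraph also swaps `subdomains za kiholela` ("arbitrary subdomains") for `zisizo na mipaka` ("unlimited"), and the earlier wording is the more precise description of what a wildcard CNAME grants. In mitigation item 3, `viwango vya kikoa vinavyoweza kuathiriwa` reads as "domain levels that can be affected", which is not what aquatone reports; the earlier `domain zenye hatari` or `subdomains zilizo hatarini` is clearer. `Same-origin\_policy` in the cookie paragraph repeats the escaped-URL pattern noted in the previous hunk and should follow the same convention. Finally, the commit is titled "Translated ... to sw", but this hunk replaces the Swahili footer (`Tumia [**Trickest**]...`, `Pata Ufikiaji Leo:`) and the translated "Support HackTricks" bullets (`Angalia [**mpango wa usajili**]...`) with their English originals; if shared boilerplate is meant to stay in English across all language trees, the commit message should say so, otherwise these blocks should keep the Swahili text.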