-
-
Notifications
You must be signed in to change notification settings - Fork 724
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Microsoft Azure proofs #35
Comments
Hi All, if a Azure Domain not Respond with NXDOMAIN that means it is not Vulnerable. Then what would be the answer is it vulnerable or not! Hope you understand my points Regards |
Linked back on the main repository, closing this as @Sechunt3r's comment is already addressed in @PatrikHudak's summary. |
if subdomain return public IP is possible subdomain takeover? |
If the sub-domain points to traffic manager service for Azure, is the takeover possible? When attempting to create a traffic manager profile using the same name as in the CNAME, getting error which mentions "Domain name xyz.trafficmanager.net already exists. Please choose a different DNS prefix". Has Microsoft patched the service or am I doing something wrong? Thanks |
@sumgro Microsoft haven't patched the service and you are doing everything ok. You are getting a error message because the Traffic Manager profile actually EXIST, so you are unable to claim it. When you make a DNS request to *.trafficmanager.net and get NXDOMAIN there are two possible outcomes:
It is pretty easy to setup a automation for that using Azure API. You would need to test a creation of particular TM profile and not rely only on DNS request as some external indicator of TM profile existence. Hope it helps. |
Thank you for the revert @PatrikHudak, really appreciate the detailed reply. I'm fairly new to the subdomain takeover subject. When testing for the subdomain in question, the dig <subdomain.domain.com> confirmed the error NXDOMAIN (thereby bringing a smile) and then the CNAME pointed to xyz.trafficmanager.net. From your reply, I understand that the profile already exists with the same name as the CNAME, even when the end-point may not have been setup, this results in the error message both when visiting the link and through the dig command. Hence, the takeover for in this situation may not be successful. Not able to get the pointers on the Azure API for automation, kindly point in the direction to be able to research more on the topic to get an understand for future hunting. Thanks |
I've come across a sub-domain, pointing to an azure web app service. This CNAME itself has 3 levels like xyz.abc.m.azurewebsites.net. It shows the NXDOMAIN error when checking with dig. However, when I try to create the App on the Azure Portal as xyz.abc.m to takeover, it does not allow periods in the same. Anyone aware of how can such scenario be handled for sub-domain takeover? Thanks |
I also faced this. I found a subdomain that resolved to Edit: turns out you could take over this by registering an Azure VM in the easteurope region ;) |
found this in relation to the above, but haven't been able to go through in details to understand: |
I found a subdomain pointing to 104.211.97.138. The ip certificate is issued to *.azurewebsites.net and the subdomain does not contain txt record. Is it vulnerable to subdomain takeover? |
I think it is a Edge case too.
"Domain name redacted.trafficmanager.net already exists. Please choose a different DNS prefix." |
Can anyone confirm if this isn't possible or im just stupid? when tryin to claim a CNAME with multiple levels like abc.aaa.azurewebsite.net i get
this means it is only possible to claim 1 level subdomains like abc.azurewebsite.net? |
Which azure service gives us mysubdomain.windows.net ? |
how can i claim this *.cloudapp.azure.com ? |
You can simply create a Virtual Machine in the specific region and then in the left menu select "Configure" and set a desired DNS name label. The format of the URL will be: |
Does anyone know if it is possible to claim *.azurewebsites.us domains? |
https://docs.microsoft.com/en-us/microsoft-365/admin/dns/create-dns-records-for-azure-dns-zones @adityathebe, it appears that this is no longer vulnerable. :( |
Never mind, it’s still vulnerable. Just observed one get snatched live. 😂 |
In *azurewebsites.net, there is also a verification of DNS records. |
@PH-Apolonio hey hey could you climb that? |
Guys, traffic manager is not vulnerable since at least 2 years. |
Hello Guys, hope you're all good!. |
If I have a subdomain point to third azurewebsites like example.example.azurewebsites.net |
Yes, it is still vulnerable. However, the number of vulnerable assets will decrease daily due to the following protection mechanism. Additionally, be careful if you have already taken over the target subdomain because you can't release/delete it if you can't change its CNAME record :)
|
Hi I have a question about the subdomain takeover regarding azure-api.net. I currently have a domain A pointing to xxx.azure-api.net in CNAME, and I have an Azure API Management to xxx.azure-api.net. Originally, it was failing to resolve the name of domain A, but now it can resolve the name, but when I access to domain A, I get a 404 Not Found error and cannot route to the API I prepared for xxx.azure-api.net. Can anyone tell me how to make the routing work or how to create a PoC ? |
same here |
I cannot add a custom domain for azurewebsites.net because it requires TXT verification. please can you help me. How will we get past this situation? |
If you're being asked for a TXT verification it means you can't take it over, the domain is not vulnerable. If you can bypass the TXT verification you can takeover all domains pointing to azurewebsites, therefore making you rich. |
Hi @PatrikHudak I successfully claimed cname for the *cloudapp.net service takeover but got struck to create real poc to showcase to traigers. |
Hey hi , did you find any real working poc ? I’m looking to create sample poc |
@sainath-reddiee if you took over the subdomain but are unable to upload the files (and the subdomains belong to a bbp and not a vdp), hit me up in twitter https://twitter.com/zonduu1 and I should be able to help get a PoC. Some accounts can, some can't create the poc, no idea why |
Hi @marcelo321 unable to ping you in twitter |
Note : |
No I claimed 3 takeovers :) |
@sainath-reddiee can you pls tell process here? |
Only some old accounts can create instances / apps for it, while all
accounts could create profile.
These old accounts will not be able to create after August which will make
cloudapp.net totally deprecated/disabled
6 Tem 2024 Cmt, saat 09:01 tarihinde Harsh-Navgale ***@***.***>
şunu yazdı:
… @sainath-reddiee <https://github.com/sainath-reddiee> can you pls tell
process here?
—
Reply to this email directly, view it on GitHub
<#35 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ALOHNRKWQOKRPQQCYXI2N43ZK6B4DAVCNFSM4FUUY4J2U5DIOJSWCZC7NNSXTN2JONZXKZKDN5WW2ZLOOQ5TEMRRGE3DOMBRGYZQ>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
brother please help me any body can help me i found a subdomain like ---> subdomain.company.com which cname point to ---> subdomain.westus2.cloudapp.azure.com i can create service on azure portal like the name before westus2 (means subdomain name) but when adding custom domain azure want to verify through adding records like CNAME and TXT records so how can i takeover it please any one guide me or tell me @PatrikHudak @codingo @davisfreimanis @ceylanb @CalfCrusher please help and one thing also that i can create resource or service in east region i have created free account in which i have 200 usd credit |
@usmanzahid123999 Go through this blogpost -> https://godiego.co/posts/STO-Azure/ |
enterpriseregistration.test.net. 300 IN CNAME enterpriseregistration.windows.net. is ther any subdomain takeover for enterpriseregistration.test.net ? please reply guys ? |
@pdelteil @codingo @davisfreimanis |
Stop tagging people for answers that are easily searchable. The error
message means the resource is not vulnerable.
…On Thu, Oct 24, 2024, 08:32 SHROUD ***@***.***> wrote:
@pdelteil <https://github.com/pdelteil> @codingo
<https://github.com/codingo> @davisfreimanis
<https://github.com/davisfreimanis>
What is this error could you explain this to me
Screenshot.2024-10-24.at.7.01.43.PM.png (view on web)
<https://github.com/user-attachments/assets/d8a73cbd-2d28-4a80-b4e1-71861162c4f6>
—
Reply to this email directly, view it on GitHub
<#35 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AE2OS74RTPOZZ6WZ3GACNK3Z5DZHLAVCNFSM4FUUY4J2U5DIOJSWCZC7NNSXTN2JONZXKZKDN5WW2ZLOOQ5TENBTGUZTCMBUGY2Q>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
Is the Azure fixed the issue ? Needs to add dns record . |
This is still an edge case.
|
@YusukeJustinNakajima @Memmedyar check custom domains. don't forget to add the custom domain. Additionally, I just took over a subdomain (*.azure-api.net) through Azure API Management, so it is still vulnerable. |
Service name
Microsoft Azure
Proof
There is no general approach for PoC. Microsoft Azure offers multiple services (CloudApp, Azure Websites, etc.) that use different domain names.
General approach in verifying subdomain takeover is to check, whether the Azure domain responds with
NXDOMAIN
DNS status. This is (to my knowledge) the necessary condition of the domain, however it is not sufficient. In other words, not all Azure domains which are used in some CNAME and respond withNXDOMAIN
are vulnerable to subdomain takeover. I personally got a case where Azure portal refused to create a domain even though it responded withNXDOMAIN
.Some H1 reports to prove this point:
As mentioned before, the PoC creation depends on the service in question, however, they generally tend to have similar workflows.
Documentation
These are the domains that are identified as vulnerable. Each of these is used for particular Azure service:
The text was updated successfully, but these errors were encountered: