Using AzDanglingDnsFinder to find vulnerable DNS names for Azure sub-domain takeover
I recently put together a tool to automate the identification of DNS names that are vulnerable to sub-domain takeover in an Azure pentest scenario. The tool, called AzDanglingDnsFinder, is a response to the growing need for automated security solutions in the cloud.
Why AzDanglingDnsFinder?
During an unauthenticated (black-box) security assessment, manually identifying dangling DNS records that point at Azure services is time-consuming and error-prone. A dangling record is one left behind after the Azure resource it pointed to was deleted: the CNAME still targets the Azure-assigned name, but nothing in Azure owns that name any more. An attacker who can claim the name (for example by creating a resource with the same name) receives the traffic intended for your service and can serve harmful content under your trusted domain. Reports like the ones below show that even established organizations such as the US DoD and Starbucks have been affected:
- https://www.theregister.com/2020/07/07/microsoft_azure_takeovers/
- https://hackerone.com/reports/1457928
- https://hackerone.com/reports/661751
- https://hackerone.com/reports/570651
How AzDanglingDnsFinder Helps
AzDanglingDnsFinder simplifies the process of finding these vulnerable DNS names. It scans for DNS records that point to Azure aliases, checks if they are tied to active Azure resources, and flags any loose ends that could be potential security risks.
Here’s a simple breakdown of how it works:
- Scan DNS Records: The tool checks if the given DNS names have CNAME records that point to Azure services.
- Check Azure Resources: It then checks if the identified sub-domain names are currently linked to an active Azure resource using Azure’s API operations and PowerShell commands.
- Flag and Report: If an Azure sub-domain name is found not tied to an active resource, it is flagged, indicating a potential vulnerability that could be exploited.
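The three steps above, as an added example that is not code from the AzDanglingDnsFinder project. It is a small Python implementation of the same idea: follow each name's CNAME chain, keep only chains that end on an Azure-assigned name, and flag the name when that target no longer resolves, which is the unauthenticated signal that no active Azure resource stands behind it. The zone data, the live-name set and the suffix table are constructed for the example; the DNS lookups are injected as callables so the block runs offline, and a real run would replace them with actual resolver calls and then confirm each hit through the Azure name-availability operations the post describes.

```python
"""Flag CNAMEs that point at Azure service names which no longer resolve."""
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Azure-assigned DNS suffixes a CNAME may point to. Constructed for this
# example and deliberately short; the real tool covers more services.
AZURE_SUFFIXES: Dict[str, str] = {
    ".azurewebsites.net": "App Service",
    ".blob.core.windows.net": "Storage (blob)",
    ".cloudapp.azure.com": "Public IP DNS label",
    ".cloudapp.net": "Classic cloud service",
    ".trafficmanager.net": "Traffic Manager",
    ".azureedge.net": "CDN",
    ".azurefd.net": "Front Door",
}

CnameLookup = Callable[[str], Optional[str]]  # name -> CNAME target, or None
Resolves = Callable[[str], bool]              # name -> True if it has an A/AAAA answer


def normalize(name: str) -> str:
    return name.rstrip(".").lower()


def azure_service(target: str) -> Optional[str]:
    """Return the Azure service a DNS name belongs to, or None if not an Azure alias."""
    t = normalize(target)
    for suffix, service in AZURE_SUFFIXES.items():
        if t.endswith(suffix):
            return service
    return None


def follow_cname_chain(name: str, cname_lookup: CnameLookup, max_hops: int = 8) -> List[str]:
    """Return [name, hop1, hop2, ...], stopping at a non-CNAME name, a loop or max_hops."""
    chain = [normalize(name)]
    while len(chain) <= max_hops:
        nxt = cname_lookup(chain[-1])
        if nxt is None:
            break
        nxt = normalize(nxt)
        if nxt in chain:  # loop guard: a.example -> b.example -> a.example
            break
        chain.append(nxt)
    return chain


def find_dangling(names: Iterable[str], cname_lookup: CnameLookup,
                  resolves: Resolves) -> List[Dict[str, object]]:
    """Step 1: find CNAME chains; step 2: keep chains ending on an Azure name
    and test whether that name still resolves; step 3: report with a flag."""
    findings: List[Dict[str, object]] = []
    for name in names:
        chain = follow_cname_chain(name, cname_lookup)
        if len(chain) < 2:
            continue  # no CNAME at all: out of scope for this check
        terminal = chain[-1]
        service = azure_service(terminal)
        if service is None:
            continue  # chain ends outside Azure: not an Azure takeover candidate
        findings.append({
            "name": chain[0],
            "target": terminal,
            "service": service,
            "chain": chain,
            "dangling": not resolves(terminal),  # no address answer => nothing behind it
        })
    return findings


def resolves_live(name: str) -> bool:
    """Real address check using the stdlib resolver (not used by the offline demo)."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


# Constructed zone and "live" set standing in for real DNS answers.
ZONE: Dict[str, str] = {
    "shop.example.com": "shop-prod.azurewebsites.net",
    "cdn.example.com": "example-cdn.azureedge.net",
    "www.example.com": "example-web.trafficmanager.net",
    "example-web.trafficmanager.net": "web-old.cloudapp.azure.com",
    "blog.example.com": "ghost.example.net",
    "loop.example.com": "loop2.example.com",
    "loop2.example.com": "loop.example.com",
}
LIVE = {"shop-prod.azurewebsites.net", "ghost.example.net"}
NAMES = ["shop.example.com", "cdn.example.com", "www.example.com",
         "blog.example.com", "mail.example.com", "loop.example.com"]


def demo() -> List[Dict[str, object]]:
    """Run the check against the constructed zone (stand-alone, no network)."""
    return find_dangling(NAMES, ZONE.get, lambda n: n in LIVE)


if __name__ == "__main__":
    for f in demo():
        status = "DANGLING" if f["dangling"] else "ok"
        print(f"{status:9} {f['name']} -> {' -> '.join(f['chain'][1:])} [{f['service']}]")
```

An NXDOMAIN on the Azure target is strong evidence but not proof of a takeover: some services answer for names that are reserved or soft-deleted, and a few only become claimable in specific regions. That is why the post's tool follows the DNS step with Azure's own name-availability checks before reporting, and the same confirmation belongs in any real run of this example.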
Starting from a list of public DNS names is the main difference from the earlier Get-DanglingDnsRecords script (https://aka.ms/Get-DanglingDnsRecords), which runs from an authenticated perspective against Azure DNS zones or an uploaded zone file. AzDanglingDnsFinder needs no access to the target's Azure environment and is designed for pentesting use cases.
Open Source and Ready to Use
AzDanglingDnsFinder is open source, and I encourage the community to contribute to its development. Whether you’re securing your own Azure environment or conducting pentests, this tool aims to make the process more efficient.
Find the tool and how to use it on GitHub: https://github.com/davidokeyode/AzDanglingDnsFinder
Stay secure, and check out our affordable cloud design and multi-cloud security courses at https://chariscloud.com/training-and-workshops/