The post Be careful with any email sent from a microsoft.com domain. Multiple Microsoft subdomains hijacked; 650 domains affected appeared first on Information Security Newspaper | Hacking News.
Microsoft’s lack of interest in this issue, and the possibility that threat actor groups would step in, led researchers at the security firm Vulnerability to hijack some of the exposed subdomains themselves, holding Microsoft accountable for bad DNS practices.
In total, the researchers managed to take control of ten subdomains, including addresses such as:
In addition, participants in an information security training course report that the total number of exposed domains has risen to 670.
In their report, the experts note that it was easy to see where each subdomain was supposed to point, because Microsoft hosts them on Azure; for example, mybrowser.microsoft.com points to browserver.azurewebsites.net. The researchers focused on subdomains that no longer point to a live website.
When Microsoft stops using a particular subdomain, the DNS record is left as it is, so all a threat actor has to do is create an Azure account and register browserver.azurewebsites.net. That lets them host any kind of content on the subdomain, such as websites infested with invasive or malicious advertising, or Microsoft-branded phishing pages built to harvest usernames and passwords from the company’s employees and customers.
Information security training instructors stress that this is a very simple procedure requiring minimal technical knowledge (completing the hijack takes less than an hour), so malicious use of these subdomains is a real threat.
As already mentioned, the company does not appear interested in correcting this cybersecurity threat, even though the researchers say it would be a very simple process for Microsoft. According to the International Institute of Cyber Security (IICS), this is still a good time to secure the exposed subdomains, although cybercriminals entering the scene may be only a matter of time.
The post Find Subdomains of Any Domain With This New Tool appeared first on Information Security Newspaper | Hacking News.
Are you still using command-line subdomain search? There are many methods of finding information about subdomains, but most of them can be time-consuming and disorganized, especially for newcomers to the field of programming. The trend of the moment is using online tools to find information about subdomains. The tool we will be discussing here is FindSubdomain by Spyse.
Spyse is a cybersecurity company which focuses on gathering mass internet data to help users maintain a high level of network security and prevent hacker attacks. This tool, in particular, gives you expanded information on the subdomains of any specified domain. A unique feature of this tool is the map view, which offers a coherent view of the subdomain network. Spyse services are meant to be used all together to enrich data and gain more useful information. We will discuss this further in the blog, but for now, let’s dive into the FindSubdomains tool.
Finding subdomains used to require lots of effort, and Spyse did well to simplify the process. This tool was made for security experts, but it also lends itself quite easily to newcomers to programming. Here’s who can benefit from this tool:
Let’s take a look at some examples.
Security Engineers
Your engineers can use this subdomain finder to monitor vulnerabilities easily, and see network gaps and weaknesses to prevent hacker attacks.
Pentesters
By using FindSubdomains, pentesters significantly improve their workflow and can quickly check endpoints for vulnerabilities, including subdomains in development, open-to-public technical domains, and more.
System Administrators
Sysadmins’ workflow is also greatly improved. They can utilize the subdomain scanner to support their organization’s infrastructure continually. It helps them gather useful information, and overall manage security tasks at a faster rate.
Business Analysts
FindSubdomains empowers analysts with heaps of analytical information on any organization or business in the world. This way, they can evaluate competitors, viewing changes and developments in their network, getting the first glimpse at new features and services way before launch.
We’ve said before that Spyse services are best used in unison. In addition to the subdomain lookup service, Spyse has created 6 unique tools combined under one search engine. These tools are currently in beta testing as Spyse is collecting feedback for further development. Here are the 6 tools developed by Spyse:
These tools are extremely powerful, and this is just a small portion of what they can do. Each tool utilizes filters for easier sorting of information (forget those dreaded command-line methods), and has a friendly user interface.
Spyse gives away 3 free credits for newcomers and a complementary one each month — so feel free to try them out!
The post How to make a Subdomain Takeover Attack appeared first on Information Security Newspaper | Hacking News.
Suppose the subdomain www.testing.com points to a GitHub page. If someone removes https://github.com/test0x01/testing and does not delete the DNS entry that points to this page, someone else can publish content at www.testing.com.
Some hackers use subdomain scraping and brute-force tools such as Sublist3r to find a target’s subdomains, information security professionals say. The DNS records are then verified and/or a screenshot script is used to detect vulnerable subdomains. A subdomain that points to a GitHub page returning a 404 can be an indicator that the page can be claimed on GitHub.
Now we will talk about Sublist3r. Sublist3r is a Python tool designed to enumerate subdomains of websites using OSINT. Information security researchers tell us that it also helps penetration testers and bug hunters collect subdomains for the domain they are targeting. Sublist3r lists subdomains using many search engines, such as Google, Yahoo, Bing, Baidu and Ask. It also enumerates subdomains using Netcraft, VirusTotal, ThreatCrowd, DNSdumpster and reverse DNS.
Experts comment that subbrute was integrated with Sublist3r to increase the possibility of finding more subdomains using bruteforce with an improved word list.
Installation: git clone https://github.com/aboul3la/Sublist3r.git
On the security impact: a subdomain takeover could allow an attacker to publish content on the subdomain, information security experts said. Where the subdomain is a child of the service’s base domain, the attacker can also read and set cookies on the base domain: subdomain.example.com can set cookies for example.com.
We have a real case of a subdomain takeover performed by Frans Rosén on inside.gratipay.com. Researchers tell us that Frans posted a page on a hidden route (login123) instead of publishing content on the landing page. This is the best way to avoid damaging the company’s image.
It is important to remove the DNS entry for a subdomain that points to a deleted service, to make sure no one can take it over.
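As an added illustration (not code from the original posts), the following Python audit flags CNAME records whose target no longer exists in a namespace that anyone can register, which is exactly the stale-record condition behind both the Azure case in the Microsoft post and the GitHub Pages case here. It assumes a BIND-style zone export and uses a constructed liveness table in place of a real DNS/HTTP check; all hostnames are invented except the two provider suffixes named in the posts.

```python
import re

# Constructed zone export excerpt modelled on the two cases in the text: an Azure Web App
# target (Microsoft post) and a GitHub Pages target (takeover post). Names are invented.
ZONE_EXPORT = """\
mybrowser.example.com.  3600 IN CNAME browserver.azurewebsites.net.
docs.example.com.       3600 IN CNAME test0x01.github.io.
www.example.com.        300  IN CNAME www.example.com.cdn.example-cdn.net.
mail.example.com.       3600 IN MX    10 mx1.example.com.
api.example.com.        60   IN A     192.0.2.10
"""

# Constructed stand-in for a liveness check (a DNS lookup plus HTTP probe in a real audit).
TARGET_ALIVE = {
    "browserver.azurewebsites.net": False,   # Azure Web App deleted, name unregistered
    "test0x01.github.io": False,             # GitHub repo deleted, page returns 404
    "www.example.com.cdn.example-cdn.net": True,
}

# Provider suffixes under which an unregistered name can be claimed by anyone with an account.
# Only the two providers the posts mention; a real audit list would be longer.
CLAIMABLE_SUFFIXES = (".azurewebsites.net", ".github.io")

CNAME_RE = re.compile(r"^(\S+)\.\s+\d+\s+IN\s+CNAME\s+(\S+)\.\s*$", re.IGNORECASE)

def parse_cnames(zone_text):
    """Extract (owner, target) pairs from the CNAME lines of a BIND-style zone export."""
    pairs = []
    for line in zone_text.splitlines():
        m = CNAME_RE.match(line.strip())
        if m:
            pairs.append((m.group(1).lower(), m.group(2).lower()))
    return pairs

def classify(target, is_alive):
    """'ok' if the target still exists, 'dangling' if it is gone and claimable, else 'broken'."""
    if is_alive(target):
        return "ok"
    return "dangling" if target.endswith(CLAIMABLE_SUFFIXES) else "broken"

def find_dangling(zone_text, is_alive=lambda host: TARGET_ALIVE.get(host, False)):
    """Return sorted (owner, target) pairs whose record must be deleted or re-pointed."""
    return sorted((o, t) for o, t in parse_cnames(zone_text)
                  if classify(t, is_alive) == "dangling")

if __name__ == "__main__":
    for owner, target in find_dangling(ZONE_EXPORT):
        print(f"remove or re-point: {owner} -> {target}")
```

Records classified as "broken" are also worth cleaning up, but "dangling" ones are the takeover risk and should be removed first.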
The post Different ways of Subdomain enumeration appeared first on Information Security Newspaper | Hacking News.
Methods
Brute force
This is the easiest way. Try millions and millions of words as subdomains and check which ones are alive with a forward DNS request.
Zone transfer aka AXFR
Zone transfer is a mechanism that administrators use to replicate DNS databases, but sometimes the DNS server is misconfigured and this operation is allowed to anyone, revealing every subdomain configured in the zone.
DNS cache snooping
DNS cache snooping is a specific way of querying a DNS server in order to check whether a record exists in its cache.
Reverse DNS
Try to find the domain name associated with an IP address; it’s the opposite of forward DNS.
Alternative names
Once the first round of your recon is finished, apply permutations and transformations (based on another wordlist maybe?) to all subdomains discovered in order to find new ones.
Online DNS tools
There are many websites that allow you to query DNS databases and their history.
SSL Certificates
Request information about all certificates linked to a specific domain, and obtain a list of subdomains covered by these certificates.
Search engines
Search for a specific domain in your favorite search engine then minus the discovered subdomains one by one site:example.com -www -dev
Technical tools/search engines
More and more companies host their code online on public platforms, and most of these services have a search bar.
Text parsing
Parse the HTML code of a website to find new subdomains; this can be applied to every resource of the company, office documents included.
VHost discovery
Try to find any other subdomain configured on the same web server by brute forcing the Host header.
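As an added example (not code from the original post), this Python helper implements the text-parsing and SSL-certificate methods above from a defender’s side, for inventorying the hostnames of your own domain: it pulls candidate hostnames out of HTML, scripts and certificate SAN lists and keeps only those under a given base domain. The sample page fragment and SAN list are constructed and every hostname in them is invented.

```python
import re
from html import unescape

# Constructed sample: a page fragment, an inline script and a certificate SAN list, all
# mentioning hosts under example.com. Every hostname here is invented.
SAMPLE_HTML = """
<a href="https://Shop.example.com:8443/cart">Shop</a>
<img src="//static-cdn.example.com/logo.png">
<script>var api = "https://api-v2.example.com/v2/";</script>
<!-- old host: legacy.intranet.example.com. -->
mailto:helpdesk@support.example.com
<a href="https://example.com.evil-example.net/">not ours</a>
"""
SAMPLE_SANS = ["DNS:*.dev.example.com", "DNS:vpn.example.com", "DNS:example.com", "IP:192.0.2.5"]

# A hostname: optional wildcard label, one or more labels, an alphabetic TLD, optional
# trailing dot. Lookarounds stop matches starting or ending inside a longer token.
HOST_RE = re.compile(r"(?<![\w.-])((?:\*\.)?(?:[a-z0-9-]+\.)+[a-z]{2,63})\.?(?![\w-])", re.I)

def extract_subdomains(text, base_domain):
    """Return the set of hostnames in `text` that sit under `base_domain` (base itself excluded)."""
    base = base_domain.lower().strip(".")
    found = set()
    for m in HOST_RE.finditer(unescape(text)):
        host = m.group(1).lower()
        if host.startswith("*."):
            host = host[2:]                      # wildcard cert entry -> its parent zone
        # endswith("." + base) rejects look-alikes such as example.com.evil-example.net
        if host != base and host.endswith("." + base):
            found.add(host)
    return found

def subdomains_from_sans(san_entries, base_domain):
    """Apply the same filter to certificate Subject Alternative Name entries."""
    names = " ".join(e.split(":", 1)[1] for e in san_entries if e.upper().startswith("DNS:"))
    return extract_subdomains(names, base_domain)

if __name__ == "__main__":
    hosts = extract_subdomains(SAMPLE_HTML, "example.com") | subdomains_from_sans(SAMPLE_SANS, "example.com")
    for h in sorted(hosts):
        print(h)
```

Run the same function over crawled pages, JavaScript bundles and exported office documents, and over SAN lists from a certificate-transparency lookup, then diff the result against your DNS zone to spot hosts you did not know about.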
Tools
Altdns: alternative names brute forcing
Amass: brute force, Google, VirusTotal, alt names
aquatone-discover: Brute force, Riddler, PassiveTotal, Threat Crowd, Google, VirusTotal, Shodan, SSL Certificates, Netcraft, HackerTarget, DNSDB
BiLE-suite: HTML parsing, alt names, reverse DNS
blacksheepwall: AXFR, brute force, reverse DNS, Censys, Yandex, Bing, Shodan, Logontube, SSL Certificates, Virus Total
Bluto: AXFR, netcraft, brute force
brutesubs: enumall, Sublist3r, Altdns
cloudflare_enum: Cloudflare DNS
CTFR: SSL Certificates
DNS-Discovery: brute force
DNS Parallel Prober: DNS resolver
dnscan: AXFR, brute force
dnsrecon: AXFR, brute force, reverse DNS, snoop caching, Google
dnssearch: brute force
domained: Sublist3r, enumall, Knockpy, SubBrute, MassDNS, recon-ng
enumall: recon-ng -> Google, Bing, Baidu, Netcraft, brute force
Fierce: AXFR, brute force, reverse DNS
Knockpy: AXFR, virustotal, brute force
MassDNS: DNS resolver
Second Order: HTML parsing
Sonar: AXFR, brute force
SubBrute: brute force
Sublist3r: Baidu, Yahoo, Google, Bing, Ask, Netcraft, DNSdumpster, VirusTotal, Threat Crowd, SSL Certificates, PassiveDNS
theHarvester: reverse DNS, brute force, Google, Bing, Dogpile, Yahoo, Baidu, Shodan, Exalead
TXDNS: alt names (typo/tld)
vhost-brute: vhost discovery
VHostScan: vhost discovery
virtual-host-discovery: vhost discovery
Online DNS tools
https://hackertarget.com/
https://searchdns.netcraft.com/
https://dnsdumpster.com/
https://www.threatcrowd.org/
https://riddler.io/
https://api.passivetotal.org
https://www.censys.io
https://api.shodan.io
https://www.dnsdb.org/f/
https://www.dnsdb.info/
https://scans.io/
https://findsubdomains.com/
https://securitytrails.com/dns-trails
https://crt.sh/
https://certspotter.com/api/v0/certs?domain=example.com
https://transparencyreport.google.com/https/certificates
https://developers.facebook.com/tools/ct
Search engines
https://www.baidu.com/
https://www.yahoo.com/
https://www.google.com/
https://www.bing.com/
https://www.yandex.ru/
https://www.exalead.com/search/
https://www.dogpile.com/
https://www.zoomeye.org/
https://fofa.so/
Technical tools/search engines
https://github.com/
https://gitlab.com/
https://www.virustotal.com/fr/
DNS cache snooping
nslookup -norecurse domain.com
nmap -sU -p 53 --script dns-cache-snoop.nse --script-args 'dns-cache-snoop.mode=timed,dns-cache-snoop.domains={domain1,domain2,domain3}' <ip>
Other online resources
https://ask.fm/
https://logontube.com/
https://www.sitedossier.com/