indianajson/can-i-take-over-dns

Google Cloud DNS

libertalialtd opened this issue · 14 comments

Service Google Cloud DNS

Status Vulnerable (as of July 2023)

Nameserver

ns-cloud-**.googledomains.com

Explanation

If a domain points to one of the nameservers listed above it is using Google Cloud DNS, a free service. A SERVFAIL error indicates the domain is vulnerable to takeover. To perform the takeover, set up a free Google Cloud account, then navigate to Cloud DNS. Click Create Zone and then enter the (sub)domain name in the field named DNS name. Your new zone will be given four random Google nameservers. These must match the ones on the vulnerable domain. If they do not match, simply delete the zone and create another one; you should be assigned a different random set of Google nameservers. It can take a few attempts to get them to match.

Errors / Issues

  1. If you get an error about domain verification then the domain is not vulnerable.
  2. There have been multiple comments about the fact that this may be patched; this needs to be investigated further and I haven't had time yet.
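A defender-side check for the condition the issue describes, added here as example code that is not part of the can-i-take-over-dns repo: it parses `dig` text output (a constructed sample is embedded) and flags a name whose parent still delegates to ns-cloud shards while the name itself answers SERVFAIL. `parse_dig`, `assess`, `check_live` and the `parent_ns` argument are names chosen for this example; the live variant assumes `dig` is on PATH.

```python
import re
import subprocess
from typing import NamedTuple

# Google Cloud DNS nameservers are ns-cloud-<shard letter><number>.googledomains.com
GCLOUD_NS = re.compile(r"^ns-cloud-([a-e]\d+)\.googledomains\.com\.?$", re.IGNORECASE)

class Delegation(NamedTuple):
    status: str        # RCODE reported by dig, e.g. NOERROR or SERVFAIL
    nameservers: list  # NS targets found in the answer or authority section

def parse_dig(output: str) -> Delegation:
    """Pull the RCODE and every NS target out of the text output of `dig NS <name>`."""
    m = re.search(r"status:\s*([A-Z]+)", output)
    targets = re.findall(r"^\S+\s+\d+\s+IN\s+NS\s+(\S+)", output, re.MULTILINE)
    return Delegation(m.group(1) if m else "UNKNOWN", [t.lower().rstrip(".") for t in targets])

def assess(delegation: Delegation) -> dict:
    """'dangling' = the parent delegates to ns-cloud shards but the name answers SERVFAIL,
    i.e. no zone for it exists at Google any more. The fix is to remove the stale NS
    records at the parent (or recreate the zone on the same shards)."""
    shards = sorted(GCLOUD_NS.match(ns).group(1).lower()
                    for ns in delegation.nameservers if GCLOUD_NS.match(ns))
    if not shards or len(shards) != len(delegation.nameservers):
        verdict = "not-ns-cloud-delegation"   # also covers ns-gcp-private.googledomains.com
    elif delegation.status == "SERVFAIL":
        verdict = "dangling"
    else:
        verdict = "zone-present"
    return {"verdict": verdict, "shards": shards}

def check_live(name: str, parent_ns: str) -> dict:
    """Live check (needs dig): delegation from the parent's NS host, RCODE from a recursive query."""
    def run(*args):
        return subprocess.run(["dig", *args], capture_output=True, text=True).stdout
    parent = parse_dig(run(f"@{parent_ns}", "+norecurse", "NS", name))
    recursive = parse_dig(run("NS", name))
    return assess(Delegation(recursive.status, parent.nameservers))

# Constructed sample dig output: the delegation seen at the parent, and SERVFAIL from the resolver.
SAMPLE_PARENT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; AUTHORITY SECTION:
app.example.com.\t300\tIN\tNS\tns-cloud-b1.googledomains.com.
app.example.com.\t300\tIN\tNS\tns-cloud-c1.googledomains.com.
app.example.com.\t300\tIN\tNS\tns-cloud-d1.googledomains.com.
app.example.com.\t300\tIN\tNS\tns-cloud-e1.googledomains.com.
"""
SAMPLE_RECURSIVE = ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5678\n"
```

Running `assess` over the two samples yields the verdict `dangling` with shards b1, c1, d1, e1, which is exactly the state the issue body calls vulnerable; the owner's remediation is to delete the stale NS records at the parent.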

Is reaching the a* ns server impossible now?
I've tried about 70 times. Only getting b* - e*.

@indianajson Can ns-gcp-private.googledomains.com be taken over?

@molitona I am not sure about this, though the "GC" stands for "Google Cloud" and it may be only for internal testing.

b1bek commented

Can anyone confirm if this still works? I am getting an error saying to verify the domain ownership.

@b1bek This means the parent domain is already taken, so all subdomains of this domain should not be vulnerable.

I just found a subdomain, where the zone can be created. But I also have the problem that I do not get the needed letter "c" in the NS servers. So I think Google has some mitigation in place similar to AWS, where you cannot get the same NS, when they were previously used.

b1bek commented

Yeah, which tool are you using btw?

Ah, that's just a "hacky" bash script I created which uses the gcloud CLI, @b1bek.

Just pushed it on Github you can check it out:
https://github.com/RogueSMG/GCPShardJuggler

Thanks for the tool @RogueSMG, just confirmed it is still vulnerable. Got the expected shards after 75 tries + a few manual creations. Got all of c1, d1, e1 and finally b1.


Thanks for the tool @RogueSMG, just confirmed it is still vulnerable. Got the expected shards after ~70 tries.

Thanks for verifying this is still vulnerable as of July 2023.

GKNSB commented

I was trying to hit e1 shards. After more than 4000 attempts I never got them, only a1, b1, c1, d1. I'll keep looking into it.

jleuth commented

Are you sure this still works? Google DNS doesn't let you delete a zone unless you delete all the records in it first. Maybe I'm just being dumb here but idk.

From the docs: https://cloud.google.com/dns/quotas#name-server-limits
Doesn't this effectively make DNS takeover on GCP an edge-case?

Yes, most GCP takeovers are edge-cases. It's also possible "in theory" to take over a subdomain via dangling A records if the DNS record is pointing to an ephemerally assigned GCP-owned IP address. Once that IP gets released back into the GCP ephemeral IP pool, you "in theory" can take it over by generating VM instances over and over until you get assigned the IP that is still in the target's DNS panel in the Google Cloud Platform management panel. It's very difficult. I wrote some scripts to do this. But I have yet to "prove" that it actually works.

https://github.com/yeti-code/GCP-Genie

Interesting, I've just been doing the same in AWS, but I'm approaching it from the angle of looking at what traffic I get for an Elastic IP and seeing if the host header is a valid domain, then working backwards from that. Happy to collab if you are still working on this.