Microsoft Azure
indianajson opened this issue · 15 comments
Service
Microsoft Azure
Status
Edge Case
Nameserver
ns1-**.azure-dns.com
ns2-**.azure-dns.net
ns3-**.azure-dns.org
ns4-**.azure-dns.info
UPDATE
It seems a lot of people have been having trouble performing Azure takeovers and, while it was always a bit hit or miss, it seems to have gotten more difficult. For now, this is being re-assigned as an Edge Case until further research can be conducted.
Old Explanation
You can set up a free account with Microsoft Azure, as long as you provide a credit card on file. Once you are logged in, head over to the DNS Zones and click + New. In the Name field enter the vulnerable (sub)domain. You will automatically be assigned four nameservers as shown above, but you need the numbers to match your vulnerable domain. If the numbers do not match you need to delete the zone and the resource group associated with it before you try again. Simply creating a new zone within the same resource group will typically assign you the same nameservers. This process could take a while, but typically less than 50 attempts will suffice.
I tested this; to make it work, I had to create a zone per resource group. Creating a zone on a resource group gave 4 DNS servers; deleting the zone and re-creating it gave the very same DNS servers (I tried multiple times, the same result was observed).
Hi @melardev, yes, you are correct, you do need a new resource group each time to "refresh" which DNS servers it assigns you. Thanks for adding this clarification, I've updated the instructions!
Hi,
Although I tried many times, it did not give the address I needed.
I needed ns1-03.azure.dns.com. All numbers are out except 03.
@mohamed-faris You can try under "create a resource" and look for "DNS zones", but you may have to start a free trial or have a payment method on file to do it.
@indianajson Can you or anyone else confirm this still works? I've made a script and created a DNS zone (in a new RG each time) 30 times and only got NS names within the 30-36 range (ns1-30, ns1-31, etc.).
I can confirm. This is still vulnerable.
> I can confirm. This is still vulnerable.
How long did it take for you to get the same NS servers?
I think it also depends on the account type. I had a student account where I was only getting NS names between 30-36 every time. Then I tried with a regular account and I was able to get in within 5-6 tries.
I created my third account (with and without trial) and I still only get high numbers > 30 ...
I found a Twitter post by shubs explaining how he managed to get high numbers: https://twitter.com/infosec_au/status/1559466224794632192
> If anyone is wondering how to perform hosted zone takeovers on Azure DNS with a high ns-{number} i.e. 37,38 etc, you can achieve this by signing up to Azure's trial, and then performing your hosted zone takeover.
So it is pretty safe to say that you get either only high numbers or only low numbers on one account.
High numbers can maybe be achieved by a trial account.
But low numbers... ?
@FalcoXYZ Did you succeed in getting low numbers < 30?
I had success in getting lower numbers. DM me over Twitter if you need to test a takeover
Not getting low numbers anymore :|
@mheranco never managed to get anything < 30. Even with a new account.
Same. Nowadays I'm getting between 30 and 39.
Appreciate all the comments on this. Do we think the consensus is still Edge Case or Not Vulnerable?
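From the zone owner's side, the condition discussed in this issue is a delegation to Azure DNS name servers for which you no longer hold a zone on those same servers. The audit below is an added example, not code from this repository or from any commenter; the sample zone data, the inventory format and the function names are constructed assumptions.

```python
import re
from collections import defaultdict

# Name server pattern listed at the top of this issue: nsN-NN.azure-dns.<tld>
AZURE_NS = re.compile(r"^ns[1-4]-\d+\.azure-dns\.(com|net|org|info)$")

def norm(name):
    return name.rstrip(".").lower()

def parse_delegations(zone_text):
    """Collect NS targets per owner name from zone-file style lines."""
    found = defaultdict(set)
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()   # drop trailing comments
        if "NS" in fields[1:-1]:
            found[norm(fields[0])].add(norm(fields[-1]))
    return dict(found)

def audit(delegations, azure_inventory):
    """azure_inventory maps zone name -> name servers Azure assigned to that
    zone in subscriptions you control (hypothetical export format)."""
    report = {}
    for owner, targets in delegations.items():
        azure_targets = {t for t in targets if AZURE_NS.match(t)}
        if not azure_targets:
            continue                       # not delegated to Azure DNS
        assigned = {norm(n) for n in azure_inventory.get(owner, ())}
        if not assigned:
            report[owner] = "dangling"     # delegated, but no zone of ours
        elif azure_targets <= assigned:
            report[owner] = "ok"           # delegation matches our zone
        else:
            report[owner] = "mismatch"     # our zone sits on other servers
    return report

# Constructed sample data (not real domains or real assignments).
PARENT_ZONE = """\
app.example.com.  3600 IN NS ns1-05.azure-dns.com.
app.example.com.  3600 IN NS ns2-05.azure-dns.net.
old.example.com.  3600 IN NS ns1-33.azure-dns.com.
old.example.com.  3600 IN NS ns2-33.azure-dns.net. ; zone deleted last year
dev.example.com.  3600 IN NS ns1-07.azure-dns.com.
mail.example.com. 3600 IN NS ns1.example.net.
"""
INVENTORY = {
    "app.example.com": ["ns1-05.azure-dns.com.", "ns2-05.azure-dns.net."],
    "dev.example.com": ["ns1-34.azure-dns.com.", "ns2-34.azure-dns.net."],
}

if __name__ == "__main__":
    for name, status in sorted(audit(parse_delegations(PARENT_ZONE), INVENTORY).items()):
        print(f"{status:9} {name}")
```

Any name reported as `dangling` or `mismatch` should have its NS records removed from the parent zone or repointed at the name servers of a zone you actually hold.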