1
00:00:02,080 --> 00:00:04,930
Hello, everyone, and welcome to this video.

2
00:00:05,650 --> 00:00:11,620
So in this video, we are going to discuss a very, very awesome resource, which is can I take over

3
00:00:11,620 --> 00:00:13,320
XYZ. Now,

4
00:00:13,330 --> 00:00:13,920
what is this?

5
00:00:14,470 --> 00:00:21,130
So it is a complete, comprehensive guide for subdomain takeover, because it is a very, very useful resource

6
00:00:21,190 --> 00:00:28,090
which has been available and which has been used by many security researchers to identify some domain

7
00:00:28,100 --> 00:00:29,930
takeover-based vulnerabilities.

8
00:00:30,310 --> 00:00:37,330
So what exactly is can I take over XYZ? It contains a list of services and how you can claim

9
00:00:37,330 --> 00:00:44,650
the domains as well as the subdomains with dangling DNS records, which basically means the DNS records

10
00:00:44,650 --> 00:00:47,620
which are being pointed to these cloud platforms

11
00:00:47,620 --> 00:00:55,540
but are never claimed, and we as security researchers can easily claim those subdomains or the dangling

12
00:00:55,540 --> 00:00:58,470
DNS record and claim the subdomain as well.

13
00:00:59,580 --> 00:01:06,600
So this comprehensive guide of subdomain takeovers contains 58 fingerprints of different cloud

14
00:01:06,600 --> 00:01:13,500
services, which you can easily take over and prove subdomain takeover-based vulnerabilities or flaws.

15
00:01:14,130 --> 00:01:18,770
Now, there are a few points to know and remember about this

16
00:01:18,780 --> 00:01:21,920
can I take over XYZ comprehensive guide.

17
00:01:22,110 --> 00:01:30,450
The first one is it contains the rich and refined list of services that are running on cloud platforms.

18
00:01:30,840 --> 00:01:34,850
The second point is identification of dangling CNAMEs.

19
00:01:34,890 --> 00:01:42,570
So we are going to identify the vulnerable DNS records that have been written and have been pointed to

20
00:01:42,570 --> 00:01:43,790
these cloud services.

21
00:01:44,970 --> 00:01:51,020
And the third one is the list of fingerprints and the status of takeover that we are going to perform.

22
00:01:51,240 --> 00:01:58,200
So we are going to utilize the fingerprints from this resource and we are going to match and identify

23
00:01:58,410 --> 00:01:59,730
on many subdomains.

24
00:01:59,730 --> 00:02:05,340
If these fingerprints match, then we can successfully claim a subdomain takeover over there.

25
00:02:06,880 --> 00:02:13,390
So now it is practical time, and let's see how this looks and how we can utilize it for

26
00:02:13,390 --> 00:02:14,950
our benefit of subdomain

27
00:02:14,960 --> 00:02:17,480
takeovers. As you can see over here,

28
00:02:17,710 --> 00:02:23,620
this is a repository by EdOverflow in which you can see over here, can I take over XYZ.

29
00:02:23,810 --> 00:02:27,190
Now, first of all, what is subdomain takeover?

30
00:02:27,250 --> 00:02:31,430
You guys are already aware of the subdomain takeover-based vulnerability.

31
00:02:31,510 --> 00:02:38,440
So let me just come to all entries, which contain the fingerprints of all the cloud services.

32
00:02:38,920 --> 00:02:47,170
As you can see here, the engine: the engine stands for the type of subdomain or the type of cloud

33
00:02:47,170 --> 00:02:54,430
service; the status, if it is vulnerable or not; the fingerprint that you need to check in the response

34
00:02:54,430 --> 00:02:55,960
for that particular subdomain.

35
00:02:56,380 --> 00:03:02,020
The discussion contains the discussion of the issues that have been opened by other security researchers,

36
00:03:02,380 --> 00:03:06,750
which also sometimes contains the steps of taking over any subdomain.

37
00:03:07,000 --> 00:03:13,200
And if it is not possible to take over the subdomain, it is also mentioned in the issues section.

38
00:03:13,750 --> 00:03:20,140
The documentation contains the documentation about the cloud platform and how the subdomain takeovers

39
00:03:20,140 --> 00:03:21,190
can be possible.

40
00:03:22,480 --> 00:03:22,950
All right.

41
00:03:22,960 --> 00:03:28,510
So starting with the first one, as you can see, the first one is Acquia, which is not vulnerable,

42
00:03:28,990 --> 00:03:31,010
and the fingerprint is "Website not found".

43
00:03:31,450 --> 00:03:38,110
Now, if the status is not vulnerable, that means a subdomain takeover cannot

44
00:03:38,110 --> 00:03:38,650
be done

45
00:03:38,650 --> 00:03:44,980
on that particular cloud service provider, which means you cannot take over those subdomains which are being hosted by this

46
00:03:44,980 --> 00:03:46,380
platform, which is Acquia.

47
00:03:46,960 --> 00:03:52,570
But if you see the second one, which is Agile CRM, then it is vulnerable, and you will be able to see

48
00:03:52,570 --> 00:03:59,000
a message which says "Sorry, this page is no longer available" in the response of that subdomain.

49
00:03:59,140 --> 00:03:59,650
All right.

50
00:03:59,920 --> 00:04:04,340
So let me show you an example for one of the cloud service providers.

51
00:04:04,720 --> 00:04:11,800
So let's say we look for Heroku, and you can see the cloud service provider is Heroku.

52
00:04:12,130 --> 00:04:15,670
It is an edge case and the fingerprint is "No such app".

53
00:04:15,850 --> 00:04:17,110
Now, what is an edge case?

54
00:04:17,350 --> 00:04:19,270
Should it be vulnerable or not vulnerable?

55
00:04:19,870 --> 00:04:26,950
Now, edge case means that sometimes you will be able to claim those subdomains and it becomes vulnerable,

56
00:04:27,160 --> 00:04:29,270
and sometimes you are not able to do it.

57
00:04:29,770 --> 00:04:30,700
Now, why is this?

58
00:04:30,910 --> 00:04:38,290
Because the cloud service providers have put in some mitigations or some settings in which a few of

59
00:04:38,290 --> 00:04:44,490
the subdomains cannot be successfully claimed by us, and in some cases we can claim them.

60
00:04:44,920 --> 00:04:48,850
So it is considered an edge case. For all the edge cases,

61
00:04:48,850 --> 00:04:55,630
you should at least try once to claim the subdomain, and if you are able to do it, then it can be

62
00:04:55,630 --> 00:04:56,680
a vulnerable subdomain

63
00:04:56,680 --> 00:05:01,570
takeover and you can report it to the target organization. For this,

64
00:05:01,570 --> 00:05:03,730
we are going to utilize Censys.

65
00:05:03,940 --> 00:05:07,930
So as soon as I come on Censys, you can see a search box over here.

66
00:05:08,440 --> 00:05:10,420
You just need to type the fingerprint name.

67
00:05:10,420 --> 00:05:14,200
The fingerprint name, as we saw, was "No such app".

68
00:05:14,200 --> 00:05:16,720
So I need to copy and paste it over here and

69
00:05:16,720 --> 00:05:17,140
write

70
00:05:17,140 --> 00:05:18,630
Heroku in front of it.

71
00:05:19,080 --> 00:05:27,040
Now, what this basically means is Censys has already crawled all the target addresses, web servers,

72
00:05:27,310 --> 00:05:31,350
and has their fingerprints saved in its database.

73
00:05:31,750 --> 00:05:38,290
So we are querying the Censys database for all the web servers which contain these fingerprints

74
00:05:38,500 --> 00:05:42,110
to match a subdomain takeover vulnerability of Heroku.

75
00:05:42,670 --> 00:05:49,540
So this becomes very, very simple and easy for us to identify those target domains or subdomains which are

76
00:05:49,540 --> 00:05:53,200
hosted on Heroku but never claimed on Heroku. All right.

77
00:05:53,410 --> 00:05:57,070
So you can see there are a couple of IP addresses that we have identified.

78
00:05:57,080 --> 00:06:03,880
So by opening each one by one, you can see over here, these are the targets that I have identified

79
00:06:03,880 --> 00:06:04,720
from Censys.

80
00:06:04,930 --> 00:06:12,490
And you can see a message which says "No such app" over here, as you can see, and this is being

81
00:06:12,490 --> 00:06:13,660
served by Heroku.

82
00:06:13,780 --> 00:06:20,380
Now, these domains or these subdomains become automatically vulnerable to subdomain takeovers,

83
00:06:20,920 --> 00:06:23,960
so you can report it to the target organisation.

84
00:06:24,250 --> 00:06:30,490
So this was one of the easiest ways of using can I take over XYZ to identify the fingerprint,

85
00:06:30,490 --> 00:06:37,870
and also you can use Censys to just identify if any targets are vulnerable to subdomain takeovers.

86
00:06:38,260 --> 00:06:44,520
And in a similar way, you can use different methods like subdomain enumeration, and from those

87
00:06:44,530 --> 00:06:51,190
domain enumeration assets or targets that you have identified, you can test subdomain takeover-based

88
00:06:51,190 --> 00:06:51,960
vulnerabilities.

89
00:06:52,240 --> 00:06:53,490
So I hope you guys understood.

90
00:06:53,500 --> 00:06:54,010
Thank you.
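As an added example (not part of the video or of the can-i-take-over-xyz repository), here is a defender-side Python audit that applies the engine / status / fingerprint triage the video describes to an inventory of one's own zone: a host is only a candidate when it has a CNAME, the fetched response body is matched against the fingerprint table, and the status decides the action. The fingerprint table holds only the three entries mentioned in the video; the hostnames, CNAME targets and response bodies are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
# Fingerprint table in the engine / status / fingerprint shape of the
# can-i-take-over-xyz README. Only the three entries from the video are listed.
FINGERPRINTS = [
    ("Acquia",    "Not vulnerable", "Website not found"),
    ("Agile CRM", "Vulnerable",     "Sorry, this page is no longer available"),
    ("Heroku",    "Edge case",      "No such app"),
]

# Defender's action for each status once the fingerprint matches.
TRIAGE = {
    "Vulnerable":     "ALERT: dangling CNAME, delete the record or reclaim the service",
    "Edge case":      "REVIEW: provider sometimes blocks claims, verify by hand",
    "Not vulnerable": "INFO: stale record, clean up, not claimable",
}

@dataclass
class DnsObservation:
    host: str              # subdomain in our own zone
    cname: Optional[str]   # CNAME target, None when the host has no CNAME
    body: str              # HTTP response body fetched from the host

def classify(obs: DnsObservation) -> Optional[Tuple[str, str, str]]:
    """Return (engine, status, triage) when the body carries a known fingerprint,
    else None. Hosts without a CNAME are skipped: this takeover class needs one."""
    if not obs.cname:
        return None
    for engine, status, fingerprint in FINGERPRINTS:
        if fingerprint.lower() in obs.body.lower():   # case-insensitive match
            return engine, status, TRIAGE[status]
    return None

def audit(observations):
    """Map host -> finding for every observation that matches a fingerprint."""
    results = {o.host: classify(o) for o in observations}
    return {h: r for h, r in results.items() if r is not None}
# Constructed sample inventory: hosts, CNAME targets and bodies are made up.
SAMPLE = [
    DnsObservation("app.example.test",  "old-app.provider.test", "<h1>No such app</h1>"),
    DnsObservation("crm.example.test",  "crm.provider.test", "Sorry, this page is no longer available."),
    DnsObservation("blog.example.test", "blog.provider.test", "Website not found"),
    DnsObservation("www.example.test",  None, "No such app"),   # A record only: skipped
    DnsObservation("docs.example.test", "docs.provider.test", "Welcome to our docs"),
]

if __name__ == "__main__":
    for host, (engine, status, action) in audit(SAMPLE).items():
        print(f"{host}: {engine} [{status}] -> {action}")
```

Running it prints one line per matching host; www.example.test is skipped because it has no CNAME even though its body carries a fingerprint, which is the "dangling CNAME" precondition the video stresses.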