Hello, everyone, and welcome to this video. In this video, we are going to see a subdomain takeover for a very, very famous online cloud platform, which is AWS. For those of you who do not know what it stands for, it is Amazon Web Services, one of the biggest platforms that has taken over multiple cloud platforms, then Azure and Google hosted cloud platforms as well. Now, as people have increasingly shifted to these cloud platforms, to a majority of percentage, the chances are that some security misconfigurations may arise. So the higher the number of people migrating to these particular cloud platforms, the higher the number of chances of some security issues that an attacker can compromise, or, for bug bounty hunters like us, we can at least take benefit of that in identifying the vulnerability, helping the company to fix it, and getting a reward in return. All right, so here we are going to identify those particular subdomains which are pointing to the AWS platform, and once we have identified them, we're going to take over those particular subdomains by creating an AWS account and then taking up that particular bucket. All right. Enough of talking. Let's quickly see how we can do this attack and take over AWS-based subdomains. So it is the practical now, and let's see how to do this.
So, for example, over here, I have taken over one of the subdomains of kippt.com. This particular program is an acquisition of Crunchbase. I'm sorry, it's Coinbase. So this particular program is an acquisition of Coinbase. I have identified all the subdomains for this particular target program, and there is a subdomain which is uploads.kippt.com, which I have seen. Is something wrong with this particular subdomain? As you can see over here, the fingerprint is NoSuchBucket. This is the fingerprint for AWS types of subdomain takeovers. Do you remember, in the previous videos for Shopify, we have seen the subdomain takeover fingerprint, and the fingerprint was "only one step left". But for AWS-based fingerprints, or AWS-based subdomain takeovers, you need to see the fingerprint which is NoSuchBucket: the specified bucket does not exist. All right. So we have completed the first step, that is identifying a vulnerable subdomain after the subdomain enumeration. But now, as we have identified this subdomain to be vulnerable, we are going to do a successful takeover. As you can see, I have shown over here that kippt is acquired by Coinbase. For this, I am using the platform Crunchbase to identify the acquisitions for target organizations. All right.
Now, the first step that we have to do is we have to go on to AWS and create a free account. So whenever you create an account on AWS, you have complimentary free access for one year; until then, you are not going to get charged for anything. But when you are making an account on AWS, just for their security reasons, they ask for your card. So you need to add your credit card with them, and after verification your account will be activated. It may take a few hours. It took me six to seven hours for verification of my account, and after that I was able to use my account with no issues. All right, so once you have created your AWS account, you will get one year of free membership to use this particular account. After you have verified, you need to log in to your account, and over there you will be able to see the option which is S3 bucket. So you just need to click on S3 Bucket. And as you can see over here, you will come to the bucket section over there. You need to click on this particular blue button, which is Create Bucket. As you can see over here, once you click on Create Bucket, it will give you a pop-up like this where it is going to ask you to fill in some details.
And you need to complete these four mandatory steps, which are name and region, configure options, permissions, and finally review your settings, that is, what you have done. To make it much more simple, let's quickly see what you need to do and which are some of the configurations which can be left blank. All right. So here you need to put the bucket name, which is the subdomain you want to perform the takeover on. It's pretty simple. Now, the most important thing is to choose the region. Now, you should know that on AWS, the buckets which are made are independent of a region. OK, why am I telling this? Because this is going to come in handy, and you should know this because whenever you make any bucket, so let's say I'm going to take this particular bucket, which is uploads.kippt.com, I have to choose the right region. If I do not choose the right region, then I will get the error that the bucket is hosted, but it is hosted at the incorrect endpoint. Hence we cannot run the website, or basically whatever you put onto this subdomain will not be visible to the public. So for that, you need to choose the right region, which is a very, very important and mandatory step. Now, you may ask, how are we going to know the region for this particular subdomain? It's pretty simple.
So for that, you just need to go to your terminal. And over here you have to type the command, which is dig. And you need to check the name of your subdomain. As you can see, the CNAME of this particular subdomain is s3.amazonaws.com. This basically means the particular subdomain is pointing to an AWS account or the AWS platform. All right. So we know it is pointing to Amazon AWS and an S3 bucket. Now, what are the next steps that we should do? In the next steps, we are going to identify the region for that particular subdomain. So now what I'm going to do is I'm going to type the command nslookup and I'm going to type uploads.kippt.com, and here you can verify the CNAME is again s3.amazonaws.com. All right, so we know it is hosted in S3 on Amazon AWS, but still we have not got the correct region. Now, what should we do to get the region? So we are going to again hit dig for any other subdomain of that target organization. So I'm going to hit dig CNAME for addons.kippt.com, and let's see if we get the region. Perfect. As you can see, we have got the region for this particular subdomain, and you can see it is kippt addons dot s3-website-us-east-1.amazonaws.com. So one thing to notice over here: the region is us-east-1.
Well, let's go over here and identify us-east-1 now. And when you choose us-east-1, you should know what the region name is, because the region name will not be shown over there. So the code is this, the region name is this. So you have to choose North Virginia. Now, how will you know this? This is from the AWS official documentation guide. You will come to know what the code is for which region. So from this guide, we have identified that us-east-1 is North Virginia. Now you can copy settings from an existing bucket if you have already hosted a bucket; if you have not hosted any bucket, just leave this option blank and hit next, and you will be able to create your bucket. Now, as you can see over here, you need to disable "Block all public access", which may result in the bucket and objects within becoming public. So basically, you want to disable this block all public access, and we want to make our buckets publicly accessible. All right. So just hit next and create the bucket. And we are done with creating a bucket. If you do not get any error and you're able to successfully make a bucket, that means your work is done.
Now, over here, you can see when you click on your bucket name, it is uploads.kippt.com, you just need to come to Properties and you need to click on Static website hosting. So once you have clicked on Static website hosting there, you need to give a redirect, which we are going to see in the next steps. First, let's upload a file over here. So let's say I'm going to upload our PoC file, which says "Subdomain takeover by". So I'm going to upload this file, and you just need to click next and give permission, which is grant public read access to the objects. Once you have done this, hit next and hit upload. It will take a few seconds, and you can notice the success and that the file has been successfully uploaded. Now you need to click that file and you have to click Make public. So once you again do make public, it will become publicly accessible. Now, what you can do is you can rename this file as well. So I'm going to rename this file as index.html, which is basically a good thing to do. Do not try to make custom names. Just give the name as index. So I'm going to give that name and save this file. Once I have saved this file, I'm going to again select Make public and click on Make public so the file becomes publicly accessible. Now let's go to Static website hosting.
And over here, we want to host our website through the bucket that we have created. So you need to choose option number two, which is redirect requests, and you need to type the target bucket or domain name. So the domain name that we want is uploads.kippt.com; just put the domain name and the protocol, whatever you want. So we are going to use HTTP, obviously, because there is no SSL certificate installed over there, and I'm going to click on Save. Once we have done this, let's go back to Overview, and you can see there are no changes over here. So this was the most important change that you need to do, that is the static website hosting. Once I click over here, then you will see the object URL. Well, let me click on the object. The object URL shows s3.amazonaws.com slash the bucket name, which is uploads.kippt.com, and there is a file in this bucket, which is index.html, which says this is a subdomain takeover PoC. All right. But we don't want our URL to be something like this, because this is an object URL, a bucket URL. But we need to show the PoC of taking over uploads.kippt.com.
So what you need to do is you need to come back to this page, and you just need to give the reference of the file that you have uploaded. So the file that we uploaded was index.html. So let's give the name of that file and try to fetch it, and let's see if we have full control over the subdomain or not, or whether we were able to successfully take over the subdomain or not. So let me give the name and hit enter, and you can see this is a subdomain takeover PoC. Let me just reload it again, and you can confirm that we are able to successfully take over this particular domain. Yes. So this was it. It looks a little bit tricky, but the steps are very, very simple. And once you do it, it will become very, very simple for you to do it next time. Now, I hope you guys understood how you can do subdomain takeovers for an AWS environment. And through this process, you can take over multiple subdomains and you can create multiple buckets. Remember, there is no restriction on making buckets in the free one-year plan. You can make as many buckets as you want, which means you can make as many proofs of concept as you want for multiple targets. I hope you guys understood how to do this. Thank you.