Open indianajson opened 3 years ago
melardev
commented
3 years ago I tested this, to make it work I had to create a zone per resource group. Creating a zone on a resource group gave 4 DNS servers, deleting the zone and re-creating it gave the very same DNS servers (I tried multiple times, the same result was observed).
indianajson
commented
3 years ago Hi @melardev, yes, you are correct, you do need a new resource group each time to "refresh" which DNS servers it assigns you. Thanks for adding this clarification, I've updated the instructions!
tolgahand
commented
2 years ago Hi, Although I tried many times, it did not give the address I needed. I needed ns1-03.azure.dns.com. All numbers are out except 03.
mohamed-faris
commented
2 years ago I didn't find (and click + New. In the Name)
indianajson
commented
2 years ago @mohamed-faris You can try under "create a resource" and look for "DNS zones", but you may have to start a free trial or have a payment method on file to do it.
FalcoXYZ
commented
2 years ago @indianajson Can you or anyone else confirm this still works? I've made a script and created a DNS zone (in a new RG each time ) 30 times and only got NS names within the 30-36 range. (ns1-30, ns1-31 etc)
b1bek
commented
1 year ago I can confirm. This is still vulnerable.
FalcoXYZ
commented
1 year ago I can confirm. This is still vulnerable.
How long did it take for you to get the same NS servers?
b1bek
commented
1 year ago I think it also depends on the account type. I had a student account where I was only getting ns name between 30-36 everytime. Then I tried with a regular account and I was able to get in within 5-6 tries.
mheranco
commented
1 year ago I created my third account (with and without trial) and I still only get high numbers > 30 ...
I found a twitter post of shubs explaining how he managed to get high numbers https://twitter.com/infosec_au/status/1559466224794632192
If anyone is wondering how to perform hosted zone takeovers on Azure DNS with a high ns-{number} i.e. 37,38 etc, you can achieve this by signing up to Azure's trial, and then performing your hosted zone takeover.
So it is pretty safe to say, that if you either get only high numbers or low numbers on one account.
High numbers can maybe be achieved by a trial account. But low numbers... ?
@FalcoXYZ Did you succeed in getting low numbers < 30?
FalcoXYZ
commented
1 year ago @mheranco never managed to get anything < 30. Even with a new account.
b1bek
commented
1 year ago I had success in getting lower numbers. DM me over Twitter if you need to test a takeover
b1bek
commented
8 months ago Not getting low numbers anymore :|
pdelteil
commented
1 month ago @mheranco never managed to get anything < 30. Even with a new account.
Same. Nowadays I'm getting between 30 and 39.
indianajson
commented
1 month ago Appreciate all the comments on this. Do we think the consensus is still Edge Case or Not Vulnerable?
ServiceMicrosoft AzureStatusEdge CaseNameserverns1-**.azure-dns.com ns2-**.azure-dns.net ns3-**.azure-dns.org ns4-**.azure-dns.info
UPDATEIt seems a lot of people have been having trouble performing Azure takeovers and while it was always a bit hit or miss it seems to have gotten more difficult. For now, this is being re-assigned as an Edge Case until further research can be conducted.
Old ExplanationYou can set up a free account with Microsoft Azure, as long as you provide a credit card on file. Once you are logged in, head over to the DNS Zones and click
+ New. In theNamefield enter the vulnerable (sub)domain. You will automatically be assigned four nameservers as shown above, but you need the numbers to match your vulnerable domain. If the numbers do not match you need to delete the zone and the resource group associated with it before you try again. Simply creating a new zone within the same resource group will typically assign you the same nameservers. This process could take a while, but typically less than 50 attempts will suffice.