can-i-take-over-dns

Microsoft Azure

Open indianajson opened this issue 3 years ago • 14 comments

Service Microsoft Azure

Status Edge Case

Nameserver

ns1-**.azure-dns.com
ns2-**.azure-dns.net
ns3-**.azure-dns.org
ns4-**.azure-dns.info

UPDATE

It seems a lot of people have been having trouble performing Azure takeovers, and while it was always a bit hit or miss, it seems to have gotten more difficult. For now, this is being re-assigned as an Edge Case until further research can be conducted.

Old Explanation

You can set up a free account with Microsoft Azure, as long as you provide a credit card on file. Once you are logged in, head over to the DNS Zones and click + New. In the Name field enter the vulnerable (sub)domain. You will automatically be assigned four nameservers as shown above, but you need the numbers to match your vulnerable domain. If the numbers do not match you need to delete the zone and the resource group associated with it before you try again. Simply creating a new zone within the same resource group will typically assign you the same nameservers. This process could take a while, but typically less than 50 attempts will suffice.

indianajson, Jun 01 '21 00:06
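For auditing your own delegations against the nameserver pattern listed in the issue, here is an added example (not code from the repository or the issue author). The inventory and response codes are constructed, and treating `REFUSED`/`SERVFAIL` as "no nameserver hosts the zone" is an assumption.

```python
import re

# Azure DNS nameserver naming as listed in the issue: nsK-NN.azure-dns.<tld>
AZURE_NS = re.compile(r"^ns([1-4])-(\d+)\.azure-dns\.(com|net|org|info)\.?$", re.I)
EXPECTED_TLD = {"1": "com", "2": "net", "3": "org", "4": "info"}
# Assumption: these response codes mean the nameserver does not host the zone.
NOT_SERVED = {"REFUSED", "SERVFAIL"}


def parse_azure_ns(host):
    """Return (slot, number) for an Azure DNS nameserver name, else None."""
    m = AZURE_NS.match(host.strip())
    if not m or EXPECTED_TLD[m.group(1)] != m.group(3).lower():
        return None
    return int(m.group(1)), m.group(2)


def audit_delegation(zone, ns_status):
    """ns_status maps each delegated nameserver to the rcode it gave for the zone's SOA."""
    azure = {h: p for h in ns_status if (p := parse_azure_ns(h))}
    if not azure:
        return {"zone": zone, "provider": "other", "finding": "out of scope"}
    numbers = sorted({num for _, num in azure.values()})
    unserved = sorted(h for h in azure if ns_status[h].upper() in NOT_SERVED)
    if len(unserved) == len(azure):
        finding = "dangling: delegated to Azure DNS but no nameserver hosts the zone"
    elif unserved:
        finding = "partial: some Azure nameservers do not host the zone"
    else:
        finding = "ok"
    return {"zone": zone, "provider": "azure-dns", "numbers": numbers,
            "unserved": unserved, "finding": finding}


# Constructed inventory: zone -> {delegated nameserver: rcode seen in your own checks}
INVENTORY = {
    "shop.example.com": {"ns1-03.azure-dns.com": "REFUSED", "ns2-03.azure-dns.net": "REFUSED",
                         "ns3-03.azure-dns.org": "REFUSED", "ns4-03.azure-dns.info": "REFUSED"},
    "www.example.com": {"ns1-31.azure-dns.com.": "NOERROR", "ns2-31.azure-dns.net.": "NOERROR",
                        "ns3-31.azure-dns.org.": "NOERROR", "ns4-31.azure-dns.info.": "NOERROR"},
    "mail.example.com": {"ns1.example.net": "NOERROR"},
}


def audit_inventory(inventory=INVENTORY):
    return [audit_delegation(zone, status) for zone, status in inventory.items()]


if __name__ == "__main__":
    for row in audit_inventory():
        print(row)
```

A "dangling" finding on a zone you own is fixed by removing the stale NS delegation at the parent zone or by recreating the zone in your own Azure subscription.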

I tested this; to make it work I had to create a zone per resource group. Creating a zone on a resource group gave 4 DNS servers, deleting the zone and re-creating it gave the very same DNS servers (I tried multiple times, the same result was observed).

melardev, Jun 28 '21 12:06

Hi @melardev, yes, you are correct, you do need a new resource group each time to "refresh" which DNS servers it assigns you. Thanks for adding this clarification, I've updated the instructions!

indianajson, Jun 28 '21 12:06

Hi, although I tried many times, it did not give the address I needed. I needed ns1-03.azure.dns.com. All numbers are out except 03.

tolgahand, Nov 14 '21 17:11

I didn't find (and click + New. In the Name)

mohamed-faris, Jan 15 '22 16:01

@mohamed-faris You can try under "create a resource" and look for "DNS zones", but you may have to start a free trial or have a payment method on file to do it.

indianajson, Jan 15 '22 23:01

@indianajson Can you or anyone else confirm this still works? I've made a script and created a DNS zone (in a new RG each time) 30 times and only got NS names within the 30-36 range (ns1-30, ns1-31, etc.).

FalcoXYZ, Apr 07 '22 16:04

I can confirm. This is still vulnerable.

b1bek, Sep 11 '22 13:09

> I can confirm. This is still vulnerable.

How long did it take for you to get the same NS servers?

FalcoXYZ, Sep 11 '22 14:09

I think it also depends on the account type. I had a student account where I was only getting NS names between 30-36 every time. Then I tried with a regular account and I was able to get in within 5-6 tries.

b1bek, Sep 11 '22 19:09

I created my third account (with and without trial) and I still only get high numbers > 30 ...

I found a Twitter post by shubs explaining how he managed to get high numbers: https://twitter.com/infosec_au/status/1559466224794632192

> If anyone is wondering how to perform hosted zone takeovers on Azure DNS with a high ns-{number} i.e. 37,38 etc, you can achieve this by signing up to Azure's trial, and then performing your hosted zone takeover.

So it is pretty safe to say that you get either only high numbers or only low numbers on one account.

High numbers can maybe be achieved by a trial account. But low numbers... ?

@FalcoXYZ Did you succeed in getting low numbers < 30?

mheranco, Nov 08 '22 14:11

@mheranco never managed to get anything < 30. Even with a new account.

FalcoXYZ, Nov 08 '22 15:11

I had success in getting lower numbers. DM me over Twitter if you need to test a takeover

b1bek, Nov 09 '22 03:11

Not getting low numbers anymore :|

b1bek, Nov 06 '23 21:11