Microsoft Azure #5
Comments
|
I tested this, to make it work I had to create a zone per resource group. Creating a zone on a resource group gave 4 DNS servers, deleting the zone and re-creating it gave the very same DNS servers (I tried multiple times, the same result was observed). |
|
Hi @melardev, yes, you are correct, you do need a new resource group each time to "refresh" which DNS servers it assigns you. Thanks for adding this clarification, I've updated the instructions! |
|
Hi, |
|
I didn't find (and click + New. In the Name) |
|
@mohamed-faris You can try under "create a resource" and look for "DNS zones", but you may have to start a free trial or have a payment method on file to do it. |
|
@indianajson Can you or anyone else confirm this still works? I've made a script and created a DNS zone (in a new RG each time ) 30 times and only got NS names within the 30-36 range. (ns1-30, ns1-31 etc) |
indianajson
added
Edge Case
|
I can confirm. This is still vulnerable. |
How long did it take for you to get the same NS servers? |
|
I think it also depends on the account type. I had a student account where I was only getting ns name between 30-36 everytime. Then I tried with a regular account and I was able to get in within 5-6 tries. |
|
I created my third account (with and without trial) and I still only get high numbers > 30 ... I found a twitter post of shubs explaining how he managed to get high numbers https://twitter.com/infosec_au/status/1559466224794632192
So it is pretty safe to say, that if you either get only high numbers or low numbers on one account. High numbers can maybe be achieved by a trial account. @FalcoXYZ Did you succeed in getting low numbers < 30? |
|
@mheranco never managed to get anything < 30. Even with a new account. |
|
I had success in getting lower numbers. DM me over Twitter if you need to test a takeover |
|
Not getting low numbers anymore :| |
Same. Nowadays I'm getting between 30 and 39. |
|
Appreciate all the comments on this. Do we think the consensus is still Edge Case or Not Vulnerable? |
|
I can confirm that it is still vulnerable. I'm getting between 1-10, and trying to understand the algorithm. |
|
@ceylanb Thanks for sharing. Definitely let us know if you make any headway! |
ServiceMicrosoft AzureStatusEdge CaseNameserverns1-**.azure-dns.com
ns2-**.azure-dns.net
ns3-**.azure-dns.org
ns4-**.azure-dns.info
UPDATEIt seems a lot of people have been having trouble performing Azure takeovers and while it was always a bit hit or miss it seems to have gotten more difficult. For now, this is being re-assigned as an Edge Case until further research can be conducted.
Old ExplanationYou can set up a free account with Microsoft Azure, as long as you provide a credit card on file. Once you are logged in, head over to the DNS Zones and click
+ New. In theNamefield enter the vulnerable (sub)domain. You will automatically be assigned four nameservers as shown above, but you need the numbers to match your vulnerable domain. If the numbers do not match you need to delete the zone and the resource group associated with it before you try again. Simply creating a new zone within the same resource group will typically assign you the same nameservers. This process could take a while, but typically less than 50 attempts will suffice.The text was updated successfully, but these errors were encountered: