
nsdetect


Commits

List of commits on branch main.
Unverified
39943553eaad7ec86d27c543c69ca33da9d59213

upgrade to clap 4, and bump trust-dns-resolver to 0.22

committed 2 years ago
Verified
5ee6a24945215bec023b77173db3a04333323d06

fix clippy warning, and minimize match statement a bit

alexanderkjall committed 3 years ago
Verified
e2bf1e670a8d81556ccb559377aa9e36eadbb513

some cleanup, and report IO problems as LookupError

alexanderkjall committed 3 years ago
Verified
5af997275f6ec59fb67c6413e84b5c0175217a8b

also add documentation line

alexanderkjall committed 3 years ago
Verified
b08446d661652315637e85249f2553b17d6d2463

prepare for 0.2.0 release

alexanderkjall committed 3 years ago
Verified
453b27ccf095f0061ea9e26863765316679872e7

add support for choosing what nameserver the queries goes against, with the --name-server option

alexanderkjall committed 3 years ago

README

The README file for this repository.

NSDetect: A Rust Utility To Detect AWS NS Takeover


This is a rewrite of NSDetect in Rust, since the original tool requires Python 2, which is increasingly hard to use on a modern Linux distribution.

Installation

Prerequisites

  • Cargo installed, for example via rustup

Installation

cargo install nsdetect

Reading Suggestions

  • If you are unaware of AWS NS Takeover and want to know more about it, read this Medium story, which describes the misconfiguration and provides a walkthrough for automated exploitation.
  • If you are already aware of NS Takeover, have a look at this Medium story, which provides a detailed walkthrough of NSDetect.

Usage

The program takes a file containing a list of domains as input, checks each one (skipping duplicates) for this vulnerability, and finally reports a list of vulnerable domains. For help, run it with the -h or --help option as shown below:

nsdetect -h

The input file should simply be a list of domains, one per line.

Once we have done sufficient recon on the target and prepared the list of domains/subdomains, we can pass that list to the tool to scan each domain in it. Use the -i or --input option to provide the input file, as shown below:

$ nsdetect -i ~/Desktop/temp.csv
example.com: false

Or use -d to specify just one domain.

$ nsdetect -d example.com
example.com: false

Or pipe the domains to nsdetect.

$ echo "example.org
example.com" | nsdetect
example.org: false
example.com: false

Use the --async option to do the lookups asynchronously.

$ cat /tmp/domains | nsdetect -a
example.org: false
example.com: false
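
For monitoring domains you own, the file-input usage above can be wrapped in a scheduled check that fails when any domain is flagged. This is an added example, not part of the nsdetect project: the function names are hypothetical, and it assumes a vulnerable domain is printed as "<domain>: true", the counterpart of the "false" lines shown above.

```sh
#!/bin/sh
# Added example, not part of nsdetect. All function names are hypothetical.
# Assumption: nsdetect reports a vulnerable domain as "<domain>: true".

# normalize_domains: read a raw domain inventory on stdin and print one
# lowercase domain per line, without comments, blank lines, CRs or trailing dots.
normalize_domains() {
    tr -d '\r' | tr '[:upper:]' '[:lower:]' |
        sed -e 's/#.*$//' -e 's/[[:space:]]//g' -e 's/\.$//' -e '/^$/d' |
        sort -u
}

# flagged_domains: read nsdetect output on stdin and print only the
# domains whose result field is "true".
flagged_domains() {
    awk -F': ' '$NF == "true" { print $1 }'
}

# audit_domains FILE: scan the inventory in FILE with "nsdetect -i".
# Returns 0 if nothing is flagged, 1 if at least one domain is flagged,
# 2 if the scan itself could not be run.
audit_domains() {
    list=$(mktemp) || return 2
    normalize_domains < "$1" > "$list"
    out=$(nsdetect -i "$list") || { rm -f "$list"; return 2; }
    rm -f "$list"
    hits=$(printf '%s\n' "$out" | flagged_domains)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits" | sed 's/^/flagged by nsdetect: /' >&2
    return 1
}

# Typical use from cron or CI (path is a placeholder):
#   audit_domains /path/to/owned-domains.txt || exit 1
```

Because status 2 is kept separate from status 1, a resolver or I/O failure is not mistaken for a clean result or for a finding.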

For the takeover of the vulnerable domains, we can use NSBrute, which requires AWS programmatic access:

python NSBrute.py -d vulnerabledomain.com -a ThisIsNotMyAccessKey -s ThisIsNotMySecretKet

Note: While you are doing the POC for NSDetect locally, keep in mind that DNS propagation issues might lead to unexpected results. You may need to allow sufficient time for DNS changes to propagate. If you still observe the problem, feel free to raise an issue and we can fix it together!