by tialaramex
1667 days ago
> how do you scan all the DNS records with their subdomains?

You needn't do this for stuff that would work in these "Hijack" situations. Your target is any link that gets visited, maybe following a bookmark somebody made in 2018, maybe it's linked from some page that was never updated, maybe it's in an email somebody archived. If you're phishing you have one set of preferences, if you're doing SEO you have different preferences (you want crawlers to see it but not too many humans). When anything follows that link, a DNS lookup happens. Most of the world's DNS queries and answers (not who asked, but what is looked up and the answer) are sold in bulk as "passive DNS". You buy a passive DNS feed from one of a handful of big suppliers, or if you're cheap you hijack somebody with money's feed. So, you're working from a pile like:

    www.google.com A 142.250.200.4
    www.bigbank.com CNAME www1.bigbank.com
    www1.bigbank.com A 10.20.30.40
    charts.dft.gov.uk CNAME charts.dft.gov.uk.s3-website-eu-west-1.amazonaws.com

Obviously you can grep out all those S3 buckets and then you ask S3, hey, does charts.dft.gov.uk exist? And it says of course not, so you create charts.dft.gov.uk as an S3 bucket and you win.
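The same "grep the pile for S3 CNAMEs" idea, turned around for a defender: run it over your own zone export or a passive DNS dump and flag every name whose CNAME chain ends at an S3 endpoint but points at a bucket you do not own, so the record can be removed before anyone else registers the bucket. This is an added example, not code from the comment above; the passive-DNS lines, the `OWNED_BUCKETS` inventory and the `example.org` names are constructed, and the chain-following, loop guard and endpoint regexes are my own assumptions about the data format.

```python
import re
from collections import defaultdict

# Constructed sample in the "name TYPE value" pile format from the comment.
SAMPLE_PDNS = """\
www.google.com A 142.250.200.4
www.bigbank.com CNAME www1.bigbank.com
www1.bigbank.com A 10.20.30.40
charts.dft.gov.uk CNAME charts.dft.gov.uk.s3-website-eu-west-1.amazonaws.com
cdn.example.org CNAME static.example.org
static.example.org CNAME assets-example.s3-website.ap-south-1.amazonaws.com
loop.example.org CNAME loop2.example.org
loop2.example.org CNAME loop.example.org
"""

# Hypothetical inventory of buckets the organisation actually owns (constructed).
OWNED_BUCKETS = {"assets-example"}

# S3 bucket names: 3-63 chars of lowercase letters, digits, dots and hyphens.
_BUCKET = r"(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
# Static-website endpoints use "s3-website-<region>" or "s3-website.<region>".
S3_WEBSITE_RE = re.compile(_BUCKET + r"\.s3-website[-.](?P<region>[a-z0-9-]+)\.amazonaws\.com$")
# REST endpoints use "s3.<region>" / "s3-<region>", or the legacy global "s3" host.
S3_REST_RE = re.compile(_BUCKET + r"\.s3(?:[-.](?P<region>[a-z0-9-]+))?\.amazonaws\.com$")


def parse_records(text):
    """Parse 'name TYPE value' lines into {name: [(type, value), ...]}."""
    records = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        name, rtype, value = parts
        records[name.lower().rstrip(".")].append((rtype.upper(), value.lower().rstrip(".")))
    return records


def s3_target(host):
    """Return (bucket, region) if host is an S3 bucket endpoint, else None."""
    for rx in (S3_WEBSITE_RE, S3_REST_RE):  # website form first: it is the more specific one
        m = rx.match(host)
        if m:
            # Legacy global endpoint carries no region; S3 treats it as us-east-1.
            return m.group("bucket"), m.group("region") or "us-east-1"
    return None


def follow_cname(records, name, max_hops=8):
    """Follow CNAMEs from name; return the final hostname (which may lie outside the dataset).

    Returns None on a CNAME loop or a chain longer than max_hops.
    """
    seen = set()
    current = name
    for _ in range(max_hops):
        targets = [v for t, v in records.get(current, []) if t == "CNAME"]
        if not targets:
            return current
        if current in seen:
            return None  # CNAME loop
        seen.add(current)
        current = targets[0]
    return None  # chain too long


def find_s3_aliases(records):
    """Map every name whose CNAME chain ends at an S3 endpoint to (bucket, region)."""
    aliases = {}
    for name in records:
        final = follow_cname(records, name)
        if final is None or final == name:
            continue
        hit = s3_target(final)
        if hit:
            aliases[name] = hit
    return aliases


def dangling_aliases(aliases, bucket_exists):
    """Names whose target bucket does not exist: these records must be removed or re-pointed."""
    return sorted(name for name, (bucket, _region) in aliases.items() if not bucket_exists(bucket))


if __name__ == "__main__":
    recs = parse_records(SAMPLE_PDNS)
    aliases = find_s3_aliases(recs)
    for name, (bucket, region) in aliases.items():
        print(f"{name} -> bucket {bucket!r} ({region})")
    print("dangling:", dangling_aliases(aliases, lambda b: b in OWNED_BUCKETS))
```

`bucket_exists` is deliberately a callable so the offline run can use the constructed inventory; in a real sweep you would back it with your cloud asset inventory or `aws s3api head-bucket --bucket NAME`, and the indirect `cdn.example.org` hit shows why chains have to be followed rather than only grepping for `amazonaws.com` in the CNAME column.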