STARS

⭐ STARS ⭐ is a multi-cloud DNS record scanner that aims to help cybersecurity/IT analysts identify dangling CNAME records in their cloud DNS services that could possibly lead to subdomain takeover scenarios.

This is a small tool that uses some of the takeover ideas from can-i-take-over-xyz for defensive purposes in cloud environments. For each CNAME domain registered in a cloud environment, the tool generates takeover factors (factors that could indicate a subdomain takeover scenario) and mitigation factors (factors that possibly mitigate that scenario). The factors identified by this tool should not be taken as definitive proof of a subdomain takeover scenario on a domain, but rather that a domain should be reviewed.

Subdomain takeovers are complex issues that often happen because of a lack of appropriate processes of management/review in DNS zones, which is a common issue in large corporations. This tool can be used to find possible takeover issues in cloud DNS environments which host multiple zones with large record sets.

📚 To learn more about subdomain takeovers:

• OWASP Article - Test for Subdomain Takeover
• HackTricks Article - Domain/Subdomain Takeover

Checks

Currently the tool performs the following checks:

Takeover Factors

• DNS_NXDOMAIN - The target domain resolves as NXDOMAIN
• WEB_NOTFOUND - The target domain returns a 404
• WEB_FINGERPRINT - The page at the target domain contains patterns related to a decomissioned page (such as "isn't available" or "doesn't exist")

Mitigation Factors

• PRIVATE_ZONE - The zone where the source domain is hosted is private
• AZURE_VERIFICATION_TXT - There is a TXT entry for an Azure verification code at asuid.source_domain

Prerequisites

If scanning Azure, AWS or GCP records, the appropriate CLI from the cloud you intend to scan needs to be installed before running the tool:

• Azure CLI
• AWS CLI
• GCloud CLI
• DigitalOcean - no need for CLI
• CloudFlare - no need for CLI

After that, run the following command to install the Python dependencies before running the tool:

$ pip install -r requirements.txt

Usage

AWS Route53

$ aws configure
(Authenticate with your AWS credentials)

$ python stars.py --aws

PS. The recommended way of authenticating to AWS is using AWS IAM Identity Center to authenticate using aws sso login instead of providing an access key with aws configure, but the legacy way is easier to use and more widespread. You can also use IAM roles directly if you intend to run the tool from AWS services such as an EC2 attached to a role via an instance profile.

Azure DNS

$ az login
(Authenticate with your Azure credentials)

$ python stars.py --azure --subscription <SUBSCRIPTION ID>

Google DNS

$ gcloud init
$ gcloud auth application-default login
(Authenticate with your GCP credentials and select your project)

$ python stars.py --gcp

DigitalOcean DNS

$ export DIGITALOCEAN_ACCESS_TOKEN="<YOUR API TOKEN>"
$ python stars.py --digitalocean

CloudFlare DNS

$ export CLOUDFLARE_API_TOKEN="<YOUR API TOKEN>"
$ python stars.py --cloudflare

File DNS

A CSV file can also be used as input for the scan, if your DNS provider is not yet supported and you have a CSV with your CNAME records. The CSV should have the following columns (without a header line):

ZoneName,IsPrivate,RecordType,RecordName,RecordValue

$ python stars.py --file <FILENAME>

Optional flags

• --all-cnames - Run the checks for all CNAME records in the environment, not just the ones in-scope (those known for subdomain takeover risks).
• --dump-records - Just dump all the records without performing any analysis.
• --no-banners - Don't show banners, just the results.
• --no-colors - Disable colorized output.
• --no-table - Disable building results table (just show results line-by-line).
• --output FILE - Write results to FILE.
• --google-dns - Use Google DoH for NXDOMAIN checks (by default it uses your local DNS resolver).
• --nameservers NS1,NS2 - Use custom nameservers for NXDOMAIN checks.

Example

Extending functionality

The scanners package can be used in a standalone manner by other modules by importing the scanner classes from it (e.g. from scanners.awsdns import AWSDNSScanner), instantiating them and running their fetch_records method. The fetch_records of each scanner class is a generator that yields a dictionary for each DNS record in the specified environment in each iteration. Example:

from scanners.awsdns import AWSDNSScanner

scanner = AWSDNSScanner()

for record in scanner.fetch_records():
    print(record)
    """
    "record" is a dict in the format:
    {
        "ZoneName": "DNS name of the zone",
        "Private": True or False indicating whether the zone is private or not,
        "Type": "Type of the record",
        "Name": "Name of the record",
        "Value": "Value of the record",
        ...other environment-specific values...
    }
    """

Other checks against individual cloud DNS records (not just CNAME records) can be implemented using these classes, but since this project is aimed at the specific issue of domain takeover it will be left as future work if anyone is interested in developing other use cases.

Contributing

Contributions are welcome by opening an issue or by submitting a pull request. If you find any bugs please let me know - I don't have many test environments to validate every edge case.

Todo

Some ideas of new features to add that weren't included originally but would be nice to have in the future:

• Option to return the details of the record sets in CSV format
• Improve efficiency by providing an option of doing requests / lookups in parallel
• Option to only dump specific record types
• Also dump more advanced attributes of DNS records and zones in the scanners (TTL, weight, priority, provider-specific attributes, etc)
• Implement a local DB with results from previous executions (maybe)
• Check previously-scanned zones for DNS Takeover (maybe)
• Taking screenshots with a headless browser (maybe)
• Verify whether a domain is public knowledge by scraping with passive tools like Sublist3r (maybe)

Domains Scope

If you run the tool without the --all-cnames flag, it will only report results on CNAMEs pointing to domains in the following scope:

The idea here is to only run the checks against CNAMEs pointing to services that have been seen in subdomain takeover cases. Most of these domains were hand-picked from the vulnerable services documented at the can-i-take-over-xyz project. Feel free to add more domains that could be subject to subdomain takeover to the scope by opening an issue.

License

The MIT License (MIT)

Copyright (c) 2023 Artur Henrique Marzano Gonzaga

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.