# Dangling DNS: Amazon EC2

## **First Clue - Oct 3rd, 2019**

**Asset**: Private Program \[fig.example.com]

**Report**:

![](/files/-MUqBsZ8hz_HEdodJe_j)

**Details:**

I began by enumerating subdomains using [*Sublist3r*](https://github.com/aboul3la/Sublist3r) when I stumbled upon an interesting subdomain, `fig.example.com` (I have no idea why it was interesting, but it was).

I opened `http://fig.example.com/` in the browser. It showed nothing but a blank page with empty HTML, so I decided to brute force directories using [*Dirsearch*](https://github.com/maurosoria/dirsearch). That is when I found `http://fig.example.com/includes/`, a directory with directory listing enabled.

![](/files/-MUqC5igmMtcR0Da8FrH)

**Response:**

![](/files/-MUqCWkwTH_-HkTS8_5Q)

Then I decided to look for similar issues affecting other subdomains. Soon after, I found two other subdomains, `github.example.com` and `goose.example.com`, with the same issue. How did I figure it out? Simply put, each was redirecting to a different site.

![GET request for https://github.example.com/](/files/-MUqCi8k1s_JF28iZQSD)

Then I checked the DNS records for `github.example.com`, hoping they would help me identify other subdomains with the same issue.

![dig command result for github.example.com](/files/-MUqCrmyb9dRAbRDk91A)

I realized what they all had in common: “Amazon Web Services”.

At this point, I decided to filter subdomains based on their CNAME records. I used this [tool](https://github.com/melbadry9/cname/), which I had written in Python. Then I checked the filtered subdomains for a similar issue; after spending some time on it, I had no luck. I had to take some time out. Then I realized what I had missed: port scanning.

## **Second Clue - Nov 24th, 2019**

**Asset**: Private Program \[emu.example.com]

**Report**:

![](/files/-MUqD6ngSQ47uZSB4UrM)

**Response:**

![](/files/-MUqDGuzFxUsZqOluuhy)

Now I know this program has a severe issue with dangling DNS records.

## **Third Clue - Nov 26th, 2019**

**Asset:** Private Program \[rev.example.com]

**Report:**

![](/files/-MUqDWMkvU1L2Qy3MeFG)

***

## Dangling Record - Dec 26th, 2019

Now I had a list of subdomains with possible dangling DNS records, but no way to be sure that they really were dangling. What can we do?

1. Let’s check the SSL certificate data for `pilot.example.com`. This turned out to be very helpful, as I found an SSL certificate issued for a totally different Org.

![SSL certificate data for pilot.example.com](/files/-MUtQu32kA_NSjtsTlPo)

2. Let’s check Shodan for archived data (SSL certificates, HTML) for `henry.example.com`. Again, the SSL certificate was issued for a different Org.

Shodan Query: `net:54.161.231.55`

![SSL certificate for henry.example.com subdomain](/files/-MUtSCMLBzdf-fY5wN4-)

3. Let’s use Google or Bing dorks such as `ip:54.161.231.55` and check the crawled data.

4. Maybe all you have to do is ask.

![E-mail from security@example.com](/files/-MUtUXFTgZRtj_2WdIPW)

## **Payment Day - Jun 16th, 2020**

**Asset:** Private Program \[ipa01.example.com]

**Report:**

![](/files/-MUtVUCreheuTAgjxaM2)

**Details:**

After monitoring subdomains and confirming that each one had a dangling DNS record before reporting it, the program asked me to supply every possible dangling record so they could confirm them all at once.

![List of subdomains sent in the report](https://miro.medium.com/max/491/1*prZ8tNWb-DFvhQ8KSzRTbQ.png)

It turned out they all had dangling DNS records. Yay!!

## Underlying Issue - Jul 10th, 2020

It all started on Oct 7, 2015, when Matt Bryant [blogged](https://labs.bishopfox.com/tech-blog/2015/10/fishing-the-aws-ip-pool-for-dangling-domains) "Fishing the AWS IP Pool for Dangling Domains" about the AWS IP pool.

> “What happened to that IP tied to that EC2 instance that you just killed? Well, when you terminate an instance, that IP address isn’t put to waste. Instead, it’s reused by other AWS customers. There is a massive pool of IP addresses that are constantly being recycled and trusted by various organizations and people.”

The issue happens when a company points a `CNAME` or `A` record at an EC2 instance's public DNS name or public IP without using an Elastic IP. If the EC2 instance is stopped or terminated and the DNS record is not updated, the subdomain is left with a dangling DNS record. The instance's IP is released back to the AWS IP pool, which means it can be assigned to a new EC2 instance.

### How to find this kind of issue?

Check for `compute.amazonaws.com` or `compute-1.amazonaws.com` in the `CNAME` record.

![](https://miro.medium.com/max/489/1*PZNojgUfM2lW_h-xxrU61A.png)

As mentioned before, make sure the subdomain really has a dangling DNS record before reporting it, to avoid an `N/A` close. Avoid managed bug bounty programs, as they require a PoC file.
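The same check from the defender's side, as an added example that is not part of the original post: audit your own zone export for `CNAME` records pointing at EC2 public hostnames (and `A` records inside EC2 ranges) whose address your account no longer holds. Because an EC2 public DNS name like `ec2-54-161-231-55.compute-1.amazonaws.com` always resolves to the IP embedded in it, resolution alone cannot reveal a dangling record; the assumed inputs are your zone records as `(name, type, value)` tuples, the public IPs from your EC2 inventory, and EC2 prefixes taken from `https://ip-ranges.amazonaws.com/ip-ranges.json`.

```python
import ipaddress
import re

# EC2 public DNS names embed the instance's public IPv4 address, e.g.
# ec2-54-161-231-55.compute-1.amazonaws.com (us-east-1) or
# ec2-1-2-3-4.eu-west-1.compute.amazonaws.com (other regions).
EC2_HOSTNAME = re.compile(
    r"^ec2-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})"
    r"\.(?:[a-z0-9-]+\.compute|compute-1)\.amazonaws\.com\.?$",
    re.IGNORECASE,
)


def ec2_ip_from_hostname(hostname):
    """Return the IPv4 address embedded in an EC2 public DNS name, else None."""
    m = EC2_HOSTNAME.match(hostname.strip())
    return ".".join(m.groups()) if m else None


def audit_zone(records, owned_ips, ec2_prefixes):
    """Flag records that point at EC2 addresses the account does not currently own."""
    owned = {ipaddress.ip_address(ip) for ip in owned_ips}
    nets = [ipaddress.ip_network(p) for p in ec2_prefixes]
    findings = []
    for name, rtype, value in records:
        rtype = rtype.upper()
        if rtype == "CNAME":
            ip = ec2_ip_from_hostname(value)
            if ip is None:
                continue  # not an EC2 public hostname; out of scope here
        elif rtype == "A":
            try:
                addr = ipaddress.ip_address(value.strip())
            except ValueError:
                continue
            if not any(addr in n for n in nets):
                continue  # not inside an EC2 prefix; out of scope here
            ip = str(addr)
        else:
            continue
        if ipaddress.ip_address(ip) not in owned:
            findings.append((name, rtype, value, ip))
    return findings


# Constructed sample inputs (not real inventory); replace with your zone export,
# EC2 inventory, and the EC2 prefixes from ip-ranges.json.
SAMPLE_RECORDS = [
    ("github.example.com", "CNAME", "ec2-54-161-231-55.compute-1.amazonaws.com."),
    ("app.example.com", "CNAME", "ec2-3-120-0-10.eu-central-1.compute.amazonaws.com"),
    ("legacy.example.com", "A", "54.161.231.56"),
    ("www.example.com", "CNAME", "example.github.io"),
]
SAMPLE_OWNED = {"3.120.0.10"}
SAMPLE_EC2_PREFIXES = ["54.160.0.0/13", "3.120.0.0/14"]
```

Records the audit returns are candidates for deletion or for re-pointing at an Elastic IP that the account still holds.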

### Case Studies

* **Asset**: [Transloadit](https://transloadit.com)

![](/files/-MUt_7s-L5ggs2n_K0N3)

* **Asset**: [Avast](https://www.avast.com)

![](/files/-MUt_Ewh_gT8PHi-G1Q3)

* **Asset**: [Amazon](https://hackerone.com/amazonvrp?) (Ironically, Amazon had a similar issue)

![](/files/-MUt_KiO2vkNtcM8xpaU)

* **Asset**: Private Programs

![Private Program #2](/files/-MUta0CqpGmFOJOAMTdV)

![Private Program #3](/files/-MUt_u9Q7waSDRr1dTXJ)

## A piece of advice

* Don’t ignore old research; It might be old but not dead.
* Building trust with security teams is a two-way street.
