README
¶
Contents
Route53 Zone Auditor
Crawls records in hosted zones and checks for listening ports to help prevent DNS hijacking. Stale DNS aliases may allow crackers to stand something up at target addresses and masquerade as you.
Only aliases in public zones are audited by default since these pose the most risk in cloud environments. You can optionally enable A and AAAA. MX, NS, SOA, TXT and ACM-related CNAMEs are ignored.
While you can run local scans easily with aws-vault, the ideal place is a pipeline or EC2 instance within AWS. This is because AWS generally blocks anything that looks like "scanning" -- the exception is when scanning your own resources. Be aware of the guidelines. For Route53 zone enumeration in particular, the approach is to leverage APIs vs crawling public DNS infrastructure. The latter violates AWS policy.
Usage
Thanks to spf13/viper and spf13/cobra, configuration can be specified as environment variables, YAML configuration or command line arguments.
By default all public hosted zones in the target account are enumerated, but you can limit to specific zones.
❯ aws-vault exec dev -- ./d -h
Scan for dark (stale) Route53 records
Usage:
d [flags]
Flags:
-a, --all scan A/AAAA records (in addition to aliases)
-c, --config string config file (default "config.yml")
-h, --help help for d
-j, --json json output
-n, --name string report file name (default "report")
-p, --ports strings TCP ports to scan
-t, --timeout int port scan timeout (default 10)
-z, --zones strings zone ids to scan
❯ aws-vault exec dev -- ./d -r custom_report.csv
[status output trimmed]
Writing report: custom_report
❯ cat custom_report.csv
Zone ID,Name,Type,Values (no open ports)
Zabc...,foo.bar.com,CNAME,somehost.somedomain
Zdef...,baz.bar.com,CNAME,anotherhost.somedomain
❯ aws-vault exec dev -- ./d -j -p "80 443" -z "Zabc... Zdef..." -t 5
{
"Zabc...": [
{
"Name": "foo.com",
"Type": "A",
"Alias": true,
"Values": [
"bar.az-1.elasticbeanstalk.com"
],
"Active": [
"baz.az-1.elasticbeanstalk.com:80"
]
},
...
The environment prefix is PKD_.
$ PKD_PORTS="443 4443 8443" PKD_ZONES="ZXXX..." aws-vault exec dev -- ./d
Processing zone ZXXX...
Skipping foo.domain.dev (NS)
Skipping foo.domain.dev (SOA)
Skipping _XXX.foo.domain.dev (ACM)
Scanning bar.az-1.elb.amazonaws.com:80... open.
$ cat report
Zone ID,Name,Type,Results (no open ports)
ZXXX...,foo.domain.dev,Alias,bar.az-1.elb.amazonaws.com
...
TODO
Parallel scanning would speed things up, but potentially look more suspect. Alternate approach may be removing scanning entirely and feeding hosts to an external tool (e.g. nmap).
- Parallel scanning
- More scan types (HEAD, version check, etc.)
- Scan more record types (External NS? Bogus MX?)
Dependencies
References
Documentation
¶
There is no documentation for this package.
Source Files
Directories