mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-19 14:09:40 +03:00
chore: fix license, add disclaimer, quick start, GitHub topics, issue templates
This commit is contained in:
@@ -0,0 +1,81 @@
|
||||
# API Reference: Hunting for DNS-based Persistence
|
||||
|
||||
## SecurityTrails API
|
||||
|
||||
```bash
|
||||
# Get current DNS records
|
||||
curl -s "https://api.securitytrails.com/v1/domain/example.com" \
|
||||
-H "APIKEY: ${ST_API_KEY}"
|
||||
|
||||
# Get subdomains
|
||||
curl -s "https://api.securitytrails.com/v1/domain/example.com/subdomains" \
|
||||
-H "APIKEY: ${ST_API_KEY}"
|
||||
|
||||
# Historical A records
|
||||
curl -s "https://api.securitytrails.com/v1/history/example.com/dns/a" \
|
||||
-H "APIKEY: ${ST_API_KEY}"
|
||||
|
||||
# Historical NS records
|
||||
curl -s "https://api.securitytrails.com/v1/history/example.com/dns/ns" \
|
||||
-H "APIKEY: ${ST_API_KEY}"
|
||||
|
||||
# WHOIS history
|
||||
curl -s "https://api.securitytrails.com/v1/history/example.com/whois" \
|
||||
-H "APIKEY: ${ST_API_KEY}"
|
||||
```
|
||||
|
||||
## DNS Record Types to Hunt
|
||||
|
||||
| Record | Persistence Risk | Detection |
|
||||
|--------|-----------------|-----------|
|
||||
| A/AAAA | IP hijacking to attacker infra | Compare against baseline |
|
||||
| CNAME | Subdomain takeover via dangling records | Resolve target, check NXDOMAIN |
|
||||
| NS | Full zone delegation hijack | Compare against registrar NS |
|
||||
| MX | Email interception | Monitor for unauthorized MX |
|
||||
| TXT | C2 data exfiltration channel | Check for encoded payloads |
|
||||
| Wildcard (*) | Catch-all subdomain resolution | Test random subdomain resolution |
|
||||
|
||||
## Dangling CNAME Services (Subdomain Takeover)
|
||||
|
||||
| Service | CNAME Pattern | Takeover Method |
|
||||
|---------|---------------|-----------------|
|
||||
| AWS S3 | *.s3.amazonaws.com | Create matching bucket |
|
||||
| GitHub Pages | *.github.io | Create matching repo |
|
||||
| Azure Web Apps | *.azurewebsites.net | Register app name |
|
||||
| Heroku | *.herokuapp.com | Create matching app |
|
||||
| Shopify | *.myshopify.com | Claim custom domain |
|
||||
| CloudFront | *.cloudfront.net | Create matching distribution |
|
||||
|
||||
## dig Commands for Hunting
|
||||
|
||||
```bash
|
||||
# Check all record types
|
||||
dig ANY example.com +noall +answer
|
||||
|
||||
# Test for wildcard records
|
||||
dig A randomtest123.example.com +short
|
||||
|
||||
# Check NS delegation chain
|
||||
dig NS example.com +trace
|
||||
|
||||
# Verify DNSSEC
|
||||
dig DNSKEY example.com +dnssec +short
|
||||
|
||||
# Check for zone transfer (authorized testing only)
|
||||
dig AXFR example.com @ns1.example.com
|
||||
```
|
||||
|
||||
## MITRE ATT&CK DNS Techniques
|
||||
|
||||
| Technique | ID | Description |
|
||||
|-----------|----|-------------|
|
||||
| DNS Hijacking | T1584.001 | Modify DNS records to redirect traffic |
|
||||
| DNS Server | T1583.002 | Acquire DNS server for C2 |
|
||||
| Domain Fronting | T1090.004 | Use CDN to mask C2 |
|
||||
| DNS Tunneling | T1572 | Encode data in DNS queries |
|
||||
|
||||
### References
|
||||
|
||||
- SecurityTrails API: https://securitytrails.com/corp/api
|
||||
- Can I Take Over XYZ: https://github.com/EdOverflow/can-i-take-over-xyz
|
||||
- Passive DNS databases: https://www.farsightsecurity.com/solutions/dnsdb/
|
||||
Reference in New Issue
Block a user