Unveiling more attack surface using matching NS records

Discover hidden domains for bug bounty targets by analyzing NS records and using an API to lookup matching domains.

Hey everyone!

I'm always on the lookout for new techniques to expand the attack surface for my bug bounty targets. While reviewing my old notes, I came across a very interesting and, as far as I know, unique method for discovering domain names owned by companies.

Short introduction

Every domain has its own NS (Name Server) records. These records tell the Internet which name servers are authoritative for the domain, i.e. where to look to find the domain's IP address. Companies often own multiple domains, many of which do not include the company's name in their URLs. However, we can uncover these domains by performing a reverse search on their Name Servers. It's quite cool!

PoC || GTFO

Let’s get hands-on! For this example, I’ll be using hackerone.com as the target. First, we need to retrieve the Name Server (NS) records for hackerone.com. This can be done using the dig tool:

dig ns hackerone.com

This command returns two NS records in the ANSWER section:

;; ANSWER SECTION:
hackerone.com.          86400   IN      NS      a.ns.hackerone.com.
hackerone.com.          86400   IN      NS      b.ns.hackerone.com.

The NS records returned are a.ns.hackerone.com and b.ns.hackerone.com. These are unique to our target company, which is a fortunate scenario for us. However, in some cases, you might encounter shared Name Servers, such as those provided by Akamai. When that happens, it becomes nearly impossible to determine which domains belong to a specific company.

Let's continue! We can use these two name servers with the sharedns.asp.gg API to find out what other domains are served by the same NS records:

curl -s -H 'Content-Type: application/json' --data-raw '{"name_servers":["a.ns.hackerone.com","b.ns.hackerone.com"]}' https://sharedns.asp.gg/api/v1/search | jq

This query, in my case, returned a total of 815 unique domain names. Here are a few examples:

breaker101.com
wearehackebone.com
theinternetbugbounty.com
inverselink.com
together-we-hit-harder.com
zerodaily.net

and many other cool ones! Go give it a try yourself!
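The two commands above, glued together as an added Python example (not code from the original post or from the sharedns.asp.gg project): it parses the ANSWER section that dig prints into a clean NS list, builds exactly the JSON body the curl command sends, and applies a heuristic I'm assuming for the shared-vs-dedicated question from the post, namely that name servers living under the target's own apex can be attributed to that organisation. The dig output is a constructed sample and the script sends nothing over the network.

```python
import json
import re

# Constructed sample input: the ANSWER section that `dig ns hackerone.com`
# printed in the post (lines outside the answer section are ignored).
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
hackerone.com.          86400   IN      NS      a.ns.hackerone.com.
hackerone.com.          86400   IN      NS      b.ns.hackerone.com.

;; Query time: 20 msec
"""

# One resource record line as dig prints it: owner  TTL  class  type  rdata
NS_LINE = re.compile(r"^(?P<owner>\S+)\s+\d+\s+IN\s+NS\s+(?P<ns>\S+)\s*$")


def parse_ns_records(dig_output: str) -> list[str]:
    """Return the NS targets from dig output, lower-cased, without the
    trailing dot, de-duplicated and sorted (the form the API expects)."""
    found = set()
    for line in dig_output.splitlines():
        m = NS_LINE.match(line.strip())
        if m:
            found.add(m.group("ns").lower().rstrip("."))
    return sorted(found)


def build_sharedns_payload(name_servers: list[str]) -> str:
    """JSON body for POST https://sharedns.asp.gg/api/v1/search, identical
    to the --data-raw argument of the curl command in the post."""
    return json.dumps({"name_servers": name_servers}, separators=(",", ":"))


def ns_dedicated_to(name_servers: list[str], apex: str) -> bool:
    """Heuristic (my assumption, not from the post): if every name server
    lives under the target's own apex, API hits can be attributed to that
    organisation; shared provider name servers (e.g. Akamai) cannot."""
    apex = apex.lower().rstrip(".")
    return bool(name_servers) and all(
        ns == apex or ns.endswith("." + apex) for ns in name_servers
    )


if __name__ == "__main__":
    servers = parse_ns_records(SAMPLE_DIG_OUTPUT)
    print("NS records:", servers)
    print("dedicated to hackerone.com:", ns_dedicated_to(servers, "hackerone.com"))
    print("request body:", build_sharedns_payload(servers))
```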

Outro

As you can imagine, this API can be incredibly powerful. For instance, Cloudflare assigns each customer a (mostly) unique set of NS records, which works to our advantage! However, as mentioned earlier, some providers use shared NS records. In those cases, it becomes impossible to determine which domains are owned by a specific company.

I highly recommend exploring this API on your own, as it offers significant potential for uncovering valuable information. However, always use it responsibly! Additionally, keep in mind that I don’t own this API, so exercise caution with any data you send to it.

Cheers! Have fun!🎉

dream big