mx-takeover

How to worksFeaturesInstallationUsageRunning mx-takeover

mx-takeover focuses DNS MX records and detects misconfigured MX records. It currently support three technique. These are,

  • MX domains that will expire soon
  • Unregistered MX domains
  • Domains that points to not currently in use by mailgun.

How to works

Attack Scenario

  1. Your company starts using a new service for emails.
  2. Your company’s mx record points to mailgun. (eg: sub.domain.com MX mxa.mailgun.com)
  3. Your company stops using mailgun but does not remove the mx record from DNS
  4. Attacker signs up for the mailgun and claims the domain as theirs. No verification is done by the mailgun, and the DNS-setup is already correctly setup.
  5. Attacker can now read mail that sent associated the domain. (<something>@sub.domain.com)

Limitation Mailgun uses mx records for mail sending, txt records for mail receiving and cname record for tracking. of these records only the DKIM record is unique and generated randomly.

Therefore, can not be sent e-mails on behalf of someone else, but can be read e-mails sent by someone else to associated domain.

Features

mx-takeover

  • Domains deleted in mailgun but MX records held
  • Reclaiming domain automatically
  • Unregistered/expire MX domain
  • MX Domain that will expire soon
  • Domains that used same MX records
  • Saving scan results as json format
  • Support for concurrency

Installation Instructions

mx-takeover requires go1.17 to install successfully. Run the following command to install.

go install -v github.com/musana/[email protected]

Usage

mx-takeover -h

This will display help for the tool.

┌──(root㉿kali)-[/home/mx-takeover]
└─# mx-takeover -h

                     _        _
 _ __ ___ __  __    | |_ __ _| | _____  _____   _____ _ __
| '_ ' _ \\ \/ /____| __/ _' | |/ / _ \/ _ \ \ / / _ \ '__|
| | | | | |>  <_____| || (_| |   <  __/ (_) \ V /  __/ |
|_| |_| |_/_/\_\     \__\__,_|_|\_\___|\___/ \_/ \___|_|

hunting misconfigured MX records
musana.net | @musana

  -check-whois
        Check whois for detecting unregistered mx domain or will be expire soon
  -expire-day int
        Estimated days for expiration (default 30)
  -h    help
  -mailgun-api string
        mailgun api for domain takeover automatically
  -output string
        Save output to file as json
  -show-only-mx
        show only that have mx records
  -v    Print all log
  -w int
        number of worker (default 32)

Running mx-takeover

Takeover & Reclaim

reclaim

Expiring Soon

expiring

Unregistered Domains

unregistered

Save Scan Result

┌──(root㉿kali)-[/home/mx-takeover]
└─# cat sdomain.txt| mx-takeover -check-whois -w 64 --output mx.json

                     _        _
 _ __ ___ __  __    | |_ __ _| | _____  _____   _____ _ __
| '_ ' _ \\ \/ /____| __/ _' | |/ / _ \/ _ \ \ / / _ \ '__|
| | | | | |>  <_____| || (_| |   <  __/ (_) \ V /  __/ |
|_| |_| |_/_/\_\     \__\__,_|_|\_\___|\___/ \_/ \___|_|

hunting misconfigured MX records
musana.net | @musana

[*] Scan Starting Time: 2022-05-23 15:15:22
[!] Mailgun-api was not provided. You should register domain to mailgun manually
[*] 141 domain will be scanned.
[+] Possible Takeover Found! :: backup.acronis.com MX mxa.mailgun.org
[*] Domains that expire in less than 30 days
[*] Scan results was saved to mx.json
[*] End Time: 2022-05-23 15:15:24

┌──(root㉿kali)-[/home/mx-takeover]
└─# cat mx.json| jq .
{
  "google.com": [
    "_cisco-uds._tcp.wordcamp.org"
  ],
  "maximum.nl": [
    "mcdonalds.maximum.nl"
  ],
  "naver.jp": [
    "line.naver.jp"
  ],
  "slgnt.eu": [
    "leveranciersmail.bol.com"
  ],
  "wordpress.net": [
    "_cisco-uds._tcp.wordpress.net"
  ],
  "wordpress.org": [
    "92.wordpress.org",
    "_cisco-uds._tcp.planet.wordpress.org",
    "_cisco-uds._tcp.profiles.wordpress.org",
    "_cisco-uds._tcp.wordpress.org",
    "_cisco-uds.planet.wordpress.org",
    "_cisco-uds.profiles.wordpress.org",
    "93.wordpress.org",
    "94.wordpress.org",
    "95.wordpress.org"
  ]
}

GitHub

View Github