First version of subdomain takeover runbook

2026-02-27 18:52:18 +01:00 · 2021-09-01 16:25:01 +02:00
parent ec9d1d34ae
commit 3a348fc8b0
11 changed files with 810 additions and 187 deletions
--- a/Powershell/Modules/Effectory.Dns/Effectory.Dns/public/VerifyEffectoryDomainResources.ps1
+++ b/Powershell/Modules/Effectory.Dns/Effectory.Dns/public/VerifyEffectoryDomainResources.ps1
@@ -0,0 +1,50 @@
+function VerifyEffectoryDomainResources {
+    <#
+   .SYNOPSIS
+    Find resources in Azure that no longer exist, but have DNS records.
+    .DESCRIPTION
+    Gets all resources that have hostnames.
+    .PARAMETER effectoryDomainPattern
+    The domain pattern to look for when enumerating hosts, e.g. '*.effectory.com'
+    .PARAMETER effectoryResources
+    The resources that currently exist.
+    .PARAMETER effectoryResourcesPrevious
+    The resources that existed previously.
+    #>
+    param(
+        [Parameter(Mandatory)]
+        [string] $effectoryDomainPattern,
+        [Parameter(Mandatory)]
+        [AllowNull()]
+        [EffectoryDomainNameCheck[]] $effectoryResources,
+        [Parameter(Mandatory)]
+        [AllowNull()]
+        [EffectoryDomainNameCheck[]] $effectoryResourcesPrevious
+    )
+
+    [bool] $hasErrors = $false
+
+    # ----------------------------------------------------------------------------------------------------------
+    Write-Information "Comparing found resources with previously stored resources to find records that should've been deleted."
+    foreach ($oldResource in $effectoryResourcesPrevious) {
+        $currentItem = $effectoryResources.Where({$_.DomainName -eq $oldResource.DomainName}, 'First')
+
+        if (($null -eq $currentItem) -or ($currentItem.Count -eq 0)) {
+            # Host name no longer exists, so there should be no DNS record
+            # check
+            Write-Warning "Host name '$($oldResource.DomainName)' no longer exists. Checking DNS record for '$($oldResource.ResourceName)' ($($oldResource.ResourceType))."
+            $CName = DnsResolveHost -domainName $oldResource.DomainName -effectoryDomainPattern $effectoryDomainPattern -externalDNSServer "8.8.8.8"
+            if (($null -ne $CName) -and ($CName -ne "")) {
+                Write-Error "Host name '$($oldResource.DomainName)' no longer exists, but found DNS record '$($CName)' for '$($oldResource.ResourceName)' ($($oldResource.ResourceType))."
+                $hasErrors = $true
+            }
+        }
+        elseif (($oldResource.ResourceName -ne $currentItem.ResourceName) -or ($oldResource.ResourceId -ne $currentItem.ResourceId)) {
+            # found, but does not point to the same resource 
+            # verify the DNS record to make sure it points to this resource
+            Write-Warning "Host name '$($oldResource.DomainName)' was found, but points to another resource. Assuming this was intentional."
+        }
+    }
+
+    $hasErrors
+}