GithubHelp home page GithubHelp logo

Wildcard scan about dnscan HOT 11 OPEN

rbsec avatar rbsec commented on July 4, 2024
Wildcard scan

from dnscan.

Comments (11)

drakylar avatar drakylar commented on July 4, 2024

And the same at 508 string

from dnscan.

rbsec avatar rbsec commented on July 4, 2024

Hi @drakylar,

This isn't actually a bug. The recursive scanning is intentionally run even when a wildcard is present, because a wildcard record doesn't meant that there are no other records for a domain. In fact, most domains that have wildcards will also have other records.

github.com is a good example of this: it has a wildcard record that returns four IP addresses (185.199.109.153, 185.199.111.153, 185.199.110.153 and 185.199.108.153), but then has subdomains such as www.github.com (140.82.121.3) or api.github.com (140.82.121.5) with different IPs.

Any records that return the same IP as the wildcard are ignored, and the only ones that are returned at those with different IP addresses. It's not perfect (as it won't pick up VHOSTS), but it's the best we can do at a pure DNS level.

from dnscan.

drakylar avatar drakylar commented on July 4, 2024

Hi @drakylar,

This isn't actually a bug. The recursive scanning is intentionally run even when a wildcard is present, because a wildcard record doesn't meant that there are no other records for a domain. In fact, most domains that have wildcards will also have other records.

github.com is a good example of this: it has a wildcard record that returns four IP addresses (185.199.109.153, 185.199.111.153, 185.199.110.153 and 185.199.108.153), but then has subdomains such as www.github.com (140.82.121.3) or api.github.com (140.82.121.5) with different IPs.

Any records that return the same IP as the wildcard are ignored, and the only ones that are returned at those with different IP addresses. It's not perfect (as it won't pick up VHOSTS), but it's the best we can do at a pure DNS level.

Hello, yes, it's true. But I have several domains when this utility went into recursion and scanned up to 6th wildcard subdomain level. That was because of bad detection of wildcard ip-addresses. I will check later detection algorythm.

from dnscan.

rbsec avatar rbsec commented on July 4, 2024

@drakylar you can set the max recursion depth with -m or --maxdepth, which should stop it getting stuck for ever. Would that solve your issue?

from dnscan.

drakylar avatar drakylar commented on July 4, 2024

@drakylar you can set the max recursion depth with -m or --maxdepth, which should stop it getting stuck for ever. Would that solve your issue?

Think this will help, but I wanted to minimize false-positive results.

from dnscan.

rbsec avatar rbsec commented on July 4, 2024

I'm not really clear what false positives you're seeing.

So if you scan example.org, and it has a wildcard domain, that gets flagged. Is the issue that if it has recursive wildcards (*.*.example.org that those are being returned? Are they returned as wildcards or actual records?

from dnscan.

drakylar avatar drakylar commented on July 4, 2024

I'm not really clear what false positives you're seeing.

So if you scan example.org, and it has a wildcard domain, that gets flagged. Is the issue that if it has recursive wildcards (*.*.example.org that those are being returned? Are they returned as wildcards or actual records?

The issue was that if subdomain was wildcard (*.example.org) it returned non-existed domain a.example.org and started to scan wildcard subdomains *.a.example.org. So, I thought that there had been some problems with wildcard subdomains enumeration which leads to a lot of false-positive subdomains.

P.S. May be it will be better to add an option to ignore wildcard subdomains bruteforce?

from dnscan.

rbsec avatar rbsec commented on July 4, 2024

Ah, I understand where you're coming from. While I don't think it's technically incorrect to recursively scan a domain that we know has wildcards (as there's nothing stopping it also having default entries), this will be quite slow for domains that have a lot of them. I've added a --recurse-wildcards option to enable that (it's not performed by default) - does that solve the issue?

from dnscan.

drakylar avatar drakylar commented on July 4, 2024

Thanks! Will check it later.

from dnscan.

drakylar avatar drakylar commented on July 4, 2024

One new problem - sometimes DNS server from NX can stuck with response, so it is needed to add to dns.query.udp timeout parameter + I think it will be better to add several retries (line ~ 499).

dns.query.udp(request, nameserver, timeout=5)

from dnscan.

drakylar avatar drakylar commented on July 4, 2024

Two more suggestions

  1. Add availability to make TCP dns requests (cli argument) due to some strange NX-servers with stucked response.
  2. Add availability to select a dictionary for -a alterations argument.

from dnscan.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.