dnscan icon indicating copy to clipboard operation
dnscan copied to clipboard
verified publisher icon rbsec

Wildcard scan

Open drakylar opened this issue 3 years ago • 11 comments

Hello, there is a bug inside dnscan.py at line 114: add_target(domain) # Recursively scan subdomains

This function must be run only when wildcard = get_wildcard(domain) is empty, so it is needed to add a condition if not wildcard:, or wildcard domain will be added to recursive subdomain scan.

drakylar avatar Jul 29 '22 08:07 drakylar

And the same at 508 string

drakylar avatar Jul 29 '22 08:07 drakylar

Hi @drakylar,

This isn't actually a bug. The recursive scanning is intentionally run even when a wildcard is present, because a wildcard record doesn't meant that there are no other records for a domain. In fact, most domains that have wildcards will also have other records.

github.com is a good example of this: it has a wildcard record that returns four IP addresses (185.199.109.153, 185.199.111.153, 185.199.110.153 and 185.199.108.153), but then has subdomains such as www.github.com (140.82.121.3) or api.github.com (140.82.121.5) with different IPs.

Any records that return the same IP as the wildcard are ignored, and the only ones that are returned at those with different IP addresses. It's not perfect (as it won't pick up VHOSTS), but it's the best we can do at a pure DNS level.

rbsec avatar Jul 31 '22 08:07 rbsec

Hi @drakylar,

This isn't actually a bug. The recursive scanning is intentionally run even when a wildcard is present, because a wildcard record doesn't meant that there are no other records for a domain. In fact, most domains that have wildcards will also have other records.

github.com is a good example of this: it has a wildcard record that returns four IP addresses (185.199.109.153, 185.199.111.153, 185.199.110.153 and 185.199.108.153), but then has subdomains such as www.github.com (140.82.121.3) or api.github.com (140.82.121.5) with different IPs.

Any records that return the same IP as the wildcard are ignored, and the only ones that are returned at those with different IP addresses. It's not perfect (as it won't pick up VHOSTS), but it's the best we can do at a pure DNS level.

Hello, yes, it's true. But I have several domains when this utility went into recursion and scanned up to 6th wildcard subdomain level. That was because of bad detection of wildcard ip-addresses. I will check later detection algorythm.

drakylar avatar Jul 31 '22 11:07 drakylar

@drakylar you can set the max recursion depth with -m or --maxdepth, which should stop it getting stuck for ever. Would that solve your issue?

rbsec avatar Jul 31 '22 11:07 rbsec

@drakylar you can set the max recursion depth with -m or --maxdepth, which should stop it getting stuck for ever. Would that solve your issue?

Think this will help, but I wanted to minimize false-positive results.

drakylar avatar Jul 31 '22 11:07 drakylar

I'm not really clear what false positives you're seeing.

So if you scan example.org, and it has a wildcard domain, that gets flagged. Is the issue that if it has recursive wildcards (*.*.example.org that those are being returned? Are they returned as wildcards or actual records?

rbsec avatar Jul 31 '22 12:07 rbsec

I'm not really clear what false positives you're seeing.

So if you scan example.org, and it has a wildcard domain, that gets flagged. Is the issue that if it has recursive wildcards (*.*.example.org that those are being returned? Are they returned as wildcards or actual records?

The issue was that if subdomain was wildcard (*.example.org) it returned non-existed domain a.example.org and started to scan wildcard subdomains *.a.example.org. So, I thought that there had been some problems with wildcard subdomains enumeration which leads to a lot of false-positive subdomains.

P.S. May be it will be better to add an option to ignore wildcard subdomains bruteforce?

drakylar avatar Jul 31 '22 12:07 drakylar

Ah, I understand where you're coming from. While I don't think it's technically incorrect to recursively scan a domain that we know has wildcards (as there's nothing stopping it also having default entries), this will be quite slow for domains that have a lot of them. I've added a --recurse-wildcards option to enable that (it's not performed by default) - does that solve the issue?

rbsec avatar Jul 31 '22 13:07 rbsec

Thanks! Will check it later.

drakylar avatar Jul 31 '22 14:07 drakylar

One new problem - sometimes DNS server from NX can stuck with response, so it is needed to add to dns.query.udp timeout parameter + I think it will be better to add several retries (line ~ 499).

dns.query.udp(request, nameserver, timeout=5)

drakylar avatar Aug 01 '22 17:08 drakylar

Two more suggestions

  1. Add availability to make TCP dns requests (cli argument) due to some strange NX-servers with stucked response.
  2. Add availability to select a dictionary for -a alterations argument.

drakylar avatar Aug 01 '22 18:08 drakylar