anshumanbh / tko-subs

A tool that can help detect and takeover subdomains with dead DNS records
MIT License

Intercom DKIM records listed as vulnerable #43

Open emilstahl opened 2 years ago

emilstahl commented 2 years ago

tko-subs shows that intercom._domainkey.dandomain.dk is vulnerable and that "dig shows a dead record"; however, this is a false positive, see below

+----------------------------------+--------------------------------------------------------+----------+------------+------------+--------------------------------+
|              DOMAIN              |                         CNAME                          | PROVIDER | VULNERABLE | TAKEN OVER |            RESPONSE            |
+----------------------------------+--------------------------------------------------------+----------+------------+------------+--------------------------------+
| intercom._domainkey.dandomain.dk | c460b03a-4e38-4a0f-9e36-0fba9436fc99.dkim.intercom.io. | intercom | true       | false      | Can't CURL it but dig shows a  |
|                                  |                                                        |          |            |            | dead DNS record                |
+----------------------------------+--------------------------------------------------------+----------+------------+------------+--------------------------------+

There is no A or CNAME

% dig c460b03a-4e38-4a0f-9e36-0fba9436fc99.dkim.intercom.io

; <<>> DiG 9.10.6 <<>> c460b03a-4e38-4a0f-9e36-0fba9436fc99.dkim.intercom.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10655
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;c460b03a-4e38-4a0f-9e36-0fba9436fc99.dkim.intercom.io. IN A

;; AUTHORITY SECTION:
dkim.intercom.io.   120 IN  SOA ns-932.awsdns-52.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; Query time: 57 msec
;; SERVER: 172.64.36.1#53(172.64.36.1)
;; WHEN: Sun Mar 27 12:13:47 CEST 2022
;; MSG SIZE  rcvd: 166

But a valid TXT (DKIM) record

% dig c460b03a-4e38-4a0f-9e36-0fba9436fc99.dkim.intercom.io TXT

; <<>> DiG 9.10.6 <<>> c460b03a-4e38-4a0f-9e36-0fba9436fc99.dkim.intercom.io TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10463
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;c460b03a-4e38-4a0f-9e36-0fba9436fc99.dkim.intercom.io. IN TXT

;; ANSWER SECTION:
c460b03a-4e38-4a0f-9e36-0fba9436fc99.dkim.intercom.io. 300 IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDORqdpAl7oCoXaxT/HIkKbZORtTtlQRuWGqBagmHBea7FYoVr92sGtOqsyhe8NhUlNJfIFEbsi8JS57Dhb8aNekVV+F2es73MTqEh7MH88k6caohDBIqZSTQRxrlQDOIfuipNwigYsYdGqvSsXCdUGkFojKOvQGSgGfmoH39M3aQIDAQAB"

;; Query time: 58 msec
;; SERVER: 172.64.36.1#53(172.64.36.1)
;; WHEN: Sun Mar 27 12:13:49 CEST 2022
;; MSG SIZE  rcvd: 320
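The two dig runs above differ only in the header: both return NOERROR, but the A query has zero answers and the TXT query has one. The Go sketch below is an added example, not tko-subs code and not part of the original report. It parses those header lines and separates a missing name (NXDOMAIN) from a TXT-only name such as a DKIM key. The function names, the result labels and the `digGone` sample are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Header lines copied from the two dig runs in the issue (A query, then TXT).
const digA = ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10655\n" +
	";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1"
const digTXT = ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10463\n" +
	";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1"

// Constructed sample (not from the issue): header for a name that does not exist.
const digGone = ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1\n" +
	";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1"

var headerRe = regexp.MustCompile(`status: ([A-Z]+)[\s\S]*?ANSWER: (\d+)`)

// parseHeader returns the RCODE and answer count from dig's text output.
func parseHeader(out string) (string, int) {
	m := headerRe.FindStringSubmatch(out)
	if m == nil {
		return "", 0 // no header found: the empty RCODE is treated as inconclusive
	}
	n, _ := strconv.Atoi(m[2]) // the regex only captures digits
	return m[1], n
}

// triage classifies a CNAME target from the dig output of its A and TXT queries.
func triage(aOut, txtOut string) string {
	aRcode, aCount := parseHeader(aOut)
	tRcode, tCount := parseHeader(txtOut)
	switch {
	case aRcode == "NXDOMAIN" && tRcode == "NXDOMAIN":
		return "dead" // the name is absent for every record type
	case aRcode != "NOERROR" || tRcode != "NOERROR":
		return "inconclusive" // SERVFAIL, REFUSED, unparsable or mismatched responses
	case aCount > 0:
		return "live" // the target resolves to an address
	case tCount > 0:
		return "txt-only" // no A data, but the name holds TXT (the DKIM case above)
	}
	return "empty" // name exists but has neither A nor TXT data
}

func main() {
	fmt.Println(triage(digA, digTXT))
	fmt.Println(triage(digGone, digGone))
}
```
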