bp0lr / dmut

A tool to perform permutations, mutations and alteration of subdomains in golang.
MIT License

For some weird reason dmut won't work for some domain names #9

Closed NagliNagli closed 3 years ago

NagliNagli commented 3 years ago
dmut -u github.com -d ~/.config/wordlists/mutation -w 150 --dns-timeout 300 --dns-retries 3 --dns-errorLimit 1500000 --show-stats

Didn't run ^

dmut -u galnagli.com -d ~/.config/wordlists/mutation -w 150 --dns-timeout 300 --dns-retries 3 --dns-errorLimit 1500000 --show-stats

Worked ^

bp0lr commented 3 years ago

This happens because github.com has a DNS wildcard enabled. This means every subdomain returns a NOERROR response, making it impossible to distinguish valid from invalid.


NagliNagli commented 3 years ago

So every domain with noerror can't be permuted?

bp0lr commented 3 years ago

Not exactly. dmut is in the end just a brute force tool trying to find NOERROR domains using permutations.

In this case, github.com returns a NOERROR to every single request, so for dmut everything will be valid. To avoid this false-positive behavior, dmut comes with an anti-wildcard mechanism.

Regarding your question, NOERROR is just a response from the DNS server saying that an entry exists for the queried subdomain.
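The anti-wildcard mechanism discussed above, as an added Go example that is not dmut's own code: DetectWildcard probes random labels under the parent and records their answers as a fingerprint, and BruteForce keeps only candidates that resolve to something outside that fingerprint. The Resolver type, FakeZone and the 203.0.113.x addresses are constructed for this example so it runs without network access.

```go
package main

import (
	"fmt"
	"math/rand"
	"strings"
)

// Resolver is an injectable lookup: A records plus whether the reply was NOERROR.
type Resolver func(name string) (ips []string, noerror bool)
// DetectWildcard queries random labels under parent; if every probe answers
// NOERROR the zone is wildcarded and the union of the answers is its fingerprint.
func DetectWildcard(r Resolver, parent string, probes int) map[string]bool {
	fp := map[string]bool{}
	for i := 0; i < probes; i++ {
		ips, ok := r(fmt.Sprintf("%x.%s", rand.Int63(), parent)) // random label
		if !ok {
			return nil // one NXDOMAIN means no wildcard at this level
		}
		for _, ip := range ips {
			fp[ip] = true
		}
	}
	return fp
}
// BruteForce keeps NOERROR candidates; under a wildcard only those returning at
// least one IP outside the fingerprint survive, which filters the noise.
func BruteForce(r Resolver, candidates []string, fp map[string]bool) []string {
	hits := []string{}
	for _, c := range candidates {
		ips, ok := r(c)
		keep := ok && len(fp) == 0
		for _, ip := range ips {
			keep = keep || (ok && !fp[ip])
		}
		if keep {
			hits = append(hits, c)
		}
	}
	return hits
}
// FakeZone is a constructed resolver for a wildcarded domain: every name under
// wild.example answers NOERROR with 203.0.113.1 except app-api, a real host.
func FakeZone(name string) ([]string, bool) {
	if name == "app-api.wild.example" {
		return []string{"203.0.113.7"}, true
	}
	if strings.HasSuffix(name, ".wild.example") {
		return []string{"203.0.113.1"}, true
	}
	return nil, false
}
```

Run against FakeZone, DetectWildcard returns the single wildcard address and BruteForce keeps app-api.wild.example while dropping the permutations that only hit the wildcard.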

NagliNagli commented 3 years ago

I see,

How do you manage to run it in a fairly reasonable time?

I tried to deploy it with 50 axiom box instances on a ~40k list, it didn't end.

Though in your docs I saw that you used it on whole BB scopes.

My mutation file is ~half of yours.

This is my command:

dmut -d wordlist -w 150 --dns-timeout 300 --dns-retries 3 --dns-errorLimit 1500000 --show-stats -o output

bp0lr commented 3 years ago

Two things to keep in mind here.

1) If you are running dmut against a main domain, then you are using dmut like a basic brute force tool. This is because there is no permutation to be executed.

./dmut github.com -d subs.txt

will test subs.txt one by one trying to find a NOERROR response.

2) dmut was created to brute force permutations of subdomains. ./dmut app.github.com -d subs.txt will test the permutations that you have against the subdomain, using the different permutation options. Example: perm.app.github.com perm-app.github.com app-perm.github.com app-perm01.github.com etc.

Having this in mind, dmut creates something like 15 permutations for each dictionary line, so if you have 100 lines x 15 = 1500 permutations to be tested on each subdomain. 40k subdomains x 1500 = 60.000.000 queries.

Running dmut on 50 instances, that is like 1.200.000 queries for each instance (that's a loooooot).

I know there is a problem running dmut against a large list because permutation jobs are generated in memory, and if your machine has low specs this could end in a crash. I hope to have some free time to fix it this week.

NagliNagli commented 3 years ago

Well, 1m queries is not that much; it takes 3 minutes with puredns to bruteforce that number.

NagliNagli commented 3 years ago

And thanks for your answers!

bp0lr commented 3 years ago

Well, 1m queries is not that much; it takes 3 minutes with puredns to bruteforce that number.

It's pretty clear why it is so fast.

From the puredns description:

Unfortunately, the results are only as good as the answers provided by the public resolvers used. They are often polluted by DNS poisoned entries. Wildcard subdomains are also a pain to deal with, as they add a lot of noise to the list of resolved subdomains.

NagliNagli commented 3 years ago

You quoted the wrong tool

https://github.com/d3mondev/puredns

this is the one

I actually used its wildcard method to filter some wildcards that dmut missed. The only problem with that tool is that it doesn't support permutation, but when I just permute with dnsgen and feed 70M records to puredns it's pretty fast (and it's in Python), so it's probably possible for you to speed it up as well :D

bp0lr commented 3 years ago

You quoted the wrong tool

https://github.com/d3mondev/puredns

this is the one


I actually used its wildcard method to filter some wildcards that dmut missed. The only problem with that tool is that it doesn't support permutation, but when I just permute with dnsgen and feed 70M records to puredns it's pretty fast (and it's in Python), so it's probably possible for you to speed it up as well :D

It would be great to have some examples to test against dmut. I'm always open to working on improving speed.

thanks

NagliNagli commented 3 years ago

Hi, you actually highlighted the part where he says why massdns alone is bad and the motivation for creating puredns. For now the only problem I have with dmut is that it seems way slower than puredns, and given the fact that you run it with Go versus Python you should win. puredns also deals with wildcards, so generally the output of puredns is the one I trust over ~450 bounty programs in my automation. I really wanted to add a lightweight tool like dmut to generate permutations non-stop.

bp0lr commented 3 years ago

Can you give me an example to work with? You mentioned some domains where dmut fails to check wildcards, for example, or something to check against puredns and compare results.

thanks