evyatarmeged / Raccoon

A high performance offensive security tool for reconnaissance and vulnerability scanning
MIT License

Subdomain bruteforcing does not check for wildcards #2

Closed schinkelg closed 6 years ago

schinkelg commented 6 years ago

When the domain you try to bruteforce has a wildcard all entries from the wordlist are 'hits'. Expected behavior would be to test for wildcard and then only consider a different IP result a 'hit'.

evyatarmeged commented 6 years ago

Hi @schinkelg, thank you for pointing that out. Sometimes different domains share the same origin server. In that case, a false negative would occur as they will not be considered a valid subdomain.

I can maybe test for same-IP subdomain hits and if they exceed a certain number, count all of them as false-positives. Nonetheless, false negatives will occur.

Can you think of any workaround for that?

schinkelg commented 6 years ago

I don't believe there is a workaround for false negatives in that scenario. But you can first test for a wildcard using this1willnotexist.domain.com for example. That way you won't have false negatives when a wildcard is not in use. This is the way Fierce(.pl) solves this problem if I'm not mistaken.

evyatarmeged commented 6 years ago

I've implemented a fix in this commit. It solves both the subdomain and URL bruteforcing problems (in addition to wildcard subdomain support, some sites return 200 for non-existent resources as well which breaks URL fuzzing). I'll keep this issue open for another day or two and close it afterward unless you share any further insights.

Much obliged for the suggestion, @schinkelg.
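The two checks discussed in this thread, as an added example that is not Raccoon's code or the commit referenced above: a wildcard DNS probe (resolve a random label under the target, as schinkelg suggests, and discard wordlist hits whose answer matches the wildcard answer) and the analogous "soft 404" baseline for URL fuzzing (request a random path and discard fuzz results whose status and body length match it). The resolver and HTTP fetcher are injected so the example runs offline against a constructed zone and site; `fake_resolve`, `fake_fetch`, `FAKE_ZONE`, `FAKE_SITE` and the 203.0.113.0/24 addresses are all constructed for this example. The test also shows the false negative evyatarmeged describes: `www`, which shares the wildcard IP, is dropped along with the junk.

```python
import random
import string
from typing import Callable, Dict, Optional, Set, Tuple

# --- constructed DNS zone (assumption: stand-in for a real resolver) ---------
# "*.example.test" is a wildcard: every unknown label answers with 203.0.113.10.
FAKE_ZONE: Dict[str, Set[str]] = {
    "www.example.test": {"203.0.113.10"},   # real record that shares the wildcard IP
    "mail.example.test": {"203.0.113.20"},
    "dev.example.test": {"203.0.113.30"},
}
WILDCARD_ANSWER: Set[str] = {"203.0.113.10"}


def fake_resolve(name: str) -> Set[str]:
    """Return the A records for `name`; empty set means NXDOMAIN.
    A real implementation would query DNS here (assumption: constructed data)."""
    if name in FAKE_ZONE:
        return set(FAKE_ZONE[name])
    if name.endswith(".example.test"):
        return set(WILDCARD_ANSWER)
    return set()


def random_label(length: int = 16, rng: Optional[random.Random] = None) -> str:
    """Random lowercase label that is overwhelmingly unlikely to exist (the
    'this1willnotexist' idea from the thread, made unpredictable)."""
    rng = rng or random.Random()
    alphabet = string.ascii_lowercase + string.digits
    return "".join(rng.choice(alphabet) for _ in range(length))


def detect_wildcard(domain: str, resolve: Callable[[str], Set[str]],
                    probes: int = 3) -> Set[str]:
    """Resolve a few random labels under `domain`. Any answer proves a wildcard
    record exists; the union of those answers is the wildcard fingerprint.
    Returns an empty set when no wildcard is in use."""
    ips: Set[str] = set()
    for _ in range(probes):
        ips |= resolve(f"{random_label()}.{domain}")
    return ips


def bruteforce_subdomains(domain: str, words, resolve: Callable[[str], Set[str]]) -> Dict[str, Set[str]]:
    """Wordlist scan that only reports names whose answer differs from the
    wildcard answer. Names that resolve to exactly the wildcard IPs are
    indistinguishable from wildcard noise and are dropped (the false-negative
    case discussed in the issue)."""
    wildcard_ips = detect_wildcard(domain, resolve)
    hits: Dict[str, Set[str]] = {}
    for word in words:
        name = f"{word}.{domain}"
        ips = resolve(name)
        if not ips:
            continue                      # NXDOMAIN: no wildcard, no record
        if wildcard_ips and ips <= wildcard_ips:
            continue                      # identical to wildcard answer: not evidence
        hits[name] = ips
    return hits


# --- constructed HTTP site (assumption: stand-in for real requests) ----------
# Unknown paths get a 200 "soft 404" page, which breaks naive status-code fuzzing.
FAKE_SITE: Dict[str, Tuple[int, str]] = {
    "/admin": (200, "<html>admin panel login</html>"),
    "/robots.txt": (200, "User-agent: *\nDisallow: /private\n"),
}
SOFT_404: Tuple[int, str] = (200, "<html>Sorry, that page could not be found.</html>")


def fake_fetch(path: str) -> Tuple[int, str]:
    """Return (status, body) for `path` (assumption: constructed data)."""
    return FAKE_SITE.get(path, SOFT_404)


def baseline_fingerprint(fetch: Callable[[str], Tuple[int, str]],
                         probes: int = 2) -> Optional[Tuple[int, int]]:
    """Request random paths; if they all return the same (status, body length),
    that pair is the site's 'not found' fingerprint. None means the probes
    disagreed and no reliable baseline exists."""
    seen = {(s, len(b)) for s, b in (fetch("/" + random_label()) for _ in range(probes))}
    return seen.pop() if len(seen) == 1 else None


def fuzz_paths(paths, fetch: Callable[[str], Tuple[int, str]]) -> Dict[str, int]:
    """Report paths whose response differs from the soft-404 baseline."""
    baseline = baseline_fingerprint(fetch)
    found: Dict[str, int] = {}
    for path in paths:
        status, body = fetch(path)
        if status == 404:
            continue
        if baseline is not None and (status, len(body)) == baseline:
            continue                      # looks exactly like the 'not found' page
        found[path] = status
    return found


if __name__ == "__main__":
    print(bruteforce_subdomains("example.test", ["www", "mail", "dev", "ftp"], fake_resolve))
    print(fuzz_paths(["/admin", "/robots.txt", "/backup", "/login"], fake_fetch))
```

Comparing against the set of wildcard IPs rather than a single address matters when the wildcard answers with several A records or round-robins between them; the probe count trades a few extra queries for a more complete fingerprint.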