Open stevegriffs opened 1 month ago
Hi @stevegriffs - thanks for opening an issue!
Were there many more than the 5 shown? 5 errors out of 3486 checks isn't too bad.
If there were a bunch, can you try using a different DNS server and/or trying it while connected to a VPN?
I noticed that the DNS server defaults to 8.8.8.8
this tends to time out on certain servers such as azure.com
- I think it is intentionally done to prevent hacking
It fails for pretty much everything in Azure. I tried it again using a different DNS (Cloudflare's 1.1.1.1) and there was a significant reduction in timeouts until it got to the Azure Table Accounts. Then the DNS timeout errors increased to the point it didn't return any results from that point forward.
Is there a way to specify which part of Azure I want to target? Say I only want to target Azure Websites? Or is there a way to spread out the number of DNS queries at a given time? Yes, this might take longer to run, but it might be a way around DNS timeouts.
[+] Checking for Azure Table Accounts
[*] Brute-forcing a list of 3486 possible DNS names
[!] DNS Timeout on emails\
Elapsed time: 00:01:23
[+] Checking for Azure App Management Accounts
[*] Brute-forcing a list of 3486 possible DNS names
[!] DNS Timeout on \
Elapsed time: 00:03:18
[+] Checking for Azure Key Vault Accounts
[*] Brute-forcing a list of 3486 possible DNS names
[!] DNS Timeout on db\
Elapsed time: 00:01:31
[+] Checking for Azure Websites
[*] Brute-forcing a list of 11346 possible DNS names
[!] DNS Timeout on 2017-\
Getting DNS timeouts during execution. Below is the command used, along with a sample output. There were no errors with the Google checks, just Amazon and Azure.
command: ./cloud_enum.py -kf ./enum_tools/\<redacted>_keyfile.txt -m ./enum_tools/\<redacted>_fuzz.txt -t 5 -l ./output.txt
output:
++++++++++++++++++++++++++ amazon checks ++++++++++++++++++++++++++
[+] Checking for S3 buckets
Protected S3 Bucket: http://\<redacted>amazon.s3.amazonaws.com/
Protected S3 Bucket: http://\<redacted>-backup.s3.amazonaws.com/
Protected S3 Bucket: http://client-<redacted>.s3.amazonaws.com/
Protected S3 Bucket: http://\<redacted>-demo.s3.amazonaws.com/
Protected S3 Bucket: http://\<redacted>-images.s3.amazonaws.com/
Protected S3 Bucket: http://\<redacted>-prod.s3.amazonaws.com/
Protected S3 Bucket: http://\<redacted>-production.s3.amazonaws.com/
Protected S3 Bucket: http://production-<redacted>.s3.amazonaws.com/
Protected S3 Bucket: http://\<redacted>.store.s3.amazonaws.com/
Protected S3 Bucket: http://\<redacted>.s3.amazonaws.com/
Protected S3 Bucket: http://\<redacted>.s3.amazonaws.com/
Elapsed time: 00:02:35
[+] Checking for AWS Apps
[*] Brute-forcing a list of 11346 possible DNS names
[!] DNS Timeout on test.\<redacted>.awsapps.com. Investigate if there are many of these.
[!] DNS Timeout on \<redacted>.backup.awsapps.com. Investigate if there are many of these.
++++++++++++++++++++++++++ azure checks ++++++++++++++++++++++++++
[+] Checking for Azure Storage Accounts
[*] Brute-forcing a list of 3486 possible DNS names
HTTPS-Only Account: http://\<redacted>.blob.core.windows.net/
HTTPS-Only Account: http://\<redacted>1.blob.core.windows.net/
HTTPS-Only Account: http://storage<redacted>.blob.core.windows.net/
HTTPS-Only Account: http://\<redacted>test.blob.core.windows.net/
Elapsed time: 00:00:51
[*] Checking 4 accounts for status before brute-forcing
[*] Brute-forcing container names in 4 storage accounts
[*] Brute-forcing 274 container names in \<redacted>1.blob.core.windows.net
[*] Brute-forcing 274 container names in storage\<redacted>.blob.core.windows.net
[*] Brute-forcing 274 container names in \<redacted>.blob.core.windows.net
[!] Breaking out early, auth required.
[*] Brute-forcing 274 container names in \<redacted>test.blob.core.windows.net
[!] Breaking out early, auth required.
Elapsed time: 00:00:15
[+] Checking for Azure File Accounts
[*] Brute-forcing a list of 3486 possible DNS names
[!] DNS Timeout on \<redacted>pro.file.core.windows.net. Investigate if there are many of these.
[!] DNS Timeout on \<redacted>syslog.file.core.windows.net. Investigate if there are many of these.
[!] DNS Timeout on builds\<redacted>.file.core.windows.net. Investigate if there are many of these.
[!] DNS Timeout on \<redacted>graphite.file.core.windows.net. Investigate if there are many of these.
[!] DNS Timeout on \<redacted>client.file.core.windows.net. Investigate if there are many of these.
HTTPS-Only Account: http://\<redacted>.file.core.windows.net/
HTTPS-Only Account: http://\<redacted>1.file.core.windows.net/
HTTPS-Only Account: http://storage<redacted>.file.core.windows.net/
HTTPS-Only Account: http://\<redacted>test.file.core.windows.net/
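To answer the "how many timeouts out of how many checks" question from a saved log (the `-l` file) rather than by eye, the following added example (not part of the issue or of cloud_enum) tallies `DNS Timeout` lines per check section against the brute-force list size. It assumes one log entry per line in the format quoted above; the hostnames, the 10-name list and the 1% cut-off are constructed for illustration.

```python
import re

# Constructed sample in the same line format as the output quoted in this issue.
# Hostnames are placeholders, not values from the report.
SAMPLE_LOG = """\
[+] Checking for Azure Storage Accounts
[*] Brute-forcing a list of 3486 possible DNS names
HTTPS-Only Account: http://example1.blob.core.windows.net/
Elapsed time: 00:00:51
[+] Checking for Azure File Accounts
[*] Brute-forcing a list of 3486 possible DNS names
[!] DNS Timeout on examplepro.file.core.windows.net. Investigate if there are many of these.
[!] DNS Timeout on examplesyslog.file.core.windows.net. Investigate if there are many of these.
Elapsed time: 00:01:23
[+] Checking for Azure Websites
[*] Brute-forcing a list of 10 possible DNS names
[!] DNS Timeout on a.example.invalid. Investigate if there are many of these.
[!] DNS Timeout on b.example.invalid. Investigate if there are many of these.
"""

SECTION = re.compile(r"^\[\+\] Checking for (.+)$")
LIST_SIZE = re.compile(r"^\[\*\] Brute-forcing a list of (\d+) possible DNS names")
TIMEOUT = re.compile(r"^\[!\] DNS Timeout on ")


def timeout_rates(log_text):
    """Return {section: (timeouts, names_tried, rate)} for every check section."""
    stats, current = {}, None
    for line in log_text.splitlines():
        line = line.strip()
        if m := SECTION.match(line):
            current = m.group(1)
            stats[current] = [0, 0]          # [timeouts, list size]
        elif current is None:
            continue                          # banner lines before the first section
        elif m := LIST_SIZE.match(line):
            stats[current][1] = int(m.group(1))
        elif TIMEOUT.match(line):
            stats[current][0] += 1
    # Sections without a DNS list (e.g. HTTP-only checks) get a rate of 0.0.
    return {s: (t, n, t / n if n else 0.0) for s, (t, n) in stats.items()}


def noisy_sections(log_text, threshold=0.01):
    """Sections whose timeout rate exceeds the (assumed) threshold."""
    return [s for s, (_, _, r) in timeout_rates(log_text).items() if r > threshold]


if __name__ == "__main__":
    for name, (t, n, rate) in timeout_rates(SAMPLE_LOG).items():
        print(f"{name}: {t}/{n} timeouts ({rate:.2%})")
```

Sections returned by `noisy_sections` are the ones worth re-running against a different resolver; the rest are within the "few out of thousands" range discussed in the thread.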