owasp-amass / amass

In-depth attack surface mapping and asset discovery
https://owasp.org/www-project-amass/

[Feature] Allow Blacklist of CIDRs #610

Closed decidedlygray closed 3 years ago

decidedlygray commented 3 years ago

Currently, [scope.blacklisted] only supports subdomains - https://github.com/OWASP/Amass/blob/master/doc/user_guide.md#the-blacklisted-section

Kind of an opposite to how [scope] expands scope, it would be nice if we could similarly restrict scope by putting in CIDRs (and maybe even addresses).

caffix commented 3 years ago

Active recon can be restricted by addresses, but DNS names must be resolved before addresses can be used for blacklisting. Knowing this, would you still be interested in the feature?

decidedlygray commented 3 years ago

I think so, yes.

My thinking is: with the current setup, unknown subdomains are already (in theory) being resolved for blacklisted addresses. With this addition, yes, active recon would "break" the blacklist idea by resolving the address, but at least further downstream actions (like recursive bruteforcing of further subdomains) would be skipped.

Does that track?

decidedlygray commented 3 years ago

Hmmm... Now I'm thinking it breaks things.

If our blacklisted address was 123.123.123.123, and we find dev.example.com resolving to that, there could still be further subdomains (e.g. one.dev.example.com) that resolve outside of the blacklisted address. So we've created a gap in coverage.

Closing. Thanks for considering.
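
The coverage gap described in the last comment, as an added Go example that is not part of the original thread and is not Amass code. It compares filtering each resolved name against a CIDR blacklist with also dropping everything beneath a blocked name (`prune`, which models skipping recursive brute forcing). The names `resolved`, `blacklist`, `blocked` and `inScope`, the /24 prefix and the sample records are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
	"strings"
)

// Constructed sample resolutions (name -> address), not real Amass output.
var resolved = map[string]string{
	"www.example.com":     "198.51.100.10",
	"dev.example.com":     "123.123.123.123",
	"one.dev.example.com": "203.0.113.7",
}

// Hypothetical CIDR blacklist covering the address used in the thread.
var blacklist = []netip.Prefix{netip.MustParsePrefix("123.123.123.0/24")}

// blocked reports whether addr is inside any blacklisted prefix.
func blocked(addr string) bool {
	ip, err := netip.ParseAddr(addr)
	hit := err != nil // fail closed: unparseable addresses count as blocked
	for _, p := range blacklist {
		hit = hit || p.Contains(ip)
	}
	return hit
}

// inScope lists surviving names; prune also drops names under a blocked parent.
func inScope(prune bool) []string {
	var keep []string
	for name, addr := range resolved {
		ok := !blocked(addr)
		for parent, paddr := range resolved {
			if prune && strings.HasSuffix(name, "."+parent) && blocked(paddr) {
				ok = false
			}
		}
		if ok {
			keep = append(keep, name)
		}
	}
	sort.Strings(keep)
	return keep
}

func main() {
	fmt.Println("per-name:", inScope(false), "pruned:", inScope(true))
}
```

With pruning enabled, `one.dev.example.com` disappears from the result even though its own address is outside the blacklisted range.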