projectdiscovery / subfinder

Fast passive subdomain enumeration tool.
https://projectdiscovery.io
MIT License

[Issue] Shodan source reports false subdomains when enumerating a subdomain #1389

Closed Gby56 closed 1 month ago

Gby56 commented 1 month ago

Describe the bug

First, enumerate the parent domain.

  % subfinder -d hackerone.com

               __    _____           __
   _______  __/ /_  / __(_)___  ____/ /__  _____
  / ___/ / / / __ \/ /_/ / __ \/ __  / _ \/ ___/
 (__  ) /_/ / /_/ / __/ / / / / /_/ /  __/ /
/____/\__,_/_.___/_/ /_/_/ /_/\__,_/\___/_/

        projectdiscovery.io

[INF] Current subfinder version v2.6.6 (latest)
[INF] Loading provider config from /Users/gby/Library/Application Support/subfinder/provider-config.yaml
[INF] Enumerating subdomains for hackerone.com
design.hackerone.com
zendesk1.hackerone.com
3d.hackerone.com
hackerone.com
a.ns.hackerone.com
api.hackerone.com
mta-sts.managed.hackerone.com
mta-sts.forwarding.hackerone.com
support.hackerone.com

Then, enumerate a subdomain, and notice that zendesk2, docs, and all of these subdomains suddenly appear underneath api.hackerone.com?

  % subfinder -d api.hackerone.com

               __    _____           __
   _______  __/ /_  / __(_)___  ____/ /__  _____
  / ___/ / / / __ \/ /_/ / __ \/ __  / _ \/ ___/
 (__  ) /_/ / /_/ / __/ / / / / /_/ /  __/ /
/____/\__,_/_.___/_/ /_/_/ /_/\__,_/\___/_/

        projectdiscovery.io

[INF] Current subfinder version v2.6.6 (latest)
[INF] Loading provider config from /Users/gby/Library/Application Support/subfinder/provider-config.yaml
[INF] Enumerating subdomains for api.hackerone.com
zendesk2.api.hackerone.com
mta-sts.managed.api.hackerone.com
support.api.hackerone.com
mta-sts.forwarding.api.hackerone.com
gslink.api.hackerone.com
mta-sts.api.hackerone.com
resources.api.hackerone.com
www.api.hackerone.com
b.ns.api.hackerone.com
docs.api.hackerone.com
zendesk1.api.hackerone.com
_dmarc.api.hackerone.com
api.api.hackerone.com
[INF] Found 13 subdomains for api.hackerone.com in 21 seconds 284 milliseconds

Subfinder version: v2.6.6 (subfinder -version)

The bug is exactly here https://github.com/projectdiscovery/subfinder/blob/6537b327867861ec4eb90d07604f8bb79bdce88d/v2/pkg/subscraping/sources/shodan/shodan.go#L79

Because subdomains are generated from concatenating the user input (api.hackerone.com) with the API response, which is giving you the subdomains of hackerone.com, NOT api.hackerone.com.


cc @dwisiswant0
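The scoped reassembly the report calls for, as an added Go example that is not subfinder's own code: it assumes the Shodan DNS reply carries a domain field naming the domain it actually describes plus a data list of subdomain entries (assumed shape), builds each hostname from that field rather than from the CLI input, and keeps only names at or beneath the queried domain. The reply and query below are constructed to match the issue.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Fields of Shodan's DNS reply used here (assumed shape; not subfinder's code).
type shodanDNSResponse struct {
	Domain string `json:"domain"`
	Data   []struct {
		Subdomain string `json:"subdomain"`
	} `json:"data"`
}

// Constructed sample: a query for api.hackerone.com answered with
// hackerone.com's records, as the issue describes.
const sampleResponse = `{"domain":"hackerone.com","data":[{"subdomain":"docs"},` +
	`{"subdomain":"api"},{"subdomain":""},{"subdomain":"zendesk2"}]}`

// inScope reports whether host is the queried name or lies beneath it.
func inScope(host, queried string) bool {
	return host == queried || strings.HasSuffix(host, "."+queried)
}

// assemble builds each hostname from the domain named in the reply itself
// (not from the user's query) and drops anything outside the queried scope,
// so a reply describing hackerone.com can never yield docs.api.hackerone.com.
func assemble(queried string, raw []byte) ([]string, error) {
	var resp shodanDNSResponse
	if err := json.Unmarshal(raw, &resp); err != nil {
		return nil, err
	}
	queried = strings.ToLower(strings.TrimSuffix(queried, "."))
	base := strings.ToLower(strings.TrimSuffix(resp.Domain, "."))
	var out []string
	for _, rec := range resp.Data {
		host := base // an empty subdomain entry is the apex itself
		if s := strings.ToLower(rec.Subdomain); s != "" {
			host = s + "." + base
		}
		if inScope(host, queried) {
			out = append(out, host)
		}
	}
	return out, nil
}
```

Querying api.hackerone.com against the sample reply yields only api.hackerone.com, while querying hackerone.com yields all four names.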

dwisiswant0 commented 1 month ago

I think that any subdomain (ex. Z.Y.X.domain.tld) queried in Shodan will still display results from the (root) domain (ex. X.domain.tld, X2.domain.tld). Am I understanding this correctly?


Gby56 commented 1 month ago

Yes, that's exactly what's happening! And the problem is that we assemble the requested domain from the user, via the CLI, with the subdomains from the root domain, from Shodan's API. This basically generates fake subdomains that don't exist at all. docs.api.hackerone.com is an obvious one.