skepticfx / subquest

Fast, Elegant subdomain scanner using nodejs
MIT License
33 stars, 4 forks

Bruteforcing domains with wildcard subdomains should be handled more precisely. #2

Closed skepticfx closed 6 years ago

skepticfx commented 10 years ago

In websites like github.com, we can have *.github.com subdomains which are valid. We have to detect this.

Probably by querying,

what-the-heck-this-is-not-a-valid-domain.github.com

b4dnewz commented 7 years ago

Can you give me more info about this? I would like to fix it, to make the module results as valid as possible.

skepticfx commented 7 years ago

Some domains allow wildcard subdomains. So if you do a dictionary search on these domains - you get the result as domain found. In these cases, we need to determine whether any subdomain is allowed by testing from something like what-the-heck-this-is-not-a-valid-domain.domain.com.

Makes sense?

b4dnewz commented 7 years ago

yep it makes sense!

b4dnewz commented 6 years ago

While looking for different brute force tools I found this source code of Fierce, a Kali Linux Perl DNS brute script that checks for wildcards:

http://git.kali.org/gitweb/?p=packages/fierce.git;a=blob_plain;f=fierce.pl;hb=HEAD

This is their approach.

Also this Python version of Fierce which does wildcard and zone transfer checks: https://github.com/mschwager/fierce

skepticfx commented 6 years ago

Yeah! It's using a random string as a subdomain. $wildcard_dns = 1e11 - int(rand(1e10));

b4dnewz commented 6 years ago

Hi @skepticfx, how are you? Happy new year! ~I'm into this issue, do you know any domain where I can test the new wildcard subdomain check?~ ~I googled a lot but I can't find any domain with wildcard enabled to test..~

edit: nothing man.. I'm just too tired.. it's working as expected with github (as you said in the issue text) :sleeping:

b4dnewz commented 6 years ago

I moved all files inside the lib folder for convenience.

I made a first attempt based on what we said before for the wildcard check: branch L136-L139, using Math.floor(Math.random() * 1e14) + 1e15; to create a random numeric string to test as a subdomain.

The only thing that does not convince me is the kind of answer that the script should return.. right now I thought to return an array with the wildcard value in it, like so: ['*'], since if successful the script will return an array of subdomains (e.g. ['blog', 'www', ...]). What do you think?

skepticfx commented 6 years ago

@b4dnewz Happy new year! :)

Yeah! We need a consistent return type. Array is better. I know I made such silly mistakes a few years back.

Anyways! Great work and take care!

b4dnewz commented 6 years ago

thanks @skepticfx!

I've also added eslint and a basic config to the project right now to avoid inconsistency in the code style, then I will merge this new wildcard check feature.

The next step is to make it fast like a running cheetah!