yassineaboukir / sublert

Sublert is a security and reconnaissance tool which leverages certificate transparency to automatically monitor new subdomains deployed by specific organizations and issued TLS/SSL certificate.
MIT License
988 stars 166 forks

Understanding the Process of `we couldn't find any subdomain` #47

Open GangGreenTemperTatum opened 12 months ago

GangGreenTemperTatum commented 12 months ago

Howdy

I picked a random example here: (anthropic.com)

~/sublert$ python3 sublert.py -u anthropic.com

                   _____       __    __          __
                  / ___/__  __/ /_  / /__  _____/ /_
                  \__ \/ / / / __ \/ / _ \/ ___/ __/
                 ___/ / /_/ / /_/ / /  __/ /  / /_
                /____/\__,_/_.___/_/\___/_/   \__/

             Author: Yassine Aboukir (@yassineaboukir)
                           Version: 1.4.7

[!] Added but unfortunately, we couldn't find any subdomain for anthropic.com

I am struggling to understand why `[!] Added but unfortunately, we couldn't find any subdomain for anthropic.com` is returned for anthropic.com as an example domain.

If I navigate to https://crt.sh/ and perform a query for the Certificate Transparency DB, I do see matching entries:


10552791737 2023-10-01 2023-09-29 2023-12-28 anthropic.com anthropic.com C=US, O=Google Trust Services LLC, CN=GTS CA 1D4
10530892335 2023-09-29 2023-09-29 2023-12-28 anthropic.com anthropic.com C=US, O=Google Trust Services LLC, CN=GTS CA 1D4

I can confirm this is not a DNS-related error, for example:

;; ANSWER SECTION:
anthropic.com.      300 IN  A   160.79.104.10

Running a packet capture on the host, I see the following DNS resolution being performed:

~$ sudo tcpdump -i any 'udp and port 53' -nvv
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
00:00:51.897858 ens4  Out IP (tos 0x0, ttl 64, id 6162, offset 0, flags [DF], proto UDP (17), length 52)
    10.128.0.4.36219 > 169.254.169.254.53: [bad udp cksum 0x5eb2 -> 0x8842!] 43500+ A? crt.sh. (24)
00:00:51.897862 ens4  Out IP (tos 0x0, ttl 64, id 6163, offset 0, flags [DF], proto UDP (17), length 52)
    10.128.0.4.36219 > 169.254.169.254.53: [bad udp cksum 0x5eb2 -> 0x8333!] 44768+ AAAA? crt.sh. (24)
00:00:51.901073 ens4  In  IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 68)
    169.254.169.254.53 > 10.128.0.4.36219: [udp sum ok] 43500 q: A? crt.sh. 1/0/0 crt.sh. A 91.199.212.73 (40)
00:00:51.901075 ens4  In  IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 80)
    169.254.169.254.53 > 10.128.0.4.36219: [udp sum ok] 44768 q: AAAA? crt.sh. 1/0/0 crt.sh. AAAA 2a0e:ac00:c7:d449::5bc7:d449 (52)

This looks identical to a working example:

:~/sublert$ python3 sublert.py -u openai.com

                   _____       __    __          __
                  / ___/__  __/ /_  / /__  _____/ /_
                  \__ \/ / / / __ \/ / _ \/ ___/ __/
                 ___/ / /_/ / /_/ / /  __/ /  / /_
                /____/\__,_/_.___/_/\___/_/   \__/

             Author: Yassine Aboukir (@yassineaboukir)
                           Version: 1.4.7

[+] Adding openai.com to the monitored list of domains.

[?] Do you wish to list subdomains found for openai.com? [Y]es [N]o (default: [N]) y

...

00:05:00.194661 ens4  Out IP (tos 0x0, ttl 64, id 27180, offset 0, flags [DF], proto UDP (17), length 52)
    10.128.0.4.39400 > 169.254.169.254.53: [bad udp cksum 0x5eb2 -> 0x49f6!] 56267+ A? crt.sh. (24)
00:05:00.194666 ens4  Out IP (tos 0x0, ttl 64, id 27181, offset 0, flags [DF], proto UDP (17), length 52)
    10.128.0.4.39400 > 169.254.169.254.53: [bad udp cksum 0x5eb2 -> 0x58e5!] 52417+ AAAA? crt.sh. (24)
00:05:00.198196 ens4  In  IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 80)
    169.254.169.254.53 > 10.128.0.4.39400: [udp sum ok] 52417 q: AAAA? crt.sh. 1/0/0 crt.sh. AAAA 2a0e:ac00:c7:d449::5bc7:d449 (52)
00:05:00.198496 ens4  In  IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 68)
    169.254.169.254.53 > 10.128.0.4.39400: [udp sum ok] 56267 q: A? crt.sh. 1/0/0 crt.sh. A 91.199.212.73 (40)

crt.sh here

Can somebody nudge me in the correct direction here? Is there a debug functionality I can run to understand why I yield zero results?

TYIA!
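One way to check what the certificate transparency data actually contains for a domain, independently of the tool, is to pull crt.sh's JSON output and extract the subdomains yourself. The script below is an added example and not part of sublert or this issue; it parses a constructed sample mirroring the two apex-only entries shown above, and illustrates one case in which crt.sh shows matching certificates yet the resulting subdomain list is empty (the real endpoint is `https://crt.sh/?q=%25.<domain>&output=json`; fetching it is left to the reader so the example runs offline).

```python
"""Added example (not sublert's code): extract unique subdomains from a
crt.sh JSON body, so a user can see whether a domain's CT entries name any
subdomain at all or only the apex / wildcard names."""
import json

# Constructed sample mirroring the two anthropic.com rows shown in the issue:
# both certificates name only the apex domain.
SAMPLE_APEX_ONLY = json.dumps([
    {"id": 10552791737, "common_name": "anthropic.com", "name_value": "anthropic.com"},
    {"id": 10530892335, "common_name": "anthropic.com", "name_value": "anthropic.com"},
])
# Constructed sample with SAN lists (crt.sh separates names in name_value by "\n").
SAMPLE_WITH_SUBS = json.dumps([
    {"id": 1, "common_name": "example.com",
     "name_value": "example.com\n*.example.com\nwww.example.com"},
    {"id": 2, "common_name": "api.example.com",
     "name_value": "api.example.com\nwww.example.com"},
])


def extract_subdomains(crtsh_json: str, domain: str) -> set:
    """Return the set of concrete hostnames under `domain` in a crt.sh JSON body.
    The apex itself and wildcard names are dropped: neither is a subdomain a
    monitor could alert on, so a response made of them yields an empty set."""
    domain = domain.lower().rstrip(".")
    found = set()
    for entry in json.loads(crtsh_json):
        names = entry.get("name_value", "").split("\n") + [entry.get("common_name", "")]
        for name in names:
            name = name.strip().lower().rstrip(".")
            if not name or name == domain or name.startswith("*."):
                continue
            if name.endswith("." + domain):
                found.add(name)
    return found


def explain(crtsh_json: str, domain: str) -> str:
    """Distinguish 'no certificates at all' from 'certificates, but apex-only'."""
    if not json.loads(crtsh_json):
        return f"{domain}: crt.sh returned no certificates at all"
    subs = extract_subdomains(crtsh_json, domain)
    if not subs:
        return f"{domain}: CT entries present but none name a subdomain (apex/wildcard only)"
    return f"{domain}: {len(subs)} subdomain(s): {', '.join(sorted(subs))}"


if __name__ == "__main__":
    print(explain(SAMPLE_APEX_ONLY, "anthropic.com"))
    print(explain(SAMPLE_WITH_SUBS, "example.com"))
```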