
DNS Wildcard Resolution (Pan-Parsing) and Detection Code

2025-01-19 Update. From: SLTechnology News&Howtos (Shulou.com), Network Security. 06/01 report.

0x00 Preface

While developing our own scanner, which naturally includes subdomain collection, we found that websites using wildcard DNS resolution (pan-resolution) make the scanner perform a lot of unnecessary probing, wasting time and resources. This article is about solving that problem and optimizing the scanner for it.

Introduction to wildcard (pan-domain) name resolution: https://baike.baidu.com/item/%E6%B3%9B%E5%9F%9F%E5%90%8D%E8%A7%A3%E6%9E%90/9845966?fr=aladdin

0x01 The problem

Wildcard resolution is convenient for vendors, but it causes trouble for automated scanning. What kind of trouble? Here is a demonstration using a vendor that has wildcard resolution enabled.

Because the website uses wildcard resolution, a subdomain that does not actually exist still resolves successfully, and accessing it simply redirects to the home page.

In automated scanning we usually combine a dictionary of labels with the domain name and perform a DNS lookup for each candidate. If the lookup succeeds, the subdomain is taken to exist. This is how subdomains are enumerated by brute force, but when wildcard resolution is in use every candidate resolves successfully, which makes the enumeration results inaccurate.

P.S.: this is just a wildcard-resolution test.

0x02 Solution

So how do we determine that a domain uses wildcard resolution, and how do we handle this case in the scanner?

A domain with wildcard resolution automatically matches every `*.domain` name. Using this, we can deliberately resolve a subdomain that certainly does not exist: if it resolves successfully, the domain uses wildcard resolution; otherwise it does not.

The scanner uses the same approach. The demonstration follows (the full code is posted at the end).

As you can see in the figure above, if a domain name that does not exist resolves successfully, wildcard resolution is in use, and socket.getaddrinfo does not throw an exception.

The improved detection code is:

```python
import socket
import sys


def dns_resolve(domain):
    # A label that should not exist under the target domain
    url = 'abc1q2w3e4r5t.' + domain
    flag = False
    # An exception means the name did not resolve, so no wildcard resolution
    try:
        socket.getaddrinfo(url, None)
        flag = True
    except socket.gaierror:
        pass
    if not flag:
        print('[+] %s does not use wildcard resolution' % domain)
    else:
        print('[-] %s uses wildcard resolution' % domain)


if __name__ == '__main__':
    if len(sys.argv) < 2:
        print('Usage: python3 %s <domain>' % sys.argv[0])
        sys.exit(1)
    dns_resolve(sys.argv[1])
```
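The following is an added example, not code from the original article. It goes one step beyond the single fixed-label check by probing several random labels and recording the addresses the wildcard returns, so that later lookups can be compared against them. The function names, the `demo_resolver` zone data and the `.example` domains are constructed for illustration.

```python
import secrets
import socket


def resolve(host):
    """Return the set of IP addresses for host, or an empty set on failure."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()


def wildcard_addresses(domain, resolver=resolve, probes=3):
    """Probe random labels; return the wildcard address set, empty if none."""
    seen = set()
    for _ in range(probes):
        # A fresh random label cannot collide with a real host the way a
        # fixed probe string could if someone created that record.
        found = resolver(f"{secrets.token_hex(8)}.{domain}")
        if not found:
            return set()  # a failed probe is treated as "no catch-all record"
        seen |= found  # several probes also collect round-robin answers
    return seen


def is_distinct_host(host, wildcard, resolver=resolve):
    """True only if host resolves to an address the wildcard did not return."""
    found = resolver(host)
    return bool(found) and not found <= wildcard


def demo_resolver(host):
    """Constructed zone data (documentation IP ranges) for an offline run."""
    zone = {"mail.wild.example": {"198.51.100.7"},
            "www.plain.example": {"203.0.113.5"}}
    if host in zone:
        return zone[host]
    if host.endswith(".wild.example"):
        return {"192.0.2.10"}  # simulated *.wild.example record
    return set()


if __name__ == "__main__":
    for domain in ("wild.example", "plain.example"):
        print(domain, wildcard_addresses(domain, demo_resolver))
    wc = wildcard_addresses("wild.example", demo_resolver)
    for host in ("mail.wild.example", "www.wild.example"):
        print(host, is_distinct_host(host, wc, demo_resolver))
```

A `False` from `is_distinct_host` means the name cannot be told apart from the wildcard by DNS alone, not that it is proven absent; a real host that shares the wildcard address looks identical here.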

0x03 Tips

When a domain uses wildcard resolution, give up on brute-force enumeration of subdomains and obtain them in other ways, such as crawlers or search engines. If there is any error, please correct it.
