blacklanternsecurity · liquidsec · Oct 29, 2025 · Oct 18, 2024 · Nov 21, 2024 · Nov 21, 2024
diff --git a/baddns/lib/dnsmanager.py b/baddns/lib/dnsmanager.py
@@ -67,19 +67,29 @@ def process_answer(self, answer, rdatatype):
 
             rdtype = str(record.rdtype.name).upper()
             if rdtype in ("A", "AAAA", "NS", "CNAME", "PTR"):
-                results.add(self._clean_dns_record(record))
+                cleaned = self._clean_dns_record(record)
+                if cleaned:
+                    results.add(cleaned)
             elif rdtype == "SOA":
-                results.add(self._clean_dns_record(record.mname))
+                cleaned = self._clean_dns_record(record.mname)
+                if cleaned:
+                    results.add(cleaned)
             elif rdtype == "MX":
-                results.add(self._clean_dns_record(record.exchange))
+                cleaned = self._clean_dns_record(record.exchange)
+                if cleaned:
+                    results.add(cleaned)
             elif rdtype == "SRV":
-                results.add(self._clean_dns_record(record.target))
+                cleaned = self._clean_dns_record(record.target)
+                if cleaned:
+                    results.add(cleaned)
             elif rdtype == "TXT":
                 for s in record.strings:
                     s = s.decode()
                     results.add(s)
             elif rdtype == "NSEC":
-                results.add(self._clean_dns_record(record.next))
+                cleaned = self._clean_dns_record(record.next)
+                if cleaned:
+                    results.add(cleaned)
             else:
                 log.debug(f'Unknown DNS record type "{rdtype}"')
         return list(results)

diff --git a/baddns/lib/whoismanager.py b/baddns/lib/whoismanager.py
@@ -4,6 +4,7 @@
 import tldextract
 from datetime import datetime, timezone, timedelta, date
 from dateutil import parser as date_parser
+from whois.exceptions import PywhoisError
 
 log = logging.getLogger(__name__)
 
@@ -19,13 +20,19 @@ async def dispatchWHOIS(self):
             registered_domain = self.target
         else:
             registered_domain = ext.registered_domain
+
+        # Guard against empty/invalid domains
+        if not registered_domain or "." not in registered_domain:
+            log.debug(f"Skipping WHOIS for invalid domain [{registered_domain}] from [{self.target}]")
+            self.whois_result = {"type": "error", "data": "Invalid domain for WHOIS"}
+            return
         log.debug(f"Extracted base domain [{registered_domain}] from [{self.target}]")
         log.debug(f"Submitting WHOIS query for {registered_domain}")
         try:
             w = await asyncio.to_thread(whois.whois, registered_domain, quiet=True)
             log.debug(f"Got response to whois request for {registered_domain}")
             self.whois_result = {"type": "response", "data": w}
-        except whois.parser.PywhoisError as e:
+        except PywhoisError as e:
             log.debug(f"Got PywhoisError for whois request for {registered_domain}")
             self.whois_result = {"type": "error", "data": str(e)}
         except Exception as e:

diff --git a/baddns/modules/mx.py b/baddns/modules/mx.py
@@ -27,6 +27,8 @@ async def dispatch(self):
             return False
 
         for mx_record in self.target_dnsmanager.answers["MX"]:
+            if not mx_record:
+                continue
             log.debug(f"performing WHOIS lookup for [{mx_record}]")
             self.mx_whoismanager[mx_record] = WhoisManager(mx_record)
             await self.mx_whoismanager[mx_record].dispatchWHOIS()

diff --git a/baddns/signatures/dnsreaper_bettermode.yml b/baddns/signatures/dnsreaper_bettermode.yml
@@ -0,0 +1,15 @@
+identifiers:
+  cnames:
+  - type: word
+    value: domains.bettermode.io
+  ips: []
+  nameservers: []
+  not_cnames: []
+matcher_rule:
+  matchers:
+  - status: 409
+    type: status
+  matchers-condition: and
+mode: http
+service_name: bettermode.com
+source: dnsreaper
diff --git a/baddns/signatures/dnsreaper_hatenablog.yml b/baddns/signatures/dnsreaper_hatenablog.yml
@@ -11,7 +11,7 @@ matcher_rule:
     part: body
     type: word
     words:
-    - 404 Blog is not found
+    - The request could not be satisfied.
   matchers-condition: and
 mode: http
 service_name: hatenablog.com

diff --git a/baddns/signatures/dnsreaper_helpscout.yml b/baddns/signatures/dnsreaper_helpscout.yml
@@ -7,11 +7,8 @@ identifiers:
   not_cnames: []
 matcher_rule:
   matchers:
-  - condition: or
-    part: body
-    type: word
-    words:
-    - Not Found
+  - status: 0
+    type: status
   matchers-condition: and
 mode: http
 service_name: helpscoutdocs.com

diff --git a/baddns/signatures/dnsreaper_teamwork.yml b/baddns/signatures/dnsreaper_teamwork.yml
@@ -11,7 +11,7 @@ matcher_rule:
     part: body
     type: word
     words:
-    - Unable to determine installationID from domain
+    - The request could not be satisfied.
   matchers-condition: and
 mode: http
 service_name: teamwork

diff --git a/baddns/signatures/nucleitemplates_leadpages-takeover.yml b/baddns/signatures/nucleitemplates_leadpages-takeover.yml
@@ -12,9 +12,10 @@ matcher_rule:
     part: body
     type: word
     words:
-    - <h1>We couldn't find that page</h1>
-    - "The page you\u2019re looking for may have been moved"
-    - Double-check that you have the right web address and give it another go!
+    - <h2 class="lp-headline text-align-center subhead">This page couldn't be found,
+      so let's get you turned around!</h2>
+    - The page you're looking for may have moved.
+    - Double check that you have the right web address and give it another go!
   matchers-condition: and
 mode: http
 service_name: Leadpages takeover detection

diff --git a/baddns/signatures/nucleitemplates_redirect-pizza-takeover.yml b/baddns/signatures/nucleitemplates_redirect-pizza-takeover.yml
@@ -0,0 +1,17 @@
+identifiers:
+  cnames: []
+  ips: []
+  nameservers: []
+  not_cnames: []
+matcher_rule:
+  matchers:
+  - condition: and
+    dsl:
+    - Host != ip
+    - contains_all(body, "Unable to redirect","redirect.pizza")
+    - contains(content_type, "text/html")
+    type: dsl
+  matchers-condition: and
+mode: http
+service_name: Redirect.pizza Subdomain Takeover Detection
+source: nucleitemplates
diff --git a/baddns/signatures/nucleitemplates_wasabi-bucket-takeover.yml b/baddns/signatures/nucleitemplates_wasabi-bucket-takeover.yml
@@ -0,0 +1,24 @@
+identifiers:
+  cnames:
+  - type: word
+    value: wasabisys.com
+  ips: []
+  nameservers: []
+  not_cnames: []
+matcher_rule:
+  matchers:
+  - condition: and
+    dsl:
+    - Host != ip
+    - contains(tolower(header), "wasabis3")
+    type: dsl
+  - condition: and
+    part: body
+    type: word
+    words:
+    - The specified bucket does not exist
+    - BucketName
+  matchers-condition: and
+mode: http
+service_name: wasabi Bucket Takeover - Detection
+source: nucleitemplates
diff --git a/baddns/signatures/nucleitemplates_wix-takeover.yml b/baddns/signatures/nucleitemplates_wix-takeover.yml
@@ -1,5 +1,7 @@
 identifiers:
-  cnames: []
+  cnames:
+  - type: word
+    value: wix.com
   ips: []
   nameservers: []
   not_cnames: []
@@ -16,6 +18,9 @@ matcher_rule:
     - wixErrorPagesApp
   - status: 404
     type: status
+  - dsl:
+    - '!contains(host,"wix.com")'
+    type: dsl
   matchers-condition: and
 mode: http
 service_name: Wix Takeover Detection

diff --git a/baddns/signatures/signature_history.txt b/baddns/signatures/signature_history.txt
@@ -113,6 +113,7 @@ e155aed36a19a0437650f5d1033a64a47f39a8981de9f1b5f39e2dfe7e14996d #nucleitemplate
 ad913111f8c498e0e5b0ef30714e6074832914e936f61c4dd3b10dad2dd9e436 #dnsreaper_surveysparrow.yml
 9075b7665514a4ed5e342152a2f80c804959bb5ee5f94c1e8dfdb50858e969bd #dnsreaper_wix.yml
 d3ec2dfaec7ac79042848aee837c2391958e46e2c7824dedb6a9590939d25f44 #dnsreaper_simplebooklet.yml
+ab314bbf1d879ea9ada35b4ca6735663c209d481a359426a2bec478a53ea4833 #nucleitemplates_wasabi-bucket-takeover.yml
 4882b47122e85dd71cab1cee417c23f5ed8f495c305922cffa57627bd86a8271 #nucleitemplates_greatpages-takeover.yml
 c52773fd1de7ba1e3a9137626b0c9c0232964eeb5e779fbf549ecab8c22d3817 #nucleitemplates_framer-takeover.yml
 b3d1600a3fe2c2d3739e9024d89f205ee65d9d733fcb2765ad58dba215e9bd57 #nucleitemplates_zendesk-takeover.yml
@@ -123,3 +124,12 @@ b3d1600a3fe2c2d3739e9024d89f205ee65d9d733fcb2765ad58dba215e9bd57 #nucleitemplate
 cd698c5180cba3ee1bee876cf4a6ebc65be5e57f95b02de27ff7521c3b9f73da #nucleitemplates_cargo-takeover.yml
 653b478bb93f7657f4c0b01c0376c349903e4e5701ba206c9720d9c9f1efdfd2 #nucleitemplates_uptimerobot-takeover.yml
 f8188d3aea41c1711498ec5ed36aceb864168d6907b5f1297176068cae04452f #dnsreaper_short.yml
+b9218825ff262b6f94d43ae05c8178f738cc1901cc5937a2fe39e0d2139fccfe #dnsreaper_hatenablog.yml
+cd7d0669e80ab911f274e09a8ef390cf295f2e1a2421980ee715bc575e3267ba #nucleitemplates_wix-takeover.yml
+72829905abfc7a663ee8360005dcd6105440794a0330792b1fbf0f3eb4b00849 #nucleitemplates_leadpages-takeover.yml
+ee0f1a8b0eb221e3cf23fd98ce652d68485fca06d2a57d943fa220af972e6acc #nucleitemplates_redirect-pizza-takeover.yml
+91eedb328aa6c1bf2d5073a1627f10c8ee79d5bddad2320df43da95e44fa297b #dnsreaper_bettermode.yml
+cd7d0669e80ab911f274e09a8ef390cf295f2e1a2421980ee715bc575e3267ba #nucleitemplates_wix-takeover.yml
+b9218825ff262b6f94d43ae05c8178f738cc1901cc5937a2fe39e0d2139fccfe #dnsreaper_hatenablog.yml
+4a68439abb82bac01c40fa285322d704531f0521fcbedb20e503e07cc528721d #dnsreaper_teamwork.yml
+9e80e1a3303e74eaa5ac1e212d26f494d29ded7aef7a80a7384b36b9296cc94e #dnsreaper_helpscout.yml