Understanding the Process of we couldn't find any subdomain #47

@GangGreenTemperTatum

Howdy

I picked a random example here: (anthropic.com)

~/sublert$ python3 sublert.py -u anthropic.com

                   _____       __    __          __
                  / ___/__  __/ /_  / /__  _____/ /_
                  \__ \/ / / / __ \/ / _ \/ ___/ __/
                 ___/ / /_/ / /_/ / /  __/ /  / /_
                /____/\__,_/_.___/_/\___/_/   \__/

             Author: Yassine Aboukir (@yassineaboukir)
                           Version: 1.4.7

[!] Added but unfortunately, we couldn't find any subdomain for anthropic.com

I am struggling to understand why no subdomains could be found for anthropic.com, as an example domain.

If I navigate to https://crt.sh/ and perform a query for the Certificate Transparency DB, I do see matching entries:

10552791737 2023-10-01 2023-09-29 2023-12-28 anthropic.com anthropic.com C=US, O=Google Trust Services LLC, CN=GTS CA 1D4
10530892335 2023-09-29 2023-09-29 2023-12-28 anthropic.com anthropic.com C=US, O=Google Trust Services LLC, CN=GTS CA 1D4

I can confirm this is not a DNS-related error for example:

;; ANSWER SECTION:
anthropic.com.		300	IN	A	160.79.104.10

I ran a packet-capture on the host, I see the following DNS resolution process being performed:

~$ sudo tcpdump -i any 'udp and port 53' -nvv
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
00:00:51.897858 ens4  Out IP (tos 0x0, ttl 64, id 6162, offset 0, flags [DF], proto UDP (17), length 52)
    10.128.0.4.36219 > 169.254.169.254.53: [bad udp cksum 0x5eb2 -> 0x8842!] 43500+ A? crt.sh. (24)
00:00:51.897862 ens4  Out IP (tos 0x0, ttl 64, id 6163, offset 0, flags [DF], proto UDP (17), length 52)
    10.128.0.4.36219 > 169.254.169.254.53: [bad udp cksum 0x5eb2 -> 0x8333!] 44768+ AAAA? crt.sh. (24)
00:00:51.901073 ens4  In  IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 68)
    169.254.169.254.53 > 10.128.0.4.36219: [udp sum ok] 43500 q: A? crt.sh. 1/0/0 crt.sh. A 91.199.212.73 (40)
00:00:51.901075 ens4  In  IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 80)
    169.254.169.254.53 > 10.128.0.4.36219: [udp sum ok] 44768 q: AAAA? crt.sh. 1/0/0 crt.sh. AAAA 2a0e:ac00:c7:d449::5bc7:d449 (52)

This looks identical to a working example:

:~/sublert$ python3 sublert.py -u openai.com

                   _____       __    __          __
                  / ___/__  __/ /_  / /__  _____/ /_
                  \__ \/ / / / __ \/ / _ \/ ___/ __/
                 ___/ / /_/ / /_/ / /  __/ /  / /_
                /____/\__,_/_.___/_/\___/_/   \__/

             Author: Yassine Aboukir (@yassineaboukir)
                           Version: 1.4.7

[+] Adding openai.com to the monitored list of domains.

[?] Do you wish to list subdomains found for openai.com? [Y]es [N]o (default: [N]) y


...

00:05:00.194661 ens4  Out IP (tos 0x0, ttl 64, id 27180, offset 0, flags [DF], proto UDP (17), length 52)
    10.128.0.4.39400 > 169.254.169.254.53: [bad udp cksum 0x5eb2 -> 0x49f6!] 56267+ A? crt.sh. (24)
00:05:00.194666 ens4  Out IP (tos 0x0, ttl 64, id 27181, offset 0, flags [DF], proto UDP (17), length 52)
    10.128.0.4.39400 > 169.254.169.254.53: [bad udp cksum 0x5eb2 -> 0x58e5!] 52417+ AAAA? crt.sh. (24)
00:05:00.198196 ens4  In  IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 80)
    169.254.169.254.53 > 10.128.0.4.39400: [udp sum ok] 52417 q: AAAA? crt.sh. 1/0/0 crt.sh. AAAA 2a0e:ac00:c7:d449::5bc7:d449 (52)
00:05:00.198496 ens4  In  IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 68)
    169.254.169.254.53 > 10.128.0.4.39400: [udp sum ok] 56267 q: A? crt.sh. 1/0/0 crt.sh. A 91.199.212.73 (40)

crt.sh here

Can somebody nudge me in the correct direction here? Is there a debug functionality I can run to understand why I yield zero results?

TYIA!
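An added debugging aid, not part of sublert or of this issue: the crt.sh rows quoted above list only the apex name in both the common-name and matching-identities columns, so this script classifies what crt.sh's JSON endpoint returns into apex, wildcard and real subdomains, which tells "no CT entries at all" apart from "entries exist but none carries a subdomain". It assumes crt.sh's `?q=%.<domain>&output=json` endpoint and runs offline on constructed sample responses (the live `fetch_crtsh` helper is optional).

```python
import json
import urllib.request

CRTSH_URL = "https://crt.sh/?q=%25.{domain}&output=json"

# Constructed sample in the shape of crt.sh's JSON output. These two rows mirror
# the rows quoted in the issue: every name on the certificates is the apex only.
APEX_ONLY_SAMPLE = json.dumps([
    {"id": 10552791737, "common_name": "anthropic.com", "name_value": "anthropic.com",
     "issuer_name": "C=US, O=Google Trust Services LLC, CN=GTS CA 1D4"},
    {"id": 10530892335, "common_name": "anthropic.com", "name_value": "anthropic.com",
     "issuer_name": "C=US, O=Google Trust Services LLC, CN=GTS CA 1D4"},
])
# Second constructed sample (placeholder domain) carrying a wildcard and one real
# subdomain, including a duplicate with odd case and a trailing dot.
MIXED_SAMPLE = json.dumps([
    {"id": 1, "common_name": "*.example.com", "name_value": "*.example.com\nexample.com"},
    {"id": 2, "common_name": "mail.example.com", "name_value": "mail.example.com\nMAIL.Example.com."},
])


def fetch_crtsh(domain, timeout=30):
    """Live lookup (not used by the offline samples): returns crt.sh's parsed JSON list."""
    with urllib.request.urlopen(CRTSH_URL.format(domain=domain), timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def classify_names(rows, domain):
    """Bucket every name crt.sh returned: apex, wildcard, real subdomain, or outside the zone."""
    domain = domain.lower()
    buckets = {"apex": set(), "wildcards": set(), "subdomains": set(), "other": set()}
    for row in rows:
        for name in row.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")  # normalise case and trailing dot
            if not name:
                continue
            if name == domain:
                buckets["apex"].add(name)
            elif name.startswith("*."):
                buckets["wildcards"].add(name)
            elif name.endswith("." + domain):
                buckets["subdomains"].add(name)
            else:
                buckets["other"].add(name)  # SANs for unrelated zones on the same cert
    return {k: sorted(v) for k, v in buckets.items()}


def diagnose(sample_json, domain):
    """Return (verdict, buckets) explaining why a lookup yields zero subdomains."""
    rows = json.loads(sample_json)
    found = classify_names(rows, domain)
    if not rows:
        verdict = "crt.sh returned no entries at all"
    elif not found["subdomains"]:
        verdict = "crt.sh has %d entries but every name is the apex or a wildcard" % len(rows)
    else:
        verdict = "%d subdomain(s) present" % len(found["subdomains"])
    return verdict, found
```

Run `diagnose(json.dumps(fetch_crtsh("anthropic.com")), "anthropic.com")` against the live endpoint to see which of the two zero-result cases applies.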