
Is Cloud and CDN Detection Missing During Port Scanning? #1967

Closed
Luoooio opened this issue Nov 15, 2024 · 9 comments
Assignees
Labels
enhancement New feature or request

Comments

@Luoooio

Luoooio commented Nov 15, 2024

I came across this project today and have to say it's impressive—its recursive approach greatly enhances the depth and scope of asset discovery. However, after a quick look at the code, I noticed there’s no built-in detection for CDNs. This could lead to a lot of false positives and wasted time during port scans. I think adding CDN detection would boost efficiency. In the past, I’ve used CNAME checks for CDN detection and included checks for open ports on the same IP during port scans. According to my rules, if an IP has more than 10 open ports, it’s very likely to be a CDN or a hosting provider, making further port scanning pointless. Maybe 10 is too low for some, but it really depends on personal experience. Overall, determining whether an IP is worth scanning should be considered essential.

@Luoooio Luoooio added the enhancement New feature or request label Nov 15, 2024
@TheTechromancer
Collaborator

CDN detection has always been part of BBOT. Is there a specific detection you need?

@Luoooio
Author

Luoooio commented Nov 15, 2024

CDN detection has always been part of BBOT. Is there a specific detection you need?

Sorry, I didn’t see any module that provides this functionality. I only found cloudcheck, but it clearly doesn’t detect CDNs. Could you point me to the relevant part of the code?

@Sh4d0wHunt3rX
Contributor

I think @Luoooio means something like the "exclude CDN IPs from port scanning" feature in Naabu.


@TheTechromancer
Collaborator

Lol @Sh4d0wHunt3rX it's coming back to me now

@TheTechromancer TheTechromancer self-assigned this Nov 15, 2024
@TheTechromancer
Collaborator

Okay yeah I think this feature has been requested enough that it makes sense to add. I can see how the extra cloudflare ports could be annoying.

@TheTechromancer
Collaborator

Added in #1970.

@Luoooio
Author

Luoooio commented Nov 16, 2024

Added in #1970.

Thanks for your response. I reviewed the latest submitted PR, and it seems that after the port scan is complete, abort_if is used to determine whether the port should emit_event. Why not check for CDNs at the start of the port scan? If it is a CDN, you could simply scan the allowed_cdn_ports to prevent the efficiency loss that comes from scanning first and then making the judgment.

@TheTechromancer
Collaborator

TheTechromancer commented Nov 16, 2024

@Luoooio I like you, you are very observant ;)

It's a good question. The reason is because we're scanning the hosts in extremely large batches. Since we use masscan, which is capable of scanning the entire Internet in 5 minutes, and since often our target is a subnet, it's not economical to break it down into individual IP addresses before the scan. Especially with large subnets, checking each host against the CDN database and splitting the results into two scans takes longer than simply letting masscan do its thing, which is very fast.
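As an added illustration (not BBOT's code and not the implementation in PR #1970), here is the shape of the post-scan approach the thread describes: the batch scan runs untouched, and an abort_if gate then drops CDN hits that are not on an allowed port list. It also includes the "more than 10 open ports" heuristic from the opening post. The CDN ranges, the allowed ports and all function names are assumptions made for this example.

```python
import ipaddress
from collections import Counter
from typing import Iterable, List, Set, Tuple

# Constructed CDN ranges for this example (documentation prefixes, not a real CDN database).
CDN_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

# Ports still worth reporting on a CDN edge (assumed value standing in for
# the allowed_cdn_ports idea discussed in the thread).
ALLOWED_CDN_PORTS = {80, 443}

def is_cdn_ip(ip: str) -> bool:
    """True if the address falls inside any known CDN range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_RANGES)

def abort_if(ip: str, port: int) -> bool:
    """Post-scan gate: suppress an open-port result on a CDN host unless the
    port is on the allow-list. Results on non-CDN hosts are never suppressed."""
    return is_cdn_ip(ip) and port not in ALLOWED_CDN_PORTS

def filter_scan_results(results: Iterable[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Apply abort_if to a whole batch of (ip, port) results after the scan has run."""
    return [(ip, port) for ip, port in results if not abort_if(ip, port)]

def hosts_over_port_threshold(results: Iterable[Tuple[str, int]], threshold: int = 10) -> Set[str]:
    """Heuristic from the opening post: an IP with more than `threshold` open
    ports is probably a CDN or hosting front end rather than a single asset."""
    counts = Counter(ip for ip, _ in results)
    return {ip for ip, n in counts.items() if n > threshold}

# Constructed masscan-style output for the demo.
SAMPLE_RESULTS = [
    ("203.0.113.10", 80), ("203.0.113.10", 443), ("203.0.113.10", 8080), ("203.0.113.10", 8443),
    ("198.51.100.100", 2052), ("198.51.100.100", 443),
    ("198.51.100.200", 8443),  # just outside the /25, so it is kept
    ("192.0.2.7", 22), ("192.0.2.7", 8080),
] + [("192.0.2.9", p) for p in range(8000, 8012)]  # 12 open ports on one non-CDN host

if __name__ == "__main__":
    kept = filter_scan_results(SAMPLE_RESULTS)
    print(f"kept {len(kept)} of {len(SAMPLE_RESULTS)} results")
    print("port-count heuristic flags:", hosts_over_port_threshold(SAMPLE_RESULTS))
```

The filter runs once over the finished batch, which is why it costs nothing extra on large subnets, whereas the pre-scan split would need every address expanded and looked up first.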

@Luoooio
Author

Luoooio commented Nov 16, 2024

@Luoooio I like you, you are very observant ;)

It's a good question. The reason is because we're scanning the hosts in extremely large batches. Since we use masscan, which is capable of scanning the entire Internet in 5 minutes, and since often our target is a subnet, it's not economical to break it down into individual IP addresses before the scan. Especially with large subnets, checking each host against the CDN database and splitting the results into two scans takes longer than simply letting masscan do its thing, which is very fast.

Great response, and thank you for the detailed explanation! It makes sense that a tool needs to consider the overall strategy. I now understand why bbot uses masscan for port scanning—it’s fast enough when large subnets are used as input. In a recursive design, sacrificing some accuracy to gain efficiency is indeed necessary. It’s all about the philosophy of making choices. Impressive!
