"DNS Timeout...Investigate if there are many of these" Error

[stevegriffs]

Getting DNS Timeouts during execution, below is the command used along with a sample output. There were no errors with the Google Checks, just Amazon and Azure.

command:
./cloud_enum.py -kf ./enum_tools/<redacted>_keyfile.txt -m ./enum_tools/<redacted>_fuzz.txt -t 5 -l ./output.txt

output:

++++++++++++++++++++++++++
amazon checks
++++++++++++++++++++++++++

[+] Checking for S3 buckets
Protected S3 Bucket: http://<redacted>amazon.s3.amazonaws.com/
Protected S3 Bucket: http://<redacted>-backup.s3.amazonaws.com/
Protected S3 Bucket: http://client-<redacted>.s3.amazonaws.com/
Protected S3 Bucket: http://<redacted>-demo.s3.amazonaws.com/
Protected S3 Bucket: http://<redacted>-images.s3.amazonaws.com/
Protected S3 Bucket: http://<redacted>-prod.s3.amazonaws.com/
Protected S3 Bucket: http://<redacted>-production.s3.amazonaws.com/
Protected S3 Bucket: http://production-<redacted>.s3.amazonaws.com/
Protected S3 Bucket: http://<redacted>.store.s3.amazonaws.com/
Protected S3 Bucket: http://<redacted>.s3.amazonaws.com/
Protected S3 Bucket: http://<redacted>.s3.amazonaws.com/

Elapsed time: 00:02:35

[+] Checking for AWS Apps
[*] Brute-forcing a list of 11346 possible DNS names
[!] DNS Timeout on test.<redacted>.awsapps.com. Investigate if there are many of these.
[!] DNS Timeout on <redacted>.backup.awsapps.com. Investigate if there are many of these.

++++++++++++++++++++++++++
azure checks
++++++++++++++++++++++++++

[+] Checking for Azure Storage Accounts
[*] Brute-forcing a list of 3486 possible DNS names
HTTPS-Only Account: http://<redacted>.blob.core.windows.net/
HTTPS-Only Account: http://<redacted>1.blob.core.windows.net/
HTTPS-Only Account: http://storage<redacted>.blob.core.windows.net/
HTTPS-Only Account: http://<redacted>test.blob.core.windows.net/

Elapsed time: 00:00:51

[] Checking 4 accounts for status before brute-forcing
[] Brute-forcing container names in 4 storage accounts
[] Brute-forcing 274 container names in <redacted>1.blob.core.windows.net
[] Brute-forcing 274 container names in storage<redacted>.blob.core.windows.net
[] Brute-forcing 274 container names in <redacted>.blob.core.windows.net
[!] Breaking out early, auth required.
[] Brute-forcing 274 container names in <redacted>test.blob.core.windows.net
[!] Breaking out early, auth required.

Elapsed time: 00:00:15

[+] Checking for Azure File Accounts
[*] Brute-forcing a list of 3486 possible DNS names
[!] DNS Timeout on <redacted>pro.file.core.windows.net. Investigate if there are many of these.
[!] DNS Timeout on <redacted>syslog.file.core.windows.net. Investigate if there are many of these.
[!] DNS Timeout on builds<redacted>.file.core.windows.net. Investigate if there are many of these.
[!] DNS Timeout on <redacted>graphite.file.core.windows.net. Investigate if there are many of these.
[!] DNS Timeout on <redacted>client.file.core.windows.net. Investigate if there are many of these.
HTTPS-Only Account: http://<redacted>.file.core.windows.net/
HTTPS-Only Account: http://<redacted>1.file.core.windows.net/
HTTPS-Only Account: http://storage<redacted>.file.core.windows.net/
HTTPS-Only Account: http://<redacted>test.file.core.windows.net/

[initstring]

Hi @stevegriffs - thanks for opening an issue!

Were there many more than the 5 shown? 5 errors out of 3486 checks isn't too bad.

If there were a bunch, can you try using a different DNS server and/or trying it while connected to a VPN?

[nrathaus]

I noticed that the DNS server defaults to 8.8.8.8 this tends to timeout on certain servers such as azure.com - I think it is intentionally done to prevent hacking

[stevegriffs]

It fails for pretty much everything in Azure. I tried it again using a different dns (Cloudflares 1.1.1.1) and there was a significant reduction in timeouts until it got to the Azure Table Accounts. Then the DNS timeout errors increased to the point it didn't return any results from that point forward.

Is there a way to specify which part of Azure I want to target? Say I only want to Target Azure Websites?
Or is there a way to spread out the number of DNS queries at a given time? Yes this might take longer to run, but it might be a way around DNS timeouts

[+] Checking for Azure Table Accounts
[*] Brute-forcing a list of 3486 possible DNS names
[!] DNS Timeout on emails<redacted>.table.core.windows.net. Investigate if there are many of these.
[!] DNS Timeout on <redacted>club.table.core.windows.net. Investigate if there are many of these.
[!] DNS Timeout on config<redacted>.table.core.windows.net. Investigate if there are many of these.
[!] DNS Timeout on gke<redacted>.table.core.windows.net. Investigate if there are many of these.
[!] DNS Timeout on <redacted>logstash.table.core.windows.net. Investigate if there are many of these.
[!] DNS Timeout on <redacted>prod.table.core.windows.net. Investigate if there are many of these.
[!] DNS Timeout on <redacted>blog.table.core.windows.net. Investigate if there are many of these.
[!] DNS Timeout on directory<redacted>.table.core.windows.net. Investigate if there are many of these.
[!] DNS Timeout on <redacted>media.table.core.windows.net. Investigate if there are many of these.
HTTPS-Only Account: http://<redacted>.table.core.windows.net/
HTTPS-Only Account: http://<redacted>1.table.core.windows.net/
HTTPS-Only Account: http://storage<redacted>.table.core.windows.net/
HTTPS-Only Account: http://<redacted>test.table.core.windows.net/

Elapsed time: 00:01:23

[+] Checking for Azure App Management Accounts
[*] Brute-forcing a list of 3486 possible DNS names
[!] DNS Timeout on <redacted>2025.scm.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on administrator<redacted>.scm.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on azure<redacted>.scm.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on bucket<redacted>.scm.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on <redacted>dataflow.scm.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on db<redacted>.scm.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on development<redacted>.scm.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on 01<redacted>gas.scm.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on <redacted>gasgitlab.scm.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on <redacted>gasimages.scm.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on mattermost<redacted>gas.scm.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on userpictures<redacted>gas.scm.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on subversion<redacted>.scm.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on appengine<redacted>.scm.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on dns<redacted>.scm.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on infra<redacted>.scm.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on 1<redacted>.scm.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on <redacted>2024.scm.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on corporate<redacted>.scm.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on gateway<redacted>.scm.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on <redacted>hub.scm.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on it<redacted>.scm.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on panel<redacted>.scm.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on pictures<redacted>.scm.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on <redacted>static.scm.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on <redacted>staging.scm.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on tasks<redacted>.scm.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on 1<redacted>.scm.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on <redacted>cache.scm.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on common<redacted>.scm.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on data<redacted>.scm.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on temp<redacted>.scm.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on templates<redacted>.scm.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on <redacted>useast.scm.azurewebsites.net. Investigate if there are many of these.

Elapsed time: 00:03:18

[+] Checking for Azure Key Vault Accounts
[*] Brute-forcing a list of 3486 possible DNS names
[!] DNS Timeout on db<redacted>.vault.azure.net. Investigate if there are many of these.
[!] DNS Timeout on <redacted>org.vault.azure.net. Investigate if there are many of these.
[!] DNS Timeout on cache<redacted>.vault.azure.net. Investigate if there are many of these.
[!] DNS Timeout on content<redacted>.vault.azure.net. Investigate if there are many of these.
[!] DNS Timeout on <redacted>common.vault.azure.net. Investigate if there are many of these.
[!] DNS Timeout on <redacted>datastore.vault.azure.net. Investigate if there are many of these.
[!] Timeout on <redacted>test.vault.azure.net. Investigate if there are many of these

Elapsed time: 00:01:31

[+] Checking for Azure Websites
[*] Brute-forcing a list of 11346 possible DNS names
[!] DNS Timeout on 2017-<redacted>.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on <redacted>-contact.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on jira.<redacted>.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on kube.<redacted>.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on <redacted>.loadbalancer.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on store.<redacted>.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on 2016-<redacted>gas.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on administrator<redacted>gas.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on administrator.<redacted>gas.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on beta<redacted>gas.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on com.au<redacted>gas.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on net<redacted>gas.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on repo<redacted>gas.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on users<redacted>.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on <redacted>-downloads.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on packages.<redacted>.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on storage-<redacted>.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on contact<redacted>.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on <redacted>.demo.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on <redacted>discount.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on <redacted>-kubernetes.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on mattermost<redacted>.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on static<redacted>.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on svc<redacted>.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on test.<redacted>.azurewebsites.net. Investigate if there are many of these.
[!] DNS Timeout on troposphere<redacted>.azurewebsites.net. Investigate if there are many of these.

[initstring]

HI @stevegriffs - there is another open PR that changes the default to 1.1.1.1, which will probably be merged.

There is no way to specify in args which checks within a given cloud provider to run. You could comment some lines in the code out if you'd like.

You can use the -t or --threads arg to reduce threads used by the fast dns lookup function, but this isn't exactly they method you mention about spacing them out.

I'm going to close this, but feel free to re-open or submit a PR if you have ideas to improve.

Thanks!