Summary
When an FQDN translates to multiple IPs, which usually happens with load-balanced endpoints, the Scanner framework iterates over every IP by default (run_host is called multiple times, once with each IP). This is usually fine when we want to run the module against each host. But, in some specific contexts, this can be an issue. For example, when enumerating usernames from a public endpoint like Azure, AWS, etc., repeating the operation for every host reported by a specific FQDN is not necessary and should be avoided.
A good example is the Azure AD scanner module, which queries the Azure AD SSO autologon endpoint (autologon.microsoftazuread-sso.com). At the moment, it is not possible to implement this using the official Login Scanner template, since run_host would be called multiple times, once for each IP reported by this FQDN.
Basic example
A possible solution would be to have a special option that instructs the Scanner to pick only one IP from a single FQDN in RHOSTS.
Another option would be to force the use of RHOST when RHOSTS is empty. The Scanner could first check for RHOSTS and, if it is not there, look for the RHOST value, knowing that only one IP should be used when an FQDN is provided.
Motivation
This will enable contributors to write Login Scanner modules against SaaS services, which are often behind a load balancer, using the official Scanner template.
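The proposed "one IP per FQDN" option, sketched as an added Ruby example that is not Metasploit code: the resolver is injected with constructed DNS data so it runs offline (a real module would resolve with something like Rex::Socket.getaddresses), and FAKE_DNS, expand_rhosts and run_scanner are hypothetical names.

```ruby
require 'ipaddr'

# Constructed DNS view (documentation-range addresses, not real records):
# a load-balanced FQDN answering with several A records.
FAKE_DNS = {
  'autologon.microsoftazuread-sso.com' => ['198.51.100.1', '198.51.100.2', '198.51.100.3'],
  'sso.example.test'                   => ['203.0.113.10', '203.0.113.11']
}.freeze

DEFAULT_RESOLVER = ->(host) { FAKE_DNS.fetch(host, []) }

def ip_literal?(token)
  IPAddr.new(token)
  true
rescue IPAddr::InvalidAddressError
  false
end

# Expand an RHOSTS string into the targets run_host would be invoked with.
# one_ip_per_fqdn: false reproduces the default Scanner behaviour (every
# address a name resolves to becomes a target); true keeps only the first
# address of each FQDN, which is the option proposed in the issue.
def expand_rhosts(rhosts, one_ip_per_fqdn: false, resolver: DEFAULT_RESOLVER)
  targets = []
  rhosts.split(/[\s,]+/).reject(&:empty?).each do |token|
    if ip_literal?(token)
      targets << { ip: token, fqdn: nil }
      next
    end
    addrs = resolver.call(token)           # [] for names that do not resolve
    addrs = addrs.first(1) if one_ip_per_fqdn
    addrs.each { |ip| targets << { ip: ip, fqdn: token } }
  end
  targets.uniq { |t| t[:ip] }             # the same IP is never scanned twice
end

# Mimics the Scanner loop: the block plays the role of run_host and is
# invoked once per expanded target. Returns the number of invocations.
def run_scanner(rhosts, one_ip_per_fqdn: false)
  targets = expand_rhosts(rhosts, one_ip_per_fqdn: one_ip_per_fqdn)
  targets.each { |t| yield t[:ip] }
  targets.size
end

if $PROGRAM_NAME == __FILE__
  hosts = 'autologon.microsoftazuread-sso.com 192.0.2.5'
  puts "default:         #{run_scanner(hosts) { |ip| }} run_host calls"
  puts "one IP per FQDN: #{run_scanner(hosts, one_ip_per_fqdn: true) { |ip| }} run_host calls"
end
```

With the option off, the three resolved addresses plus the literal IP give four run_host calls; with it on, the FQDN contributes a single target and the literal IP is still scanned.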