Currently Chrome will use the system's DNS resolver to resolve hostnames before taking screenshots. Additionally, our code (when you use --all-hostnames) will attempt to resolve each hostname before including it in the list of targets.
There are a few shortcomings with this approach:
It discards all of the resolution information already included in the nmap scans.
It takes time re-resolving all hostnames (except user-defined ones).
It does not allow manually specified hostname->ip mappings.
It does not allow screenshotting of targets by their hostnames if the mapping is not in /etc/hosts or publicly resolvable.
The last one is the biggest issue. It is not uncommon for webservers to respond only to configured hostnames. If we know the hostname but cannot resolve it (even though we already know this information and have it documented in an nmap scan) then we will miss potentially interesting results.
AFAIK, the DevTools Protocol does not allow you to MiTM DNS requests. It does, however, allow you to issue the http requests on behalf of the browser. So for hostnames we want to resolve locally, we will need to hijack the requests and have go/rod issue the request with a custom resolver/transport.
We will likely need to update our Target object to include a resolved IP field. We'll also need to be able to get at this info from within the hijack handler.
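The custom resolver/transport idea above, worked through as an added example (this is not the project's code and does not touch rod itself): a `Target` with a hypothetical resolved-IP field feeds a `HostMap`, and an `http.Client` is built whose transport dials the mapped IP while leaving the URL hostname untouched, so the `Host` header and TLS SNI still carry the name the web server expects. Hostnames without a mapping fall through to the normal system resolver. The struct name, the `HostMap` type and the sample hosts are assumptions made for the example.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net"
	"net/http"
	"strings"
	"sync"
	"time"
)

// Target is a hypothetical stand-in for the scanner's target object,
// with the resolved-IP field the issue proposes adding.
type Target struct {
	Hostname string
	IP       string
}

// HostMap holds manual hostname -> IP mappings (from nmap output or the
// user) and is safe to consult from concurrent hijack handlers.
type HostMap struct {
	mu sync.RWMutex
	m  map[string]string
}

// NewHostMap builds the map from targets; hostnames are compared
// case-insensitively, as DNS names are.
func NewHostMap(targets []Target) *HostMap {
	h := &HostMap{m: make(map[string]string, len(targets))}
	for _, t := range targets {
		if t.Hostname != "" && t.IP != "" {
			h.m[strings.ToLower(t.Hostname)] = t.IP
		}
	}
	return h
}

// Lookup returns the mapped IP for host, if one exists.
func (h *HostMap) Lookup(host string) (string, bool) {
	h.mu.RLock()
	defer h.mu.RUnlock()
	ip, ok := h.m[strings.ToLower(host)]
	return ip, ok
}

// RewriteAddr turns "host:port" into "ip:port" when host is mapped.
// Unmapped hosts are returned unchanged so the system resolver still
// handles them (the "user-defined" exception from the issue).
func (h *HostMap) RewriteAddr(addr string) (string, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return "", fmt.Errorf("bad dial address %q: %w", addr, err)
	}
	if ip, ok := h.Lookup(host); ok {
		return net.JoinHostPort(ip, port), nil
	}
	return addr, nil
}

// NewClient returns an http.Client whose transport dials the mapped IP.
// The request URL keeps the original hostname, so Host header and SNI
// are unchanged and name-based virtual hosts respond correctly.
func NewClient(h *HostMap) *http.Client {
	dialer := &net.Dialer{Timeout: 10 * time.Second}
	tr := &http.Transport{
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			target, err := h.RewriteAddr(addr)
			if err != nil {
				return nil, err
			}
			return dialer.DialContext(ctx, network, target)
		},
	}
	return &http.Client{Transport: tr, Timeout: 15 * time.Second}
}

// Fetch performs a GET through the client and returns status and body;
// a hijack handler would hand these back to the browser.
func Fetch(client *http.Client, url string) (int, []byte, error) {
	resp, err := client.Get(url)
	if err != nil {
		return 0, nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	return resp.StatusCode, body, err
}

func main() {
	// Constructed sample targets; no network access is needed to see the rewrite.
	hm := NewHostMap([]Target{{Hostname: "intranet.example.test", IP: "10.0.0.5"}})
	addr, _ := hm.RewriteAddr("intranet.example.test:443")
	fmt.Println("dial", addr) // dial 10.0.0.5:443
	addr, _ = hm.RewriteAddr("public.example.test:80")
	fmt.Println("dial", addr) // dial public.example.test:80
}
```

Because only the dial address is rewritten, HTTPS still validates the certificate against the hostname in the URL; whether to relax that for internal hosts with self-signed certificates is a separate decision for the scanner's configuration.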