
Bug - Scan Doesn't Properly Run w/o Subdomain Discovery & No Optional Domains

Open quantumburnz opened this issue 3 years ago • 2 comments

Issue Summary

I'm using SpiderFoot for subdomain enumeration, and I want to feed these results into reNgine. In my use-case, I provided one target sub-domain to reNgine with a custom Scan Engine: NO "Subdomain Discovery" but I am performing Screenshot, Port Scan, Fetch URLs, and Vulnerability Scan. Upon running this on the subdomain with NO optional subdomains provided, I noticed the scan would quickly jump through HTTP Crawler, Visual Recon, and Port Scanning without giving me any results, but I knew this particular subdomain should have had some results, so I dug into the code and found the following:

initiate_scan is called with a default parameter imported_subdomains=None. Early in the function, there's a check to see whether the subdomain_discovery task is enabled or not: https://github.com/yogeshojha/rengine/blob/27d6ec5827a51fd74e3ab97a5cef38fc7f5d9168/web/reNgine/tasks.py#L147 ... some extra code here that doesn't pertain to this use-case ... https://github.com/yogeshojha/rengine/blob/27d6ec5827a51fd74e3ab97a5cef38fc7f5d9168/web/reNgine/tasks.py#L157-L158

In skip_subdomain_scan, the target is written into target_domain.txt which is then cat'd into subdomain_collection.txt. However, from_imported.txt is also cat'd into subdomain_collection.txt, overwriting the value that came from target_domain.txt as you can see below. https://github.com/yogeshojha/rengine/blob/27d6ec5827a51fd74e3ab97a5cef38fc7f5d9168/web/reNgine/tasks.py#L294-L298

Simply appending from_imported.txt to subdomain_collection.txt instead of overwriting it, as shown below, will fix the issue:

'cat {0}/from_imported.txt >> {0}/subdomain_collection.txt'.format(results_dir)

Steps to Reproduce

  1. Provide one target sub-domain to reNgine
  2. Create a custom Scan Engine to perform: Screenshot, Port Scan, Fetch URLs, and Vulnerability Scan
  3. Run a scan against the subdomain with NO optional subdomains provided

Any other relevant information. For example, why do you consider this a bug and what did you expect to happen instead? I expect the scan to perform the desired functions on the target domain.

I have confirmed that this issue can be reproduced as described on a latest version/pull of reNgine: yes, I'm using a pull from 30Dec21.

Technical details

Ubuntu 20.04.3 LTS
Docker version 20.10.12, build e91ed57

quantumburnz, Jan 21 '22 21:01
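The two-redirection problem described in the report can be reproduced without reNgine at all. The script below is an added illustration, not reNgine's code: it models the skip_subdomain_scan file flow with the file names from the issue (target_domain.txt, from_imported.txt, subdomain_collection.txt) inside a scratch directory, runs the collection step once with the original `>` and once with the proposed `>>`, and counts the hosts that survive. The target hostname is constructed, and the deduplication variant at the end is an extra caveat of mine, not part of the fix proposed in the issue.

```shell
#!/bin/sh
# Added example modelling the issue's file flow; not reNgine code.

# Count non-empty lines of a file, with wc's padding stripped.
count_lines() {
    grep -c . "$1" || true
}

# Scratch results directory laid out as the issue describes: the single
# target goes into target_domain.txt, and from_imported.txt is empty because
# no optional subdomains were supplied with the scan.
setup_results_dir() {
    results_dir=$(mktemp -d)
    printf '%s\n' 'app.example.com' > "$results_dir/target_domain.txt"  # constructed target
    : > "$results_dir/from_imported.txt"                                 # nothing imported
    printf '%s' "$results_dir"
}

# Original behaviour: both cats use '>', so the second one truncates the
# collection and the target written by the first one is lost. With an empty
# import list the collection ends up empty, which is why later stages had
# nothing to work on.
collect_overwrite() {
    rd=$1
    cat "$rd/target_domain.txt" > "$rd/subdomain_collection.txt"
    cat "$rd/from_imported.txt" > "$rd/subdomain_collection.txt"
    count_lines "$rd/subdomain_collection.txt"
}

# Proposed fix: the second cat appends with '>>', so the target survives
# whether or not anything was imported.
collect_append() {
    rd=$1
    cat "$rd/target_domain.txt" > "$rd/subdomain_collection.txt"
    cat "$rd/from_imported.txt" >> "$rd/subdomain_collection.txt"
    count_lines "$rd/subdomain_collection.txt"
}

# Caveat on the fix (my addition): if the imported list repeats the target,
# plain appending produces duplicate entries, i.e. duplicated scan work
# downstream. Merging through sort -u keeps the collection unique.
collect_append_dedup() {
    rd=$1
    cat "$rd/target_domain.txt" "$rd/from_imported.txt" | sort -u > "$rd/subdomain_collection.txt"
    count_lines "$rd/subdomain_collection.txt"
}

# Stand-alone run: the scenario from the issue (one target, nothing imported).
demo_dir=$(setup_results_dir)
echo "overwrite (original) keeps $(collect_overwrite "$demo_dir") host(s)"
echo "append (proposed)    keeps $(collect_append "$demo_dir") host(s)"
rm -rf "$demo_dir"
```

Running it prints 0 hosts for the overwrite variant and 1 for the append variant, matching the empty results the reporter observed and the effect of the proposed one-character change.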

👋 Hi @quantumburnz, Issues are only for reporting a bug or feature request. Please read the documentation before raising an issue (https://rengine.wiki). For very limited support, questions, and discussions, please join the reNgine Discord channel (https://discord.gg/azv6fzhNCE). Please include all the requested and relevant information when opening a bug report. Improper reports will be closed without any response.

github-actions[bot], Jan 21 '22 21:01

This is somewhat of a duplicate issue already raised in issue #516, granted, with a little more detail.

quantumburnz, Jan 24 '22 17:01

Fixed in version 2.0 by @ocervell's PR https://github.com/yogeshojha/rengine/pull/742 (changelog: https://rengine.wiki/changelog/#200)

psyray, Nov 17 '23 17:11