f

carlospolop · carlospolop · commit 29d65a63867f · 2026-02-26T18:43:11.000+01:00
diff --git a/.github/workflows/auto_merge_approved_prs.yml b/.github/workflows/auto_merge_approved_prs.yml
@@ -37,8 +37,38 @@ jobs:
       - name: Check for running workflows
         id: check_workflows
         run: |
+          gh_with_retry() {
+            local max_attempts=5
+            local base_sleep_seconds=2
+            local attempt=1
+            local stderr_file
+            stderr_file=$(mktemp)
+
+            while true; do
+              if gh "$@" 2>"$stderr_file"; then
+                rm -f "$stderr_file"
+                return 0
+              fi
+
+              local exit_code=$?
+              if [ "$attempt" -ge "$max_attempts" ]; then
+                echo "gh command failed after $max_attempts attempts: gh $*" >&2
+                cat "$stderr_file" >&2
+                rm -f "$stderr_file"
+                return "$exit_code"
+              fi
+
+              local sleep_for=$((base_sleep_seconds * attempt))
+              echo "gh command failed (attempt $attempt/$max_attempts): gh $*" >&2
+              cat "$stderr_file" >&2
+              echo "Retrying in ${sleep_for}s..." >&2
+              sleep "$sleep_for"
+              attempt=$((attempt + 1))
+            done
+          }
+
           # Get all running workflows except this one
-          running_workflows=$(gh run list --status in_progress --json workflowName,name --repo "$GITHUB_REPOSITORY" --jq '.[].name' | grep -v "Auto Merge Approved PRs" | wc -l)
+          running_workflows=$(gh_with_retry run list --status in_progress --json workflowName,name --repo "$GITHUB_REPOSITORY" --jq '.[].name' | grep -v "Auto Merge Approved PRs" | wc -l)
           echo "running_workflows=$running_workflows" >> $GITHUB_OUTPUT
           
           if [ "$running_workflows" -gt 0 ]; then
@@ -54,14 +84,44 @@ jobs:
       - name: Find and merge approved PRs
         if: steps.check_workflows.outputs.should_continue == 'true'
         run: |
+          gh_with_retry() {
+            local max_attempts=5
+            local base_sleep_seconds=2
+            local attempt=1
+            local stderr_file
+            stderr_file=$(mktemp)
+
+            while true; do
+              if gh "$@" 2>"$stderr_file"; then
+                rm -f "$stderr_file"
+                return 0
+              fi
+
+              local exit_code=$?
+              if [ "$attempt" -ge "$max_attempts" ]; then
+                echo "gh command failed after $max_attempts attempts: gh $*" >&2
+                cat "$stderr_file" >&2
+                rm -f "$stderr_file"
+                return "$exit_code"
+              fi
+
+              local sleep_for=$((base_sleep_seconds * attempt))
+              echo "gh command failed (attempt $attempt/$max_attempts): gh $*" >&2
+              cat "$stderr_file" >&2
+              echo "Retrying in ${sleep_for}s..." >&2
+              sleep "$sleep_for"
+              attempt=$((attempt + 1))
+            done
+          }
+
           authorized_user="carlospolop"
           max_merges=2
 
           echo "Authorized user: $authorized_user"
           echo "Looking for PRs with exact comment 'merge' from $authorized_user..."
 
           # Get all open PRs
-          prs=$(gh pr list --state open --json number,title,url,author --repo "$GITHUB_REPOSITORY")
+          prs=$(gh_with_retry pr list --state open --json number,title,url,author --repo "$GITHUB_REPOSITORY")
 
           if [ "$prs" = "[]" ]; then
             echo "No open PRs found."
@@ -98,7 +158,10 @@ jobs:
             has_merge_comment=false
             if [ "$eligible_by_title" != true ]; then
               # Get all comments for this PR
-              comments=$(gh pr view "$pr_number" --json comments --jq '.comments[]' --repo "$GITHUB_REPOSITORY")
+              if ! comments=$(gh_with_retry pr view "$pr_number" --json comments --jq '.comments[]' --repo "$GITHUB_REPOSITORY"); then
+                echo "Failed to fetch comments for PR #$pr_number after retries. Skipping PR."
+                continue
+              fi
 
               # Print all comment authors for debugging
               echo "Comments in PR #$pr_number:"
@@ -123,15 +186,21 @@ jobs:
               echo "Attempting to merge PR #$pr_number..."
 
               # Get PR details including head branch
-              pr_details=$(gh pr view "$pr_number" --json headRefName,baseRefName --repo "$GITHUB_REPOSITORY")
+              if ! pr_details=$(gh_with_retry pr view "$pr_number" --json headRefName,baseRefName --repo "$GITHUB_REPOSITORY"); then
+                echo "Failed to fetch details for PR #$pr_number after retries. Skipping PR."
+                continue
+              fi
               head_branch=$(echo "$pr_details" | jq -r '.headRefName')
               base_branch=$(echo "$pr_details" | jq -r '.baseRefName')
 
               # --- Polling for non-UNKNOWN mergeable status ---
               max_retries=10
               retry=0
               while true; do
-                pr_mergeable=$(gh pr view "$pr_number" --json mergeable --jq '.mergeable' --repo "$GITHUB_REPOSITORY")
+                if ! pr_mergeable=$(gh_with_retry pr view "$pr_number" --json mergeable --jq '.mergeable' --repo "$GITHUB_REPOSITORY"); then
+                  echo "Failed to fetch mergeable status for PR #$pr_number after retries."
+                  pr_mergeable="UNKNOWN"
+                fi
                 if [ "$pr_mergeable" != "UNKNOWN" ]; then
                   break
                 fi
diff --git a/src/network-services-pentesting/pentesting-dns.md b/src/network-services-pentesting/pentesting-dns.md
@@ -183,6 +183,140 @@ dig google.com A @<IP>
 
 ![](<../images/image (146).png>)
 
+### DNS Auditor checks (HackTricks tools)
+
+The HackTricks Domain/DNS auditor was expanded with extra DNS/certificate checks.  
+Use this as a quick manual reference for verification and abuse paths.
+
+#### NS delegation integrity / lame delegation
+
+**What it checks**
+- Delegated NS hostnames resolve to IPs
+- Delegated NSs answer authoritatively for the zone
+- SOA serial consistency across authoritative NSs
+
+**How to check**
+```bash
+dig example.com NS +short
+for ns in $(dig +short example.com NS); do dig @${ns%?} example.com SOA +short; done
+```
+
+**Impact**
+- Intermittent or full DNS outages
+- Stale records depending on which NS a resolver hits
+
+**Attacker abuse**
+- Exploit lame/out-of-sync delegation to increase reliability of cache-poisoning windows and selective traffic disruption.
+
+#### HTTPS/SVCB modern records
+
+**What it checks**
+- Presence/absence of `HTTPS` and `SVCB` records on apex and `www`
+
+**How to check**
+```bash
+dig example.com HTTPS +short
+dig example.com SVCB +short
+dig www.example.com HTTPS +short
+dig www.example.com SVCB +short
+```
+
+**Impact**
+- Mostly hardening/operational maturity gap (less protocol steering, less explicit service binding)
+
+**Attacker abuse**
+- Not usually direct exploitation, but can reduce defensive control over client connection behavior.
+
+#### DNS EDNS + TCP fallback resilience
+
+**What it checks**
+- Truncation handling and TCP fallback viability for large DNS/DNSSEC answers
+
+**How to check**
+```bash
+dig example.com DNSKEY +dnssec +bufsize=1232
+dig example.com DNSKEY +dnssec +tcp
+```
+
+**Impact**
+- DNSSEC breakage, intermittent resolution failures behind specific networks/firewalls
+
+**Attacker abuse**
+- Trigger degraded availability by forcing large responses where TCP/53 is blocked or broken.
+
+#### DNSSEC lifecycle (CDS/CDNSKEY + DS consistency)
+
+**What it checks**
+- Presence of rollover signaling records (`CDS`, `CDNSKEY`)
+- Parent/child key-tag consistency (`DS` vs `CDS`)
+
+**How to check**
+```bash
+dig example.com DS +short
+dig example.com CDS +short
+dig example.com CDNSKEY +short
+```
+
+**Impact**
+- Broken key rollover -> validation failures / SERVFAIL for validating resolvers
+
+**Attacker abuse**
+- Abuse mis-rolled states to create denial-of-service conditions for DNSSEC-validating clients.
+
+#### DNSSEC negative trust validation (NXDOMAIN proofs)
+
+**What it checks**
+- For signed zones, whether random NXDOMAIN responses are validated and carry denial-of-existence evidence
+
+**How to check**
+```bash
+dig @8.8.8.8 _random-does-not-exist.example.com A +dnssec
+dig @8.8.8.8 _random-does-not-exist.example.com A +dnssec +multi
+```
+
+**Impact**
+- Broken denial-of-existence behavior can indicate chain/signer inconsistencies
+
+**Attacker abuse**
+- Increase probability of resolver-side failure states during targeted DNSSEC disruption attempts.
+
+#### Very low TTL on critical records
+
+**What it checks**
+- Low/very-low TTLs on `A`, `AAAA`, `MX`, `NS`
+
+**How to check**
+```bash
+dig example.com A +ttlid
+dig example.com AAAA +ttlid
+dig example.com MX +ttlid
+dig example.com NS +ttlid
+```
+
+**Impact**
+- Faster global propagation of accidental or malicious DNS changes
+
+**Attacker abuse**
+- If attacker gets brief write access to DNS, low TTL accelerates malicious redirection rollout.
+
+#### CAA policy quality + CT correlation
+
+**What it checks**
+- `issue` / `issuewild` breadth and over-permissive CA authorization
+- Whether observed CT issuers are consistent with CAA intent (heuristic)
+
+**How to check**
+```bash
+dig example.com CAA +short
+curl -s "https://crt.sh/?q=%25.example.com&output=json" | head
+```
+
+**Impact**
+- Overly broad or inconsistent issuance policy increases cert abuse surface
+
+**Attacker abuse**
+- Mis-scoped CAA can make unauthorized/abusive cert issuance easier after CA/process compromise.
+
 
 ### Mail to nonexistent account
 
@@ -267,4 +401,3 @@ Entry_6:
 {{#include ../banners/hacktricks-training.md}}
 
 
-
diff --git a/src/network-services-pentesting/pentesting-smtp/README.md b/src/network-services-pentesting/pentesting-smtp/README.md
@@ -389,6 +389,120 @@ _dmarc.bing.com.	3600	IN	TXT	"v=DMARC1; p=none; pct=100; rua=mailto:BingEmailDMA
 | adkim    | Alignment mode for DKIM                       | adkim=s                         |
 | aspf     | Alignment mode for SPF                        | aspf=r                          |
 
+### Extra email hardening checks (HackTricks DNS/Domain auditor)
+
+The HackTricks Domain/DNS auditor now includes extra SMTP/email-control checks.  
+Use this to manually validate findings and explain impact in reports.
+
+#### DMARC alignment hardening (`adkim`, `aspf`, `fo`)
+
+**What it checks**
+- Strict alignment (`adkim=s`, `aspf=s`)
+- Presence of forensic policy (`fo=...`)
+
+**How to check**
+```bash
+dig _dmarc.example.com TXT +short
+```
+
+**Impact**
+- Relaxed alignment or missing forensic controls can reduce spoofing resistance and forensic visibility.
+
+**Attacker abuse**
+- Attackers can craft borderline-aligned campaigns that pass weaker DMARC configurations more often.
+
+#### MX STARTTLS transport security
+
+**What it checks**
+- Whether MXs advertise `STARTTLS`
+- Whether STARTTLS negotiation works and certificates validate
+
+**How to check**
+```bash
+dig MX example.com +short
+openssl s_client -starttls smtp -connect mx1.example.com:25 -servername mx1.example.com
+```
+
+**Impact**
+- Missing/broken STARTTLS increases plaintext transport exposure and downgrade risk.
+
+**Attacker abuse**
+- Active network attackers can intercept/modify SMTP traffic more easily if STARTTLS is absent or misconfigured.
+
+#### MTA-STS policy consistency
+
+**What it checks**
+- `_mta-sts` TXT exists and policy file is reachable
+- Policy fields (`version`, `mode`, `max_age`) are valid
+- `mx:` patterns actually match active MX hosts
+
+**How to check**
+```bash
+dig TXT _mta-sts.example.com +short
+curl -i https://mta-sts.example.com/.well-known/mta-sts.txt
+dig MX example.com +short
+```
+
+**Impact**
+- Broken or inconsistent policy gives a false sense of protection and weakens SMTP TLS enforcement.
+
+**Attacker abuse**
+- Downgrade/MITM opportunities increase when policy hosts or MX matching are misconfigured.
+
+#### TLS-RPT destination validation
+
+**What it checks**
+- `rua=` exists and uses valid `mailto:` or `https:` destinations
+- Basic reachability hints of report destinations
+
+**How to check**
+```bash
+dig TXT _smtp._tls.example.com +short
+```
+
+**Impact**
+- Broken report sinks = no visibility into SMTP TLS failures.
+
+**Attacker abuse**
+- TLS downgrade and delivery issues can remain unnoticed longer.
+
+#### BIMI full validation (logo + VMC URL)
+
+**What it checks**
+- `l=` logo URL reachable and actually serves SVG content
+- `a=` VMC URL uses HTTPS and is reachable
+
+**How to check**
+```bash
+dig TXT default._bimi.example.com +short
+curl -I https://logo.example.com/brand.svg
+curl -I https://example.com/vmc.pem
+```
+
+**Impact**
+- Brand-trust controls can silently fail, reducing anti-phishing posture in supporting clients.
+
+**Attacker abuse**
+- Poorly validated BIMI deployments can be leveraged in social engineering narratives around "trusted sender" expectations.
+
+#### Email service exposure / autodiscover over HTTP
+
+**What it checks**
+- Presence of common email service subdomains (`autodiscover`, `imap`, `pop`, `smtp`, `mail`, `webmail`)
+- Whether autodiscover endpoint is reachable over plaintext HTTP
+
+**How to check**
+```bash
+for h in autodiscover imap pop smtp mail webmail; do dig +short ${h}.example.com A; done
+curl -i http://autodiscover.example.com/autodiscover/autodiscover.xml
+```
+
+**Impact**
+- Increases exposed attack surface and can enable weak-client/legacy downgrade paths.
+
+**Attacker abuse**
+- Autodiscover abuse and credential-harvest workflows become easier when plaintext or weak redirects are accepted.
+
 ### **What about Subdomains?**
 
 **From** [**here**](https://serverfault.com/questions/322949/do-spf-records-for-primary-domain-apply-to-subdomains)**.**\
@@ -630,4 +744,3 @@ Entry_8:
 ```
 
 {{#include ../../banners/hacktricks-training.md}}
-
