From 1655bc7add5d95a7476879dcef4702c3deca6955 Mon Sep 17 00:00:00 2001
From: TheTechromancer
Date: Tue, 17 Oct 2023 18:21:15 -0400
Subject: [PATCH] add microsoft on-prem subdomains

---
 bbot/modules/base.py | 5 +-
 bbot/modules/massdns.py | 10 ++-
 bbot/wordlists/ms_on_prem_subdomains.txt | 101 +++++++++++++++++++++++
 3 files changed, 110 insertions(+), 6 deletions(-)
 create mode 100644 bbot/wordlists/ms_on_prem_subdomains.txt

diff --git a/bbot/modules/base.py b/bbot/modules/base.py
index 65731d7fa..9101c800a 100644
--- a/bbot/modules/base.py
+++ b/bbot/modules/base.py
@@ -5,8 +5,8 @@
 from contextlib import suppress
 
 from ..core.helpers.misc import get_size # noqa
+from ..core.errors import ValidationError
 from ..core.helpers.async_helpers import TaskCounter
-from ..core.errors import ValidationError, WordlistError
 
 
 class BaseModule:
@@ -527,9 +527,6 @@ async def _setup(self):
             self.debug(f"Finished setting up module {self.name}")
         except Exception as e:
             self.set_error_state()
-            # soft-fail if it's only a wordlist error
-            if isinstance(e, WordlistError):
-                status = None
             msg = f"{e}"
             self.trace()
             return self.name, status, str(msg)
diff --git a/bbot/modules/massdns.py b/bbot/modules/massdns.py
index 7e4331f5b..bb28f045f 100644
--- a/bbot/modules/massdns.py
+++ b/bbot/modules/massdns.py
@@ -74,6 +74,12 @@ async def setup(self):
         self.mutations_tried = set()
         self.source_events = self.helpers.make_target()
         self.subdomain_file = await self.helpers.wordlist(self.config.get("wordlist"))
+        self.subdomain_list = set(self.helpers.read_file(self.subdomain_file))
+
+        ms_on_prem_string_file = self.helpers.wordlist_dir / "ms_on_prem_subdomains.txt"
+        ms_on_prem_strings = set(self.helpers.read_file(ms_on_prem_string_file))
+        self.subdomain_list.update(ms_on_prem_strings)
+
         self.max_resolvers = self.config.get("max_resolvers", 1000)
         self.max_mutations = self.config.get("max_mutations", 500)
         nameservers_url = (
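Review bot: Deleting the three WordlistError lines in `_setup` is a behaviour change the commit message ("add microsoft on-prem subdomains") does not mention: a module whose wordlist cannot be fetched now returns whatever `status` held before the exception (presumably set earlier in `_setup`, outside the hunk) instead of `None`, so it is handled like any other setup failure rather than soft-failed. If that is intended now that massdns loads its list eagerly, the `except` branch should say so, e.g. `# any setup exception, including a wordlist fetch failure, puts the module in error state`. The `str(msg)` on the return line is redundant because `msg` is already an f-string; `return self.name, status, msg` reads cleaner. `_setup` starts outside the hunk.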
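Review bot: The new `self.subdomain_list` is a `set`, so the order in which candidates reach `massdns()` is no longer the wordlist's order and changes between runs (string hashing is randomised per process), and the entire configured wordlist is now held in memory for the whole scan instead of being re-read per event as the replaced call did; for a multi-million-line list that is a noticeable footprint. If deduplication is the goal and nothing downstream needs set semantics, an insertion-ordered dedup keeps runs reproducible: `words = list(self.helpers.read_file(self.subdomain_file))`, `words.extend(self.helpers.read_file(ms_on_prem_string_file))`, `self.subdomain_list = list(dict.fromkeys(words))`. The bundled file is merged unconditionally with no comment explaining why; `# always add common Microsoft on-prem names (ADFS, Exchange/OWA, RDS, Lync/SfB) on top of the configured wordlist` would record the intent. Whether `read_file` strips whitespace and drops blank lines is not visible here; if it does not, empty entries end up in the brute-force set. `setup` starts before and ends after this hunk.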
@@ -104,7 +110,7 @@ async def handle_event(self, event):
         self.source_events.add_target(event)
         self.info(f"Brute-forcing subdomains for {query} (source: {event.data})")
-        for hostname in await self.massdns(query, self.helpers.read_file(self.subdomain_file)):
+        for hostname in await self.massdns(query, self.subdomain_list):
             self.emit_result(hostname, event, query)
 
     def abort_if(self, event):
@@ -278,7 +284,7 @@ async def _massdns(self, domain, subdomains):
                     hosts_yielded.add(hostname_hash)
                     yield hostname, data, rdtype
 
-    async def finish(self):
+    async def sfinish(self):
         found = sorted(self.found.items(), key=lambda x: len(x[-1]), reverse=True)
         # if we have a lot of rounds to make, don't try mutations on less-populated domains
         trimmed_found = []
diff --git a/bbot/wordlists/ms_on_prem_subdomains.txt b/bbot/wordlists/ms_on_prem_subdomains.txt
new file mode 100644
index 000000000..b323e4605
--- /dev/null
+++ b/bbot/wordlists/ms_on_prem_subdomains.txt
@@ -0,0 +1,101 @@
+adfs
+adfs01
+adfs02
+adfs1
+adfs2
+adfs3
+adfsproxy
+adfstest
+auth
+fed
+federate
+federated
+federation
+federationfs
+fs
+fs1
+fs2
+fs3
+fs4
+gateway
+login
+portal
+saml
+sso
+sts
+wap
+webmail
+owa
+hybrid
+hybrid-cloud
+email
+outlook
+exchange
+mail2
+webmail2
+mail1
+mailbox
+mail01
+mailman
+mailgate
+mailbackup
+mail3
+webmail1
+webmail3
+mailing
+mailserver
+mailhost
+mailer
+mailadmin
+imap
+pop3
+post
+post1
+post2
+mail
+remote
+desktop
+desktop1
+desktop2
+desktops
+extranet
+mydesktop
+ra
+rdesktop
+rdgate
+rdp
+rdpweb
+rds
+rdsh
+rdweb
+remote01
+remote02
+remote1
+remote2
+remote3
+remote4
+remoteapp
+remoteapps
+remotedesktop
+remotegateway
+tsweb
+vdesktop
+vdi
+dialin
+meet
+lync
+lyncweb
+sip
+skype
+sfbweb
+scheduler
+lyncext
+lyncdiscoverinternal
+access
+lyncaccess01
+lyncaccess
+lync10
+wac
+_sipinternaltls
+uc
+lyncdiscover
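Review bot: Renaming `finish` to `sfinish` on the changed line silently disables the method: nothing else in the patch references `sfinish`, and if the base module invokes `finish()` by name as its end-of-scan hook, as the original name suggests, the mutation pass this method begins never runs and no error is raised to say so. The rename has nothing to do with "add microsoft on-prem subdomains" and looks like a debugging leftover; it should be reverted to `async def finish(self):`, or, if skipping the mutation phase is intended, gated behind a config option rather than a method rename. `_massdns` starts before this hunk and the body of `finish` continues past it.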