From 6cee78f3a83c3ff5804df8e3c0c902397642c35a Mon Sep 17 00:00:00 2001
From: TheTechromancer <thetechromancer@protonmail.com>
Date: Sat, 3 Feb 2024 22:09:59 -0500
Subject: [PATCH] limit massdns brute force depth

---
 bbot/core/helpers/misc.py             | 17 +++++++++++++++++
 bbot/modules/internetdb.py            |  3 +--
 bbot/modules/massdns.py               | 16 +++++++++++++++-
 bbot/test/test_step_1/test_helpers.py |  6 ++++++
 4 files changed, 39 insertions(+), 3 deletions(-)

diff --git a/bbot/core/helpers/misc.py b/bbot/core/helpers/misc.py
index 43fd0595f1..aa3b645e07 100644
--- a/bbot/core/helpers/misc.py
+++ b/bbot/core/helpers/misc.py
@@ -337,6 +337,23 @@ def domain_parents(d, include_self=False):
         break
 
 
+def subdomain_depth(d):
+    """
+    Calculate the depth of subdomains within a given domain name.
+
+    Args:
+        d (str): The domain name to analyze.
+
+    Returns:
+        int: The depth of the subdomain. For example, a hostname "5.4.3.2.1.evilcorp.com"
+        has a subdomain depth of 5.
+    """
+    subdomain, domain = split_domain(d)
+    if not subdomain:
+        return 0
+    return subdomain.count(".") + 1
+
+
 def parent_url(u):
     """
     Retrieve the parent URL of a given URL.
diff --git a/bbot/modules/internetdb.py b/bbot/modules/internetdb.py
index b3e98b9fca..cc6bde5758 100644
--- a/bbot/modules/internetdb.py
+++ b/bbot/modules/internetdb.py
@@ -40,8 +40,7 @@ class internetdb(BaseModule):
     flags = ["passive", "safe", "portscan", "subdomain-enum"]
     meta = {"description": "Query Shodan's InternetDB for open ports, hostnames, technologies, and vulnerabilities"}
 
-    # limit outgoing queue size to help avoid rate limiting
-    _qsize = 100
+    _qsize = 500
 
     base_url = "https://internetdb.shodan.io"
 
diff --git a/bbot/modules/massdns.py b/bbot/modules/massdns.py
index 1bce928def..ab913128d7 100644
--- a/bbot/modules/massdns.py
+++ b/bbot/modules/massdns.py
@@ -30,11 +30,13 @@ class massdns(subdomain_enum):
         "wordlist": "https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/subdomains-top1million-5000.txt",
         "max_resolvers": 1000,
         "max_mutations": 500,
+        "max_depth": 5,
     }
     options_desc = {
         "wordlist": "Subdomain wordlist URL",
         "max_resolvers": "Number of concurrent massdns resolvers",
         "max_mutations": "Max number of smart mutations per subdomain",
+        "max_depth": "How many subdomains deep to brute force, i.e. 5.4.3.2.1.evilcorp.com",
     }
     subdomain_file = None
     deps_ansible = [
@@ -90,6 +92,7 @@ async def setup(self):
 
         self.max_resolvers = self.config.get("max_resolvers", 1000)
         self.max_mutations = self.config.get("max_mutations", 500)
+        self.max_depth = max(1, self.config.get("max_depth", 5))
         nameservers_url = (
             "https://raw.githubusercontent.com/blacklanternsecurity/public-dns-servers/master/nameservers.txt"
         )
@@ -107,6 +110,18 @@ async def setup(self):
     async def filter_event(self, event):
         query = self.make_query(event)
         eligible, reason = await self.eligible_for_enumeration(event)
+
+        # limit brute force depth
+        subdomain_depth = self.helpers.subdomain_depth(query) + 1
+        if subdomain_depth > self.max_depth:
+            eligible = False
+            reason = f"subdomain depth of *.{event.data} ({subdomain_depth}) > max_depth ({self.max_depth})"
+
+        # don't brute-force things that look like autogenerated PTRs
+        if self.helpers.is_ptr(query):
+            eligible = False
+            reason = f'"{query}" looks like an autogenerated PTR'
+
         if eligible:
             self.add_found(event)
         # reject if already processed
@@ -130,7 +145,6 @@ def abort_if(self, event):
         if "wildcard" in event.tags:
             return True, "event is a wildcard"
         if "unresolved" in event.tags:
-            self.critical(f"{event} IS UNRESOLVED")
             return True, "event is unresolved"
         return False, ""
 
diff --git a/bbot/test/test_step_1/test_helpers.py b/bbot/test/test_step_1/test_helpers.py
index a078110ce3..c8045e5958 100644
--- a/bbot/test/test_step_1/test_helpers.py
+++ b/bbot/test/test_step_1/test_helpers.py
@@ -182,6 +182,12 @@ async def test_helpers_misc(helpers, scan, bbot_scanner, bbot_config, bbot_https
     assert helpers.split_domain("192.168.0.1") == ("", "192.168.0.1")
     assert helpers.split_domain("dead::beef") == ("", "dead::beef")
 
+    assert helpers.subdomain_depth("a.s.d.f.evilcorp.co.uk") == 4
+    assert helpers.subdomain_depth("a.s.d.f.evilcorp.com") == 4
+    assert helpers.subdomain_depth("evilcorp.com") == 0
+    assert helpers.subdomain_depth("a.evilcorp.com") == 1
+    assert helpers.subdomain_depth("a.s.d.f.evilcorp.notreal") == 4
+
     assert helpers.split_host_port("https://evilcorp.co.uk") == ("evilcorp.co.uk", 443)
     assert helpers.split_host_port("http://evilcorp.co.uk:666") == ("evilcorp.co.uk", 666)
     assert helpers.split_host_port("evilcorp.co.uk:666") == ("evilcorp.co.uk", 666)