From b77a02203852014cbb61f6f446014b229075aa5d Mon Sep 17 00:00:00 2001
From: liquidsec
Date: Mon, 16 Sep 2024 13:11:31 -0400
Subject: [PATCH] baddns direct initial storage bucket / cloudflare
---
 bbot/modules/baddns.py | 2 +-
 bbot/modules/baddns_direct.py | 62 +++++++++++++++++++++--------------
 bbot/modules/baddns_zone.py | 2 +-
 3 files changed, 40 insertions(+), 26 deletions(-)
diff --git a/bbot/modules/baddns.py b/bbot/modules/baddns.py
index ef77f11e7..d35a16bf8 100644
--- a/bbot/modules/baddns.py
+++ b/bbot/modules/baddns.py
@@ -22,7 +22,7 @@ class baddns(BaseModule):
 "enabled_submodules": "A list of submodules to enable. Empty list (default) enables CNAME, TXT and MX Only",
 }
 module_threads = 8
- deps_pip = ["baddns~=1.1.815"]
+ deps_pip = ["baddns~=1.1.839"]
 def select_modules(self):
 selected_submodules = []
diff --git a/bbot/modules/baddns_direct.py b/bbot/modules/baddns_direct.py
index 50e3d22dc..36e4641f0 100644
--- a/bbot/modules/baddns_direct.py
+++ b/bbot/modules/baddns_direct.py
@@ -6,8 +6,9 @@
 import asyncio
 import logging
+
 class baddns_direct(BaseModule):
- watched_events = ["STORAGE_BUCKET"]
+ watched_events = ["URL", "STORAGE_BUCKET"]
 produced_events = ["FINDING", "VULNERABILITY"]
 flags = ["active", "safe", "subdomain-enum", "baddns", "cloud-enum"]
 meta = {
@@ -40,37 +41,50 @@ def select_modules(self):
 selected_modules.append(m)
 return selected_modules
-
 async def handle_event(self, event):
-
- self.critical("HANDLE EVENT")
- parsed_url = urlparse(event.data["url"])
- domain = parsed_url.netloc
-
- self.critical(domain)
-
-
-
- CNAME_direct_module = self.select_modules()[0]
+ self.critical(event.type)
+ CNAME_direct_module = self.select_modules()[0]
 kwargs = {
 "http_client_class": self.scan.helpers.web.AsyncClient,
 "dns_client": self.scan.helpers.dns.resolver,
 "custom_nameservers": self.custom_nameservers,
 "signatures": self.signatures,
+ "direct_mode": True,
 }
- CNAME_direct_instance = CNAME_direct_module(domain, **kwargs)
- await CNAME_direct_instance.dispatch()
- print(CNAME_direct_instance)
- results = CNAME_direct_instance.analyze()
- self.hugewarning(results)
- if results and len(results) > 0:
- for r in results:
- r_dict = r.to_dict()
- self.critical(r_dict)
+ CNAME_direct_instance = CNAME_direct_module(event.host, **kwargs)
+ if await CNAME_direct_instance.dispatch():
+ results = CNAME_direct_instance.analyze()
+ if results and len(results) > 0:
+ for r in results:
+ r_dict = r.to_dict()
+
+ data = {
+ "description": f"Possible [{r_dict['signature']}] via direct BadDNS analysis. 
Indicator: [{r_dict['indicator']}] Trigger: [{r_dict['trigger']}] baddns Module: [{r_dict['module']}]",
+ "host": str(event.host),
+ }
+
+ await self.emit_event(
+ data,
+ "FINDING",
+ event,
+ tags=[f"baddns-{CNAME_direct_module.name.lower()}"],
+ context=f'{{module}}\'s "{r_dict["module"]}" module found {{event.type}}: {r_dict["description"]}',
+ )
 async def filter_event(self, event):
- if event.type == "STORAGE_BUCKET" and str(event.module).startswith("bucket_"):
- self.critical("KILLED BUCKET")
- return False
+ if event.type == "STORAGE_BUCKET":
+ if str(event.module).startswith("bucket_"):
+ return False
+ if event.type == "URL":
+ if event.scope_distance > 0:
+ self.critical(
+ f"Rejecting {event.host} due to not being in scope (scope distance: {str(event.scope_distance)})"
+ )
+ return False
+ if "cdn-cloudflare" not in event.tags:
+ self.critical(f"Rejecting {event.host} due to not being behind CloudFlare")
+ return False
+ if "status-200" in event.tags or "status-301" in event.tags:
+ self.critical(f"Rejecting {event.host} due to lack of non-standard status code")
 return True
diff --git a/bbot/modules/baddns_zone.py b/bbot/modules/baddns_zone.py
index a356f61b3..d242fdaab 100644
--- a/bbot/modules/baddns_zone.py
+++ b/bbot/modules/baddns_zone.py
@@ -17,7 +17,7 @@ class baddns_zone(baddns_module):
 "only_high_confidence": "Do not emit low-confidence or generic detections",
 }
 module_threads = 8
- deps_pip = ["baddns~=1.1.815"]
+ deps_pip = ["baddns~=1.1.839"]
 def select_modules(self):
 selected_modules = []
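Review bot: In the new `filter_event`, the `"status-200" in event.tags or "status-301" in event.tags` branch logs that the URL is being rejected but never returns, so those URLs fall through to the final `return True` and are handed to `handle_event` anyway; add `return False` after that `self.critical(...)` call so the branch does what its message says. Related: every rejection in `filter_event`, and the leftover `self.critical(event.type)` at the top of `handle_event`, is logged at critical severity although it fires for every URL event the scan produces — these look like debugging output and should be downgraded to `self.debug(...)` or removed before merge. Minor: `if results and len(results) > 0:` in `handle_event` is equivalent to `if results:`.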