Merge pull request #1602 from blacklanternsecurity/better-dns-mutatio…
…n-tracking

Better dnsbrute mutation tracking
TheTechromancer authored Jul 30, 2024
2 parents 2e4d655 + d9f11d3 commit c64ecbc
Showing 1 changed file with 8 additions and 10 deletions.
18 changes: 8 additions & 10 deletions bbot/modules/dnsbrute_mutations.py
@@ -21,7 +21,7 @@ class dnsbrute_mutations(BaseModule):

async def setup(self):
self.found = {}
self.parent_events = self.helpers.make_target()
self.parent_events = {}
self.max_mutations = self.config.get("max_mutations", 500)
# 800M bits == 100MB bloom filter == 10M entries before false positives start emerging
self.mutations_tried = self.helpers.bloom_filter(800000000)
@@ -30,11 +30,8 @@ async def setup(self):

async def handle_event(self, event):
# here we don't brute-force, we just add the subdomain to our end-of-scan
self.add_found(event)

def add_found(self, event):
self.parent_events.add(event)
host = str(event.host)
self.parent_events[host] = event
if self.helpers.is_subdomain(host):
subdomain, domain = host.split(".", 1)
if not self.helpers.dns.brute.has_excessive_digits(subdomain):
@@ -43,6 +40,10 @@ def add_found(self, event):
except KeyError:
self.found[domain] = {subdomain}

def get_parent_event(self, subdomain):
parent_host = self.helpers.closest_match(subdomain, self.parent_events)
return self.parent_events[parent_host]

async def finish(self):
found = sorted(self.found.items(), key=lambda x: len(x[-1]), reverse=True)
# if we have a lot of rounds to make, don't try mutations on less-populated domains
@@ -119,18 +120,15 @@ def add_mutation(m):
self._mutation_run_counter[domain] = mutation_run = 1
self._mutation_run_counter[domain] += 1
for hostname in results:
parent_event = self.parent_events.get_host(hostname)
if parent_event is None:
self.warning(f"Could not correlate parent event from: {hostname}")
parent_event = self.scan.root_event
parent_event = self.get_parent_event(hostname)
mutation_run_ordinal = self.helpers.integer_to_ordinal(mutation_run)
await self.emit_event(
hostname,
"DNS_NAME",
parent=parent_event,
tags=[f"mutation-{mutation_run}"],
abort_if=self.abort_if,
context=f'{{module}} found a mutated subdomain of "{domain}" on its {mutation_run_ordinal} run: {{event.type}}: {{event.data}}',
context=f'{{module}} found a mutated subdomain of "{parent_event.host}" on its {mutation_run_ordinal} run: {{event.type}}: {{event.data}}',
)
if results:
continue
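Review bot: `get_parent_event` indexes `self.parent_events[parent_host]` without checking what `closest_match` returned, so the fallback the old loop had (warn, then use `self.scan.root_event`) is gone. If `closest_match` can return `None` or a value that is not a key (its implementation is not shown on this page), emitting a mutation result would raise `KeyError` inside `finish` and drop the remaining results. I would keep the guard inside the helper: after the `closest_match` call add `if parent_host is None:`, then the old `self.warning(f"Could not correlate parent event from: {subdomain}")` and `return self.scan.root_event`. The match also appears to run over every host the module has stored rather than only those under the `domain` being brute-forced, so a result may be attributed to a parent in a different domain, and the `context` string, which now prints `parent_event.host`, would then name the wrong parent. Consider limiting the candidates to hosts under that domain, and add a short docstring saying the lookup is a similarity match, not an exact one.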