Discover Common On-Prem Microsoft Stuff (RDP, ADFS, OWA, etc.)

bbot/modules/base.py

@@ -5,8 +5,8 @@
 from contextlib import suppress
 
 from ..core.helpers.misc import get_size  # noqa
+from ..core.errors import ValidationError
 from ..core.helpers.async_helpers import TaskCounter
-from ..core.errors import ValidationError, WordlistError
 
 
 class BaseModule:
@@ -527,9 +527,6 @@ async def _setup(self):
             self.debug(f"Finished setting up module {self.name}")
         except Exception as e:
             self.set_error_state()
-            # soft-fail if it's only a wordlist error
-            if isinstance(e, WordlistError):
-                status = None
             msg = f"{e}"
             self.trace()
         return self.name, status, str(msg)

bbot/modules/massdns.py

@@ -74,6 +74,12 @@ async def setup(self):
         self.mutations_tried = set()
         self.source_events = self.helpers.make_target()
         self.subdomain_file = await self.helpers.wordlist(self.config.get("wordlist"))
+        self.subdomain_list = set(self.helpers.read_file(self.subdomain_file))
+
+        ms_on_prem_string_file = self.helpers.wordlist_dir / "ms_on_prem_subdomains.txt"
+        ms_on_prem_strings = set(self.helpers.read_file(ms_on_prem_string_file))
+        self.subdomain_list.update(ms_on_prem_strings)
+
         self.max_resolvers = self.config.get("max_resolvers", 1000)
         self.max_mutations = self.config.get("max_mutations", 500)
         nameservers_url = (
@@ -104,7 +110,7 @@ async def handle_event(self, event):
         self.source_events.add_target(event)
 
         self.info(f"Brute-forcing subdomains for {query} (source: {event.data})")
-        for hostname in await self.massdns(query, self.helpers.read_file(self.subdomain_file)):
+        for hostname in await self.massdns(query, self.subdomain_list):
             self.emit_result(hostname, event, query)
 
     def abort_if(self, event):

bbot/test/test_step_1/test_modules_basic.py

@@ -82,6 +82,7 @@ async def test_modules_basic(scan, helpers, events, bbot_config, bbot_scanner, h
         modules=list(set(available_modules + available_internal_modules)),
         output_modules=list(available_output_modules),
         config=bbot_config,
+        force_start=True,
     )
     scan2.helpers.dns.fallback_nameservers_file = fallback_nameservers
     await scan2.load_modules()
@@ -174,9 +175,9 @@ async def test_modules_basic_perhostonly(scan, helpers, events, bbot_config, bbo
         "evilcorp.com",
         modules=list(set(available_modules + available_internal_modules)),
         config=bbot_config,
+        force_start=True,
     )
 
-    await per_host_scan.load_modules()
     await per_host_scan.setup_modules()
     per_host_scan.status = "RUNNING"
 
@@ -214,6 +215,7 @@ async def test_modules_basic_perdomainonly(scan, helpers, events, bbot_config, b
         "evilcorp.com",
         modules=list(set(available_modules + available_internal_modules)),
         config=bbot_config,
+        force_start=True,
     )
 
     await per_domain_scan.load_modules()

bbot/wordlists/ms_on_prem_subdomains.txt

@@ -0,0 +1,101 @@
+adfs
+adfs01
+adfs02
+adfs1
+adfs2
+adfs3
+adfsproxy
+adfstest
+auth
+fed
+federate
+federated
+federation
+federationfs
+fs
+fs1
+fs2
+fs3
+fs4
+gateway
+login
+portal
+saml
+sso
+sts
+wap
+webmail
+owa
+hybrid
+hybrid-cloud
+email
+outlook
+exchange
+mail2
+webmail2
+mail1
+mailbox
+mail01
+mailman
+mailgate
+mailbackup
+mail3
+webmail1
+webmail3
+mailing
+mailserver
+mailhost
+mailer
+mailadmin
+imap
+pop3
+post
+post1
+post2
+mail
+remote
+desktop
+desktop1
+desktop2
+desktops
+extranet
+mydesktop
+ra
+rdesktop
+rdgate
+rdp
+rdpweb
+rds
+rdsh
+rdweb
+remote01
+remote02
+remote1
+remote2
+remote3
+remote4
+remoteapp
+remoteapps
+remotedesktop
+remotegateway
+tsweb
+vdesktop
+vdi
+dialin
+meet
+lync
+lyncweb
+sip
+skype
+sfbweb
+scheduler
+lyncext
+lyncdiscoverinternal
+access
+lyncaccess01
+lyncaccess
+lync10
+wac
+_sipinternaltls
+uc
+lyncdiscover