From 0ddb093a27b240936ca7bcd3205ba61ea3eb4763 Mon Sep 17 00:00:00 2001 From: TheTechromancer Date: Mon, 27 Nov 2023 14:17:39 -0500 Subject: [PATCH] updated module flags, removed png from extension list --- bbot/core/event/base.py | 11 +++++++++++ bbot/modules/dehashed.py | 2 +- bbot/modules/filedownload.py | 3 +-- bbot/modules/hunt.py | 2 +- bbot/test/test_step_1/test_modules_basic.py | 3 +++ .../test_step_2/module_tests/test_module_dehashed.py | 7 +++++-- 6 files changed, 22 insertions(+), 6 deletions(-) diff --git a/bbot/core/event/base.py b/bbot/core/event/base.py index 57d2108a8..c2e2bee22 100644 --- a/bbot/core/event/base.py +++ b/bbot/core/event/base.py @@ -1091,6 +1091,17 @@ class HASHED_PASSWORD(BaseEvent): class USERNAME(BaseEvent): _always_emit = True + def __new__(cls, data, *args, **kwargs): + # if the data is an email, emit as an email instead + if validators.soft_validate(data, "email"): + log.critical(f"{data} is an email") + tags = set(kwargs.get("tags", [])) + # add affiliate tag so the event is always emitted regardless of scope distance + tags.add("affiliate") + kwargs["tags"] = tags + return EMAIL_ADDRESS(data, *args, **kwargs) + return super().__new__(cls) + class SOCIAL(DictEvent): _always_emit = True diff --git a/bbot/modules/dehashed.py b/bbot/modules/dehashed.py index 113652490..a09de454e 100644 --- a/bbot/modules/dehashed.py +++ b/bbot/modules/dehashed.py @@ -6,7 +6,7 @@ class dehashed(credential_leak): watched_events = ["DNS_NAME"] produced_events = ["PASSWORD", "HASHED_PASSWORD", "USERNAME"] - flags = ["passive"] + flags = ["passive", "safe", "email-enum"] meta = {"description": "Execute queries against dehashed.com for exposed credentials", "auth_required": True} options = {"username": "", "api_key": ""} options_desc = {"username": "Email Address associated with your API key", "api_key": "DeHashed API Key"} diff --git a/bbot/modules/filedownload.py b/bbot/modules/filedownload.py index 4b43e2834..2f0c26c59 100644 
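Review bot: The `log.critical(f"{data} is an email")` call in the new `USERNAME.__new__` looks like leftover debugging: it writes every e-mail-shaped username to the log at the highest severity, and since dehashed lists `USERNAME` in its `produced_events`, those values presumably come from breach data. Suggest removing it or lowering it to `log.debug(f"{data} is an email, emitting as EMAIL_ADDRESS")`. Separately, `set(kwargs.get("tags", []))` raises TypeError if any caller passes `tags=None`, and it splits a bare string into single characters; `tags = set(kwargs.get("tags") or [])` covers the first case. A one-line docstring saying that the constructor may return an `EMAIL_ADDRESS` instead of a `USERNAME` would help callers that rely on the event type.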
--- a/bbot/modules/filedownload.py +++ b/bbot/modules/filedownload.py @@ -14,7 +14,7 @@ class filedownload(BaseModule): watched_events = ["URL_UNVERIFIED", "HTTP_RESPONSE"] produced_events = [] - flags = ["active", "safe"] + flags = ["active", "safe", "web-basic"] meta = {"description": "Download common filetypes such as PDF, DOCX, PPTX, etc."} options = { "extensions": [ @@ -46,7 +46,6 @@ class filedownload(BaseModule): "odt", # OpenDocument Text (LibreOffice, OpenOffice) "pdf", # Adobe Portable Document Format "pem", # Privacy Enhanced Mail (SSL certificate) - "png", # Portable Network Graphics Image "pps", # Microsoft PowerPoint Slideshow (Old Format) "ppsx", # Microsoft PowerPoint Slideshow "ppt", # Microsoft PowerPoint Presentation (Old Format) diff --git a/bbot/modules/hunt.py b/bbot/modules/hunt.py index 7cc2e06dc..0ccf0391b 100644 --- a/bbot/modules/hunt.py +++ b/bbot/modules/hunt.py @@ -274,7 +274,7 @@ class hunt(BaseModule): watched_events = ["HTTP_RESPONSE"] produced_events = ["FINDING"] - flags = ["active", "safe", "web-basic", "web-thorough"] + flags = ["active", "safe", "web-thorough"] meta = {"description": "Watch for commonly-exploitable HTTP parameters"} # accept all events regardless of scope distance scope_distance_modifier = None diff --git a/bbot/test/test_step_1/test_modules_basic.py b/bbot/test/test_step_1/test_modules_basic.py index 6f8b8870f..9870bf3da 100644 --- a/bbot/test/test_step_1/test_modules_basic.py +++ b/bbot/test/test_step_1/test_modules_basic.py 
@@ -125,6 +125,9 @@ async def test_modules_basic(scan, helpers, events, bbot_config, bbot_scanner, h assert ("active" in flags and not "passive" in flags) or ( not "active" in flags and "passive" in flags ), f'module "{module_name}" must have either "active" or "passive" flag' + assert ("safe" in flags and not "aggressive" in flags) or ( + not "safe" in flags and "aggressive" in flags + ), f'module "{module_name}" must have either "safe" or "aggressive" flag' assert preloaded.get("meta", {}).get("description", ""), f"{module_name} must have a description" # attribute checks diff --git a/bbot/test/test_step_2/module_tests/test_module_dehashed.py b/bbot/test/test_step_2/module_tests/test_module_dehashed.py index 767884bd5..f36ddb0ca 100644 --- a/bbot/test/test_step_2/module_tests/test_module_dehashed.py +++ b/bbot/test/test_step_2/module_tests/test_module_dehashed.py @@ -7,7 +7,7 @@ "id": "4363462346", "email": "bob@blacklanternsecurity.com", "ip_address": "", - "username": "", + "username": "bob@bob.com", "password": "", "hashed_password": "$2a$12$pVmwJ7pXEr3mE.DmCCE4fOUDdeadbeefd2KuCy/tq1ZUFyEOH2bve", "name": "Bob Smith", @@ -46,8 +46,11 @@ async def setup_before_prep(self, module_test): ) def check(self, module_test, events): - assert len(events) == 7 + for e in events: + module_test.log.critical(e) + assert len(events) == 8 assert 1 == len([e for e in events if e.type == "EMAIL_ADDRESS" and e.data == "bob@blacklanternsecurity.com"]) + assert 1 == len([e for e in events if e.type == "EMAIL_ADDRESS" and e.data == "bob@bob.com" and e.scope_distance == 1 and "affiliate" in e.tags] and e.source.data == "bob@blacklanternsecurity.com") assert 1 == len([e for e in events if e.type == "EMAIL_ADDRESS" and e.data == "tim@blacklanternsecurity.com"]) assert 1 == len( [
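Review bot: The new safe/aggressive assert spells an exclusive-or by hand with `not "safe" in flags`, which is harder to read than it needs to be, and its message ("must have either") does not say that carrying both flags is also rejected. Consider `assert ("safe" in flags) != ("aggressive" in flags), f'module "{module_name}" must have exactly one of "safe" or "aggressive"'`. The active/passive assert just above it uses the same long form, so the two are best changed together. test_modules_basic starts and ends outside the hunk.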
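Review bot: In the added `bob@bob.com` assertion the list comprehension's closing `]` comes before `and e.source.data == ...`, so that last condition is evaluated outside the comprehension, against the `e` left over from the logging loop above it. When the list is non-empty the argument to `len()` becomes a bool and raises TypeError, and when it is empty the assert just fails, so the source check never tests what it is meant to. Move the bracket to the end of the condition: `... and "affiliate" in e.tags and e.source.data == "bob@blacklanternsecurity.com"])`. The `for e in events: module_test.log.critical(e)` loop also reads as debug output and can be dropped once the bracket is fixed; `check` continues past the end of the hunk.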