blacklanternsecurity / bbot

A recursive internet scanner for hackers.
https://www.blacklanternsecurity.com/bbot/
GNU General Public License v3.0

Interactsh Errors #1053

Open Sh4d0wHunt3rX opened 9 months ago

Sh4d0wHunt3rX commented 9 months ago

Describe the bug: In the middle of the scan, bbot returns errors from different modules and it can't complete the scan. Since 3 days ago, couldn't finish any scan on tesla.com

BBOT Command: bbot -f passive subdomain-enum web-thorough cloud-enum -m gowitness fingerprintx wafw00f bypass403 -em smuggler azure_realm, azure_tenant bucket_amazon bucket_azure bucket_digitalocean bucket_file_enum bucket_firebase bucket_google -t tesla.com -om asset_inventory emails json | jq

OS, BBOT Installation Method + Version: OS: Linux Ubuntu, Installation method: pipx install --pip-args '--pre' bbot, BBOT version: v1.1.6.2772rc

BBOT Config: Default

Screenshots image image image

debug.log

I already reported this problem, just wanted to archive it here too : )

TheTechromancer commented 9 months ago

Thanks @amiremami, I am working on this one.

TheTechromancer commented 9 months ago

I'm having trouble reproducing this bug. I've run the bbot command twice, and both times it finished in about one hour without any warnings/errors. Unfortunately it's hard to tell from the debug.log alone exactly what went wrong. @amiremami is it possible you're being blocked/ratelimited by your provider?

TheTechromancer commented 9 months ago

According to debug.log, this was the last web error to happen before the bug triggered:

2024-02-02 10:00:29,840 [TRACE] bbot.core.helpers.web web.py:603 Error with request to URL: https://internetdb.shodan.io/40.99.201.216: Server disconnected without sending a response.
2024-02-02 10:00:29,841 [TRACE] bbot.core.helpers.web web.py:604 Traceback (most recent call last):
  File "/root/.local/pipx/venvs/bbot/lib/python3.10/site-packages/httpx/_transports/default.py", line 67, in map_httpcore_exceptions
    yield
  File "/root/.local/pipx/venvs/bbot/lib/python3.10/site-packages/httpx/_transports/default.py", line 371, in handle_async_request
    resp = await self._pool.handle_async_request(req)
  File "/root/.local/pipx/venvs/bbot/lib/python3.10/site-packages/httpcore/_async/connection_pool.py", line 268, in handle_async_request
    raise exc
  File "/root/.local/pipx/venvs/bbot/lib/python3.10/site-packages/httpcore/_async/connection_pool.py", line 251, in handle_async_request
    response = await connection.handle_async_request(request)
  File "/root/.local/pipx/venvs/bbot/lib/python3.10/site-packages/httpcore/_async/connection.py", line 103, in handle_async_request
    return await self._connection.handle_async_request(request)
  File "/root/.local/pipx/venvs/bbot/lib/python3.10/site-packages/httpcore/_async/http11.py", line 133, in handle_async_request
    raise exc
  File "/root/.local/pipx/venvs/bbot/lib/python3.10/site-packages/httpcore/_async/http11.py", line 111, in handle_async_request
    ) = await self._receive_response_headers(**kwargs)
  File "/root/.local/pipx/venvs/bbot/lib/python3.10/site-packages/httpcore/_async/http11.py", line 176, in _receive_response_headers
    event = await self._receive_event(timeout=timeout)
  File "/root/.local/pipx/venvs/bbot/lib/python3.10/site-packages/httpcore/_async/http11.py", line 226, in _receive_event
    raise RemoteProtocolError(msg)
httpcore.RemoteProtocolError: Server disconnected without sending a response.

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/root/.local/pipx/venvs/bbot/lib/python3.10/site-packages/bbot/core/helpers/web.py", line 593, in _acatch
    yield
  File "/root/.local/pipx/venvs/bbot/lib/python3.10/site-packages/bbot/core/helpers/web.py", line 228, in request
    response = await client.request(*args, **kwargs)
  File "/root/.local/pipx/venvs/bbot/lib/python3.10/site-packages/bbot/core/helpers/web.py", line 86, in request
    return await super().request(*args, **kwargs)
  File "/root/.local/pipx/venvs/bbot/lib/python3.10/site-packages/httpx/_client.py", line 1559, in request
    return await self.send(request, auth=auth, follow_redirects=follow_redirects)
  File "/root/.local/pipx/venvs/bbot/lib/python3.10/site-packages/httpx/_client.py", line 1646, in send
    response = await self._send_handling_auth(
  File "/root/.local/pipx/venvs/bbot/lib/python3.10/site-packages/httpx/_client.py", line 1674, in _send_handling_auth
    response = await self._send_handling_redirects(
  File "/root/.local/pipx/venvs/bbot/lib/python3.10/site-packages/httpx/_client.py", line 1711, in _send_handling_redirects
    response = await self._send_single_request(request)
  File "/root/.local/pipx/venvs/bbot/lib/python3.10/site-packages/httpx/_client.py", line 1748, in _send_single_request
    response = await transport.handle_async_request(request)
  File "/root/.local/pipx/venvs/bbot/lib/python3.10/site-packages/httpx/_transports/default.py", line 370, in handle_async_request
    with map_httpcore_exceptions():
  File "/usr/lib/python3.10/contextlib.py", line 153, in __exit__
    self.gen.throw(typ, value, traceback)
  File "/root/.local/pipx/venvs/bbot/lib/python3.10/site-packages/httpx/_transports/default.py", line 84, in map_httpcore_exceptions
    raise mapped_exc(message) from exc
httpx.RemoteProtocolError: Server disconnected without sending a response.

This might help us reproduce the issue.
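A triage sketch for the debug.log format quoted in the comment above, added here as an example (it is not BBOT code and not part of the original thread): it groups web-helper request errors by host and flags hosts whose failures recur at roughly the 10-second poll interval noted later in this thread. The function names are hypothetical, and every sample line except the internetdb.shodan.io one is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import urlsplit

POLL_INTERVAL = 10.0  # seconds; the poll_interval cadence noted in this thread
# The internetdb.shodan.io line is quoted from the thread; the rest are constructed.
SAMPLE_LOG = """\
2024-02-02 10:00:09,100 [TRACE] bbot.core.helpers.web web.py:603 Error with request to URL: https://oast.fun/constructed: All connection attempts failed
2024-02-02 10:00:19,120 [TRACE] bbot.core.helpers.web web.py:603 Error with request to URL: https://oast.fun/constructed: All connection attempts failed
2024-02-02 10:00:29,130 [TRACE] bbot.core.helpers.web web.py:603 Error with request to URL: https://oast.fun/constructed: All connection attempts failed
2024-02-02 10:00:29,840 [TRACE] bbot.core.helpers.web web.py:603 Error with request to URL: https://internetdb.shodan.io/40.99.201.216: Server disconnected without sending a response.
2024-02-02 10:00:29,841 [TRACE] bbot.core.helpers.web web.py:604 Traceback (most recent call last):
2024-02-02 10:00:39,150 [TRACE] bbot.core.helpers.web web.py:603 Error with request to URL: https://oast.fun/constructed: All connection attempts failed
"""
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[\w+\] \S+ \S+ "
    r"Error with request to URL: (?P<url>\S+): (?P<reason>.+)$")

def parse_errors(text):
    """Return (timestamp, host, reason) for each request-error line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # traceback frames and unrelated lines do not match
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
            events.append((ts, urlsplit(m["url"]).hostname, m["reason"]))
    return events

def summarize(text, interval=POLL_INTERVAL, tolerance=1.0):
    """Per host: error count, distinct reasons, median gap, poll-cadence flag."""
    by_host = defaultdict(list)
    for ts, host, reason in parse_errors(text):
        by_host[host].append((ts, reason))
    report = {}
    for host, events in by_host.items():
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        med = median(gaps) if gaps else None
        report[host] = {
            "count": len(events),
            "reasons": sorted({reason for _, reason in events}),
            "median_gap": med,
            "poll_like": len(events) >= 3 and abs(med - interval) <= tolerance,
        }
    return report

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A host flagged `poll_like` is failing on a fixed timer rather than sporadically, which separates a recurring poll-loop failure from one-off third-party API disconnects like the Shodan one.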

stryker2k2 commented 6 months ago

I am looking at this right now. I started the same Tesla scan 1h 25m ago. Although the scan hasn't "crashed", it is taking an awfully long time.

I am currently running it on our bbot@stable branch. I will test it on the bbot@dev branch before tinkering with things.

But I am noticing that both ASN and INTERACTSH get worn out after a while. At the end of amiremami's log, ASN had 4,800+ incoming events to parse and only successfully completed 9. In my current BBOT@Stable tesla.com scan, everything is done... everything except asn(2,434:1:0) with produced so far: ... ASN: 72

The INTERACTSH error message pops up every 10 seconds... which correlates to the poll_interval in interactsh.py. I'm interested to see why it can't reach the interactsh server. Since it is an internal module, I don't think we post how many events it has left to process in the log (maybe with -d -v).

So, although I didn't replicate the crash... I did replicate the massive amount of ASN and INTERACTSH errors. These will keep this BBOT Scan going for decades.

htop on Ubuntu VM looks great. 3.5G/7G RAM and 8 CPUs at 3% usage (as of right now, at the very end of the scan)

I'm going to jump over to BBOT@Dev and see if those issues are present there as well.

Sh4d0wHunt3rX commented 6 months ago

@stryker2k2 Thanks for this. Not sure with which modules you tested, however, I did a small test a while ago and I suspected the interactsh errors are coming from one of the web-thorough modules, probably Telerik. But I'm not sure, maybe I'm wrong. Since I'm not running web-thorough modules anymore, I'm not getting those errors again. But I have not scanned Tesla in a long time. Don't think it was target specific though.

stryker2k2 commented 6 months ago

Gotcha. Yeah, I'm getting the same errors on other targets as well. I do know that dotnetnuke and generic_ssrf both use interactsh. And, as far as I know, they are the only ones.

I'm doing some testing now. The error is thrown when interactsh doesn't get a response back from its GET Request to the server instance that it just asked (through API) for the Interactsh Team to spin up remotely. My thought process, as of right now, is that our interactsh module is asking for it too soon before they can spin it up.

stryker2k2 commented 6 months ago

Pull Request for Interactsh: Try Interactsh 5 Times before throwing Exception

Sh4d0wHunt3rX commented 6 months ago

Wow, you fixed it? Thanks man!

stryker2k2 commented 6 months ago

I think I fixed it. I've submitted it to be merged in with a dev 'bbot-2.0' branch. But... yes? I'd love to see you take it for a spin once you get your hands on it.

aconite33 commented 5 months ago

Is this reproducible? Has this issue been confirmed fixed?

stryker2k2 commented 5 months ago

This is what I've been able to reproduce:

image

BBOT Command bbot -f passive subdomain-enum web-thorough cloud-enum -m gowitness fingerprintx wafw00f bypass403 -em smuggler azure_realm, azure_tenant bucket_amazon bucket_azure bucket_digitalocean bucket_file_enum bucket_firebase bucket_google -t tesla.com -om asset_inventory emails json

BBOT Dev Branch Latest Commit: 41a75a3c227c4f78303ca6a1c0cb6c6759670602

Environment: poetry (poetry run bbot ...)

Network: Both VPN and No VPN

VMware Workstation 17 Pro Ubuntu 22.04 Desktop 4GB RAM 2 CPU / Processor Cores NAT -> pfSense -> ISP

TheTechromancer commented 5 months ago

Okay nice. The next step will be to put BBOT through a proxy and inspect the requests that are failing.

stryker2k2 commented 5 months ago

Roger that.

Until then, I'm tinkering around in Wireshark. I've noted down the IP Addresses of all the OAST websites based on the DNS replies in Wireshark and made a filter. Then I ran BBOT.

Everything seemed to be going well. Interactsh registered just fine and even performed multiple poll_loops. Everything looked amazing... until it didn't.

Screenshot 2024-06-14 164831

Screenshot 2024-06-14 164935

These are screenshots of when Interactsh started to fail.

I don't quite know what the answer is just yet.

TheTechromancer commented 5 months ago

Proxying BBOT should be as easy as:

-c http_proxy=http://127.0.0.1:8080

stryker2k2 commented 5 months ago

Unable

poetry run bbot -f passive subdomain-enum web-thorough cloud-enum -m gowitness fingerprintx wafw00f bypass403 -em smuggler azure_realm, azure_tenant bucket_amazon bucket_azure bucket_digitalocean bucket_file_enum bucket_firebase bucket_google -t tesla.com -om asset_inventory emails json -c http_proxy=http://127.0.0.1:8080

[INFO] Registering with interact.sh server: oast.fun
[INFO] Registering with interact.sh server: oast.site
[INFO] Registering with interact.sh server: oast.fun
[INFO] Registering with interact.sh server: oast.pro
[INFO] Registering with interact.sh server: oast.fun
[INFO] Registering with interact.sh server: oast.pro
[INFO] Registering with interact.sh server: oast.me
[INFO] Registering with interact.sh server: oast.online
[INFO] Registering with interact.sh server: oast.site
[INFO] Registering with interact.sh server: oast.site
[INFO] Registering with interact.sh server: oast.pro
[INFO] Registering with interact.sh server: oast.me
[WARN] dotnetnuke: Interactsh failure: Failed to register with an interactsh server
[WARN] generic_ssrf: Interactsh failure: Failed to register with an interactsh server
[WARN] Setup hard-failed for generic_ssrf: hard-fail
[WARN] generic_ssrf: Setting error state
[WARN] host_header: Interactsh failure: Failed to register with an interactsh server
[WARN] Setup hard-failed for host_header: hard-fail
[WARN] host_header: Setting error state
[ERRR] Setup hard-failed for 2 modules (generic_ssrf,host_header) (--force to run module anyway)

TheTechromancer commented 5 months ago

What are you using for your proxy?

aconite33 commented 5 months ago

Until we can replicate the crash, I'm going to close this as we can replicate it.

If this can be replicated, we can reopen it and address.

Sh4d0wHunt3rX commented 4 months ago

After some months, I started to use web-thorough modules. This issue happened on my first attempt to use these modules in the first 5 minutes of the scan.

image

debug.log

TheTechromancer commented 4 months ago

@amiremami which branch of BBOT are you using?

Sh4d0wHunt3rX commented 4 months ago

I'm still using dev v1.1.9.3453rc

TheTechromancer commented 4 months ago

@stryker2k2 Amir's command:

bbot -t t-mobile.com -m affiliates anubisdb asn baddns baddns_zone badsecrets bevigil binaryedge builtwith c99 censys certspotter chaos columbus crobat crt digitorus dnscommonsrv dnsdumpster filedownload fingerprintx fullhunt git gowitness hackertarget httpx internetdb ipneighbor leakix massdns myssl nmap oauth otx passivetotal postman rapiddns riddler robots securitytrails secretsdb shodan_dns sitedossier sslcert subdomaincenter sublist3r threatminer urlscan viewdns virustotal wafw00f wappalyzer wayback zoomeye hunt paramminer_headers dastardly nuclei vhost ffuf bypass403 wpscan ajaxpro dotnetnuke generic_ssrf host_header iis_shortnames ntlm smuggler telerik url_manipulation -om asset_inventory subdomains -c omit_event_types=[DNS_NAME_UNRESOLVED,URL_UNVERIFIED] url_extension_httpx_only=[] -y --allow-deadly

TheTechromancer commented 4 months ago

Interactsh errors still happening in BBOT 2.0:

output.json.gz debug.log.gz

image

Notice the blank headers in the request. Could that be the reason?

Sh4d0wHunt3rX commented 4 months ago

image

Sh4d0wHunt3rX commented 4 months ago

image

Two new errors I noticed here, socket operation on non socket.

aconite33 commented 2 months ago

@Sh4d0wHunt3rX Have you seen this issue recently? We are unable to recreate it on our side and I'm going to close it unless you've seen more issues.

Sh4d0wHunt3rX commented 2 months ago

Hey @aconite33 thanks. I was getting this 100% of the time that I was using the modules that use interact.sh: dotnetnuke, generic_ssrf, host_header and telerik, I suppose. Even on a fresh server. I thought the problem was that there was no clue in the debug log? However, as I haven't been using these modules for a long time, I don't get the error. But if no one else reported this, feel free to close it if you want to 🙏