blacklanternsecurity / bbot

A recursive internet scanner for hackers.
https://www.blacklanternsecurity.com/bbot/
GNU General Public License v3.0

Gowitness Didn't Run #1267

Closed amiremami closed 1 month ago

amiremami commented 3 months ago

Gowitness module didn't run and didn't produce any screenshots.

debug.log output.json

amiremami commented 3 months ago

It seems that because of using a proxy, gowitness is not running.

TheTechromancer commented 3 months ago

The issue appears to be with your proxy:

Screenshot_20240416-080649.png

This indicates the proxy isn't accepting connections.

amiremami commented 3 months ago

Hey @TheTechromancer, thanks a lot. They said they fixed it. I don't get connection refused in debug.log anymore; however, I still don't get any screenshots. Is this still a proxy issue?

debug.log output.json

TheTechromancer commented 3 months ago

Hmm, that's strange. I see the URLs in there at least. Can you run the scan with -d?

amiremami commented 3 months ago

Here you are:

debug.log output.json

TheTechromancer commented 3 months ago

2024-04-16 17:35:24,834 [DEBUG] bbot.modules.gowitness base.py:1214 Not accepting URL("https://myaccounting.it/", module=httpx, tags={'dir', 'in-scope', 'status-301'}) because it did not meet custom filter criteria: URL is a redirect
2024-04-16 17:35:26,532 [DEBUG] bbot.modules.gowitness base.py:1214 Not accepting URL("http://myaccounting.it/", module=httpx, tags={'dir', 'in-scope', 'status-301'}) because it did not meet custom filter criteria: URL is a redirect
2024-04-16 17:35:35,441 [DEBUG] bbot.modules.gowitness base.py:1214 Not accepting URL("http://www.myaccounting.it/", module=httpx, tags={'dir', 'in-scope', 'status-301'}) because it did not meet custom filter criteria: URL is a redirect
2024-04-16 17:35:35,442 [DEBUG] bbot.modules.gowitness base.py:1214 Not accepting URL("http://mx.myaccounting.it/", module=httpx, tags={'status-302', 'http-title-302-found', 'in-scope', 'dir'}) because it did not meet custom filter criteria: URL is a redirect
2024-04-16 17:35:44,460 [DEBUG] bbot.modules.gowitness base.py:1214 Not accepting URL("http://load.gtm.myaccounting.it/", module=httpx, tags={'dir', 'in-scope', 'http-title-301-moved-permanently', 'status-301'}) because it did not meet custom filter criteria: URL is a redirect
2024-04-16 17:35:48,500 [DEBUG] bbot.modules.gowitness base.py:1214 Not accepting URL("https://www.areaclienti.myaccounting.it/", module=httpx, tags={'status-302', 'in-scope', 'dir'}) because it did not meet custom filter criteria: URL is a redirect
2024-04-16 17:35:48,501 [DEBUG] bbot.modules.gowitness base.py:1214 Not accepting URL("https://areaclienti.myaccounting.it/", module=httpx, tags={'dir', 'in-scope', 'status-301'}) because it did not meet custom filter criteria: URL is a redirect
2024-04-16 17:35:49,807 [DEBUG] bbot.modules.gowitness base.py:1214 Not accepting URL("http://www.areaclienti.myaccounting.it/", module=httpx, tags={'dir', 'in-scope', 'status-301'}) because it did not meet custom filter criteria: URL is a redirect
2024-04-16 17:35:49,955 [DEBUG] bbot.modules.gowitness base.py:1214 Not accepting URL("http://areaclienti.myaccounting.it/", module=httpx, tags={'dir', 'in-scope', 'status-301'}) because it did not meet custom filter criteria: URL is a redirect
2024-04-16 17:35:59,747 [DEBUG] bbot.modules.gowitness base.py:1214 Not accepting URL("https://www.areaclienti.myaccounting.it/area-clienti/", module=httpx, tags={'dir', 'in-scope', 'status-301'}) because it did not meet custom filter criteria: URL is a redirect

Based on this it looks like due to the proxy, httpx is missing some of the https URLs. This is probably not the proxy's fault; this is a known issue with httpx. We have a very old bug open for this: https://github.com/blacklanternsecurity/bbot/issues/35.

We really need to replace this tool with something decent.

It's hard to tell but there may also be an issue with redirections. There are some pretty long redirect chains here, like http://areaclienti.myaccounting.it/ --> https://areaclienti.myaccounting.it/ --> https://www.areaclienti.myaccounting.it/ --> https://www.areaclienti.myaccounting.it/area-clienti/login/?redirect=https%3A%2F%2Fwww.areaclienti.myaccounting.it%2F.

TheTechromancer commented 3 months ago

The following URLs did pass post-check, so they were processed by gowitness. It's unclear why there were no screenshots for them:

2024-04-16 17:35:28,511 [DEBUG] bbot.modules.gowitness base.py:1214 URL("https://www.myaccounting.it/", module=httpx, tags={'status-200', 'dir', 'in-scope', 'http-title-myaccounting-it-studio-di-cont'}) passed post-check
2024-04-16 17:35:42,264 [DEBUG] bbot.modules.gowitness base.py:1214 URL("https://load.gtm.myaccounting.it/", module=httpx, tags={'status-400', 'in-scope', 'dir'}) passed post-check
2024-04-16 17:35:45,597 [DEBUG] bbot.modules.gowitness base.py:1214 URL("https://gtm.myaccounting.it:80/", module=httpx, tags={'dir', 'in-scope', 'status-404'}) passed post-check
2024-04-16 17:35:47,052 [DEBUG] bbot.modules.gowitness base.py:1214 URL("https://gtm.myaccounting.it/", module=httpx, tags={'status-400', 'in-scope', 'dir'}) passed post-check
2024-04-16 17:35:53,645 [DEBUG] bbot.modules.gowitness base.py:1214 URL("https://www.areaclienti.myaccounting.it/area-clienti/login/", module=httpx, tags={'in-scope', 'http-title-login-myaccounting-it', 'status-200', 'login-page', 'dir'}) passed post-check

I'd recommend running gowitness manually to see if it spits out any errors:

/root/.bbot/tools/gowitness --chrome-path /root/.bbot/tools/chrome-linux/chrome --db-path /root/.bbot/scans/cheeky_snape/gowitness/gowitness.sqlite3 --screenshot-path /root/.bbot/scans/cheeky_snape/gowitness/screenshots --user-agent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Edg/119.0.2151.97' --proxy socks5://14ac7cb2f8d2c:4e90f0e479@91.190.191.94:12324 --resolution-x 1440 --resolution-y 900 file -f - --threads 4
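
Added example, not part of the thread or of bbot's code: a small triage script for the two kinds of gowitness debug.log lines quoted above, listing which URLs the module accepted (and so should have produced screenshots) and why the others were filtered. The log lines are constructed in the same format with example.com hosts, and `triage` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed sample in the format of the debug.log lines quoted in the thread.
SAMPLE_LOG = """\
2024-01-01 10:00:01,000 [DEBUG] bbot.modules.gowitness base.py:1214 Not accepting URL("http://app.example.com/", module=httpx, tags={'dir', 'in-scope', 'status-301'}) because it did not meet custom filter criteria: URL is a redirect
2024-01-01 10:00:02,000 [DEBUG] bbot.modules.gowitness base.py:1214 Not accepting URL("http://mx.example.com/", module=httpx, tags={'status-302', 'http-title-302-found', 'in-scope', 'dir'}) because it did not meet custom filter criteria: URL is a redirect
2024-01-01 10:00:03,000 [DEBUG] bbot.modules.gowitness base.py:1214 URL("https://www.example.com/", module=httpx, tags={'status-200', 'dir', 'in-scope'}) passed post-check
2024-01-01 10:00:04,000 [DEBUG] bbot.modules.gowitness base.py:1214 URL("https://api.example.com/", module=httpx, tags={'dir', 'in-scope', 'status-404'}) passed post-check
2024-01-01 10:00:05,000 [DEBUG] bbot.scanner scanner.py:100 unrelated line that must be skipped
"""

# Matches both "Not accepting URL(...) because <reason>" and "URL(...) passed post-check".
LINE_RE = re.compile(
    r'\[DEBUG\] bbot\.modules\.(?P<module>[\w.]+) \S+ '
    r'(?P<rejected>Not accepting )?URL\("(?P<url>[^"]+)", module=\w+, '
    r'tags=\{(?P<tags>[^}]*)\}\) '
    r'(?:because (?P<reason>.+)|passed post-check)$'
)

def triage(log_text, module="gowitness"):
    """Return (accepted, rejected): accepted is a list of (url, http_status),
    rejected is a Counter of filter reasons for the given module."""
    accepted, rejected = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line.rstrip())
        if not m or m["module"] != module:
            continue
        tags = re.findall(r"'([^']+)'", m["tags"])
        # The HTTP status is carried as a 'status-NNN' tag on the event.
        status = next((t[7:] for t in tags if re.fullmatch(r"status-\d{3}", t)), None)
        if m["rejected"]:
            rejected[m["reason"] or "unknown"] += 1
        else:
            accepted.append((m["url"], status))
    return accepted, rejected

if __name__ == "__main__":
    accepted, rejected = triage(SAMPLE_LOG)
    for reason, count in rejected.items():
        print(f"# filtered {count}: {reason}")
    print("\n".join(url for url, _ in accepted))
```

The accepted URLs, one per line, are the input the manual gowitness command above reads on stdin (`file -f -`).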

amiremami commented 3 months ago

Thanks. I don't think it's because of redirections, because it's not possible to get screenshots from any site.

Nothing printed here: image

TheTechromancer commented 3 months ago

You need to pipe the URLs into it.

amiremami commented 3 months ago

Sorry,

image image image

TheTechromancer commented 3 months ago

Seems to be another issue with the proxy. It might be worth trying a basic curl to verify a basic web request works through the proxy.

amiremami commented 3 months ago

I used these commands and it seems to work fine:

curl -x socks5://14ac7cb2f8d2c:4e90f0e479@91.190.191.94:12324 https://www.myaccounting.it/
curl -x socks5://14ac7cb2f8d2c:4e90f0e479@91.190.191.94:12324 davcrkdidfhlhgvabwxp2nmjt0mkbpti9.oast.fun

image image

TheTechromancer commented 3 months ago

Ah okay. Apparently the issue is that chromium doesn't support socks5 auth: https://github.com/puppeteer/puppeteer/issues/1074

amiremami commented 3 months ago

Thanks a lot. 🙏 I also tried HTTP auth but it didn't work.

bbot -t tesla.com -m httpx gowitness -c http_proxy=http://14ac7cb2f8d2c:4e90f0e479@91.190.191.94:12323

So, I guess there is no solution for this. I will run gowitness in a separate scan without a proxy.

TheTechromancer commented 3 months ago

I'm hoping this will get solved when we replace gowitness with playwright.

TheTechromancer commented 1 month ago

Closing this one. Please follow here https://github.com/blacklanternsecurity/bbot/discussions/698 for updates on the webscreenshot rewrite.