search

blacklanternsecurity / bbot

A recursive internet scanner for hackers.
https://www.blacklanternsecurity.com/bbot/
GNU General Public License v3.0
4.1k stars 375 forks source link

dockerhub got `ORG_STUB("github", module=speculate, tags={'distance-1'})` #1346

Closed domwhewell-sage closed 2 months ago

domwhewell-sage commented 2 months ago

Describe the bug When running the dockerhub module using org:sage as a target, github gets raised as an in-scope org

Expected behavior Only in scope orgs should be accepted

BBOT Command bbot -t github-orgs.txt -m github_org, git_clone, dockerhub, docker_pull, trufflehog -om teams -y --name sage --debug

OS, BBOT Installation Method + Version 1.1.7.3277rc0

BBOT Config Attach your BBOT config (bbot --current-config).

Logs I think these are the relevant parts of the log

2024-05-03 07:24:09,618 [DEBUG] bbot.modules.internal.speculate base.py:1214 Finished handling DNS_NAME("github.com", module=host, tags={'a-wildcard-domain', 'in-scope', 'cname-wildcard-domain', 'cdn-github', 'resolved', 'domain', 'a-record', 'aaaa-wildcard-domain', 'wildcard-domain'})
2024-05-03 07:24:09,618 [DEBUG] bbot.scanner.manager manager.py:95 Module "speculate" raised ORG_STUB("github", module=speculate, tags={'distance-1'})
2024-05-03 07:24:09,618 [DEBUG] bbot.scanner.manager manager.py:98 Quick-emitting ORG_STUB("github", module=speculate, tags={'distance-1'})
2024-05-03 07:24:09,619 [DEBUG] bbot.modules.dockerhub base.py:1214 Queueing ORG_STUB("github", module=speculate, tags={'distance-1'}) because precheck succeeded
2024-05-03 07:24:09,619 [DEBUG] bbot.modules.github_org base.py:1214 Queueing ORG_STUB("github", module=speculate, tags={'distance-1'}) because precheck succeeded
2024-05-03 07:24:09,619 [DEBUG] bbot.modules.output.csv base.py:1214 Queueing ORG_STUB("github", module=speculate, tags={'distance-1'}) because precheck succeeded
2024-05-03 07:24:09,619 [DEBUG] bbot.modules.output.human base.py:1214 Queueing ORG_STUB("github", module=speculate, tags={'distance-1'}) because precheck succeeded
2024-05-03 07:24:09,619 [DEBUG] bbot.modules.output.json base.py:1214 Queueing ORG_STUB("github", module=speculate, tags={'distance-1'}) because precheck succeeded

https://gist.github.com/domwhewell-sage/495184d7136670b51da33731aeb2430a

TheTechromancer commented 2 months ago

It seems like somewhere in your target list there's a host of github.com.

domwhewell-sage commented 2 months ago

This was the target list https://gist.github.com/domwhewell-sage/f198f395e0cf07b29528a99ad210f9b0, I was wondering if its pulled github.com out from a URL and speculate has used that as a ORG_STUB. I cant remember if the scope_distance_modifier = 2 is relevant in these modules. Maybe thats the cause

TheTechromancer commented 2 months ago

Ah I think this is the culprit Screenshot_20240503-071128.png

CODE_REPOSITORY is inheriting a scope distance of 0 and speculate is turning it into a URL.

TheTechromancer commented 2 months ago

So... The real cause of this bug is that we set all targets' scope distance to 0 when the scan starts.

The fix for this is awkward because in BBOT 2.0, targets aren't blindly marked as in-scope anymore; so target ORGs become distance-1, which solves this issue.

I'm not sure what to do here since if we pushed a fix, we'd need to remember to unfix it when we merge 2.0.

TheTechromancer commented 2 months ago

Fixed in https://github.com/blacklanternsecurity/bbot/pull/1348.