blacklanternsecurity / bbot

A recursive internet scanner for hackers.
https://www.blacklanternsecurity.com/bbot/
GNU General Public License v3.0

Event Discovery Context #1352

Closed TheTechromancer closed 1 month ago

TheTechromancer commented 2 months ago

It's occurred to me, while pondering @domwhewell-sage's new secrets-looting module family, that BBOT could benefit a lot from having a discovery_context field on every event. This attribute would be a brief but mandatory description of how the event was discovered. By this I mean any relevant details/circumstances around the event's discovery. For example, a URL event's discovery context might be, "extracted from http body using fulluri regex". For a DNS_NAME it might be "speculated from its DNS parent", or "returned by the /subdomains endpoint of the securitytrails API".

In the graph, this attribute would be attached to the relationship, enriching the discovery chain and making it easier to follow. Also I think having this feature would simplify debugging.

We could automatically flatten this chain and attach it to each event like so:

{
  "type": "DNS_NAME",
  "data": "www-test.evilcorp.com",
  "discovery_chain": "TARGET seeded scan with DNS_NAME evilcorp.com --> shodan_dns discovered DNS_NAME www.evilcorp.com from subdomains API with query: evilcorp.com --> nmap discovered OPEN_TCP_PORT www.evilcorp.com:443 via port scan --> httpx returned HTTP_RESPONSE from https://www.evilcorp.com --> excavate extracted URL_UNVERIFIED https://www-test.evilcorp.com from HTTP body via fulluri regex --> derived DNS_NAME www-test.evilcorp.com from URL"
}
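To make the proposal concrete, here is an added example (not BBOT's own code, and written independently of the linked pull request) of an event model where `discovery_context` is mandatory and the parent chain is flattened into the single `discovery_chain` string sketched above. `Event`, `discovery_chain` and the sample events are hypothetical names; the chain is an abbreviated version of the issue's own sketch.

```python
from dataclasses import dataclass
from typing import Optional

# Added example, not BBOT's own code: a minimal event model in which
# discovery_context is mandatory, plus the flattening proposed in the issue.
# Class and function names are hypothetical.

@dataclass
class Event:
    type: str
    data: str
    discovery_context: str       # brief, mandatory: how this event was discovered
    parent: Optional["Event"] = None

    def __post_init__(self):
        # Enforce "mandatory": refuse an event with an empty context rather than
        # letting a blank step appear in the flattened chain later.
        if not (self.discovery_context or "").strip():
            raise ValueError(f"{self.type} {self.data!r} has no discovery_context")


def discovery_chain(event: Event) -> str:
    """Walk parent links to the root and join each step's context with ' --> '."""
    steps = []
    seen = set()
    node: Optional[Event] = event
    while node is not None:
        if id(node) in seen:        # a cyclic parent link would otherwise loop forever
            raise ValueError("cycle in event parent chain")
        seen.add(id(node))
        steps.append(node.discovery_context)
        node = node.parent
    return " --> ".join(reversed(steps))   # root (TARGET) first, newest event last


# Constructed sample chain, an abbreviated form of the issue's sketch
# (evilcorp.com is the issue's own placeholder domain).
target = Event("DNS_NAME", "evilcorp.com",
               "TARGET seeded scan with DNS_NAME evilcorp.com")
www = Event("DNS_NAME", "www.evilcorp.com",
            "shodan_dns discovered DNS_NAME www.evilcorp.com from subdomains API "
            "with query: evilcorp.com", parent=target)
url = Event("URL_UNVERIFIED", "https://www-test.evilcorp.com",
            "excavate extracted URL_UNVERIFIED https://www-test.evilcorp.com "
            "from HTTP body via fulluri regex", parent=www)
leaf = Event("DNS_NAME", "www-test.evilcorp.com",
             "derived DNS_NAME www-test.evilcorp.com from URL", parent=url)
```

`discovery_chain(leaf)` yields the flattened string for the leaf event; attaching it under a `discovery_chain` key when the event is serialised gives the JSON shape shown above.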
TheTechromancer commented 1 month ago

Added in https://github.com/blacklanternsecurity/bbot/pull/1383.