blacklanternsecurity / bbot

A recursive internet scanner for hackers.
https://www.blacklanternsecurity.com/bbot/
GNU General Public License v3.0

Warn if cloud domain exists in target list #1460

Closed felipewarrener closed 2 weeks ago

felipewarrener commented 2 weeks ago

Description

Currently, the only thing I've found I can adjust in the middle of a scan is the modules in use, that is, killing a module with kill module.

I think one of the biggest risks when using a recursive tool like this is accidentally having bad entries in the seed data. In my case, I was 5 hours into a scan before realising I had amazonaws.com in my seed data from some automation I have.

It would be handy to be able to run 'kill-seed' or 'kill-job' and just be able to adjust the queue in general in real-time. As this could save hours of re-running the tool.

TheTechromancer commented 2 weeks ago

This is difficult to do, since even seconds after the scan starts, new events are spawned from the targets and enqueued with the modules.

To remove a target mid-scan, you would not only need to remove it from the target object, but retroactively inspect every module queue and remove any events related to that target.

It's our next big goal to make an interactive CLI for BBOT that has much richer functionality, especially for interacting with live scans. This might be a good feature request for that tool.

felipewarrener commented 2 weeks ago

@TheTechromancer fair enough, I did not consider that; it would be a lot of overhead. In the meantime there could be a quick scan of seed DNS names at the start that notifies the user that they have put in a seed domain likely to have a massive enumeration space (AWS, Azure, WAFs, CDNs), but this responsibility probably falls outside of the scope of bbot to be honest! It's great to hear that a more interactive tool is planned.

TheTechromancer commented 2 weeks ago

That's not a bad idea. I actually think that would be a good feature to have.

BBOT already has builtin functionality to check whether a domain belongs to a cloud provider. So this would be an easy add.

felipewarrener commented 2 weeks ago

Awesome, I think you're right: one wrong domain and you're looking at infinite recursion, which could cost people serious money depending on their setup. In my case, today I found that I had the following huge apex domains in my seeds by accident, leading to 5 hours wasted in my scan and a lot of VPS bandwidth used:

gstatic.com akamaitechnologies.com google.com awscloud.com awsdns.co.uk

Maybe can start with a small list and let people PR more obscure ones into the list over time.

TheTechromancer commented 2 weeks ago

Feature added in https://github.com/blacklanternsecurity/bbot/pull/1461.

@felipewarrener FYI, we keep track of cloud domains in a separate repo: cloudcheck. Currently we're keeping manual track of these cloud domains; however it's on our TODO to automate this, maybe to pull from a community list.

If you run into domains that aren't detected properly, please let us know on the cloudcheck repo. Or if you're interested in working on it yourself we would love to have your help!
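The start-of-scan check discussed in this thread, as an added illustration that is not bbot's or cloudcheck's own code: it matches each seed target against a constructed, deliberately tiny set of cloud/CDN apex domains on whole DNS labels and returns the targets that would likely balloon a recursive scan. The domain-to-provider table and the function names are assumptions for the example.

```python
# Added example, not bbot or cloudcheck code. Flags scan targets that equal or
# sit under a known cloud/CDN apex domain so the operator is warned before a
# recursive scan spends hours enumerating a provider's namespace.
from __future__ import annotations

# Constructed sample of cloud/CDN apex domains; bbot's real list lives in the
# separate cloudcheck repo and is far larger.
CLOUD_APEX_DOMAINS = {
    "amazonaws.com": "AWS",
    "awsdns.co.uk": "AWS",
    "cloudfront.net": "AWS",
    "azurewebsites.net": "Azure",
    "gstatic.com": "Google",
    "googleusercontent.com": "Google",
    "akamaitechnologies.com": "Akamai",
}


def _labels(host: str) -> list[str]:
    """Normalise a hostname (case, trailing dot) and split it into DNS labels."""
    return host.strip().rstrip(".").lower().split(".")


def cloud_provider_for(host: str) -> str | None:
    """Return the provider whose apex the host equals or sits under, else None.

    Matching walks label boundaries, so 'notgstatic.com' does not match
    'gstatic.com', while 'gstatic.com' and 'foo.gstatic.com' both do.
    """
    labels = _labels(host)
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CLOUD_APEX_DOMAINS:
            return CLOUD_APEX_DOMAINS[candidate]
    return None


def check_targets(targets: list[str]) -> list[tuple[str, str]]:
    """Return (target, provider) pairs whose enumeration space is likely huge."""
    flagged = []
    for target in targets:
        provider = cloud_provider_for(target)
        if provider:
            flagged.append((target, provider))
    return flagged


if __name__ == "__main__":
    # Constructed seed list mixing a normal target with accidental cloud apexes.
    seeds = ["example.com", "s3.amazonaws.com", "gstatic.com", "notgstatic.com"]
    for target, provider in check_targets(seeds):
        print(f"WARNING: {target!r} belongs to {provider}; expect a massive scan")
```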