blacklanternsecurity / bbot

A recursive internet scanner for hackers.
https://www.blacklanternsecurity.com/bbot/
GNU General Public License v3.0

passive sub enum flag isn't working..? #1620

Closed marcelo321 closed 4 weeks ago

marcelo321 commented 1 month ago

Hi there!

So I am running this command:

bbot --targets test -f subdomain-enum -s -y -o out -rf passive

But in the middle of the scan I start seeing (not sure if it is because I pressed enter or not):

[INFO] golden_dawn: Modules running (incoming:processing:outgoing) subdomaincenter(8,025:1:1), massdns(7,803:1:0), dnscommonsrv(0:1:0), subdomains(1:0:0), speculate(1:0:0)
[INFO] golden_dawn: Events produced so far: DNS_NAME: 7742, IP_ADDRESS: 1025, ASN: 168, CODE_REPOSITORY: 165, TECHNOLOGY: 103, SOCIAL: 16, FINDING: 9, ORG_STUB: 2, SCAN: 1, AZURE_TENANT: 1
[INFO] golden_dawn: 1 events in queue (DNS_NAME: 1)
[VERB] massdns: Resolving batch of 2 results
[INFO] massdns: Brute-forcing subdomains for test04.stage.paypal.com (source: www.test04.stage.paypal.com)
[VERB] massdns: Testing 50 canaries against test04.stage.paypal.com
[VERB] run: massdns -r /root/.bbot/cache/25152d64f6205b681a2b170969063ff7030fd01c -s 1000 -t A -o J -q
[VERB] run: massdns -r /root/.bbot/cache/25152d64f6205b681a2b170969063ff7030fd01c -s 1000 -t A -o J -q
[VERB] massdns: Resolving batch of 2 results
[INFO] massdns: Brute-forcing subdomains for stage2std072.stage.paypal.com (source: www.stage2std072.stage.paypal.com)
[VERB] massdns: Testing 50 canaries against stage2std072.stage.paypal.com

Using massdns is not really passive at all; if brute-forcing is being conducted, then it's active enumeration.

Also, as a side comment, the -s flag just partially "silences" the output; a lot is being output even with the flag.

TheTechromancer commented 1 month ago

We consider massdns to be passive because it's only performing DNS lookups, which don't directly touch the target infrastructure. If you want to exclude it, you can do -em massdns. Or exclude aggressive modules with -ef aggressive.

TheTechromancer commented 4 weeks ago

After some consideration, I've decided to reclassify these modules as 'active'. The passive flag has also caused some confusion in the past, so I think this makes the most sense.

https://github.com/blacklanternsecurity/bbot/pull/1649
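
To confirm from scan output which modules actually ran, as the reporter did by reading the log, the following added example (not part of the thread or of bbot's code) parses log lines of the shape quoted in the issue and reports any module from an operator-supplied list. The sample log is constructed, and the function names and the `disallowed` set are assumptions.

```python
import re

# Constructed sample in the shape of the log lines quoted in the issue
# (hostnames and the resolver path are placeholders).
SAMPLE_LOG = """\
[INFO] golden_dawn: Modules running (incoming:processing:outgoing) subdomaincenter(8,025:1:1), massdns(7,803:1:0), dnscommonsrv(0:1:0), subdomains(1:0:0), speculate(1:0:0)
[INFO] golden_dawn: 1 events in queue (DNS_NAME: 1)
[VERB] massdns: Resolving batch of 2 results
[INFO] massdns: Brute-forcing subdomains for test04.stage.example.com (source: www.test04.stage.example.com)
[VERB] run: massdns -r /root/.bbot/cache/<resolver-file> -s 1000 -t A -o J -q
"""

# "[LEVEL] source: message"
LINE_RE = re.compile(r"^\[(?P<level>[A-Z]+)\]\s+(?P<source>[\w-]+):\s+(?P<msg>.*)$")
# "name(incoming:processing:outgoing)" entries on a "Modules running" line
STATUS_RE = re.compile(r"([A-Za-z_][\w-]*)\((\d[\d,]*):(\d[\d,]*):(\d[\d,]*)\)")


def modules_seen(log_text):
    """Return {module_name: [evidence, ...]} for every module that appears in the log."""
    seen, scan_names = {}, set()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        source, msg = m["source"], m["msg"]
        if msg.startswith("Modules running"):
            scan_names.add(source)  # status lines are logged under the scan name
            for name, inc, proc, out in STATUS_RE.findall(msg):
                seen.setdefault(name, []).append(f"status {inc}:{proc}:{out}")
        elif source == "run":
            # Assumption: the first token of a "run:" line is the external binary.
            seen.setdefault(msg.split()[0], []).append("executed: " + msg)
        else:
            seen.setdefault(source, []).append(msg)
    for name in scan_names:  # the scan name is not a module
        seen.pop(name, None)
    return seen


def scope_violations(log_text, disallowed):
    """Modules from the operator-supplied `disallowed` set that appear in the log."""
    return {n: ev for n, ev in modules_seen(log_text).items() if n in disallowed}


if __name__ == "__main__":
    for name, evidence in scope_violations(SAMPLE_LOG, {"massdns"}).items():
        print(f"{name}: {len(evidence)} log lines")
        for item in evidence:
            print("   ", item)
```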