blacklanternsecurity / bbot

A recursive internet scanner for hackers.
https://www.blacklanternsecurity.com/bbot/
GNU General Public License v3.0

Massdns is Falsely Classified as Passive Enumeration Method #888

Closed hkopp closed 8 months ago

hkopp commented 8 months ago

Describe the bug

When the passive modules for subdomain enumeration are executed, massdns is also executed, as it counts as passive. However, massdns is not passive, as it sends traffic directly to the DNS server of the target domain.

Expected behavior

Massdns should not be executed, as it is not a passive enumeration method.

BBOT Command

bbot -t evilcorp.com --flags subdomain-enum --require-flags passive

OS, BBOT Installation Method + Version

OS: Fedora 38, Installation method: pip, BBOT version: 1.1.3

TheTechromancer commented 8 months ago

It's true that the DNS traffic will make its way to the target's nameserver; however, it's not being sent directly. Massdns spreads its queries between public DNS servers such as 8.8.8.8 and 1.1.1.1, which then forward the queries along. DNS will typically make several hops before arriving at the authoritative nameserver.

This is a bit of a grey area but it's important to understand the distinction, because if you consider this to be not passive, then nearly every BBOT module will end up falling into that category due to the DNS lookups performed on every discovered host.

For the purpose of enumeration, we have chosen to classify DNS lookups as passive.

hkopp commented 8 months ago

Thank you for your swift response.

I see your point. I still disagree, as massdns may lead to large amounts of traffic and hence is also classified as "aggressive". Further, your argument would also be valid for TCP scans, as those are also not sent directly, but may pass several intermediate routers (albeit TCP and DNS are on different OSI layers; additionally, in TCP the sender IP is dragged along, which is not the case with DNS). I fully agree that it is a grey area.

My workaround is to exclude the massdns module using '--exclude-modules massdns' and use all the other passive modules. In my current use case I care whether large amounts of DNS traffic hit the server of my target. IP lookups of domains that exist are okay and not suspicious, but brute-forcing a large wordlist of DNS entries is highly suspicious.
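As an added example (not code from the bbot project or from either participant), the following Python snippet shows the defender-side view of the observable hkopp describes: at the target's authoritative nameserver, a wordlist brute-force shows up as a burst of NXDOMAIN answers spread across public resolver addresses, so detection keys on the zone and the NXDOMAIN ratio per time window rather than on a source IP. The log line format and the sample lines are constructed for this example; real nameservers (BIND, Knot, PowerDNS) log differently, so the parser would need adapting.

```python
from collections import defaultdict

# Constructed, simplified log shape: "<unix_ts> <client_ip> <qname> <rcode>".
# The client IPs are public resolvers, as in the thread: the scanner's own
# address never reaches the authoritative server.
SAMPLE_LOG = """\
1700000000 8.8.8.8 www.example.com NOERROR
1700000001 1.1.1.1 mail.example.com NOERROR
1700000002 8.8.8.8 dev.example.com NXDOMAIN
1700000002 8.8.4.4 staging.example.com NXDOMAIN
1700000003 1.1.1.1 vpn.example.com NXDOMAIN
1700000003 1.0.0.1 test.example.com NXDOMAIN
1700000004 8.8.8.8 api2.example.com NXDOMAIN
1700000004 1.1.1.1 old.example.com NXDOMAIN
1700000005 8.8.8.8 www.example.com NOERROR
"""


def parse(log):
    """Yield (timestamp, client_ip, qname, rcode) tuples from the constructed log."""
    for line in log.splitlines():
        ts, client, qname, rcode = line.split()
        yield int(ts), client, qname.lower(), rcode


def nxdomain_bursts(log, zone, window=60, min_queries=5, min_ratio=0.5):
    """Return (window_start, total, nxdomain, distinct_resolvers) for every
    time window in which lookups under `zone` are dominated by NXDOMAIN.
    Buckets are keyed by zone and window, not by client IP, because the
    queries arrive via many public resolvers."""
    buckets = defaultdict(lambda: [0, 0, set()])  # total, nxdomain, resolvers
    for ts, client, qname, rcode in parse(log):
        if not qname.endswith("." + zone):
            continue
        bucket = buckets[ts - ts % window]
        bucket[0] += 1
        bucket[2].add(client)
        if rcode == "NXDOMAIN":
            bucket[1] += 1
    return [
        (start, total, nx, len(resolvers))
        for start, (total, nx, resolvers) in sorted(buckets.items())
        if total >= min_queries and nx / total >= min_ratio
    ]


if __name__ == "__main__":
    for start, total, nx, resolvers in nxdomain_bursts(SAMPLE_LOG, "example.com"):
        print(f"window {start}: {nx}/{total} NXDOMAIN via {resolvers} resolvers")
```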