Open mavensecurity opened 4 years ago
Unable to reproduce (see output). Some context: did you try running the module multiple times from recon? 403 seems like a weird error to throw here, like you need a key or something, and if it was hitting a rate limit, you should get a 429. I also see you're mocking a Windows 10 user agent. That shouldn't matter at all, but did you try with the normal UA and it still didn't work?
```
[recon-ng][default] > modules load threatminer
[*] Analytics disabled.
[recon-ng][default][threatminer] > options set SOURCE vwrm.com
SOURCE => vwrm.com
[recon-ng][default][threatminer] > run
--------
VWRM.COM
--------
[*] ========================= REQUEST =========================
url: https://api.threatminer.org/v2/domain.php?rt=5&q=vwrm.com
method: GET /v2/domain.php?rt=5&q=vwrm.com
header: User-Agent: Recon-ng/v5
header: Accept-Encoding: gzip, deflate
header: Accept: */*
header: Connection: keep-alive
[*] ========================= RESPONSE =========================
status: 200 OK
header: Date: Fri, 08 Nov 2019 13:57:57 GMT
header: Content-Type: application/json; charset=utf-8
header: Transfer-Encoding: chunked
header: Connection: keep-alive
header: Set-Cookie: __cfduid=dfca5f54c2d81dc8f651d22cfdf6467851573221477; expires=Sat, 07-Nov-20 13:57:57 GMT; path=/; domain=.threatminer.org; HttpOnly
header: Access-Control-Allow-Origin: *
header: CF-Cache-Status: DYNAMIC
header: Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
header: Server: cloudflare
header: CF-RAY: 53280f1a2cfd23f4-IAD
header: Content-Encoding: gzip
body: b'{"status_code":"200","status_message":"Results found.","results":["www.vwrm.com","mail.vwrm.com"]}'
[*] DATABASE => /home/shade/.recon-ng/workspaces/default/data.db
[*] QUERY => INSERT INTO `hosts` (`host`, `module`) SELECT ?, ? WHERE NOT EXISTS(SELECT * FROM `hosts` WHERE `host`=?)
[*] VALUES => ('www.vwrm.com', 'threatminer', 'www.vwrm.com')
[*] [host] www.vwrm.com (<blank>)
[*] DATABASE => /home/shade/.recon-ng/workspaces/default/data.db
[*] QUERY => INSERT INTO `hosts` (`host`, `module`) SELECT ?, ? WHERE NOT EXISTS(SELECT * FROM `hosts` WHERE `host`=?)
[*] VALUES => ('mail.vwrm.com', 'threatminer', 'mail.vwrm.com')
[*] [host] mail.vwrm.com (<blank>)
-------
SUMMARY
-------
[*] 2 total (2 new) hosts found.
[*] DATABASE => /home/shade/.recon-ng/workspaces/default/data.db
[*] QUERY => INSERT OR REPLACE INTO dashboard (module, runs) VALUES ('recon/domains-hosts/threatminer', COALESCE((SELECT runs FROM dashboard WHERE module='recon/domains-hosts/threatminer')+1, 1))
```
I did not run it multiple times. The User-Agent made no difference. I am still getting the error. curl and wget from the same system work fine, so it's not as if the threatminer endpoint has banned our IP.
Maybe at least the module can be enhanced to not react so harshly to HTTP 403.
I am inside virtualenv in case that makes a difference.
```
$ pip check
flasgger 0.9.3 has requirement jsonschema<3.0.0, but you have jsonschema 3.1.1.
```
Hmmm. A clue? So I fixed that:
```
$ pip uninstall jsonschema
$ pip install 'jsonschema<3.0.0'
$ pip check
No broken requirements found.
```
But I still get the same 403 error.
¯\_(ツ)_/¯ I'm out of ideas. So far other modules seem to work fine.
A 403 just really doesn't make any sense in this context. The module doesn't require a key, yet the application is saying unauthorized? That would mean they are using something else to determine authorization. User Agent? IP address? You tried changing the user agent, but perhaps they banned your IP, and are blanketing you with 403s. If that's the case, it's likely that the module dev never encountered that scenario and therefore never accounted for it. Just a guess.
PRs welcome for fixes.
I can use curl and wget fine from that same server to that same endpoint. So it's not the IP getting banned. Changing the User-Agent has no effect. With curl and wget it's HTTP 200s all the way down. That module: 403. Dunno why. Next step might be to direct all module traffic via a MITM proxy to inspect all the things.
Just set the proxy global option in Recon-ng and inspect there. You can curl through a proxy as well.
Based on another broken module I found today, I think I know what is causing this. This server is behind Cloudflare and Cloudflare is triggering on requests coming from Recon-ng. If you view the error response in verbose mode or run it through a proxy, you'll see the 403 requesting you to answer a captcha. This could be an issue moving forward for a lot of things.
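To illustrate the gentler handling asked for above (fail with a diagnostic on a 403 challenge page instead of crashing in the JSON parser), here is an added example; it is not the marketplace module's code. The 200 body is the one from the verbose output in this thread; the 403 body and the Cloudflare challenge markers are constructed assumptions.

```python
import json

# Constructed samples. OK_BODY is the body captured in the thread's verbose
# output; CHALLENGE_BODY is an assumed stand-in for a Cloudflare challenge page.
OK_BODY = ('{"status_code":"200","status_message":"Results found.",'
           '"results":["www.vwrm.com","mail.vwrm.com"]}')
CHALLENGE_BODY = ('<html><head><title>Attention Required! | Cloudflare</title></head>'
                  '<body>Please complete the security check (captcha).</body></html>')

# Strings that, in a non-JSON 403 body, suggest an edge bot check rather than
# an API-level rejection. Assumed markers, not taken from the real page.
CHALLENGE_MARKERS = ("cloudflare", "captcha", "attention required")


def classify_response(status, content_type, body):
    """Return (hosts, reason): hosts is a list on success, None otherwise.

    Only a 200 with a JSON content type is handed to json.loads; every other
    case produces a human-readable reason instead of an unhandled exception.
    """
    ctype = (content_type or "").lower()
    if status == 200 and "application/json" in ctype:
        try:
            data = json.loads(body)
        except json.JSONDecodeError as exc:
            return None, f"HTTP 200 but body is not valid JSON: {exc.msg}"
        # ThreatMiner carries its own status inside the JSON envelope.
        if str(data.get("status_code")) != "200":
            return None, f"API reported: {data.get('status_message', 'unknown')}"
        return list(data.get("results", [])), "ok"
    lowered = (body or "").lower()
    if status == 403 and any(m in lowered for m in CHALLENGE_MARKERS):
        return None, ("HTTP 403 is a Cloudflare challenge page, not an API "
                      "rejection; try the proxy option to inspect it")
    return None, f"unexpected response: HTTP {status}, Content-Type {content_type!r}"


def run_module_like(status, content_type, body):
    """Mimic the module flow: report hosts, or print the reason and add none."""
    hosts, reason = classify_response(status, content_type, body)
    if hosts is None:
        print(f"[!] {reason}")
        return []
    for host in hosts:
        print(f"[*] [host] {host}")
    return hosts


if __name__ == "__main__":
    run_module_like(200, "application/json; charset=utf-8", OK_BODY)
    run_module_like(403, "text/html; charset=UTF-8", CHALLENGE_BODY)
```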
Module Name
Which module is affected? https://github.com/lanmaster53/recon-ng-marketplace/blob/master/modules/recon/domains-hosts/threatminer.py

Bug Description
Response is 403 Forbidden; response is not JSON so parser throws error.

Steps to Reproduce
Steps to reproduce the behavior:

Expected Behavior
Use curl to see that response should be 200 OK and small JSON:

Screenshots
[If applicable, screenshots to help explain the problem.]

Additional Context
[Any other context about the problem.]