bbot 2.1.0.4959rc0__tar.gz → 2.1.0.5028rc0__tar.gz

{bbot-2.1.0.4959rc0 → bbot-2.1.0.5028rc0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: bbot
-Version: 2.1.0.4959rc0
+Version: 2.1.0.5028rc0
 Summary: OSINT automation for hackers.
 Home-page: https://github.com/blacklanternsecurity/bbot
 License: GPL-3.0
@@ -14,6 +14,7 @@ Classifier: Programming Language :: Python :: 3.9
 Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
 Classifier: Topic :: Security
 Requires-Dist: ansible (>=7.3,<9.0)
 Requires-Dist: ansible-runner (>=2.3.2,<3.0.0)

{bbot-2.1.0.4959rc0 → bbot-2.1.0.5028rc0}/bbot/__init__.py

@@ -1,4 +1,4 @@
 # version placeholder (replaced by poetry-dynamic-versioning)
-__version__ = "v2.1.0.4959rc"
+__version__ = "v2.1.0.5028rc"
 
 from .scanner import Scanner, Preset

{bbot-2.1.0.4959rc0 → bbot-2.1.0.5028rc0}/bbot/core/event/base.py

@@ -25,6 +25,7 @@ from bbot.core.helpers import (
     is_domain,
     is_subdomain,
     is_ip,
+    is_ip_type,
     is_ptr,
     is_uri,
     url_depth,
@@ -157,7 +158,7 @@ class BaseEvent:
         Raises:
             ValidationError: If either `scan` or `parent` are not specified and `_dummy` is False.
         """
-        self.uuid = uuid.uuid4()
+        self._uuid = uuid.uuid4()
         self._id = None
         self._hash = None
         self._data = None
@@ -352,6 +353,12 @@ class BaseEvent:
                 return 80
         return self._port
 
+    @property
+    def netloc(self):
+        if self.host and is_ip_type(self.host, network=False):
+            return make_netloc(self.host, self.port)
+        return None
+
     @property
     def host_stem(self):
         """
@@ -440,11 +447,6 @@ class BaseEvent:
         no_host_information = not bool(self.host)
         return self._always_emit or always_emit_tags or no_host_information
 
-    @property
-    def quick_emit(self):
-        no_host_information = not bool(self.host)
-        return self._quick_emit or no_host_information
-
     @property
     def id(self):
         """
@@ -454,6 +456,13 @@ class BaseEvent:
             self._id = f"{self.type}:{self.data_hash.hex()}"
         return self._id
 
+    @property
+    def uuid(self):
+        """
+        A universally unique identifier for the event
+        """
+        return f"{self.type}:{self._uuid}"
+
     @property
     def data_hash(self):
         """
@@ -746,7 +755,7 @@ class BaseEvent:
         """
         j = dict()
         # type, ID, scope description
-        for i in ("type", "id", "uuid", "scope_description"):
+        for i in ("type", "id", "uuid", "scope_description", "netloc"):
             v = getattr(self, i, "")
             if v:
                 j.update({i: str(v)})
@@ -765,6 +774,8 @@ class BaseEvent:
             j["host"] = str(self.host)
             j["resolved_hosts"] = sorted(str(h) for h in self.resolved_hosts)
             j["dns_children"] = {k: list(v) for k, v in self.dns_children.items()}
+        if isinstance(self.port, int):
+            j["port"] = self.port
         # web spider distance
         web_spider_distance = getattr(self, "web_spider_distance", None)
         if web_spider_distance is not None:
@@ -1537,6 +1548,13 @@ class RAW_DNS_RECORD(DictHostEvent, DnsEvent):
     _always_emit_tags = ["target"]
 
 
+class MOBILE_APP(DictEvent):
+    _always_emit = True
+
+    def _pretty_string(self):
+        return self.data["url"]
+
+
 def make_event(
     data,
     event_type=None,
@@ -1707,7 +1725,7 @@ def event_from_json(j, siem_friendly=False):
         event = make_event(**kwargs)
         event_uuid = j.get("uuid", None)
         if event_uuid is not None:
-            event.uuid = uuid.UUID(event_uuid)
+            event._uuid = uuid.UUID(event_uuid.split(":")[-1])
 
         resolved_hosts = j.get("resolved_hosts", [])
         event._resolved_hosts = set(resolved_hosts)
@@ -1719,7 +1737,8 @@ def event_from_json(j, siem_friendly=False):
             event._parent_id = parent_id
         parent_uuid = j.get("parent_uuid", None)
         if parent_uuid is not None:
-            event._parent_uuid = uuid.UUID(parent_uuid)
+            parent_type, parent_uuid = parent_uuid.split(":", 1)
+            event._parent_uuid = parent_type + ":" + str(uuid.UUID(parent_uuid))
         return event
     except KeyError as e:
         raise ValidationError(f"Event missing required field: {e}")

{bbot-2.1.0.4959rc0 → bbot-2.1.0.5028rc0}/bbot/core/helpers/misc.py

@@ -621,12 +621,13 @@ def is_ip(d, version=None):
     return False
 
 
-def is_ip_type(i):
+def is_ip_type(i, network=None):
     """
     Checks if the given object is an instance of an IPv4 or IPv6 type from the ipaddress module.
 
     Args:
         i (ipaddress._BaseV4 or ipaddress._BaseV6): The IP object to check.
+        network (bool, optional): Whether to restrict the check to network types (IPv4Network or IPv6Network). Defaults to False.
 
     Returns:
         bool: True if the object is an instance of ipaddress._BaseV4 or ipaddress._BaseV6, False otherwise.
@@ -639,6 +640,12 @@ def is_ip_type(i):
         >>> is_ip_type("192.168.1.0/24")
         False
     """
+    if network is not None:
+        is_network = ipaddress._BaseNetwork in i.__class__.__mro__
+        if network:
+            return is_network
+        else:
+            return not is_network
     return ipaddress._IPAddressBase in i.__class__.__mro__
 
 
@@ -1260,7 +1267,7 @@ def gen_numbers(n, padding=2):
     return results
 
 
-def make_netloc(host, port):
+def make_netloc(host, port=None):
     """Constructs a network location string from a given host and port.
 
     Args:
@@ -1289,7 +1296,7 @@ def make_netloc(host, port):
     if is_ip(host, version=6):
         host = f"[{host}]"
     if port is None:
-        return host
+        return str(host)
     return f"{host}:{port}"
 
 

{bbot-2.1.0.4959rc0 → bbot-2.1.0.5028rc0}/bbot/core/helpers/regexes.py

@@ -54,6 +54,9 @@ ptr_regex = re.compile(_ptr_regex)
 # uuid regex
 _uuid_regex = r"[0-9a-f]{8}\b-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-\b[0-9a-f]{12}"
 uuid_regex = re.compile(_uuid_regex, re.I)
+# event uuid regex
+_event_uuid_regex = r"[0-9A-Z_]+:[0-9a-f]{8}\b-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-\b[0-9a-f]{12}"
+event_uuid_regex = re.compile(_event_uuid_regex, re.I)
 
 _open_port_regexes = (
     _dns_name_regex + r":[0-9]{1,5}",

{bbot-2.1.0.4959rc0 → bbot-2.1.0.5028rc0}/bbot/core/helpers/web/web.py

@@ -1,4 +1,3 @@
-import re
 import logging
 import warnings
 from pathlib import Path
@@ -464,53 +463,6 @@ class WebHelper(EngineClient):
             log.debug(f"Error parsing beautifulsoup: {e}")
             return False
 
-    user_keywords = [re.compile(r, re.I) for r in ["user", "login", "email"]]
-    pass_keywords = [re.compile(r, re.I) for r in ["pass"]]
-
-    def is_login_page(self, html):
-        """
-        TODO: convert this into an excavate YARA rule
-
-        Determines if the provided HTML content contains a login page.
-
-        This function parses the HTML to search for forms with input fields typically used for
-        authentication. If it identifies password fields or a combination of username and password
-        fields, it returns True.
-
-        Args:
-            html (str): The HTML content to analyze.
-
-        Returns:
-            bool: True if the HTML contains a login page, otherwise False.
-
-        Examples:
-            >>> is_login_page('<form><input type="text" name="username"><input type="password" name="password"></form>')
-            True
-
-            >>> is_login_page('<form><input type="text" name="search"></form>')
-            False
-        """
-        try:
-            soup = BeautifulSoup(html, "html.parser")
-        except Exception as e:
-            log.debug(f"Error parsing html: {e}")
-            return False
-
-        forms = soup.find_all("form")
-
-        # first, check for obvious password fields
-        for form in forms:
-            if form.find_all("input", {"type": "password"}):
-                return True
-
-        # next, check for forms that have both a user-like and password-like field
-        for form in forms:
-            user_fields = sum(bool(form.find_all("input", {"name": r})) for r in self.user_keywords)
-            pass_fields = sum(bool(form.find_all("input", {"name": r})) for r in self.pass_keywords)
-            if user_fields and pass_fields:
-                return True
-        return False
-
     def response_to_json(self, response):
         """
         Convert web response to JSON object, similar to the output of `httpx -irr -json`

bbot-2.1.0.5028rc0/bbot/modules/apkpure.py

@@ -0,0 +1,53 @@
+from pathlib import Path
+from bbot.modules.base import BaseModule
+
+
+class apkpure(BaseModule):
+    watched_events = ["MOBILE_APP"]
+    produced_events = ["FILESYSTEM"]
+    flags = ["passive", "safe", "code-enum"]
+    meta = {
+        "description": "Download android applications from apkpure.com",
+        "created_date": "2024-10-11",
+        "author": "@domwhewell-sage",
+    }
+    options = {"output_folder": ""}
+    options_desc = {"output_folder": "Folder to download apk's to"}
+
+    async def setup(self):
+        output_folder = self.config.get("output_folder")
+        if output_folder:
+            self.output_dir = Path(output_folder) / "apk_files"
+        else:
+            self.output_dir = self.scan.home / "apk_files"
+        self.helpers.mkdir(self.output_dir)
+        return await super().setup()
+
+    async def filter_event(self, event):
+        if event.type == "MOBILE_APP":
+            if "android" not in event.tags:
+                return False, "event is not an android app"
+        return True
+
+    async def handle_event(self, event):
+        app_id = event.data.get("id", "")
+        path = await self.download_apk(app_id)
+        if path:
+            await self.emit_event(
+                {"path": str(path)},
+                "FILESYSTEM",
+                tags=["apk", "file"],
+                parent=event,
+                context=f'{{module}} downloaded the apk "{app_id}" to: {path}',
+            )
+
+    async def download_apk(self, app_id):
+        path = None
+        url = f"https://d.apkpure.com/b/XAPK/{app_id}?version=latest"
+        self.helpers.mkdir(self.output_dir / app_id)
+        file_destination = self.output_dir / app_id / f"{app_id}.xapk"
+        result = await self.helpers.download(url, warn=False, filename=file_destination)
+        if result:
+            self.info(f'Downloaded "{app_id}" from "{url}", saved to {file_destination}')
+            path = file_destination
+        return path

{bbot-2.1.0.4959rc0 → bbot-2.1.0.5028rc0}/bbot/modules/badsecrets.py

@@ -23,12 +23,13 @@ class badsecrets(BaseModule):
         self.custom_secrets = None
         custom_secrets = self.config.get("custom_secrets", None)
         if custom_secrets:
-            if Path(custom_secrets).is_file():
+            secrets_path = Path(custom_secrets).expanduser()
+            if secrets_path.is_file():
                 self.custom_secrets = custom_secrets
                 self.info(f"Successfully loaded secrets file [{custom_secrets}]")
             else:
                 self.warning(f"custom secrets file [{custom_secrets}] is not valid")
-                return None, "Custom secrets file not valid"
+                return False, "Custom secrets file not valid"
         return True
 
     @property

{bbot-2.1.0.4959rc0 → bbot-2.1.0.5028rc0}/bbot/modules/base.py

@@ -984,8 +984,11 @@ class BaseModule:
     def _outgoing_dedup_hash(self, event):
         """
         Determines the criteria for what is considered to be a duplicate event if `suppress_dupes` is True.
+
+        We take into account the `internal` attribute we don't want an internal event (which isn't distributed to output modules)
+        to inadvertently suppress a non-internal event.
         """
-        return hash((event, self.name))
+        return hash((event, self.name, event.internal, event.always_emit))
 
     def get_per_host_hash(self, event):
         """
@@ -1559,7 +1562,7 @@ class BaseModule:
             self.trace()
 
 
-class InterceptModule(BaseModule):
+class BaseInterceptModule(BaseModule):
     """
     An Intercept Module is a special type of high-priority module that gets early access to events.
 
@@ -1571,7 +1574,6 @@ class InterceptModule(BaseModule):
     """
 
     accept_dupes = True
-    suppress_dupes = False
     _intercept = True
 
     async def _worker(self):

{bbot-2.1.0.4959rc0 → bbot-2.1.0.5028rc0}/bbot/modules/dotnetnuke.py

@@ -155,24 +155,25 @@ class dotnetnuke(BaseModule):
 
                 # InstallWizard SuperUser Privilege Escalation
                 result = await self.helpers.request(f'{event.data["url"]}/Install/InstallWizard.aspx')
-                if result.status_code == 200:
-                    result_confirm = await self.helpers.request(
-                        f'{event.data["url"]}/Install/InstallWizard.aspx?__viewstate=1'
-                    )
-                    if result_confirm.status_code == 500:
-                        description = "DotNetNuke InstallWizard SuperUser Privilege Escalation"
-                        await self.emit_event(
-                            {
-                                "severity": "CRITICAL",
-                                "description": description,
-                                "host": str(event.host),
-                                "url": f'{event.data["url"]}/Install/InstallWizard.aspx',
-                            },
-                            "VULNERABILITY",
-                            event,
-                            context=f'{{module}} scanned {event.data["url"]} and found critical {{event.type}}: {description}',
+                if result:
+                    if result.status_code == 200:
+                        result_confirm = await self.helpers.request(
+                            f'{event.data["url"]}/Install/InstallWizard.aspx?__viewstate=1'
                         )
-                        return
+                        if result_confirm.status_code == 500:
+                            description = "DotNetNuke InstallWizard SuperUser Privilege Escalation"
+                            await self.emit_event(
+                                {
+                                    "severity": "CRITICAL",
+                                    "description": description,
+                                    "host": str(event.host),
+                                    "url": f'{event.data["url"]}/Install/InstallWizard.aspx',
+                                },
+                                "VULNERABILITY",
+                                event,
+                                context=f'{{module}} scanned {event.data["url"]} and found critical {{event.type}}: {description}',
+                            )
+                            return
 
                 # DNNImageHandler.ashx Blind SSRF
                 self.event_dict[event.data["url"]] = event

{bbot-2.1.0.4959rc0 → bbot-2.1.0.5028rc0}/bbot/modules/generic_ssrf.py

@@ -137,10 +137,10 @@ class Generic_XXE(BaseSubmodule):
         post_body = f"""<?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [
 <!ELEMENT foo ANY >
-<!ENTITY % {rand_entity} SYSTEM "http://{subdomain_tag}.{self.parent_module.interactsh_domain}" >
+<!ENTITY {rand_entity} SYSTEM "http://{subdomain_tag}.{self.parent_module.interactsh_domain}" >
 ]>
 <foo>&{rand_entity};</foo>"""
-        test_url = f"{event.parsed_url.scheme}://{event.parsed_url.netloc}/"
+        test_url = event.parsed_url.geturl()
         r = await self.parent_module.helpers.curl(
             url=test_url, method="POST", raw_body=post_body, headers={"Content-type": "application/xml"}
         )

bbot-2.1.0.5028rc0/bbot/modules/google_playstore.py

@@ -0,0 +1,93 @@
+from bbot.modules.base import BaseModule
+
+
+class google_playstore(BaseModule):
+    watched_events = ["ORG_STUB", "CODE_REPOSITORY"]
+    produced_events = ["MOBILE_APP"]
+    flags = ["passive", "safe", "code-enum"]
+    meta = {
+        "description": "Search for android applications on play.google.com",
+        "created_date": "2024-10-08",
+        "author": "@domwhewell-sage",
+    }
+
+    base_url = "https://play.google.com"
+
+    async def setup(self):
+        self.app_link_regex = self.helpers.re.compile(r"/store/apps/details\?id=([a-zA-Z0-9._-]+)")
+        return True
+
+    async def filter_event(self, event):
+        if event.type == "CODE_REPOSITORY":
+            if "android" not in event.tags:
+                return False, "event is not an android repository"
+        return True
+
+    async def handle_event(self, event):
+        if event.type == "CODE_REPOSITORY":
+            await self.handle_url(event)
+        elif event.type == "ORG_STUB":
+            await self.handle_org_stub(event)
+
+    async def handle_url(self, event):
+        repo_url = event.data.get("url")
+        app_id = repo_url.split("id=")[1].split("&")[0]
+        await self.emit_event(
+            {"id": app_id, "url": repo_url},
+            "MOBILE_APP",
+            tags="android",
+            parent=event,
+            context=f'{{module}} extracted the mobile app name "{app_id}"  from: {repo_url}',
+        )
+
+    async def handle_org_stub(self, event):
+        org_name = event.data
+        self.verbose(f"Searching for any android applications for {org_name}")
+        for apk_name in await self.query(org_name):
+            valid_apk = await self.validate_apk(apk_name)
+            if valid_apk:
+                self.verbose(f"Got {apk_name} from playstore")
+                await self.emit_event(
+                    {"id": apk_name, "url": f"{self.base_url}/store/apps/details?id={apk_name}"},
+                    "MOBILE_APP",
+                    tags="android",
+                    parent=event,
+                    context=f'{{module}} searched play.google.com for apps belonging to "{org_name}" and found "{apk_name}" to be in scope',
+                )
+            else:
+                self.debug(f"Got {apk_name} from playstore app details does not contain any in-scope URLs or Emails")
+
+    async def query(self, query):
+        app_links = []
+        url = f"{self.base_url}/store/search?q={self.helpers.quote(query)}&c=apps"
+        r = await self.helpers.request(url)
+        if r is None:
+            return app_links
+        status_code = getattr(r, "status_code", 0)
+        try:
+            html_content = r.content.decode("utf-8")
+            # Use regex to find all app links
+            app_links = await self.helpers.re.findall(self.app_link_regex, html_content)
+        except Exception as e:
+            self.warning(f"Failed to parse html response from {r.url} (HTTP status: {status_code}): {e}")
+            return app_links
+        return app_links
+
+    async def validate_apk(self, apk_name):
+        """
+        Check the app details page the "App support" section will include URLs or Emails to the app developer
+        """
+        in_scope = False
+        url = f"{self.base_url}/store/apps/details?id={apk_name}"
+        r = await self.helpers.request(url)
+        if r is None:
+            return in_scope
+        status_code = getattr(r, "status_code", 0)
+        if status_code == 200:
+            html = r.text
+            in_scope_hosts = await self.scan.extract_in_scope_hostnames(html)
+            if in_scope_hosts:
+                in_scope = True
+        else:
+            self.warning(f"Failed to fetch {url} (HTTP status: {status_code})")
+        return in_scope

{bbot-2.1.0.4959rc0 → bbot-2.1.0.5028rc0}/bbot/modules/httpx.py

@@ -172,9 +172,6 @@ class httpx(BaseModule):
             httpx_ip = j.get("host", "")
             if httpx_ip:
                 tags.append(f"ip-{httpx_ip}")
-            # detect login pages
-            if self.helpers.web.is_login_page(j.get("body", "")):
-                tags.append("login-page")
             # grab title
             title = self.helpers.tagify(j.get("title", ""), maxlen=30)
             if title:

{bbot-2.1.0.4959rc0 → bbot-2.1.0.5028rc0}/bbot/modules/internal/cloudcheck.py

@@ -1,7 +1,7 @@
-from bbot.modules.base import InterceptModule
+from bbot.modules.base import BaseInterceptModule
 
 
-class CloudCheck(InterceptModule):
+class CloudCheck(BaseInterceptModule):
     watched_events = ["*"]
     meta = {"description": "Tag events by cloud provider, identify cloud resources like storage buckets"}
     scope_distance_modifier = 1

{bbot-2.1.0.4959rc0 → bbot-2.1.0.5028rc0}/bbot/modules/internal/dnsresolve.py

@@ -3,11 +3,11 @@ from contextlib import suppress
 
 from bbot.errors import ValidationError
 from bbot.core.helpers.dns.engine import all_rdtypes
-from bbot.modules.base import InterceptModule, BaseModule
 from bbot.core.helpers.dns.helpers import extract_targets
+from bbot.modules.base import BaseInterceptModule, BaseModule
 
 
-class DNSResolve(InterceptModule):
+class DNSResolve(BaseInterceptModule):
     watched_events = ["*"]
     _priority = 1
     scope_distance_modifier = None
@@ -16,12 +16,6 @@ class DNSResolve(InterceptModule):
         _name = "host"
         _type = "internal"
 
-        def _outgoing_dedup_hash(self, event):
-            # this exists to ensure a second, more interesting host isn't passed up
-            # because its ugly cousin spent its one dedup token before it arrived
-            # by removing those race conditions, this makes for more consistent results
-            return hash((event, self.name, event.always_emit))
-
     @property
     def module_threads(self):
         return self.dns_config.get("threads", 25)

{bbot-2.1.0.4959rc0 → bbot-2.1.0.5028rc0}/bbot/modules/internal/excavate.py

@@ -6,6 +6,7 @@ import regex as re
 from pathlib import Path
 from bbot.errors import ExcavateError
 import bbot.core.helpers.regexes as bbot_regexes
+from bbot.modules.base import BaseInterceptModule
 from bbot.modules.internal.base import BaseInternalModule
 from urllib.parse import urlparse, urljoin, parse_qs, urlunparse
 
@@ -153,7 +154,9 @@ class ExcavateRule:
         yara_rule_settings = YaraRuleSettings(description, tags, emit_match)
         yara_results = {}
         for h in r.strings:
-            yara_results[h.identifier.lstrip("$")] = sorted(set([i.matched_data.decode("utf-8") for i in h.instances]))
+            yara_results[h.identifier.lstrip("$")] = sorted(
+                set([i.matched_data.decode("utf-8", errors="ignore") for i in h.instances])
+            )
         await self.process(yara_results, event, yara_rule_settings, discovery_context)
 
     async def process(self, yara_results, event, yara_rule_settings, discovery_context):
@@ -279,7 +282,7 @@ class CustomExtractor(ExcavateRule):
                 await self.report(event_data, event, yara_rule_settings, discovery_context)
 
 
-class excavate(BaseInternalModule):
+class excavate(BaseInternalModule, BaseInterceptModule):
     """
     Example (simple) Excavate Rules:
 
@@ -310,6 +313,7 @@ class excavate(BaseInternalModule):
         "custom_yara_rules": "Include custom Yara rules",
     }
     scope_distance_modifier = None
+    accept_dupes = False
 
     _module_threads = 8
 
@@ -669,8 +673,32 @@ class excavate(BaseInternalModule):
 
     class URLExtractor(ExcavateRule):
         yara_rules = {
-            "url_full": r'rule url_full { meta: tags = "spider-danger" description = "contains full URL" strings: $url_full = /https?:\/\/([\w\.-]+)(:\d{1,5})?([\/\w\.-]*)/ condition: $url_full }',
-            "url_attr": r'rule url_attr { meta: tags = "spider-danger" description = "contains tag with src or href attribute" strings: $url_attr = /<[^>]+(href|src)=["\'][^"\']*["\'][^>]*>/ condition: $url_attr }',
+            "url_full": (
+                r"""
+                rule url_full {
+                    meta:
+                        tags = "spider-danger"
+                        description = "contains full URL"
+                    strings:
+                        $url_full = /https?:\/\/([\w\.-]+)(:\d{1,5})?([\/\w\.-]*)/
+                    condition:
+                        $url_full
+                }
+                """
+            ),
+            "url_attr": (
+                r"""
+                rule url_attr {
+                    meta:
+                        tags = "spider-danger"
+                        description = "contains tag with src or href attribute"
+                    strings:
+                        $url_attr = /<[^>]+(href|src)=["\'][^"\']*["\'][^>]*>/
+                    condition:
+                        $url_attr
+                }
+                """
+            ),
         }
         full_url_regex = re.compile(r"(https?)://((?:\w|\d)(?:[\d\w-]+\.?)+(?::\d{1,5})?(?:/[-\w\.\(\)]*[-\w\.]+)*/?)")
         full_url_regex_strict = re.compile(r"^(https?):\/\/([\w.-]+)(?::\d{1,5})?(\/[\w\/\.-]*)?(\?[^\s]+)?$")
@@ -749,6 +777,25 @@ class excavate(BaseInternalModule):
                 for domain_str in yara_results[identifier]:
                     await self.report(domain_str, event, yara_rule_settings, discovery_context, event_type="DNS_NAME")
 
+    class LoginPageExtractor(ExcavateRule):
+        yara_rules = {
+            "login_page": r"""
+            rule login_page {
+                meta:
+                    description = "Detects login pages with username and password fields"
+                strings:
+                    $username_field = /<input[^>]+name=["']?(user|login|email)/ nocase
+                    $password_field = /<input[^>]+name=["']?passw?/ nocase
+                condition:
+                    $username_field and $password_field
+            }
+            """
+        }
+
+        async def process(self, yara_results, event, yara_rule_settings, discovery_context):
+            if yara_results:
+                event.add_tag("login-page")
+
     def add_yara_rule(self, rule_name, rule_content, rule_instance):
         rule_instance.name = rule_name
         self.yara_rules_dict[rule_name] = rule_content
@@ -829,6 +876,8 @@ class excavate(BaseInternalModule):
         yara_rules_combined = "\n".join(self.yara_rules_dict.values())
         try:
             self.info(f"Compiling {len(self.yara_rules_dict):,} YARA rules")
+            for rule_name, rule_content in self.yara_rules_dict.items():
+                self.debug(f"  - {rule_name}")
             self.yara_rules = yara.compile(source=yara_rules_combined)
         except yara.SyntaxError as e:
             self.debug(yara_rules_combined)