bbot 2.1.2.5223rc0__py3-none-any.whl → 2.1.2.5232rc0__py3-none-any.whl

bbot/__init__.py

@@ -1,4 +1,4 @@
 # version placeholder (replaced by poetry-dynamic-versioning)
-__version__ = "v2.1.2.5223rc"
+__version__ = "v2.1.2.5232rc"
 
 from .scanner import Scanner, Preset

bbot/modules/dnsbimi.py

@@ -0,0 +1,145 @@
+# bimi.py
+#
+# Checks for and parses common BIMI DNS TXT records, e.g. default._bimi.target.domain
+#
+# Example TXT record: "v=BIMI1; l=https://example.com/brand/logo.svg; a=https://example.com/brand/certificate.pem"
+#
+# BIMI records may contain a link to an SVG format brand authorised image, which may be useful for:
+#  1. Sub-domain or otherwise unknown content hosting locations
+#  2. Brand impersonation
+#  3. May not be formatted/stripped of metadata correctly leading to some (low value probably) information exposure
+#
+# BIMI records may also contain a link to a PEM format X.509 VMC certificate, which may be similarly useful.
+#
+# We simply extract any URL's as URL_UNVERIFIED, no further parsing or download is done by this module in order to remain passive.
+#
+# The domain portion of any URL's is also passively checked and added as appropriate, for additional inspection by other modules.
+#
+# Files may be downloaded by other modules which respond to URL_UNVERIFIED events, if you have configured bbot to do so.
+#
+# NOTE: .svg file extensions are filtered from inclusion by default, modify "url_extension_blacklist" appropriately if you want the .svg image to be considered for download.
+#
+# NOTE: use the "filedownload" module if you to download .svg and .pem files. .pem will be downloaded by defaut, .svg will require a customised configuration for that module.
+#
+# The domain portion of any URL_UNVERIFIED's will be extracted by the various internal modules if .svg is not filtered.
+#
+
+from bbot.modules.base import BaseModule
+from bbot.core.helpers.dns.helpers import service_record
+
+import re
+
+# Handle "v=BIMI1; l=; a=;" == RFC conformant explicit declination to publish, e.g. useful on a sub-domain if you don't want the sub-domain to have a BIMI logo, yet your registered domain does?
+# Handle "v=BIMI1; l=; a=" == RFC non-conformant explicit declination to publish
+# Handle "v=BIMI1; l=;" == RFC non-conformant explicit declination to publish
+# Handle "v=BIMI1; l=" == RFC non-conformant explicit declination to publish
+# Handle "v=BIMI1;" == RFC non-conformant explicit declination to publish
+# Handle "v=BIMI1" == RFC non-conformant explicit declination to publish
+# Handle "v=BIMI1;l=https://bimi.entrust.net/example.com/logo.svg;"
+# Handle "v=BIMI1; l=https://bimi.entrust.net/example.com/logo.svg;"
+# Handle "v=BIMI1;l=https://bimi.entrust.net/example.com/logo.svg;a=https://bimi.entrust.net/example.com/certchain.pem"
+# Handle "v=BIMI1; l=https://bimi.entrust.net/example.com/logo.svg;a=https://bimi.entrust.net/example.com/certchain.pem;"
+_bimi_regex = r"^v=(?P<v>BIMI1);* *(l=(?P<l>https*://[^;]*|)|);*( *a=((?P<a>https://[^;]*|)|);*)*$"
+bimi_regex = re.compile(_bimi_regex, re.I)
+
+
+class dnsbimi(BaseModule):
+    watched_events = ["DNS_NAME"]
+    produced_events = ["URL_UNVERIFIED", "RAW_DNS_RECORD"]
+    flags = ["subdomain-enum", "cloud-enum", "passive", "safe"]
+    meta = {
+        "description": "Check DNS_NAME's for BIMI records to find image and certificate hosting URL's",
+        "author": "@colin-stubbs",
+        "created_date": "2024-11-15",
+    }
+    options = {
+        "emit_raw_dns_records": False,
+        "emit_urls": True,
+        "selectors": "default,email,mail,bimi",
+    }
+    options_desc = {
+        "emit_raw_dns_records": "Emit RAW_DNS_RECORD events",
+        "emit_urls": "Emit URL_UNVERIFIED events",
+        "selectors": "CSV list of BIMI selectors to check",
+    }
+
+    async def setup(self):
+        self.emit_raw_dns_records = self.config.get("emit_raw_dns_records", False)
+        self.emit_urls = self.config.get("emit_urls", True)
+        self._selectors = self.config.get("selectors", "").replace(", ", ",").split(",")
+
+        return await super().setup()
+
+    def _incoming_dedup_hash(self, event):
+        # dedupe by parent
+        parent_domain = self.helpers.parent_domain(event.data)
+        return hash(parent_domain), "already processed parent domain"
+
+    async def filter_event(self, event):
+        if "_wildcard" in str(event.host).split("."):
+            return False, "event is wildcard"
+
+        # there's no value in inspecting service records
+        if service_record(event.host) == True:
+            return False, "service record detected"
+
+        return True
+
+    async def inspectBIMI(self, event, domain):
+        parent_domain = self.helpers.parent_domain(event.data)
+        rdtype = "TXT"
+
+        for selector in self._selectors:
+            tags = ["bimi-record", f"bimi-{selector}"]
+            hostname = f"{selector}._bimi.{parent_domain}"
+
+            r = await self.helpers.resolve_raw(hostname, type=rdtype)
+
+            if r:
+                raw_results, errors = r
+
+                for answer in raw_results:
+                    if self.emit_raw_dns_records:
+                        await self.emit_event(
+                            {
+                                "host": hostname,
+                                "type": rdtype,
+                                "answer": answer.to_text(),
+                            },
+                            "RAW_DNS_RECORD",
+                            parent=event,
+                            tags=tags.append(f"{rdtype.lower()}-record"),
+                            context=f"{rdtype} lookup on {hostname} produced {{event.type}}",
+                        )
+
+                    # we need to strip surrounding quotes and whitespace, as well as fix TXT data that may have been split across two different rdata's
+                    # e.g. we will get a single string, but within that string we may have two parts such as:
+                    # answer = '"part 1 that was really long" "part 2 that did not fit in part 1"'
+                    s = answer.to_text().strip('"').strip().replace('" "', "")
+
+                    bimi_match = bimi_regex.search(s)
+
+                    if bimi_match and bimi_match.group("v") and "bimi" in bimi_match.group("v").lower():
+                        if bimi_match.group("l") and bimi_match.group("l") != "":
+                            if self.emit_urls:
+                                await self.emit_event(
+                                    bimi_match.group("l"),
+                                    "URL_UNVERIFIED",
+                                    parent=event,
+                                    tags=tags.append("bimi-location"),
+                                )
+
+                        if bimi_match.group("a") and bimi_match.group("a") != "":
+                            if self.emit_urls:
+                                await self.emit_event(
+                                    bimi_match.group("a"),
+                                    "URL_UNVERIFIED",
+                                    parent=event,
+                                    tags=tags.append("bimi-authority"),
+                                )
+
+    async def handle_event(self, event):
+        await self.inspectBIMI(event, event.host)
+
+
+# EOF

bbot/test/test_step_2/module_tests/test_module_dnsbimi.py

@@ -0,0 +1,103 @@
+from .base import ModuleTestBase
+
+raw_bimi_txt_default = (
+    '"v=BIMI1;l=https://bimi.test.localdomain/logo.svg; a=https://bimi.test.localdomain/certificate.pem"'
+)
+raw_bimi_txt_nondefault = '"v=BIMI1; l=https://nondefault.thirdparty.tld/brand/logo.svg;a=https://nondefault.thirdparty.tld/brand/certificate.pem;"'
+
+
+class TestBIMI(ModuleTestBase):
+    targets = ["test.localdomain"]
+    modules_overrides = ["dnsbimi", "speculate"]
+    config_overrides = {
+        "modules": {"dnsbimi": {"emit_raw_dns_records": True, "selectors": "default,nondefault"}},
+    }
+
+    async def setup_after_prep(self, module_test):
+        await module_test.mock_dns(
+            {
+                "test.localdomain": {
+                    "A": ["127.0.0.11"],
+                },
+                "bimi.test.localdomain": {
+                    "A": ["127.0.0.22"],
+                },
+                "_bimi.test.localdomain": {
+                    "A": ["127.0.0.33"],
+                },
+                "default._bimi.test.localdomain": {
+                    "A": ["127.0.0.44"],
+                    "TXT": [raw_bimi_txt_default],
+                },
+                "nondefault._bimi.test.localdomain": {
+                    "A": ["127.0.0.44"],
+                    "TXT": [raw_bimi_txt_nondefault],
+                },
+                "_bimi.default._bimi.test.localdomain": {
+                    "A": ["127.0.0.44"],
+                    "TXT": [raw_bimi_txt_default],
+                },
+                "_bimi.nondefault._bimi.test.localdomain": {
+                    "A": ["127.0.0.44"],
+                    "TXT": [raw_bimi_txt_default],
+                },
+                "default._bimi.default._bimi.test.localdomain": {
+                    "A": ["127.0.0.44"],
+                    "TXT": [raw_bimi_txt_default],
+                },
+                "nondefault._bimi.nondefault._bimi.test.localdomain": {
+                    "A": ["127.0.0.44"],
+                    "TXT": [raw_bimi_txt_nondefault],
+                },
+            }
+        )
+
+    def check(self, module_test, events):
+        assert any(
+            e.type == "RAW_DNS_RECORD"
+            and e.data["host"] == "default._bimi.test.localdomain"
+            and e.data["type"] == "TXT"
+            and e.data["answer"] == raw_bimi_txt_default
+            for e in events
+        ), "Failed to emit RAW_DNS_RECORD"
+        assert any(
+            e.type == "RAW_DNS_RECORD"
+            and e.data["host"] == "nondefault._bimi.test.localdomain"
+            and e.data["type"] == "TXT"
+            and e.data["answer"] == raw_bimi_txt_nondefault
+            for e in events
+        ), "Failed to emit RAW_DNS_RECORD"
+
+        assert any(
+            e.type == "DNS_NAME" and e.data == "bimi.test.localdomain" for e in events
+        ), "Failed to emit DNS_NAME"
+
+        # This should be filtered by a default BBOT configuration
+        assert not any(str(e.data) == "https://nondefault.thirdparty.tld/brand/logo.svg" for e in events)
+
+        # This should not be filtered by a default BBOT configuration
+        assert any(
+            e.type == "URL_UNVERIFIED" and e.data == "https://bimi.test.localdomain/certificate.pem" for e in events
+        ), "Failed to emit URL_UNVERIFIED"
+
+        # These should be filtered simply due to distance
+        assert not any(str(e.data) == "https://nondefault.thirdparty.tld/brand/logo.svg" for e in events)
+        assert not any(str(e.data) == "https://nondefault.thirdparty.tld/certificate.pem" for e in events)
+
+        # These should have been filtered via filter_event()
+        assert not any(
+            e.type == "RAW_DNS_RECORD" and e.data["host"] == "default._bimi.default._bimi.test.localdomain"
+            for e in events
+        ), "Unwanted recursion occurring"
+        assert not any(
+            e.type == "RAW_DNS_RECORD" and e.data["host"] == "nondefault._bimi.nondefault._bimi.test.localdomain"
+            for e in events
+        ), "Unwanted recursion occurring"
+        assert not any(
+            e.type == "RAW_DNS_RECORD" and e.data["host"] == "nondefault._bimi.default._bimi.test.localdomain"
+            for e in events
+        ), "Unwanted recursion occurring"
+        assert not any(
+            e.type == "RAW_DNS_RECORD" and e.data["host"] == "default._bimi.nondefault._bimi.test.localdomain"
+            for e in events
+        ), "Unwanted recursion occurring"

{bbot-2.1.2.5223rc0.dist-info → bbot-2.1.2.5232rc0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: bbot
-Version: 2.1.2.5223rc0
+Version: 2.1.2.5232rc0
 Summary: OSINT automation for hackers.
 Home-page: https://github.com/blacklanternsecurity/bbot
 License: GPL-3.0

{bbot-2.1.2.5223rc0.dist-info → bbot-2.1.2.5232rc0.dist-info}/RECORD

@@ -1,4 +1,4 @@
-bbot/__init__.py,sha256=aekooHcHziO6lPgvwep-hyBz_rH9rrpnNKqtzZdp7Qg,130
+bbot/__init__.py,sha256=YSTPQiPA_XqIwvnL1uYS3Icpqeb_ARNyplI6Pk4f37Y,130
 bbot/cli.py,sha256=7S3a4eB-Dl8yodc5WC-927Z30CNlLl9EXimGvIVypJo,10434
 bbot/core/__init__.py,sha256=l255GJE_DvUnWvrRb0J5lG-iMztJ8zVvoweDOfegGtI,46
 bbot/core/config/__init__.py,sha256=zYNw2Me6tsEr8hOOkLb4BQ97GB7Kis2k--G81S8vofU,342
@@ -86,6 +86,7 @@ bbot/modules/deadly/nuclei.py,sha256=fH6oayOhPyd3z0edOvluef3K64FQ8JuQCcb_729u73M
 bbot/modules/deadly/vhost.py,sha256=lHKK5Gn9cOSeJT-8XvNnOAG97cB_zXJE1_j07KLKTqI,5462
 bbot/modules/dehashed.py,sha256=enDarOzlY84R4_ctp2fLVNLmjocaCh1j1x8nIKwEdHY,5064
 bbot/modules/digitorus.py,sha256=nZIuJhDhX152yP_bDH0BFTswHYdm1YVDYN56Sdm0u7k,1021
+bbot/modules/dnsbimi.py,sha256=vuyZJGTv7gkpqpFXrGcfdeHanR96ukSRDS3CpvGeOMI,6920
 bbot/modules/dnsbrute.py,sha256=Y2bSbG2IcwIJID1FSQ6Qe9fdpWwG7GIO-wVQw7MdQFM,2439
 bbot/modules/dnsbrute_mutations.py,sha256=bOJidK_oKZe87u8e9t0mEFnyuBi93UiNsQvpZYvhzZg,6939
 bbot/modules/dnscaa.py,sha256=TC7uWps0xBlRXCQHxwfIORKDsojnOGXUeIWCOBvlMl8,4981
@@ -295,6 +296,7 @@ bbot/test/test_step_2/module_tests/test_module_dastardly.py,sha256=rQ7WerNqZxxxV
 bbot/test/test_step_2/module_tests/test_module_dehashed.py,sha256=YVsTEFEPchahDT7q_8BofMsH4tYQlN-G1QtAxq6YUn0,3626
 bbot/test/test_step_2/module_tests/test_module_digitorus.py,sha256=81mNwDb4WLUibstUSD8TowSJB3B5DBneS2LWimie9y4,1613
 bbot/test/test_step_2/module_tests/test_module_discord.py,sha256=Z66fGb-kkdZTQfUh6WZiM35Ad-gDyvwxlA7mUUB2vnQ,1838
+bbot/test/test_step_2/module_tests/test_module_dnsbimi.py,sha256=Ag24Bcm4MFxgUwvXXubPGE6mLMBsJGwfhCQ6paK-rRU,4391
 bbot/test/test_step_2/module_tests/test_module_dnsbrute.py,sha256=33j93ayz7Ul4Fvg7plf6H4LKcUgFuEH4SlAXnNkEmD0,5153
 bbot/test/test_step_2/module_tests/test_module_dnsbrute_mutations.py,sha256=Faojc5UHkUP2lMeWukUjLOU6tQSL3HdeepjuVIcs4rY,3902
 bbot/test/test_step_2/module_tests/test_module_dnscaa.py,sha256=5JaAYt-oFGON8Gc4xJNyc2UtjCp97OEiaJrvD04VHQM,2751
@@ -402,8 +404,8 @@ bbot/wordlists/raft-small-extensions-lowercase_CLEANED.txt,sha256=ruUQwVfia1_m2u
 bbot/wordlists/top_open_ports_nmap.txt,sha256=LmdFYkfapSxn1pVuQC2LkOIY2hMLgG-Xts7DVtYzweM,42727
 bbot/wordlists/valid_url_schemes.txt,sha256=VciB-ww0y-O8Ii1wpTR6rJzGDiC2r-dhVsIJApS1ZYU,3309
 bbot/wordlists/wordninja_dns.txt.gz,sha256=DYHvvfW0TvzrVwyprqODAk4tGOxv5ezNmCPSdPuDUnQ,570241
-bbot-2.1.2.5223rc0.dist-info/LICENSE,sha256=GzeCzK17hhQQDNow0_r0L8OfLpeTKQjFQwBQU7ZUymg,32473
-bbot-2.1.2.5223rc0.dist-info/METADATA,sha256=twDbdgmWLHvXj0d5DNc6B-Q6ioy4pNN0dOVdpU2fGgA,17109
-bbot-2.1.2.5223rc0.dist-info/WHEEL,sha256=Nq82e9rUAnEjt98J6MlVmMCZb-t9cYE2Ir1kpBmnWfs,88
-bbot-2.1.2.5223rc0.dist-info/entry_points.txt,sha256=cWjvcU_lLrzzJgjcjF7yeGuRA_eDS8pQ-kmPUAyOBfo,38
-bbot-2.1.2.5223rc0.dist-info/RECORD,,
+bbot-2.1.2.5232rc0.dist-info/LICENSE,sha256=GzeCzK17hhQQDNow0_r0L8OfLpeTKQjFQwBQU7ZUymg,32473
+bbot-2.1.2.5232rc0.dist-info/METADATA,sha256=GL4dxSfsZJj9tk0IrOJNINpmPg9n9mOQq5Q9GQv9MAE,17109
+bbot-2.1.2.5232rc0.dist-info/WHEEL,sha256=Nq82e9rUAnEjt98J6MlVmMCZb-t9cYE2Ir1kpBmnWfs,88
+bbot-2.1.2.5232rc0.dist-info/entry_points.txt,sha256=cWjvcU_lLrzzJgjcjF7yeGuRA_eDS8pQ-kmPUAyOBfo,38
+bbot-2.1.2.5232rc0.dist-info/RECORD,,