bbot 2.4.2.6638rc0__py3-none-any.whl → 2.4.2.6655rc0__py3-none-any.whl

bbot/__init__.py

@@ -1,5 +1,5 @@
 # version placeholder (replaced by poetry-dynamic-versioning)
-__version__ = "v2.4.2.6638rc"
+__version__ = "v2.4.2.6655rc"
 
 from .scanner import Scanner, Preset
 

bbot/modules/deadly/medusa.py

@@ -0,0 +1,235 @@
+import re
+from bbot.modules.base import BaseModule
+from bbot.errors import WordlistError
+
+
+class medusa(BaseModule):
+    watched_events = ["PROTOCOL"]
+    produced_events = ["VULNERABILITY"]
+    flags = ["active", "aggressive", "deadly"]
+    per_host_only = True
+    meta = {
+        "description": "Medusa SNMP bruteforcing with v1, v2c and R/W check.",
+        "created_date": "2025-05-16",
+        "author": "@christianfl",
+    }
+    scope_distance_modifier = None
+
+    options = {
+        "snmp_wordlist": "https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Discovery/SNMP/common-snmp-community-strings.txt",
+        "snmp_versions": ["1", "2C"],  # Only 1 and 2C are available with medusa 2.3.
+        "wait_microseconds": 200,
+        "timeout_s": 5,
+        "threads": 5,
+    }
+
+    options_desc = {
+        "snmp_wordlist": "Wordlist url for SNMP community strings, newline separated (default https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Discovery/SNMP/snmp.txt)",
+        "snmp_versions": "List of SNMP versions to attempt against the SNMP server (default ['1', '2C'])",
+        "wait_microseconds": "Wait time after every SNMP request in microseconds (default 200)",
+        "timeout_s": "Wait time for the SNMP response(s) once at the end of all attempts (default 5)",
+        "threads": "Number of communities to be tested concurrently (default 5)",
+    }
+
+    deps_ansible = [
+        {
+            "name": "Install build dependencies",
+            "package": {
+                "name": [
+                    "autoconf",
+                    "automake",
+                    "libtool",
+                    "gcc",
+                    "make",
+                ],
+                "state": "present",
+            },
+            "become": True,
+            "ignore_errors": True,
+        },
+        {
+            "name": "Get medusa repo",
+            "git": {
+                "repo": "https://github.com/jmk-foofus/medusa",
+                "dest": "#{BBOT_TEMP}/medusa/gitrepo",
+                "version": "2.3",  # Newest stable, 2025-05-15
+            },
+        },
+        {
+            # The git repo will be copied because during build, files and subfolders get created. That prevents the Ansible git module to cache the repo.
+            "name": "Copy medusa repo",
+            "copy": {
+                "src": "#{BBOT_TEMP}/medusa/gitrepo/",
+                "dest": "#{BBOT_TEMP}/medusa/workdir/",
+            },
+        },
+        {
+            "name": "Build medusa: autoreconf",
+            "command": {
+                "chdir": "#{BBOT_TEMP}/medusa/workdir",
+                "cmd": "autoreconf -f -i",
+            },
+        },
+        {
+            "name": "Build medusa: configure",
+            "command": {
+                "chdir": "#{BBOT_TEMP}/medusa/workdir",
+                "cmd": "./configure --prefix=#{BBOT_TEMP}/medusa/build",
+            },
+        },
+        {
+            "name": "Build medusa: make",
+            "command": {
+                "chdir": "#{BBOT_TEMP}/medusa/workdir",
+                "cmd": "make",
+            },
+        },
+        {
+            "name": "Build medusa: make install",
+            "command": {
+                "chdir": "#{BBOT_TEMP}/medusa/workdir",
+                "cmd": "make install",
+                "creates": "#{BBOT_TEMP}/medusa/build/bin/medusa",
+            },
+        },
+        {
+            "name": "Install medusa",
+            "copy": {
+                "src": "#{BBOT_TEMP}/medusa/build/bin/medusa",
+                "dest": "#{BBOT_TOOLS}/",
+                "mode": "u+x,g+x,o+x",
+            },
+        },
+    ]
+
+    async def setup(self):
+        # Try to cache wordlist
+        try:
+            self.snmp_wordlist_path = await self.helpers.wordlist(self.config.get("snmp_wordlist"))
+        except WordlistError as e:
+            return False, f"Error retrieving wordlist: {e}"
+
+        self.password_match_regex = re.compile(r"Password:\s*(\S+)")
+        self.success_indicator_match_regex = re.compile(r"\[([^\]]+)\]\s*$")
+
+        return True
+
+    async def filter_event(self, event):
+        handled_protocols = ["snmp"]  # Could be extended later
+
+        protocol = event.data["protocol"].lower()
+        if not protocol in handled_protocols:
+            return False, f"service {protocol} is currently not supported. Only SNMP."
+
+        return True
+
+    async def handle_event(self, event):
+        host = str(event.host)
+        port = str(event.port)
+        protocol = event.data["protocol"].lower()
+
+        if protocol == "snmp":
+            snmp_versions = self.config.get("snmp_versions")
+
+            # Medusa must be called for each SNMP version separately after each run finished.
+            for snmp_version in snmp_versions:
+                command = await self.construct_command(host, port, protocol, snmp_version)
+
+                result = await self.run_process(command)
+
+                if result.stderr:
+                    # Medusa outputs to stderr if a readonly community was found in WRITE mode
+                    # That's intended behavior
+                    self.info(f"Medusa stderr: {result.stderr}")
+
+                async for message in self.parse_output(result.stdout, snmp_version):
+                    vuln_event = self.create_vuln_event("CRITICAL", message, event)
+                    await self.emit_event(vuln_event)
+
+        # else: Medusa supports various protocols which could in theory be implemented later on.
+
+    async def parse_output(self, output, protocol_version):
+        for line in output.splitlines():
+            # Print original Medusa output
+            self.info(line)
+
+            if "FOUND" in line:
+                # Some credential was guessed
+                password_match = self.password_match_regex.search(line)
+                password = password_match.group(1) if password_match else None
+
+                success_indicator_match = self.success_indicator_match_regex.search(line)
+                success_indicator = success_indicator_match.group(1) if success_indicator_match else None
+
+                # Medusa in WRITE mode shows "ERROR" if a readonly community was found. Replace with "READ"
+                mode = "R/W" if success_indicator == "success" else "READ" if success_indicator == "ERROR" else "MODE?"
+
+                message = f"VALID [SNMPV{protocol_version}] CREDENTIALS FOUND: {password} [{mode}]"
+
+                yield message
+
+    async def construct_command(self, host, port, protocol, protocol_version):
+        # -b                Suppress startup banner
+        # -v                Set verbosity level (4 = Show only errors and credentials)
+        # -R                Number of attempted retries
+        # -M                Medusa module to execute (SNMP)
+        # -T                Number of concurrent hosts
+        # -t                Number of concurrent login attempts
+        # -h                Target hostname or ip address
+        # -u                Username to test (Empty for SNMP)
+        # -P                Wordlist for passwords
+        # -m                Module specific parameters:
+        #   TIMEOUT:<number>        Sets the number of seconds to wait for the UDP responses (default: 5 sec).
+        #   SEND_DELAY:<number>     Sets the number of microseconds to wait between sending queries (default: 200 usec).
+        #   VERSION:<1|2C>          Set the SNMP client version.
+        #   ACCESS:<READ|WRITE>     Set level of access to test for with the community string. ("WRITE" does include "READ")
+
+        # Example command to bruteforce SNMP:
+        #
+        # medusa -b -v 4 -R 1 -M snmp -T 1 -t 1 -h 127.0.0.1 -u '' -P communities.txt -m VERSION:2C -m SEND_DELAY:1000000 -m ACCESS:WRITE -m TIMEOUT:10
+
+        cmd = [
+            "medusa",
+            "-b",
+            "-v",
+            4,
+            "-R",
+            1,
+            "-M",
+            protocol,
+            "-T",
+            1,
+            "-t",
+            self.config.get("threads"),
+            "-h",
+            host,
+            "-u",
+            "''",
+            "-P",
+            self.snmp_wordlist_path,
+            "-m",
+            f"VERSION:{protocol_version}",
+            "-m",
+            f"SEND_DELAY:{self.config.get('wait_microseconds')}",
+            "-m",
+            "ACCESS:WRITE",
+            "-m",
+            f"TIMEOUT:{self.config.get('timeout_s')}",
+        ]
+
+        return cmd
+
+    def create_vuln_event(self, severity, description, source_event):
+        host = str(source_event.host)
+        port = str(source_event.port)
+
+        return self.make_event(
+            {
+                "severity": severity,
+                "host": host,
+                "port": port,
+                "description": description,
+            },
+            "VULNERABILITY",
+            source_event,
+        )

bbot/test/test_step_2/module_tests/test_module_medusa.py

@@ -0,0 +1,50 @@
+from .base import ModuleTestBase, tempwordlist
+import pytest
+
+
+@pytest.fixture
+def mock_medusa_run_process(monkeypatch):
+    async def fake_run_process(self, cmd):
+        class FakeResult:
+            stdout = "ACCOUNT FOUND: [snmp] Host: 127.0.0.1 User: (null) Password: public [ERROR]\n"
+            stderr = (
+                "ERROR: [snmp.mod] Error processing SNMP response (1).\n"
+                "ERROR: [snmp.mod] Community string appears to have only READ access.\n"
+            )
+
+        return FakeResult()
+
+    from bbot.modules.base import BaseModule
+
+    monkeypatch.setattr(BaseModule, "run_process", fake_run_process)
+
+
+@pytest.mark.usefixtures("mock_medusa_run_process")
+class TestMedusa(ModuleTestBase):
+    targets = ["127.0.0.1"]
+    temp_snmp_wordlist = tempwordlist(["public", "private, admin"])
+    config_overrides = {
+        "modules": {
+            "medusa": {
+                "snmp_versions": ["2C"],
+                "timeout_s": 1,
+                "snmp_wordlist": str(temp_snmp_wordlist),
+            }
+        }
+    }
+
+    async def setup_after_prep(self, module_test):
+        protocol_data = {"host": str(self.targets[0]), "protocol": "snmp", "port": 161}
+
+        protocol_event = module_test.scan.make_event(
+            protocol_data,
+            "PROTOCOL",
+            parent=module_test.scan.root_event,
+        )
+        await module_test.module.emit_event(protocol_event)
+
+    def check(self, module_test, events):
+        vuln_events = [e for e in events if e.type == "VULNERABILITY"]
+
+        assert len(vuln_events) == 1
+        assert "VALID [SNMPV2C] CREDENTIALS FOUND: public [READ]" in vuln_events[0].data["description"]

{bbot-2.4.2.6638rc0.dist-info → bbot-2.4.2.6655rc0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: bbot
-Version: 2.4.2.6638rc0
+Version: 2.4.2.6655rc0
 Summary: OSINT automation for hackers.
 License: GPL-3.0
 Keywords: python,cli,automation,osint,threat-intel,intelligence,neo4j,scanner,python-library,hacking,recursion,pentesting,recon,command-line-tool,bugbounty,subdomains,security-tools,subdomain-scanner,osint-framework,attack-surface,subdomain-enumeration,osint-tool

{bbot-2.4.2.6638rc0.dist-info → bbot-2.4.2.6655rc0.dist-info}/RECORD

@@ -1,4 +1,4 @@
-bbot/__init__.py,sha256=MKxhXFa7Z1IH-IYRMco6EJRNAHZvMyIhFC_T-5pCQV0,163
+bbot/__init__.py,sha256=yDRP6RswzftH1j2TWgwfKcvWyZmu1jV25g7RRdk5lj0,163
 bbot/cli.py,sha256=1QJbANVw9Q3GFM92H2QRV2ds5756ulm08CDZwzwPpeI,11888
 bbot/core/__init__.py,sha256=l255GJE_DvUnWvrRb0J5lG-iMztJ8zVvoweDOfegGtI,46
 bbot/core/config/__init__.py,sha256=zYNw2Me6tsEr8hOOkLb4BQ97GB7Kis2k--G81S8vofU,342
@@ -83,6 +83,7 @@ bbot/modules/code_repository.py,sha256=x70Z45VnNNMF8BPkHfGWZXsZXw_fStGB3y0-8jbP1
 bbot/modules/credshed.py,sha256=HAF5wgRGKIIpdMAe4mIAtkZRLmFYjMFyXtjjst6RJ20,4203
 bbot/modules/crt.py,sha256=6Zm90VKXwYYN6Sab0gwwhTARrtnQIqALJTVtFWMMTGk,1369
 bbot/modules/crt_db.py,sha256=xaIm2457_xGJjnKss73l1HpPn7pLPHksVzejsimTfZA,2198
+bbot/modules/deadly/medusa.py,sha256=44psluRg9VFo6WNLKlnTtH66afqhrOF0STBbLhFkHCE,8859
 bbot/modules/dehashed.py,sha256=0lzcqMEgwRmprwurZ2-8Y8aOO4KTueJgpY_vh0DWQwA,5155
 bbot/modules/digitorus.py,sha256=XQY0eAQrA7yo8S57tGncP1ARud-yG4LiWxx5VBYID34,1027
 bbot/modules/dnsbimi.py,sha256=A4cqhvhytmEEd-tY4CgFwMLbsVtMjkRY9238Aj8aVtU,6921
@@ -378,6 +379,7 @@ bbot/test/test_step_2/module_tests/test_module_jadx.py,sha256=qTBfDc_Iv03n8iGdyL
 bbot/test/test_step_2/module_tests/test_module_json.py,sha256=gmlqge5ZJpjVMGs7OLZBsNlSFTTrKnKjIZMIU23o8VQ,3350
 bbot/test/test_step_2/module_tests/test_module_leakix.py,sha256=DQaQsL4ewpuYeygp-sgcvdeOSzvHq77_eYjKcgebS7A,1817
 bbot/test/test_step_2/module_tests/test_module_lightfuzz.py,sha256=g8rPTtjPe90ZkjCEMlNUC2fraqzZu4XK_0GaA7sGI9A,77463
+bbot/test/test_step_2/module_tests/test_module_medusa.py,sha256=vYoAyMf0LbIXCoUzLycOISZtF7M58E30WjuLuqxDiCg,1671
 bbot/test/test_step_2/module_tests/test_module_mysql.py,sha256=4wAPjbjhlxmOkEhQnIQIBC2BLEaE57TX6lChGZ3zLsU,2630
 bbot/test/test_step_2/module_tests/test_module_myssl.py,sha256=zRJ1sOEespWtBx2jA07bW5sHD1XQ9pV0PtHtGogo7Gs,1531
 bbot/test/test_step_2/module_tests/test_module_neo4j.py,sha256=pUUaqxBsF6s11dEDhrETpvlR2pqiUcc0uvH8Z5GvVUQ,1332
@@ -450,8 +452,8 @@ bbot/wordlists/raft-small-extensions-lowercase_CLEANED.txt,sha256=ZSIVebs7ptMvHx
 bbot/wordlists/top_open_ports_nmap.txt,sha256=LmdFYkfapSxn1pVuQC2LkOIY2hMLgG-Xts7DVtYzweM,42727
 bbot/wordlists/valid_url_schemes.txt,sha256=0B_VAr9Dv7aYhwi6JSBDU-3M76vNtzN0qEC_RNLo7HE,3310
 bbot/wordlists/wordninja_dns.txt.gz,sha256=DYHvvfW0TvzrVwyprqODAk4tGOxv5ezNmCPSdPuDUnQ,570241
-bbot-2.4.2.6638rc0.dist-info/LICENSE,sha256=GzeCzK17hhQQDNow0_r0L8OfLpeTKQjFQwBQU7ZUymg,32473
-bbot-2.4.2.6638rc0.dist-info/METADATA,sha256=vHgtJRTbiaQgj8CWEdh7mMF-gHzb85Xrr2jSUbFqjKc,18308
-bbot-2.4.2.6638rc0.dist-info/WHEEL,sha256=b4K_helf-jlQoXBBETfwnf4B04YC67LOev0jo4fX5m8,88
-bbot-2.4.2.6638rc0.dist-info/entry_points.txt,sha256=cWjvcU_lLrzzJgjcjF7yeGuRA_eDS8pQ-kmPUAyOBfo,38
-bbot-2.4.2.6638rc0.dist-info/RECORD,,
+bbot-2.4.2.6655rc0.dist-info/LICENSE,sha256=GzeCzK17hhQQDNow0_r0L8OfLpeTKQjFQwBQU7ZUymg,32473
+bbot-2.4.2.6655rc0.dist-info/METADATA,sha256=ZGC7qPJcqpTX0gaUp2rLUa6oIi9Qzxex27HjI0cGFmg,18308
+bbot-2.4.2.6655rc0.dist-info/WHEEL,sha256=b4K_helf-jlQoXBBETfwnf4B04YC67LOev0jo4fX5m8,88
+bbot-2.4.2.6655rc0.dist-info/entry_points.txt,sha256=cWjvcU_lLrzzJgjcjF7yeGuRA_eDS8pQ-kmPUAyOBfo,38
+bbot-2.4.2.6655rc0.dist-info/RECORD,,