honoki / bbrf-client Goto Github PK

The Bug Bounty Reconnaissance Framework (BBRF) can help you coordinate your reconnaissance workflows across multiple devices

License: MIT License

Python 100.00%

bbrf-client's Introduction

Introduction

The Bug Bounty Reconnaissance Framework (BBRF) can be used to coordinate your reconnaissance workflows across multiple devices. For more background, read the original blog post.

If you are new to BBRF, you will need to deploy a BBRF server before you can make use of the client.

Get started

# install the client
pip install bbrf

# create the .bbrf folder
mkdir -p ~/.bbrf 

# ensure you have the required configuration in ~/.bbrf/config.json
cat > ~/.bbrf/config.json << EOF
{
    "username": "bbrf",
    "password": "<your secure password>",
    "couchdb": "https://<your-bbrf-server>/bbrf",
    "slack_token": "<a slack token to receive notifications>",
    "discord_webhook": "<your discord webhook if you want one>",
    "ignore_ssl_errors": false
}
EOF
# other optional settings are {"debug":true, "slack_channel": "channel-name", "slack_webhook":"https://..."}

# create a new program
bbrf new test

# or continue with a program you have created before
bbrf use test

# define a scope for your program
bbrf inscope add '*.example.com' '*.sub.example.com' 'example.com'
bbrf outscope add 'blog.example.com' '*.dev.example.com'

# view the program in/out scope
bbrf scope in
bbrf scope out

# start a background listener to listen for changes and send alerts to Slack
# in production, you probably want this continuously running on a VPS somewhere
bbrf listen &

# add some domains manually
bbrf domain add www.example.com example.com some.dev.example.com www.example.com www.example.com thisisnotadomain.example

# note that bbrf automatically safeguards the data quality, e.g.
# it checks the program's in and out scope to see if entries
# should be processed or not, prevents duplicate entries in the database,
# and rejects all input that is not a valid domain
bbrf domains

# add a list of ips from a file by piping into bbrf
cat ips.txt | bbrf ip add -

# run a tool based on the program scope, store results in bbrf,
# and display a list of domains that have been added
bbrf scope in --wildcard --top | subfinder | bbrf domain add - --show-new

# retrieve a raw document from the bbrf server and format with jq
bbrf show www.example.com | jq

# update the outscope
bbrf outscope add www.example.com

# note that this does not automatically remove outscoped domains that
# were already in the database, so you will manually need to fix that!
bbrf domains | bbrf scope filter out | bbrf domain remove -

# discover all features of bbrf on the help page
bbrf -h

# Use dnsx to resolve unresolved domains across all your programs
# and store the results in bbrf, either by updating existing ips and domains,
# or by adding them if they are new
for p in $(bbrf programs); do
  bbrf domains --view unresolved -p $p | \
  dnsx -silent -a -resp | tr -d '[]' | tee \
      >(awk '{print $1":"$2}' | bbrf domain update - -p $p -s dnsx) \
      >(awk '{print $1":"$2}' | bbrf domain add - -p $p -s dnsx) \
      >(awk '{print $2":"$1}' | bbrf ip add - -p $p -s dnsx) \
      >(awk '{print $2":"$1}' | bbrf ip update - -p $p -s dnsx)
done

# view all resolved domains
bbrf domains --view resolved

Python module

To use BBRF in your Python projects, use the interface as follows:

from bbrf import BBRFClient as bbrf

# this will use the system's default ~/.bbrf/config.json file:
programs = bbrf('programs').run()

# to specify a custom configuration, provide a second argument:
conf = {
    "username": "bbrf",
    "password": "<your secure password>",
    "couchdb": "https://<your-instance>/bbrf",
    "slack_token": "<a slack token to receive notifications>",
    "discord_webhook": "<your discord webhook>",
    "ignore_ssl_errors": false
}

domains = bbrf('domains --view resolved', conf).run()

Dashboard

If you like browsing through your recon data with a GUI, you can make use of the BBRF dashboard on https://bbrf.me. Just plug in your server URL, username and password, and the dashboard will pull your data and make it searchable. Note that all communication to the server happens via your browser, so your data remains safe!

Advanced

Domains

BBRF will accept and store domains in any of the following input formats:

<domain>
<domain>:<ip>
<domain>:<ip>,<ip>,...

Note that adding the DNS resolutions of a domain in this way does not automatically store the IP in the IPs table, but that domains and ips are logically seperated in the client, which requires you to write your scripts so that they handle this distinction appropriately.

bbrf domain add www.example.com:1.1.1.1
bbrf domain update www.example.com:2.2.2.2,3.3.3.3
bbrf show www.example.com | jq

IPs

Similarly, you can store hostnames of an IP address by appending one or more domains with a colon:

<ip>
<ip>:<domain>
<ip>:<domain>,<domain>,...

Again, BBRF will make sure the provided hostnames are valid domain names before storing them, but will not add them to your list of domains for the program, nor does it validate these domains against the defined program scope. Instead, these domains are stored in a domains property on the IP document:

bbrf ip add 1.1.1.1:www.example.com,sub.example.com
bbrf ip update 1.1.1.1:www.google.com,www.apple.com
bbrf show 1.1.1.1 | jq

URLs

BBRF will help you manage your URLs, and store their hostname, port, status code and content length for you:

bbrf url add 'https://www.example.com:8443/a' 'http://www.example.com/b' 'http://www.example.com/c 200 1234'

Two formats are accepted: <url> or <url> <statuscode> <contentlength> delimited by spaces.

The <url> can be absolute or relative. A relative URL will require the -d <hostname> flag to be specified or will be skipped. Whenever the -d flag is set, it will compare that with the hostname parsed from the URL, and skip the URL if they do not match.

Relative URLs and URLs that do not specify a scheme (http:// or https://) will always be interpreted with scheme http://. If no port is found, ports 80 and 443 will be used as a default depending on the scheme.

The flag --show-new will print a list of new and updated URLs if they were added, or if their status code and/or content length were updated respectively:

cat urls.txt | bbrf url add - --show-new
[UPDATED] https://sub.example.com:8443/b
[NEW] http://www.example.com/a
[NEW] http://www.example.com/c

To view a list of stored URLs of your active program, simply use:

bbrf urls

Or, to return URLs belonging to a specific host:

bbrf urls -d www.example.com

To list URLs across all programs, run:

bbrf urls --all

To print full URLs with the saved query strings:

bbrf urls --all --with-query

Services

To store services (i.e. open ports) in BBRF, provide the input formatted as ip:port or ip:port:service, and manually specify other properties by means of the tagging system (see below for more info about tags), e.g.:

bbrf service add 127.0.0.1:8443 127.0.0.1:8888 -t hostname:localhost -t protocol:tcp
bbrf service add 127.0.0.1:80:http 127.0.0.1:21:ftp -t hostname:localhost -t protocol:tcp
bbrf service add 127.0.0.1:22:ssh 127.0.0.1:53:domain 127.0.0.1:80 -t scanned:$(date +%s)

Note that services can only be stored for an IP address, and not as domain:port for example. This avoids the complexity of mapping domains to IPs (especially when an IP address maps to more than one domain), while still allowing search operations supported by a mix of default properties and tags:

# get all known services on port 8443
bbrf services where port is 8443
# return services for which a tag has been manually provided
bbrf services where hostname is localhost

Tagging and querying

By setting custom properties for the different document types (programs, domains, ips, urls and services), you can specify e.g. the platform a program belongs to or the name of a team member that added a bunch of new domains.

To add tags to documents, specify a -t key:value when creating a new domain, ip, url or service, or leave empty to remove the tag:

# add a custom tag to all domains
cat domains.txt | bbrf domain add - -t added_by:pieter -t from:domains.txt
# create an IP with a custom tag
bbrf ip add 1.2.3.4 -t added_by:pieter
# remove the tag
bbrf ip update 1.2.3.4 -t added_by:

Note that you can specify the same tag multiple times to store the tags as arrays. BBRF will follow the following rules to determine how to store tags:

if a single -t tag:value is found, treat as a normal value;
if the same tag name is provided more than once, default to an array: -t cname:one -t cname:two
by default, overwrite existing values for the tags when updating, unless --append-tags is specified, in which case append new values to existing values:

bbrf domain update www.example.tld -t name:value
bbrf show www.example.tld | jq .tags # { "name": "value" }
bbrf domain update www.example.tld -t name:value2 -t name:value3
bbrf show www.example.tld | jq .tags # { "name": ["value2", "value3"] }
bbrf domain update www.example.tld -t name:value4 --append-tags
bbrf show www.example.tld | jq .tags # { "name": ["value2", "value3", "value4"] }
bbrf domain update www.example.tld -t name:
bbrf show www.example.tld | jq .tags # { }

To facilitate basic data querying, the BBRF server provides an indexed search based on all custom tags, as well as some default properties of all document types:

# search domains based on custom tags:
bbrf domains where added_by is pieter --all
bbrf domains where last_updated is before 1610698911
bbrf domains where last_scan is after 2021-01-01 -p myprogram

# or search the properties that are available by design:
bbrf domains where ip is 1.1.1.1
bbrf ips where domain is www.example.com
bbrf urls where port is 443
bbrf services where port is 22

This works on domains, ips, urls and services and will search based on text-based comparisons as is defined in the Unicode Collation Algorithm as implemented by Couchdb.

Since all values are stored as text, this allows date comparison if you store dates as unix timestamps or in a ISO-8601 format e.g. 2021-01-15T09:02:40.628Z.

That also means, however, that for example "20" comes after "1000", which makes this less suitable for integer comparison. So if you want to store integers, you may want to use padded zeros at the front to ensure that 0020 comes before 1000.

Dynamic program inference

Use the dynamic program name -p @INFER to infer the program name based on other properties if you're unable to specify the program flag yourself for some reason; this is currently supported for the following operations:

bbrf ip add 1.1.1.1:example.tld -p @INFER will set the IP's program name to the same as the domain example.tld if it already exists;
bbrf domain add some.example.tld:1.2.3.4 -p @INFER will set the domain's program name to the same as 1.2.3.4 if it already exists - note that this will bypass the scope validation of the program, because the program name is inferred just before writing to the database.
bbrf domain add some.example.tld some.other.tld -p @INFER will add the domains to whatever program scope matches the input;
bbrf url add http://this.example.tld https://that.some.tld/robots.txt -p @INFER will add the URLs to whatever program has the domain in scope;

BBRF Listener

In order to process changes and alerts as they are pushed to the data store, you need to have an active listener running somewhere:

bbrf listen

This will start listening for changes on the BBRF server and push notifications to your configured Slack instance. Note that this will fail e.g. when the BBRF server is temporarily unavailable or in case of certificate errors, so you may want to loop this to auto-start in case of issues.

Custom execution hooks

The BBRF listener will also execute custom local scripts when it sees new or updated ips, domains, urls and/or services. It will automatically look for executable .sh files in the following locations:

~/.bbrf/hooks/ip/new/,
~/.bbrf/hooks/ip/update/,
~/.bbrf/hooks/domain/new/,
~/.bbrf/hooks/domain/update/,
~/.bbrf/hooks/url/new/,
~/.bbrf/hooks/url/update/,
~/.bbrf/hooks/service/new/,
~/.bbrf/hooks/service/update/,

For example, here is a custom execution hook that will resolve newly added domains and store the results back in BBRF. Find more examples in docs/hooks.

#!/bin/bash

#
# BBRF hook - save to ~/.bbrf/hooks/domain/new/resolve.sh
# and make sure it is executable: chmod +x resolve.sh
#

domains=$@

printf '%s\n' ${domains[@]} | dnsx -silent -a -resp | tr -d '[]' | tee \
      >(awk '{print $1":"$2}' | bbrf domain update -) \
      >(awk '{print $2":"$1}' | bbrf ip add - -p @INFER) \
      >(awk '{print $2":"$1}' | bbrf ip update -);

Proxy configuration

Since version 1.2, BBRF allows you to store and retrieve proxy configurations per program. This feature was designed to integrate with my OpenVPN via SOCKS5 proxy setup, but can be used with other proxy setups independently.

For example, configure your proxy settings in BBRF as follows:

# add a proxy with name 'hackerone' and a valid proxy URL
bbrf proxy set hackerone socks5://user:[email protected]:1080

Update a program's proxy settings with the custom tag proxy as follows:

# use the same name as the name of the configured proxy
bbrf program update my_hackerone_program -t proxy:hackerone

Get the proxy settings of a program with bbrf proxy -p my_hackerone_program. For example, you can update your automation scripts to always send traffic through the right proxy as follows:

# note that the use of double quotes will allow this to work even if no proxy is configured for the current program
curl -x "$(bbrf proxy)" ifconfig.co

bbrf-client's People

Contributors

Stargazers

Watchers

Forkers

jr69ss tracid56 ocakgun timb-machine-mirrors 3esawe hollow667 bbhunter slooppe chouaibhm peachycloudsecurity th3cyb3rc0p ihab000 hotelzululima zimshk spwn3r49sd3r00 tusharkeshav renniepak pdelteil pry0cc sadjy ndbrain yut0u fabiopw fatal0x45 inosec2 st3kz k-sau securestep9 masterbyteltd rangeldarosa z0mb13s3c sec99 athul1337 dr4gonw4ll matheusbbarni isarabia92 sandrogarcia cyal1 c002 datascientist1976 jgnmrtd afwu okaayfine kingofbugbounty gprime31 0xjeti raystyle unconfigured madusec silocityit facundozs gsatyadev tkmyles 5ub5i5t jimmymin aroly ascassinda abdilahrf excloudx6 chanpu9 sajeeshab xmardus wizardwa hxlxmjxbbxs kluo84 haka110 zeb0x01 divital-coder ronin-dojo wnltc rainclv schniggie redteamcloudinfra ramosslyz rrrrrx diamond-alliance kursadalsan kurogai rodriguezjorgex 0xbloody ghost00shell mdiqbalahmad arash16 0danteh oops4git conspiracy98 o3oskye nak000

bbrf-client's Issues

Unexpected behaviour adding domains when scope is only *.example.com

When starting with a new program and defining scope only with:

bbrf scope in add *.example.com

trying to add the domain example.com will fail.

For replying the behaviour try:

bbrf new example
bbrf use example
bbrf inscope add *.example.com
bbrf domain add example.com
bbrf domains

Output will be empty.

Errors when installing with pip3 install

Hi Honoki,

I was trying to install fresh copy of bbrf-client using new method using pip3 install bbrf (my VPS has both python2 and python3 installed).

But after installation I'm getting this error:

$ pip3 install bbrf
Collecting bbrf
  Cache entry deserialization failed, entry ignored
  Downloading https://files.pythonhosted.org/packages/b6/76/5b258579f087be9b418f6bf63400ccdae1cd34bb4680bf26e701601ccb27/bbrf-1.0.7-py3-none-any.whl
Collecting slackclient==1.3.2 (from bbrf)
  Cache entry deserialization failed, entry ignored
Collecting docopt (from bbrf)
  Cache entry deserialization failed, entry ignored
[...]
Installing collected packages: chardet, certifi, urllib3, idna, requests, six, websocket-client, slackclient, docopt, bbrf
Successfully installed bbrf-1.0.7 certifi-2020.12.5 chardet-4.0.0 docopt-0.6.2 idna-2.10 requests-2.25.1 six-1.15.0 slackclient-1.3.2 urllib3-1.26.3 websocket-client-0.54.0

$ bbrf
Traceback (most recent call last):
  File "/home/xxx/.local/bin/bbrf", line 7, in <module>
    from bbrf import main
ModuleNotFoundError: No module named 'bbrf'

[issue] not able to query programs using tags

Hello @honoki,
I have the following program:

> bbrf show program
{"_id":"domain","_rev":"4-d573602c57707b62902e6ba77993d56f","type":"program","disabled":false,
"passive_only":false,"inscope":"*.domain.com","*.domainmoney.com","*.domainmall.com",
"*.domainbank.com","domain.com","outscope":[],"tags":{"site":"self","reward":"money"}}

I was trying to query programs by tag in the following way: bbrf programs where site is self but I have no results.

Same happens with tag reward bbrf programs where reward is money I also tried using " and ' in tags names and key values.

Error while adding a tag to a new program

Commands

bbrf new 1testing -t site

Traceback (most recent call last):
  File "/home/kali/.local/bin/bbrf", line 8, in <module>
    sys.exit(main())
  File "/home/kali/.local/lib/python3.9/site-packages/bbrf/bbrf.py", line 986, in main
    result = bbrf.run()
  File "/home/kali/.local/lib/python3.9/site-packages/bbrf/bbrf.py", line 771, in run
    self.new_program()
  File "/home/kali/.local/lib/python3.9/site-packages/bbrf/bbrf.py", line 101, in new_program
    self.api.create_new_program(self.get_program(), tags=self.arguments['-t'])
  File "/home/kali/.local/lib/python3.9/site-packages/bbrf/bbrf_api.py", line 39, in create_new_program
    tag_map = {x.split(':', 1)[0]: x.split(':', 1)[1] for x in tags}
  File "/home/kali/.local/lib/python3.9/site-packages/bbrf/bbrf_api.py", line 39, in <dictcomp>
    tag_map = {x.split(':', 1)[0]: x.split(':', 1)[1] for x in tags}
IndexError: list index out of range

And then without the -t flag

> bbrf new 1testing
(no output)

add_documents gets called even if add_domains is empty

Try adding an out of scope domain.
in line https://github.com/honoki/bbrf-client/blob/master/bbrf.py#L246
add_documents gets called with empty add_domain object. Wasted call.

Unexpected behavior when multiple programs have overlapping services

Since the BBRF server stores services with their ip:port identifier, adding the same service when it is already assigned to another program will fail.

In practice, this might occur for either local IPs (although unlikely to be the result of a portscan), as well as when scanning shared infrastructure.

An improvement would be to either allow assigning more than one program to a single service, e.g. "program": ["one", "two"] rather than a single value "program": "one", and improving the server so it returns the document regardless of which program is specified.

[issue] adding domains fail due to colon

I was adding some domains and I had this error:

[ERROR] too many values to unpack (expected 2)

I discovered it was because of a IPv6 (therefore the : symbol)

Doing this solved the issue:

cat domains.txt | grep -v ":" | bbrf domain add - -s subfinder --show-new

Cann't add domain name same as program name

Hi, I usually create programs with the parent org's domain name for example

bbrf new yahoo.com
bbrf inscope add 'yahoo.com' -p yahoo.com
bbrf domain add yahoo.com -p yahoo.com

The last step always fails without error output in debug mode, is there a way around it, other than to rename all my program names? Thanks!

debug output:

┌──(root💀kali)-[~]
└─# bbrf domain add yahoo.com -p yahoo.com                                                                                                                                                   1 ⨯
[DEBUG] getting program scope
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): IP:PORT
DEBUG:urllib3.connectionpool:http://IP:PORT "GET /bbrf/yahoo.com HTTP/1.1" 200 3167
[DEBUG] getting program blacklist
[DEBUG] adding documents in bulk
DEBUG:urllib3.connectionpool:http://IP:PORT "POST /bbrf/_bulk_docs HTTP/1.1" 201 77

┌──(root💀kali)-[~]
└─# bbrf domains -p yahoo.com|egrep '^yahoo.com'
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): IP:PORT
DEBUG:urllib3.connectionpool:http://IP:PORT "GET /bbrf/_design/bbrf/_view/domains?reduce=false&key=%22yahoo.com%22 HTTP/1.1" 200 None

Feature request: support for services and nmap import

BBRF does not yet support services, which would be a nice addition to urls, ips and urls. The idea would be to store the results of network scans like nmap or masscan that discovered open services.

Inspiration for some supported attributes for services can be gathered from this nmap-to-mongo project:

ip
port
state
service
hostname
ostype
...

A useful unique key (_id) would likely be the concatenation of ip:port so that it can feed back into other scanners, e.g. like this:

# retrieve all known services (i.e. known open ports) and store URLs when the service is a valid HTTP service
bbrf services | httpx | bbrf url add - -t root:true

Thanks to @pry0cc for the valuable input!

add_domains does't show any error message

Try adding any out of scope domain
No error message is thown and nothing gets added as well

Feature: Discord alerts

Hi,

Really loving this tool, one feature I'd like to see is the ability to use Discord instead of Slack for alerts. This way people collaborating on Discord can have a more streamlined workflow instead of having to switch between applications.

Preferably this would be done with webhooks.

Thanks.

ImportError: attempted relative import with no known parent package

python3 bbrf.py 
Traceback (most recent call last):
  File "/home/kali/software/bbrf-client/bbrf/bbrf.py", line 48, in <module>
    from . import bbrf_api
ImportError: attempted relative import with no known parent package

After a fresh install. A workaround is removing "from ."

Canceled bbrf process keeps running on CouchDB

I have tested this situation many times:

Running a heavy process (deleting over 100k urls or domains)
Press Control + C
Processes on the CouchDB server keep running. Sometimes overloading the server.

I often need to restart the DB in order to get rid of the left over processes.
This might be the cause for the 'unknown error' described in another issue.

You need to select a program to execute this action.

I ran one of the examples and this is my output:

 bbrf new vzm
 bbrf inscope add '*.yahoo.com' '*.yahoo.be'
Traceback (most recent call last):
  File "/home/ubuntu/bbrf-client/bbrf.py", line 753, in <module>
    result = bbrf.run()
  File "/home/ubuntu/bbrf-client/bbrf.py", line 667, in run
    self.add_inscope(self.arguments['<element>'])
  File "/home/ubuntu/bbrf-client/bbrf.py", line 483, in add_inscope
    (inscope, outscope) = self.api.get_program_scope(self.get_program())
  File "/home/ubuntu/bbrf-client/bbrf.py", line 126, in get_program
    raise Exception('You need to select a program to execute this action.')
Exception: You need to select a program to execute this action.

urls cannot be matched by port number

Hi! Thanks for the new release! Really great job, again!

To the point... I don't know if I have this problem locally or not, but when trying to query all urls with certain port number with command like:
bbrf urls where port is 443, the command does not result any urls despite the fact that I most certainly have urls with port 443:
bbrf show https://test.xyz
..."hostname":"test.xyz","port":443, ...

However when trying to query with source or custom tag(s), it works flawlessly. Thanks again :)

Inconsistent behaviour for --show-disabled when getting bbrf scope

In general, the flags --all --show-disabled are meant to "return data from all programs, including disabled programs". For some reason, it seems I originally implemented bbrf scope in --all --show-disabled to mean "get scope of ONLY disabled programs.

This is inconsistent, which means I'll likely change this to either use a new flag --only-disabled, or to return scope of both enabled and disabled programs.

Feature request: Search

Sometimes I would like to know the program from which a domain is coming from, for example, somedomain.com

bbrf search domain somedomain.com

Output

> _Program

Search IP

bbrf search ip 1.1.1.1

Output

> Program0 Program1 ... Program n

Search URL

bbrf search http://www.test.com

Output
> Program_0

[Feature request] Verbose/debug flag

Sometimes I face errors like this one

Hostname could not be parsed, skipping http://

I have no idea what the hostname is or what might have cause the error.

I would be useful to increase the verbose level to show what hostname was giving troubles.

Feature request: Get all urls with query parameters

Hello! Thanks for the awesome tool, you guys have done a great job so far!

I think it would be great if one can query all urls with query parameters so its possible to feed them to another tool (think dalfox / sqlmap). At the moment the parameters are not returned when querying all urls:
bbrf urls

Since its storing the parameter values in array:
bbrf show https://hostwithqueryparams.xyz

{ ... "hostname": "hostwithqueryparams.xyz", "port": 443, "status": 200, "content_length": 298820, "query": [ "cat=1&catb=136", "product=4847" ] ...

The syntax could be:
bbrf urls -params

Which returns all urls with query parameters:
https://hostwithqueryparams.xyz?cat=1&catb=136
https://hostwithqueryparams.xyz?product=4847
...

Thanks! :)

[Feature request] Import inscope/outscope from Burp Suite Project Configuration file

Hello there @honoki

In Hackerone some programs have a Burp Suite Project Configuration file (example
shopify.txt) with the scope and outscope assests. It would be great to be able to import that file to bbrf.

add_domains doesn't add any value to database

I can add program, inscope, out scope, but I can't add domain to the program.
> bbrf show starbucks
{"_id":"starbucks","_rev":"2-6e239c74c5dc4d17055ab4cbe087c18d","type":"program","disabled":false,"passive_only":false,"inscope":["www.starbucks.com"],"outscope":[]}

When I type :
> bbrf domain add 1.starbucks.com -p starbucks
and then:
> bbrf domains
its output is none.

Feature request: mass add domains/urls across programs

At the moment, you can only add domains and URLs within a program (i.e. with he -p flag, or in the currently active program). It might be useful to have a "bulk add" feature that takes the input and adds it to any programs that match the input, regardless of the specified or active program. For example, this could look like:

cat urls_all.txt | bbrf url add - --cross-program
cat domains_all.txt | bbrf domain add - --cross-program

Feature Request: Update program tag

Sometimes I need to update or modify a program tag, ie:

bbrf new programX

bbrf new programX -update -t hackerone

bbrf update programX -t hackerone

Improve error handling

The error handling at the moment is not very clear, as the client just dumps the error to stdout. Ideally, the error message is concise and shows actionable information that will help the end user solve any potential issues.

[Issue] domain add fails due to incorrect domain formatting

I was running cat domains.txt |bbrf domain add - -s subfinder --show-new and got this error:

[ERROR] string indices must be integers

I found some domains (from subfinder) starting with '_', character that is not allowed.

It would be cool/nice to have a warning/error message when these type of formatting errors are found.

Unable to remove blacklist element

when trying to delete a blacklist element from a program, I get bellow error

$ bbrf blacklist add www.example.com -p example.com
$ bbrf blacklist remove www.example.com -p example.com
Traceback (most recent call last):
  File "/root/bbrf-client/bbrf.py", line 935, in <module>
    result = bbrf.run()
  File "/root/bbrf-client/bbrf.py", line 884, in run
    self.remove_blacklist(self.arguments['<element>'])
  File "/root/bbrf-client/bbrf.py", line 694, in remove_blacklist
    blacklist.delete(e)
AttributeError: 'list' object has no attribute 'delete'

[Issue] Exception: not_found

Hello there,

Managed to install CouchDB and the client, I needed to modify the file bbrf_api.py to allow requests to my server with a self-signed certificate, so I just added verify=False to all self.requests_session functions.

I manage to create programs and their scope/domains, but I can't retrieve them:

 > bbrf programs 

Traceback (most recent call last):
  File "/home/kali/software/bbrf-client/bbrf.py", line 828, in <module>
    result = bbrf.run()
  File "/home/kali/software/bbrf-client/bbrf.py", line 666, in run
    return self.list_domains(self.arguments['--all'])
  File "/home/kali/software/bbrf-client/bbrf.py", line 565, in list_domains
    return self.api.get_domains_by_program_name()
  File "/home/kali/software/bbrf-client/bbrf_api.py", line 45, in get_domains_by_program_name
    raise Exception(r.json()['error'])
Exception: not_found

> bbrf domains --all

Traceback (most recent call last):
  File "/home/kali/software/bbrf-client/bbrf.py", line 828, in <module>
    result = bbrf.run()
  File "/home/kali/software/bbrf-client/bbrf.py", line 666, in run
    return self.list_domains(self.arguments['--all'])
  File "/home/kali/software/bbrf-client/bbrf.py", line 565, in list_domains
    return self.api.get_domains_by_program_name()
  File "/home/kali/software/bbrf-client/bbrf_api.py", line 45, in get_domains_by_program_name
    raise Exception(r.json()['error'])
Exception: not_found

bbrf new OK 
/home/kali/software/bbrf-client/.env/lib/python3.9/site-packages/urllib3/connectionpool.py:981: InsecureRequestWarning: Unverified HTTPS request is being made to host 'info-sec.cl'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  warnings.warn(

What could be the problem?

Inaccurately handling data when providing multiple resolutions of the same domain

IP resolutions are not correctly parsed and stored when passing multiple <domain>:<ip> records for a single IP, which leads to innacuracies in the dataset.

E.g.:

bbrf domain add test.example.com:1.1.1.1 test.example.com:2.2.2.2
bbrf show test.example.com | jq
{
  "_id": "test.example.com",
  "_rev": "1-83edf0d0046f8dd062845c996aa8488f",
  "ips": [
    "2.2.2.2"
  ],
  "type": "domain",
  "program": "example"
}

Expected would be that both resolutions of the domain are stored.

Feature Request : Site Title and Webserver

First off, thanks so much for this awesome tool. Got txt files everywhere and this is a total lifesaver. Just started using it after watching you on Nahamcon.

At the moment URLs support status code and content length but it would be amazing to have the ability to pipe domains into httpx and store the site title, webserver and content type too. That way you can just query for any url that had XYZ in the title or Apache in the webserver.

Example httpx output:
http://sub.domain.com:80 [200] [178] [text/html] [I'm the title] [nginx]

Example command:
bbrf urls where title is "I'm the title"
bbrf urls where webserver is "nginx"

Again, thanks a million for this tool.

Feature request: filter a list of domains against the in/outscope and return matches

An example use case where this would be useful is if the outscope changes, and a number of domains in the database "become outscoped". BBRF does not retroactively remove those domains from the database (nor should it), but it would be nice to do something like bbrf domains | bbrf scope filter out to display the list of domains in the database that match the outscope.

As a result, it becomes easy to remove outscoped domains from the database:

bbrf domains | bbrf scope filter out | bbrf domain remove -

Filter urls/domains/ips by source

Hi @honoki,

I'm not sure if this feature maybe in your dev plans. So far I haven't found a way to query the data by source value.
I'm expecting something like this:

> bbrf urls where source is 'httpx'

> bbrf urls -s 'httpx'

[Issue] debug false doesn't work in config file

I was using the option "debug": "true" changed it to "debug": "false" but still shows the debug message.

Thanks.

Unexpected behavior when multiple programs have overlapping scope

There is currently a known issue when configuring multiple programs with overlapping scope to a single bbrf instance, when trying to add a domain to each of the programs.

For example, when program1 and program2 both have *.example.com in their inscope, the command bbrf domain add www.example.com -p program1 will add a new document with identifier www.example.com to the database, and a subsequent bbrf domain add www.example.com -p program2 will silently fail without adding the new document, because a document with the same key already exists.

As a result, listing domains for program 2 with bbrf domains -p program2 will not include www.example.com.

A possible solution would be to store program names as part of the document key, but this introduces a number of other disadvantages. Another solution might be to issue a warning when specifying a scope that overlaps with the scope of another program.

Feature: Search by keyword

Ability to search db by keywords
example:

> bbrf domains -p vzm -s omega
something.omega.gq1.yahoo.com
omega.gq1.yahoo.com
gq1.something.omega.yahoo.com

[Question] How do I delete a program?

I don't see the option on the bbrf client.

Feature request: add custom properties to documents

By supporting custom properties to be set for documents, you could specify e.g. the platform a program belongs to or the name of a team member that added a bunch of new domains.

This could look as follows:

bbrf new example --set platform:intigriti
bbrf domain add 'www.example.com' --set added_by:pieter 'comment:just stumbled across this'

This probably requires some checks on property names to ensure the integrity of the information, e.g. no reserved keywords like id, _id, _rev or bbrf-related fields like domains, ips, url, type, etc. should be allowed.

[WARNING] `bbrf program list` will be deprecated in 1.0.8

Instead, ensure you use bbrf programs to list all programs, compatible with the where syntax to query custom tags on programs:

# add tags when creating a program
bbrf new example -t priority:high -t platform:hackerone

# filter programs on custom tags
bbrf programs where platform is hackerone
bbrf programs where priority is high

# update program tags with a new command
bbrf program update example -t priority:low
# or remove tags as follows
bbrf program update example -t priority:
# or update multiple programs in-line:
bbrf program update example example2 -t custom:tag
# to add a custom tag to all programs at once:
bbrf programs | bbrf program update - -t custom:tag

Collision handling

Hello,

I've been using bbrf and i have the following situation:

*.example.com is in scope
www.example.com is out of scope

What do will bbrf do in this particular case? is outscope "stronger" than in? In my particular case i filled inscope of several programs automatically, then i checked for example.com program and filled out of scope after adding www.example.com as a valid domain and url. Then when added www.example.com to out of scope, bbrf kept showing www.example.com when using bbrf urls.

If this is intended behaviour, could bbrf outscope add remove both domains and urls?

Thanks in advance

Error when adding domain with the tag option

Hi,
I get bellow error when I try to add a domain to a program with the tag option -t:

# bbrf domain add www.example.com -p example.com -t test
Traceback (most recent call last):
  File "/root/bbrf-client/bbrf.py", line 935, in <module>
    result = bbrf.run()
  File "/root/bbrf-client/bbrf.py", line 765, in run
    return self.add_domains(self.arguments['<domain>'])
  File "/root/bbrf-client/bbrf.py", line 255, in add_domains
    success, _ = self.api.add_documents('domain', add_domains, self.get_program(), source=self.arguments['-s'], tags=self.arguments['-t'])
  File "/root/bbrf-client/bbrf_api.py", line 233, in add_documents
    tag_map = {x.split(':', 1)[0]: x.split(':', 1)[1] for x in tags}
  File "/root/bbrf-client/bbrf_api.py", line 233, in <dictcomp>
    tag_map = {x.split(':', 1)[0]: x.split(':', 1)[1] for x in tags}
IndexError: list index out of range

Feature: Fetch entire scope

Currently we can do bbrf program scope --wildcard to fetch the domains in scope for the active program, but unless I've missed something there isn't a way to fetch all domains in scope for all programs. This makes automation difficult without looping over each domain and setting it with bbrf use.

slow processing using where source

It takes more than a minute to execute:

> bbrf urls -p PROGRAM where source is 'httpx'

Debug command (~ 326K urls):

> time curl $(jq -r .couchdb ~/.bbrf/config.json)'/_design/bbrf/_view/search_tags?key=\["source","httpx"\]' -i -u bbrf:password


 % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                Dload  Upload   Total   Spent    Left  Speed
100 22.7M    0 22.7M    0     0  3892k      0 --:--:--  0:00:05 --:--:-- 3883k

real	0m6.034s
user	0m0.315s
sys	0m0.260s

[Issue] Inconsistency while using where source

I was testing the use of this syntax to retrieve urls by source:

> bbrf urls -p PROGRAM where source is 'httpx'

It takes some time (more than 1 minute, but it works)

But, if I do the following:

bbrf use PROGRAM

bbrf urls where source is 'httpx'

It retrieves all urls (from all programs with the source 'httpx')

I'm using v1.1.7 and the latest server update.

[Issue] Scope not updated (no errors/warnings)

I was adding some urls after defining a the scopes and some were rejected due to the domain name not being in scope.
Then I realized the scope was not updated because it contains upper case letters.

> bbrf inscope add bugcrowdcontentAPI.site.cloud
[DEBUG] getting program scope
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): XX:6984
DEBUG:urllib3.connectionpool:XX:6984 "GET /bbrf/Softdocs HTTP/1.1" 200 176

> bbrf scope in
[DEBUG] getting program scope
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): XX:6984
DEBUG:urllib3.connectionpool:https://XX:6984 "GET /bbrf/Softdocs HTTP/1.1" 200 176

Then using api instead of API

> bbrf inscope add bugcrowdcontentapi.site.cloud
[DEBUG] getting program scope
truncated ...
[DEBUG] updating program scope
truncated ...

> bbrf scope in
[DEBUG] getting program scope
truncated ...
bugcrowdcontentapi.site.cloud

I guess case sensitivity in domain names should be ignored or warned.

Updating a nonexistent program does not issue warning

When you update an nonexistent program BBRF gives an empty response.

In debug mode, when the program exists displays POST /bbrf/_bulk_docs HTTP/1.1

It would be useful to have an error message for when you enter a typo and don't check the updated info.

Ability to add a domain without the need to explicitly using the -p option

Hi, it would be great if we can just use the bbrf domain add asdf.example.com and bbrf add it to the matching program without the need to use the -p option

[Feature request] Include tags in bbrf show

A common task for me is to discover where a subdomain/url is coming from (program + platform) it would be super useful to have something like this:

> bbrf show domain.example -t 

{"_id":"domain.example","_rev":"2-f0XXXX4226734cf9da7002e6","ips":["91.199.XX.XX"],"program":"Program","type":"domain","source":"subfinder", "tags": "key:value" }

Thanks!

Feature request: Get all domains/urls/ip from enabled programs only

It might be something like:

bbrf urls --enabled or that by default bbrf url with print only the urls from enabled programs and using --all will retrieve them all. Same with domains and ips.

[issue] Problem using symbol in program name

Hi @honoki,

A collaborator created a program with name 'AT&T' (using bbrf new "AT&T"). The program was created correctly and we could add domains, but other functions failed:

bbrf use "AT&T" Worked

> bbrf domains
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1)
DEBUG:urllib3.connectionpool: "GET /bbrf/_design/bbrf/_view/domains?reduce=false&key=%22AT&T%22 HTTP/1.1" 400 54
[ERROR] 'rows'

> bbrf urls
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1)
DEBUG:urllib3.connectionpool: "GET /bbrf/_design/bbrf/_view/urls_by_program?reduce=false&key=%22AT&T%22 HTTP/1.1" 400 54
[ERROR] 'rows'

It would be easy for me to recreate the program without the symbol, I just wanted to point it out.

Issue when adding domains

if sub list contains colons bbrf would consider it resolved and will add it to resolved list

[Issue] Problem loading big amount of domains

I'm trying to add a big program, around 5.5 million domains, the inscope and outscope are big also.

I don't know why it's failing, this is what I tried:

cat domains-big.txt | bbrf domain add - -s subfinder --show-new

Doesn't add any domain nor output any error.

If I do this sed -n '50001 ,100000p' domains-big.txt| bbrf domain add - -s subfinder --show-new

I get this error "[ERROR] local variable 'success' referenced before assignment"

The same error doing:

awk 'NR > 50000 && NR <= 100000' domains-big.txt | bbrf domain add - -s subfinder --show-new

Any idea why this might happen?