Integrating with additional scanners

[joostgrunwald]

Description
Hey there, love this tool, I have some ideas/additions which I would build myself if I only had the time.... :

• The Nuclei tool is ran with default setting of stopping a scan of a target after its unreachable for 30 requests, if you put this number a little higher (say 100), in my experience that keeps you from stopping some scans that you do not need to stop.
• I saw that wpscan is implemented, in my experience wpscan requires an API key, you can get the same functionality as premium wpscan with nuclei for free! Using the following set of templates on wordpress hosts: https://github.com/topscoder/nuclei-wordfence-cve
• some internetdb vulnerabilities are verified, as in proven. You could add these as vulnerabilities instead of findings: https://www.shodan.io/search/facet?query=net%3A0%2F0&facet=vuln.verified
• retirejs would be a great addition for javascript vulnerabilities

[TheTechromancer]

Hey @joostgrunwald thanks for these observations.

The Nuclei tool is ran with default setting of stopping a scan of a target after its unreachable for 30 requests

It wouldn't be hard to make -max-host-error configurable for the BBOT nuclei module. We're already passing through several options like concurrency, ratelimit, etc.

same functionality as premium wpscan with nuclei for free

Wow interesting. I'm curious to test that out. @TheFunky1Markimark @domwhewell-sage

some internetdb vulnerabilities are verified

If there's a way to programatically pull an updated list of these without an API key, that would be a good feature to add.

retirejs would be a great addition for javascript vulnerabilities

#1684

[joostgrunwald]

“If there's a way to programatically pull an updated list of these without an API key, that would be a good feature to add” they have been static for around a year, only thing I can think of is hardcoding them.

some more ideas:

• in my experience wappalyzer works way better in browser then via CLI, (like insane difference) I have been looking for a way to use it in browser vut cant seem to get selenium to access browser plugins, might be an interesting idea to do something with this tho.
• Nuclei has tech detect fingerprints you could use to improve your technology fingerprinting maybe?
• Hydra could be a good integration for password checking? Or some more network based default/common password tools like for example SNMP community strings that you are missing now.
• There seems to be no difference (I might be mistaken) between dns records and live subdomains, If I test the subdomain output more then half is offline, maybe its good to differentiate between dns records and websites
• nuclei also has fuzzer templates you can use if you have parameters (paraminer for the win) to find vulns related to sqli/xss/etc which might be usefull
• google tsunami could be a good integration, openvas could be another one
• HaveIbeenPwned could be a good integration (although paid) as enrichment of the email collection. (We do this in post processing now)
• if you find emails existing, you could then check for spf, dkim, dmarc dns-sec
• testssl could be good integration for ssl related vulns and more in depth cipher testing

Just some ideas from my personal experience, feel free to throw some away. If I have an intern in the future, could it be good option to send him/her your way to help with development?

[TheTechromancer]

wappalyzer works way better in browser

This is true. The python wappalyzer library is pretty out-of-date, too. The current plan is to retire gowitness in favor of a native chromium+devtools implementation, which hopefully will let us use the web extension.

Nuclei has tech detect fingerprints

BBOT's nuclei module will already raise these as TECHNOLOGY events.

password checking

We are looking for someone to write this module. Legba looks like it could be a good alternative to hydra.

dns records and live subdomains

BBOT does not emit unresolved subdomains (unless you tell it to). If you're looking for subdomains with actual web servers, the event type you want is URL.

paraminer for the win

We have dedicated paramminer modules for cookies, get params, and headers.

spf, dkim, dmarc dns-sec

@colin-stubbs is working on this.

help with development

We have no shortage of ideas, but only a few contributors. Help with these new features would speed them up considerably, since most of my time is spent maintaining the core scanner. It's always appreciated!

[joostgrunwald]

This is true. The python wappalyzer library is pretty out-of-date, too. The current plan is to retire gowitness in favor of a https://github.com/blacklanternsecurity/bbot/discussions/698, which hopefully will let us use the web extension. Wonderfull idea, maybe smart to keep that in consideration for your retirejs implementation as well, as you can fix that in the same way then.

We have dedicated paramminer modules for cookies, get params, and headers. Yes I know that, but you could fuzz the parameters you find with the nuclei fuzzing templates automatically.

We have no shortage of ideas, but only a few contributors. Help with these new features would speed them up considerably, since most of my time is spent maintaining the core scanner. It's always appreciated! - That is really nice, I will get back to this

[TheTechromancer]

fuzz the parameters you find with the nuclei

Ah I see, that's really interesting.

@liquidsec have you seen these? They might be a goldmine for lightfuzz.

[liquidsec]

fuzz the parameters you find with the nuclei

Ah I see, that's really interesting.

@liquidsec have you seen these? They might be a goldmine for lightfuzz.

That's a good call out. I do want to try to avoid blasting things with too many requests (it is called lightfuzz for a reason) but theres absolutely some good stuff in there, I am going to have to go through all of those