The client component of the Bug Bounty Reconnaissance Framework (BBRF) is intended to facilitate the workflows of security researchers across multiple devices.
Read the blog post: https://honoki.net/2020/10/08/introducing-bbrf-yet-another-bug-bounty-reconnaissance-framework/
The primary function of the client is providing easy access to information that is stored in a centralized BBRF document store. For example, to quickly create and initialize a new program with a couple of domains, you can try:
# create a new program
bbrf new vzm
bbrf inscope add '*.yahoo.com' '*.yahoo.be'
bbrf domain add www.yahoo.com www.yahoo.be
To add a list of ips from a file or other program, you can pipe into bbrf
:
bbrf use vzm
cat ips.txt | bbrf ip add -
Now, to list all known domains belonging to the active program:
bbrf domains
To use the bbrf client, make sure you set up the bbrf server first. The tool was built to work with the document-based database CouchDB. Below is a suggested way of deploying, but YMMV.
-
Deploy the CouchDB image from Bitnami from the AWS Marketplace or using docker:
curl -sSL https://raw.githubusercontent.com/bitnami/bitnami-docker-couchdb/master/docker-compose.yml > docker-compose.yml docker-compose up -d
-
My current setup runs on a
t3a.small
tier in AWS and seems to effortlessly support 116 thousand documents at the time of writing; -
I strongly suggest enabling (only) https on your server;
-
When up and running, browse to the web interface on
https://<your-instance>:6984/_utils/#/_all_dbs
and check if everything's OK -
Create the
bbrf
user (additional documentation here) via curl:COUCHDB=https://<yourinstance>:6984/ curl -X PUT $COUCHDB"_users" \ -u admin:password curl -X PUT curl -X PUT $COUCHDB"/_users/org.couchdb.user:bbrf" \ -u admin:password \ -H "Accept: application/json" \ -H "Content-Type: application/json" \ -d '{"name": "bbrf", "password": "<choose a decent password>", "roles": [], "type": "user"}'
-
Create a new database called
bbrf
:curl -X PUT $COUCHDB"bbrf" \ -u admin:password
-
Grant access rights to the new database:
curl -X PUT $COUCHDB"bbrf/_security" \ -u admin:password \ -d "{\"admins\": {\"names\": [\"bbrf\"],\"roles\": []}}"
-
Configure the required views via curl:
curl -X PUT $COUCHDB"bbrf/_design/bbrf" \ -u admin:password \ -H "Content-Type: application/json" \ -d @views.json
Thanks to @plenumlab, you can run the following for an easy out-of-the-box installation of the CouchDB server. Run this on the VPS where you want to install the server. This script requires Docker.
git clone https://github.com/honoki/bbrf-client
cd bbrf-client
chmod +x server-install.sh
./server-install.sh
Now you have a server up and running, go ahead and clone this repository.
git clone https://github.com/honoki/bbrf-client
cd bbrf-client
virtualenv --python=python3 .env && source .env/bin/activate && pip install -r requirements.txt
Register the function bbrf
in your .bash_profile
(or whichever shell you use):
function bbrf() {
source ~/bbrf-client/.env/bin/activate;
python ~/bbrf-client/bbrf.py "$@"
deactivate
}
Create a file ~/.bbrf/config.json
with the required configuration:
{
"username": "bbrf",
"password": "<your secure password>",
"couchdb": "https://<your-instance>:6984/bbrf",
"slack_token": "<a slack token to receive notifications>"
}
Usage:
bbrf (new|use) <program> [--disabled --passive-only]
bbrf program (list|active|scope [--wildcard [--top]] [-p <program>])
bbrf domains [--view <view>] [-p <program> --all]
bbrf domain (add|remove|update) ([-] | <domain>...) [-p <program>] [-s <source>]
bbrf ips [--view <view>] [-p <program> | --all]
bbrf ip (add|remove|update) ([-] | <ip>...) [-p <program>] [-s <source>]
bbrf (inscope|outscope) (add|remove) ([-] | <element>...) [-p <program>]
bbrf blacklist (add|remove) ([-] | <element>...) [-p <program>]
bbrf run <task> [-p <program>]
bbrf show <document>
bbrf listen
bbrf alert <message> [-s <source>]
bbrf --version
Create and configure a new program with a defined scope:
When adding domains to your database, note that bbrf
will automatically remove duplicates and check against the defined scope.
Integrate with recon tools you already know and love:
Resolve domains with massdns
, format with awk
, and save results with bbrf
:
bbrf domains --view unresolved | \
massdns -t A -o Snlqr -r resolvers.txt | \
# reformat output to put query and response on the same line for grepping
awk -v FS="\n" -v RS="\n\n" '{print $1";"$2}' | \
# pipe output to multiple greps
tee \
>(grep ' A ' | awk -F' ' '{print $4":"$7}' | bbrf domain update -) \
>(grep ' A ' | awk -F' ' '{print $7":"$4}' | bbrf ip add - -s massdns) \
>(grep ' A ' | awk -F' ' '{print $7":"$4}' | bbrf ip update -);
In order to process changes and alerts as they are pushed to the data store, you need to have an active listener running somewhere: bbrf listen
This will start listening for changes and push alerts to your configured Slack instance.
The bbrf client can be deployed in AWS Lambda via the Serverless framework.
> cd bbrf-client
> sls deploy
Serverless: Generated requirements from /.../bbrf-client/requirements.txt in /.../bbrf-client/.serverless/requirements.txt...
Serverless: Using static cache of requirements found at /root/.cache/serverless-python-requirements/d4b86359825bfe10a33e24ee5e467c63305fbf34f10b8a76fd27bbaac517bdb5_slspyc ...
Serverless: Packaging service...
Serverless: Excluding development dependencies...
Serverless: Injecting required Python packages to package...
Serverless: Uploading CloudFormation file to S3...
Serverless: Uploading artifacts...
Serverless: Uploading service bbrf.zip file to S3 (1.28 MB)...
Serverless: Validating template...
Serverless: Updating Stack...
Serverless: Checking Stack update progress...
..............
Serverless: Stack update finished...
Service Information
service: bbrf
stage: dev
region: us-east-1
stack: bbrf-dev
resources: 11
api keys:
None
endpoints:
POST - https://[redacted].execute-api.us-east-1.amazonaws.com/dev/bbrf
functions:
bbrf: bbrf-dev-bbrf
layers:
None
Serverless: Removing old service artifacts from S3...
Serverless: Run the "serverless" command to setup monitoring, troubleshooting and testing.
Now you can interact with the client via the Lambda API Gateway as follows:
> curl https://[redacted].execute-api.us-east-1.amazonaws.com/dev/bbrf -d 'task=domains -p vzm'
aa.calendar.yahoo.com
address.news.yahoo.com
admin.finance.yahoo.com
ads.finance.yahoo.com
alpha.news.yahoo.com
api-sched-v3.admanagerplus.yahoo.com