Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 10 additions & 1 deletion bbot/cli.py
Original file line number Diff line number Diff line change
Expand Up @@ -232,9 +232,18 @@ async def _main():
if stdin_is_tty:
# warn if any targets belong directly to a cloud provider
if not scan.preset.strict_scope:
from cloudcheck import CloudCheckError

for event in scan.target.seeds.event_seeds:
if event.type == "DNS_NAME":
cloudcheck_result = await scan.helpers.cloudcheck.lookup(event.host)
# a cloudcheck failure here (e.g. signatures couldn't be
# fetched) shouldn't abort the scan — this is only a
# pre-scan heads-up, so warn and move on
try:
cloudcheck_result = await scan.helpers.cloudcheck.lookup(event.host)
except CloudCheckError as e:
scan.warning(f"Unable to check whether {event.host} is a cloud domain: {e}")
cloudcheck_result = None
if cloudcheck_result:
scan.hugewarning(
f'YOUR TARGET CONTAINS A CLOUD DOMAIN: "{event.host}". You\'re in for a wild ride!'
Expand Down
3 changes: 2 additions & 1 deletion bbot/core/helpers/helper.py
Original file line number Diff line number Diff line change
Expand Up @@ -155,7 +155,8 @@ def cloudcheck(self):
if self._cloudcheck is None:
from cloudcheck import CloudCheck

self._cloudcheck = CloudCheck()
ssl_verify = self.web_config.get("ssl_verify_infrastructure", True)
self._cloudcheck = CloudCheck(verify_ssl=ssl_verify)
return self._cloudcheck

def bloom_filter(self, size):
Expand Down
19 changes: 17 additions & 2 deletions bbot/modules/internal/cloudcheck.py
Original file line number Diff line number Diff line change
Expand Up @@ -27,8 +27,23 @@ class CloudCheck(BaseInterceptModule):
_lookup_cache_size = 100_000

async def setup(self):
# perform a test lookup during setup to force signature update
await self.helpers.cloudcheck.lookup("8.8.8.8")
# perform a test lookup during setup to force signature update.
# if cloudcheck can't fetch its signatures (e.g. network/TLS problem,
# offline), don't crash the scan — degrade gracefully. cloud tagging
# by IP/domain will be unavailable, but static storage-bucket regexes
# (loaded from the cloudcheck package below) and per-event lookups
# (already wrapped in try/except) keep working.
from cloudcheck import CloudCheckError

try:
await self.helpers.cloudcheck.lookup("8.8.8.8")
except CloudCheckError as e:
self.warning(
f"Failed to load cloud provider signatures ({e}); continuing with cloud detection degraded. "
f"If this is caused by a TLS-intercepting proxy on a network you trust, you can set "
f"ssl_verify_infrastructure: false to allow the fetch — note this turns off certificate "
f"verification for non-target traffic, so only do so if you understand the risk."
)
# build the storage-bucket regexes + the YARA prefilter eagerly so we
# don't pay an asyncio.Lock acquire on every handle_event
self._storage_bucket_regexes, self._bucket_yara = self._build_bucket_matchers()
Expand Down
4 changes: 2 additions & 2 deletions pyproject.toml
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ dependencies = [
"orjson>=3.10.12,<4",
"ansible-core>=2.17,<3",
"tldextract>=5.3.0,<6",
"cloudcheck>=10.0.0,<11",
"cloudcheck>=11.1.0,<12",
"blasthttp>=0.9.0",
"blastdns>=1.9.0,<2",
"zstandard>=0.22,<1",
Expand Down Expand Up @@ -79,7 +79,7 @@ dev = [
"fastapi>=0.115.5,<0.137.0",
"pytest-httpx>=0.35",
"pytest-benchmark>=4,<6",
"baddns~=2.4.0",
"baddns~=2.4.1",
"ruff==0.15.18",
"maturin>=1.4,<2",
]
Expand Down
Loading
Loading