Add dnsdmarc module, address #1626 by colin-stubbs · Pull Request #2044 · blacklanternsecurity/bbot

colin-stubbs · 2024-11-29T06:00:03Z

Adds dnsdmarc module, refer to blacklanternsecurity/baddns#629 for more info.

Addresses blacklanternsecurity/baddns#629, partial relevance to #1682

I feel this needs some review, particularly for the VULNERABILITY events that are emitted.

e.g.

VULNERABILITY data content, and context field content/format
VULNERABILITY events, e.g. some of my events are edging into misconfiguration situations, where there might be a potential to spoof the domain but only via a small sub-set of some intermediate mail servers and to some destination domains only.

For anyone reviewing, the following domains and sample scan outputs/events are worth considering.

Sample scans/events,

apple.com, RUA+RUF email addresses, no vulnerabilities.

[DNS_NAME]              apple.com       TARGET  (domain, in-scope, target)
[SCAN]                  test (SCAN:2b5a6fcf955753ec8b8e190ecafb97dd8dcc4e5d)    TARGET  (target)
[EMAIL_ADDRESS]         d@ruf.agari.com dnsdmarc        (distance-1)
[EMAIL_ADDRESS]         d@rua.agari.com dnsdmarc        (distance-1)
[RAW_DNS_RECORD]        {"answer": "\"v=DMARC1; p=quarantine; sp=reject; rua=mailto:d@rua.agari.com; ruf=mailto:d@ruf.agari.com;\"", "host": "_dmarc.apple.com", "type": "TXT"}        dnsdmarc        (in-scope, subdomain)
[INFO] Finishing scan
[SCAN]                  test (SCAN:2b5a6fcf955753ec8b8e190ecafb97dd8dcc4e5d)    TARGET
[SUCC] Scan test completed in 1 second with status FINISHED
[INFO] aggregate: +----------+---------------------------------------+----------------+
[INFO] aggregate: | Module   | Produced                              | Consumed       |
[INFO] aggregate: +==========+=======================================+================+
[INFO] aggregate: | dnsdmarc | 3 (2 EMAIL_ADDRESS, 1 RAW_DNS_RECORD) | 1 (1 DNS_NAME) |
[INFO] aggregate: +----------+---------------------------------------+----------------+

mastodon.social, RUA email only, sub-domains likely vulnerable to spoofing in some way,

[SCAN]                  test (SCAN:bc8d4c5e4cc25d93ab17cc1fcb5b7edc64568f1a)    TARGET  (target)
[DNS_NAME]              mastodon.social TARGET  (domain, in-scope, target)
[EMAIL_ADDRESS]         re+qkqn5debzpq@dmarc.postmarkapp.com    dnsdmarc        (distance-1)
[VULNERABILITY]         {"description": "DMARC subdomain policy is report-only", "host": "_dmarc.mastodon.social", "severity": "HIGH"}  dnsdmarc        (high, in-scope)
[VULNERABILITY]         {"description": "DMARC subdomain policy is report-only", "host": "_dmarc.mastodon.social", "severity": "HIGH"}  dnsdmarc        (high, in-scope)
[RAW_DNS_RECORD]        {"answer": "\"v=DMARC1; p=quarantine; pct=100; rua=mailto:re+qkqn5debzpq@dmarc.postmarkapp.com; sp=none; aspf=r;\"", "host": "_dmarc.mastodon.social", "type": "TXT"}  dnsdmarc        (in-scope, subdomain)
[INFO] Finishing scan
[SCAN]                  test (SCAN:bc8d4c5e4cc25d93ab17cc1fcb5b7edc64568f1a)    TARGET
[SUCC] Scan test completed in 1 second with status FINISHED
[INFO] aggregate: +----------+-----------------------------------------+----------------+
[INFO] aggregate: | Module   | Produced                                | Consumed       |
[INFO] aggregate: +==========+=========================================+================+
[INFO] aggregate: | dnsdmarc | 3 (1 EMAIL_ADDRESS, 1 RAW_DNS_RECORD, 1 | 1 (1 DNS_NAME) |
[INFO] aggregate: |          | VULNERABILITY)                          |                |
[INFO] aggregate: +----------+-----------------------------------------+----------------+

mastodon.com ( a common mistake when trying to get to mastodon's web presence and what I'd use if I wanted to appear to be sending emails from "Mastodon" ;-) ), no DMARC policy, spoofability limited only by SPF.

[SCAN]                  test (SCAN:9107d239ea8b88b3eceeac7a442953dfbfc2a7bf)    TARGET  (target)
[DNS_NAME]              mastodon.com    TARGET  (domain, in-scope, target)
[VULNERABILITY]         {"description": "DMARC policy absent for this domain", "host": "_dmarc.mastodon.com", "severity": "HIGH"}       dnsdmarc        (high, in-scope)
[VULNERABILITY]         {"description": "DMARC policy absent for this domain", "host": "_dmarc.mastodon.com", "severity": "HIGH"}       dnsdmarc        (high, in-scope)
[INFO] Finishing scan
[SCAN]                  test (SCAN:9107d239ea8b88b3eceeac7a442953dfbfc2a7bf)    TARGET
[SUCC] Scan test completed in 1 second with status FINISHED
[INFO] aggregate: +----------+---------------------+----------------+
[INFO] aggregate: | Module   | Produced            | Consumed       |
[INFO] aggregate: +==========+=====================+================+
[INFO] aggregate: | dnsdmarc | 1 (1 VULNERABILITY) | 1 (1 DNS_NAME) |
[INFO] aggregate: +----------+---------------------+----------------+

33across.com - totally default "report-only" policy except there's no RUA or RUF destination provided.

[DNS_NAME]              33across.com    TARGET  (domain, in-scope, target)
[SCAN]                  test (SCAN:bbc1f649de808be68227cea7b7314efaba738fdb)    TARGET  (target)
[RAW_DNS_RECORD]        {"answer": "\"v=DMARC1; p=none;\"", "host": "_dmarc.33across.com", "type": "TXT"}       dnsdmarc        (in-scope, subdomain)
[VULNERABILITY]         {"description": "DMARC policy action is valid but reporting destinations were not provided, DMARC policy is report-only, DMARC subdomain policy is report-only", "host": "_dmarc.33across.com", "severity": "HIGH"}    dnsdmarc        (high, in-scope)
[VULNERABILITY]         {"description": "DMARC policy action is valid but reporting destinations were not provided, DMARC policy is report-only, DMARC subdomain policy is report-only", "host": "_dmarc.33across.com", "severity": "HIGH"}    dnsdmarc        (high, in-scope)
[INFO] Finishing scan
[SCAN]                  test (SCAN:bbc1f649de808be68227cea7b7314efaba738fdb)    TARGET
[SUCC] Scan test completed in 1 second with status FINISHED
[INFO] aggregate: +----------+---------------------------------------+----------------+
[INFO] aggregate: | Module   | Produced                              | Consumed       |
[INFO] aggregate: +==========+=======================================+================+
[INFO] aggregate: | dnsdmarc | 2 (1 RAW_DNS_RECORD, 1 VULNERABILITY) | 1 (1 DNS_NAME) |
[INFO] aggregate: +----------+---------------------------------------+----------------+

adriver.ru - wildcard TXT responses are also returned, dnsdmarc module correctly ignores them for anything other than RAW_DNS_RECORD events.

[DNS_NAME]              adriver.ru      TARGET  (domain, in-scope, target)
[SCAN]                  test (SCAN:fd54116763a850a499f2945becbfcd6cb35f83c7)    TARGET  (target)
[RAW_DNS_RECORD]        {"answer": "\"2020040312194959zvnhbfxebxmwxs7t6xe17fbx2sp0qlpruffxhtgzv3aa9soc\"", "host": "_dmarc.adriver.ru", "type": "TXT"}  dnsdmarc       (in-scope, subdomain)
[RAW_DNS_RECORD]        {"answer": "\"v=DMARC1; p=quarantine; adkim=s; aspf=s\"", "host": "_dmarc.adriver.ru", "type": "TXT"}   dnsdmarc        (in-scope, subdomain)
[RAW_DNS_RECORD]        {"answer": "\"google-site-verification=598_Ywu-Dtocax-loOFzuTXN8s8BxQ_vFvy5tFBJMRg\"", "host": "_dmarc.adriver.ru", "type": "TXT"}    dnsdmarc (in-scope, subdomain)
[RAW_DNS_RECORD]        {"answer": "\"MS=08039FDF681B72D2F0795C8D4D144EEA25D43FEE\"", "host": "_dmarc.adriver.ru", "type": "TXT"}       dnsdmarc        (in-scope, subdomain)
[VULNERABILITY]         {"description": "DMARC policy action is valid but reporting destinations were not provided", "host": "_dmarc.adriver.ru", "severity": "HIGH"}  dnsdmarc        (high, in-scope)
[VULNERABILITY]         {"description": "DMARC policy action is valid but reporting destinations were not provided", "host": "_dmarc.adriver.ru", "severity": "HIGH"}  dnsdmarc        (high, in-scope)
[INFO] Finishing scan
[SCAN]                  test (SCAN:fd54116763a850a499f2945becbfcd6cb35f83c7)    TARGET
[SUCC] Scan test completed in 1 second with status FINISHED
[INFO] aggregate: +----------+---------------------------------------+----------------+
[INFO] aggregate: | Module   | Produced                              | Consumed       |
[INFO] aggregate: +==========+=======================================+================+
[INFO] aggregate: | dnsdmarc | 5 (4 RAW_DNS_RECORD, 1 VULNERABILITY) | 1 (1 DNS_NAME) |
[INFO] aggregate: +----------+---------------------------------------+----------------+

w55c.net - RFC non-compliant DMARC policy due to v=DMARC; instead of v=DMARC1; and extra " at end of TXT content.

[SCAN]                  test (SCAN:bd37b7cee0c02efa6e4e121053641b3f980cf6b7)    TARGET  (target)
[DNS_NAME]              w55c.net        TARGET  (domain, in-scope, target)
[RAW_DNS_RECORD]        {"answer": "\"v=DMARC; p=reject; rua=mailto:dmarc-reporting@roku.com; ruf=mailto:dmarc-reporting@roku.com; sp=reject; aspf=s; fo=0:1:d:s;\\\"\"", "host": "_dmarc.w55c.net", "type": "TXT"}    dnsdmarc        (in-scope, subdomain)
[VULNERABILITY]         {"description": "DMARC policy is not parsable and may not be utilised by third parties, domain may be spoofable to some destinations", "host": "_dmarc.w55c.net", "severity": "HIGH"}  dnsdmarc        (high, in-scope)
[VULNERABILITY]         {"description": "DMARC policy is not parsable and may not be utilised by third parties, domain may be spoofable to some destinations", "host": "_dmarc.w55c.net", "severity": "HIGH"}  dnsdmarc        (high, in-scope)
[INFO] Finishing scan
[SCAN]                  test (SCAN:bd37b7cee0c02efa6e4e121053641b3f980cf6b7)    TARGET
[SUCC] Scan test completed in 1 second with status FINISHED
[INFO] aggregate: +----------+---------------------------------------+----------------+
[INFO] aggregate: | Module   | Produced                              | Consumed       |
[INFO] aggregate: +==========+=======================================+================+
[INFO] aggregate: | dnsdmarc | 2 (1 RAW_DNS_RECORD, 1 VULNERABILITY) | 1 (1 DNS_NAME) |
[INFO] aggregate: +----------+---------------------------------------+----------------+

onenote.net - wildcard SPF TXT response only, no DMARC policy.

[DNS_NAME]              onenote.net     TARGET  (domain, in-scope, target)
[SCAN]                  test (SCAN:4ff923028044a55d7b64d54f6c33df48ee3b740c)    TARGET  (target)
[RAW_DNS_RECORD]        {"answer": "\"v=spf1 -all\"", "host": "_dmarc.onenote.net", "type": "TXT"}      dnsdmarc        (in-scope, subdomain)
[VULNERABILITY]         {"description": "DMARC policy absent for this domain", "host": "_dmarc.onenote.net", "severity": "HIGH"}        dnsdmarc        (high, in-scope)
[VULNERABILITY]         {"description": "DMARC policy absent for this domain", "host": "_dmarc.onenote.net", "severity": "HIGH"}        dnsdmarc        (high, in-scope)
[INFO] Finishing scan
[SCAN]                  test (SCAN:4ff923028044a55d7b64d54f6c33df48ee3b740c)    TARGET
[SUCC] Scan test completed in 1 second with status FINISHED
[INFO] aggregate: +----------+---------------------------------------+----------------+
[INFO] aggregate: | Module   | Produced                              | Consumed       |
[INFO] aggregate: +==========+=======================================+================+
[INFO] aggregate: | dnsdmarc | 2 (1 RAW_DNS_RECORD, 1 VULNERABILITY) | 1 (1 DNS_NAME) |
[INFO] aggregate: +----------+---------------------------------------+----------------+

themoviedb.org - totally invalid TXT/CNAME configuration...

;; ANSWER SECTION:
_dmarc.themoviedb.org.  264     IN      CNAME   v=dmarc1\;p=none\;rua=mailto:4lt6i9e8\@ag.dmarcian.com.

[SCAN]                  test (SCAN:7960aa40debaf786df1c3f87ec3fa5882636c9d7)    TARGET  (target)
[DNS_NAME]              themoviedb.org  TARGET  (domain, in-scope, target)
[VULNERABILITY]         {"description": "DMARC policy absent for this domain", "host": "_dmarc.themoviedb.org", "severity": "HIGH"}     dnsdmarc        (high, in-scope)
[VULNERABILITY]         {"description": "DMARC policy absent for this domain", "host": "_dmarc.themoviedb.org", "severity": "HIGH"}     dnsdmarc        (high, in-scope)
[INFO] Finishing scan
[SCAN]                  test (SCAN:7960aa40debaf786df1c3f87ec3fa5882636c9d7)    TARGET
[SUCC] Scan test completed in 1 second with status FINISHED
[INFO] aggregate: +----------+---------------------+----------------+
[INFO] aggregate: | Module   | Produced            | Consumed       |
[INFO] aggregate: +==========+=====================+================+
[INFO] aggregate: | dnsdmarc | 1 (1 VULNERABILITY) | 1 (1 DNS_NAME) |
[INFO] aggregate: +----------+---------------------+----------------+

webex.com - partial (in fact zero) enforcement,

[DNS_NAME]              webex.com       TARGET  (domain, in-scope, target)
[SCAN]                  test (SCAN:dce64941d25ba5da2d1d8968508484d5b2879576)    TARGET  (target)
[RAW_DNS_RECORD]        {"answer": "\"v=DMARC1; p=quarantine; pct=0; rua=mailto:mailauth-webex@cisco.com; ruf=mailto:mailauth-webex@cisco.com\"", "host": "_dmarc.webex.com", "type": "TXT"}   dnsdmarc        (in-scope, subdomain)
[EMAIL_ADDRESS]         mailauth-webex@cisco.com        dnsdmarc        (distance-1)
[VULNERABILITY]         {"description": "DMARC policy specifies partial enforcement (pct=0)", "host": "_dmarc.webex.com", "severity": "HIGH"}   dnsdmarc      (high, in-scope)
[VULNERABILITY]         {"description": "DMARC policy specifies partial enforcement (pct=0)", "host": "_dmarc.webex.com", "severity": "HIGH"}   dnsdmarc      (high, in-scope)
[INFO] Finishing scan
[SCAN]                  test (SCAN:dce64941d25ba5da2d1d8968508484d5b2879576)    TARGET
[SUCC] Scan test completed in 1 second with status FINISHED
[INFO] aggregate: +----------+-----------------------------------------+----------------+
[INFO] aggregate: | Module   | Produced                                | Consumed       |
[INFO] aggregate: +==========+=========================================+================+
[INFO] aggregate: | dnsdmarc | 3 (1 EMAIL_ADDRESS, 1 RAW_DNS_RECORD, 1 | 1 (1 DNS_NAME) |
[INFO] aggregate: |          | VULNERABILITY)                          |                |
[INFO] aggregate: +----------+-----------------------------------------+----------------+

richaudience.com - invalid policy action due to typeo,

[SCAN]                  test (SCAN:e6121fa9f2249a14933f176f04583c3d05c6efaf)    TARGET  (target)
[DNS_NAME]              richaudience.com        TARGET  (domain, in-scope, target)
[EMAIL_ADDRESS]         dmarc-reports@richaudience.com  dnsdmarc        (in-scope)
[RAW_DNS_RECORD]        {"answer": "\"v=DMARC1; p= reject; rua=mailto:dmarc-reports@richaudience.com; adkim=s; aspf=s\"", "host": "_dmarc.richaudience.com", "type": "TXT"}    dnsdmarc        (in-scope, subdomain)
[VULNERABILITY]         {"description": "DMARC policy action invalid or not provided (p=' reject')", "host": "_dmarc.richaudience.com", "severity": "HIGH"}   dnsdmarc (high, in-scope)
[VULNERABILITY]         {"description": "DMARC policy action invalid or not provided (p=' reject')", "host": "_dmarc.richaudience.com", "severity": "HIGH"}   dnsdmarc (high, in-scope)
[INFO] Finishing scan
[SCAN]                  test (SCAN:e6121fa9f2249a14933f176f04583c3d05c6efaf)    TARGET
[SUCC] Scan test completed in 1 second with status FINISHED
[INFO] aggregate: +----------+-----------------------------------------+----------------+
[INFO] aggregate: | Module   | Produced                                | Consumed       |
[INFO] aggregate: +==========+=========================================+================+
[INFO] aggregate: | dnsdmarc | 3 (1 EMAIL_ADDRESS, 1 RAW_DNS_RECORD, 1 | 1 (1 DNS_NAME) |
[INFO] aggregate: |          | VULNERABILITY)                          |                |
[INFO] aggregate: +----------+-----------------------------------------+----------------+

Sample SIEM-friendly JSON event,

{
  "type": "VULNERABILITY",
  "id": "VULNERABILITY:26d5410a4c16fd2e43f62034d3f769f289122ca4",
  "uuid": "VULNERABILITY:7fc95082-3b76-4708-b54a-e59cc9e1e558",
  "scope_description": "in-scope",
  "netloc": "_dmarc.mastodon.com",
  "data": {
    "VULNERABILITY": {
      "host": "_dmarc.mastodon.com",
      "severity": "HIGH",
      "description": "DMARC policy absent for this domain"
    }
  },
  "host": "_dmarc.mastodon.com",
  "resolved_hosts": [],
  "dns_children": {},
  "web_spider_distance": 0,
  "scope_distance": 0,
  "scan": "SCAN:2222aff66432a64b7da77a24870368cfe8a94736",
  "timestamp": "2024-11-29T05:51:24.230972+00:00",
  "parent": "DNS_NAME:a902607a832e41d20f790f7ebb9a3b556099cb70",
  "parent_uuid": "DNS_NAME:e9ec1eeb-2cfb-4542-b169-379c384cdbf6",
  "tags": [
    "in-scope",
    "high"
  ],
  "module": "dnsdmarc",
  "module_sequence": "dnsdmarc",
  "discovery_context": "TXT requests against _dmarc.mastodon.com returned 0 answers, of which 0 were DMARC policies. The target domain can be spoofed.",
  "discovery_path": [
    "Scan test seeded with DNS_NAME: mastodon.com",
    "TXT requests against _dmarc.mastodon.com returned 0 answers, of which 0 were DMARC policies. The target domain can be spoofed."
  ],
  "parent_chain": [
    "DNS_NAME:e9ec1eeb-2cfb-4542-b169-379c384cdbf6",
    "VULNERABILITY:7fc95082-3b76-4708-b54a-e59cc9e1e558"
  ]
}

Another one,

{
  "type": "VULNERABILITY",
  "id": "VULNERABILITY:957d634f9584dfdf82b39605a291cbdc23cdb99b",
  "uuid": "VULNERABILITY:cb53cf92-4bf9-4258-96fc-8720d5697044",
  "scope_description": "in-scope",
  "netloc": "_dmarc.33across.com",
  "data": {
    "VULNERABILITY": {
      "host": "_dmarc.33across.com",
      "severity": "HIGH",
      "description": "DMARC policy action is valid but reporting destinations were not provided, DMARC policy is report-only, DMARC subdomain policy is report-only"
    }
  },
  "host": "_dmarc.33across.com",
  "resolved_hosts": [],
  "dns_children": {},
  "web_spider_distance": 0,
  "scope_distance": 0,
  "scan": "SCAN:bbc1f649de808be68227cea7b7314efaba738fdb",
  "timestamp": "2024-11-29T05:57:37.358823+00:00",
  "parent": "DNS_NAME:b5f6b4570a07977c5af962b9eff15eafdc5c4b6a",
  "parent_uuid": "DNS_NAME:ce2ba30d-4571-41d3-a85a-1f57d885da82",
  "tags": [
    "high",
    "in-scope"
  ],
  "module": "dnsdmarc",
  "module_sequence": "dnsdmarc",
  "discovery_context": "DMARC policy inspection against _dmarc.33across.com identified one or more vulnerabilities in answer 1 'v=DMARC1; p=none;'. Potential for domain spoofing exists.",
  "discovery_path": [
    "Scan test seeded with DNS_NAME: 33across.com",
    "DMARC policy inspection against _dmarc.33across.com identified one or more vulnerabilities in answer 1 'v=DMARC1; p=none;'. Potential for domain spoofing exists."
  ],
  "parent_chain": [
    "DNS_NAME:ce2ba30d-4571-41d3-a85a-1f57d885da82",
    "VULNERABILITY:cb53cf92-4bf9-4258-96fc-8720d5697044"
  ]
}

…y/excavate-intercept Misc Bugfixes

…y/dnn-installwizard-bug DNN installwizard detector bugfix

…y/badsecrets-customsecrets-tweak better handling of custom secrets files

…y/update-trufflehog Update trufflehog to 3.82.11

…y/yara-handle-bad-chars handle bad chars in matched data

…y/shodan-pagination Misc improvements

…y/generic-ssrf-fix Fixing Bugs with Generic SSRF Payload

…y/fix-preset-bug Fix bug with module exclusions

…y/excavate-intercept Break out docs updater into separate workflow

…y/dev Dev --> Stable (2.1.0)

I noticed this change here: blacklanternsecurity@02acd94#diff-c6756c35a5fb1d7b87dc0ed3d33a2d211374dc196f245d26a362c82c8c346d5cR131 I can only assume it was unintentional, given `id` is a python builtin function, and `str(id)` returns: ```py cmyui@Joshs-MacBook-Pro ~ % python3 Python 3.13.0 (main, Oct 7 2024, 05:02:14) [Clang 15.0.0 (clang-1500.3.9.4)] on darwin Type "help", "copyright", "credits" or "license" for more information. >>> str(id) '<built-in function id>' ```

Fix preservation of scan id at scan init

…y/fix-extractous Update Extractous with new API changes

…y/dev Dev -> Stable 2.2.0

…y/bump-version Bump version

…y/dev Dev -> Stable Version Bump

TheTechromancer · 2024-12-09T21:25:29Z

@colin-stubbs nice work on this module. Also thanks for commenting and providing all those examples.

I think it's safe to say you went deeper on DMARC than we typically do at BLS (our approach is to yeet a spoofed email and see if it lands 😂).

A couple things:

The module is deduping events based on their parent domain, but acting on the original host. To keep things predictable, we should probably take the parent first thing in handle_event()
In BBOT we have a strict separation between FINDING and VULNERABILITY, which is that FINDING is anything interesting or probably vulnerable, while VULNERABILITY is reserved for things that are guaranteed-exploitable. Therefore I'd err on the side of making things a FINDING unless they would make spoofing a certainty. For example, I think that even if DMARC is misconfigured or nonexistent, SPF alone might prevent the spoofing of emails. Email is insanely complex and there are so many factors so it's hard to be sure about a specific domain, without testing it end-to-end.

Thoughts?

liquidsec · 2026-02-27T17:41:50Z

i am going to close this, since work is actively being done on this currently at baddns

github-actions and others added 30 commits October 16, 2024 15:36

fix hash

bfb6799

allow merging targets

dbca7ed

don't make netlocs for ip networks

406a58c

update scope tests

fbb54fd

fixed excavate test

7d6e25a

resolve conflicts

0f7c266

remove critical debug

d7478cd

comment out clobbering API keys

c16fd46

fixing but with dnn installwizard detector

27c819e

better handling of custom secrets files

3f1e574

Merge pull request blacklanternsecurity#1857 from blacklanternsecurit…

b186634

…y/excavate-intercept Misc Bugfixes

Merge pull request blacklanternsecurity#1863 from blacklanternsecurit…

652d08f

…y/dnn-installwizard-bug DNN installwizard detector bugfix

Merge pull request blacklanternsecurity#1864 from blacklanternsecurit…

3ff9e8e

…y/badsecrets-customsecrets-tweak better handling of custom secrets files

Update trufflehog

918f3b7

Merge pull request blacklanternsecurity#1867 from blacklanternsecurit…

0a20c13

…y/update-trufflehog Update trufflehog to 3.82.11

handle bad chars in matched data

7d6a57e

black

7595ff7

fixing bugs with generic_ssrf

4bd16b7

Merge pull request blacklanternsecurity#1868 from blacklanternsecurit…

e7e5c6a

…y/yara-handle-bad-chars handle bad chars in matched data

fix preset bug

481bd35

blacked

cc83d6c

fix tests

c6f445b

Merge pull request blacklanternsecurity#1840 from blacklanternsecurit…

37ae382

…y/shodan-pagination Misc improvements

rebase dev

80a65a1

evilcorp

29206f0

Merge pull request blacklanternsecurity#1870 from blacklanternsecurit…

7bbc9e6

…y/generic-ssrf-fix Fixing Bugs with Generic SSRF Payload

Merge pull request blacklanternsecurity#1872 from blacklanternsecurit…

a3f0bbe

…y/fix-preset-bug Fix bug with module exclusions

Merge pull request blacklanternsecurity#1871 from blacklanternsecurit…

7716db3

…y/excavate-intercept Break out docs updater into separate workflow

enable manual trigger

126c1c6

Merge pull request blacklanternsecurity#1724 from blacklanternsecurit…

989bd78

…y/dev Dev --> Stable (2.1.0)

cmyui and others added 13 commits November 17, 2024 21:26

Merge pull request blacklanternsecurity#1978 from cmyui/patch-1

985624a

Fix preservation of scan id at scan init

Merge pull request blacklanternsecurity#1976 from blacklanternsecurit…

3945fd1

…y/fix-extractous Update Extractous with new API changes

Merge pull request blacklanternsecurity#1919 from blacklanternsecurit…

c67c51f

…y/dev Dev -> Stable 2.2.0

bump version

f0e9d41

Merge pull request blacklanternsecurity#1983 from blacklanternsecurit…

0ca76f3

…y/bump-version Bump version

Merge pull request blacklanternsecurity#1984 from blacklanternsecurit…

95d1bc5

…y/dev Dev -> Stable Version Bump

initial release of dnsdmarc module

c2d021f

improve tests, improve vulnerability event descriptions/context etc

7ca201b

Add comments, handle missing RUA/RUF in valid policies

77249f4

add documentation, improve tests

f275f34

improve testing, valid pct via int() cast

92ccbad

improve pct check, check all rua/ruf URI's start with mailto:

145914a

TheTechromancer added this to the BBOT 2.3.0 - ferocious_raymond milestone Dec 9, 2024

TheTechromancer self-assigned this Dec 9, 2024

TheTechromancer mentioned this pull request Dec 9, 2024

Dev -> Stable 2.3.0 #1986

Merged

TheTechromancer modified the milestones: BBOT 2.3.0 - ferocious_raymond, BBOT 2.4.0 - baby_austin Jan 28, 2025

TheTechromancer modified the milestones: BBOT 2.4.0 - baby_austin, BBOT 2.5.0 - harmful_gregory Feb 28, 2025

TheTechromancer force-pushed the dev branch from c1e1cd9 to 9a7db9e Compare April 24, 2025 14:42

nareshrajkumar866 approved these changes May 22, 2025

View reviewed changes

TheTechromancer modified the milestones: BBOT 2.5.0 - harmful_gregory, BBOT 2.6.0 - unholy_deborah Jun 3, 2025

TheTechromancer modified the milestones: BBOT 2.6.0 - unholy_deborah, BBOT 2.7.0 - severe_adam Aug 13, 2025

liquidsec closed this Feb 27, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Add dnsdmarc module, address #1626#2044

Add dnsdmarc module, address #1626#2044
colin-stubbs wants to merge 4739 commits intoblacklanternsecurity:devfrom
colin-stubbs:dnsdmarc

colin-stubbs commented Nov 29, 2024 •

edited

Loading

Uh oh!

TheTechromancer commented Dec 9, 2024 •

edited

Loading

Uh oh!

liquidsec commented Feb 27, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

8 participants

Uh oh!

Conversation

colin-stubbs commented Nov 29, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

TheTechromancer commented Dec 9, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

liquidsec commented Feb 27, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

8 participants

colin-stubbs commented Nov 29, 2024 •

edited

Loading

TheTechromancer commented Dec 9, 2024 •

edited

Loading