Beispiel #1
0
    def run(self):
        Analyzer.run(self)

        data = self.getData()

        try:
            # enrichment service
            if self.service == 'enrichment':
                enrichment_request = EnrichmentRequest(username=self.username, api_key=self.api_key)
                result = enrichment_request.get_enrichment(query=data)
                self.report(result)

            # malware service
            elif self.service == 'malware':
                enrichment_request = EnrichmentRequest(username=self.username, api_key=self.api_key)
                result = enrichment_request.get_malware(query=data)
                self.report(result)

            # osint service
            elif self.service == 'osint':
                enrichment_request = EnrichmentRequest(username=self.username, api_key=self.api_key)
                result = enrichment_request.get_osint(query=data)
                self.report(result)

            # passive dns service
            elif self.service == 'passive_dns':
                dns_request = DnsRequest(username=self.username, api_key=self.api_key)
                result = dns_request.get_passive_dns(query=data)
                self.report(result)

            # ssl certificate details service
            elif self.service == 'ssl_certificate_details':
                ssl_request = SslRequest(username=self.username, api_key=self.api_key)
                result = ssl_request.get_ssl_certificate_details(query=data)
                self.report(result)

            # ssl certificate history service
            elif self.service == 'ssl_certificate_history':
                ssl_request = SslRequest(username=self.username, api_key=self.api_key)
                result = ssl_request.get_ssl_certificate_history(query=data)
                self.report(result)

            # unique resolutions service
            elif self.service == 'unique_resolutions':
                dns_request = DnsRequest(username=self.username, api_key=self.api_key)
                result = dns_request.get_unique_resolutions(query=data)
                self.report(result)

            # whois details service
            elif self.service == 'whois_details':
                whois_request = WhoisRequest(username=self.username, api_key=self.api_key)
                result = whois_request.get_whois_details(query=data)
                self.report(result)

            else:
                self.error('Unknown PassiveTotal service')

        except Exception as e:
            self.unexpectedError(e)
    def get_dns(self, **kwargs):
        client = DnsRequest(self.username, self.apikey)

        keys = ['query', 'end', 'start', 'timeout', 'sources']

        params = self._cleanup_params(keys, **kwargs)

        if kwargs.get('unique'):
            return client.get_unique_resolutions(**params)
        else:
            return client.get_passive_dns(**params)
    def get_dns(self, **kwargs):
        client = DnsRequest(self.username, self.apikey)

        keys = ['query', 'end', 'start', 'timeout', 'sources']

        params = self._cleanup_params(keys, **kwargs)

        if kwargs.get('unique'):
            return client.get_unique_resolutions(**params)
        else:
            return client.get_passive_dns(**params)
Beispiel #4
0
class DnsTestCase(unittest.TestCase):
    """Test case for DNS methods."""

    formats = ['json']

    def setup_class(self):
        self.patcher = patch('passivetotal.api.Client._get', fake_request)
        self.patcher.start()
        self.client = DnsRequest('--No-User--', '--No-Key--')

    def teardown_class(self):
        self.patcher.stop()

    def test_dns_passive(self):
        """Test getting passive DNS records."""
        payload = {'query': 'passivetotal.org'}
        response = self.client.get_passive_dns(**payload)
        assert (response.get('queryValue')) == 'passivetotal.org'

    def test_process_dns_passive(self):
        """Test processing passive DNS records."""
        payload = {'query': 'passivetotal.org'}
        response = self.client.get_passive_dns(**payload)
        wrapped = Response(response)
        assert (wrapped.queryValue) == 'passivetotal.org'
        assert (
            Response(wrapped.results.pop(0)).recordHash
        ) == '6d24bc7754af023afeaaa05ac689ac36e96656aa6519ba435b301b14916b27d3'

    def test_dns_passive_unique(self):
        """Test getting unique passive DNS records."""
        payload = {'query': 'passivetotal.org'}
        response = self.client.get_unique_resolutions(**payload)
        wrapped = Response(response)
        assert (wrapped.queryValue) == 'passivetotal.org'
        record = wrapped.frequency.pop(0)
        assert (record[0]) == '107.170.89.121'
        assert (record[1]) == 2
Beispiel #5
0
class DnsTestCase(unittest.TestCase):

    """Test case for DNS methods."""

    formats = ['json']

    def setup_class(self):
        self.patcher = patch('passivetotal.api.Client._get', fake_request)
        self.patcher.start()
        self.client = DnsRequest('--No-User--', '--No-Key--')

    def teardown_class(self):
        self.patcher.stop()

    def test_dns_passive(self):
        """Test getting passive DNS records."""
        payload = {'query': 'passivetotal.org'}
        response = self.client.get_passive_dns(**payload)
        assert (response.get('queryValue')) == 'passivetotal.org'

    def test_process_dns_passive(self):
        """Test processing passive DNS records."""
        payload = {'query': 'passivetotal.org'}
        response = self.client.get_passive_dns(**payload)
        wrapped = Response(response)
        assert (wrapped.queryValue) == 'passivetotal.org'
        assert (Response(wrapped.results.pop(0)).recordHash) == '6d24bc7754af023afeaaa05ac689ac36e96656aa6519ba435b301b14916b27d3'

    def test_dns_passive_unique(self):
        """Test getting unique passive DNS records."""
        payload = {'query': 'passivetotal.org'}
        response = self.client.get_unique_resolutions(**payload)
        wrapped = Response(response)
        assert (wrapped.queryValue) == 'passivetotal.org'
        record = wrapped.frequency.pop(0)
        assert (record[0]) == '107.170.89.121'
        assert (record[1]) == 2
Beispiel #6
0
def main():
    """Perform a passive DNS lookup and save the output."""
    if len(sys.argv) <= 1:
        print("Usage: python show_latest <query>")
        sys.exit(1)

    query = sys.argv[1]
    current_day = datetime.datetime.now().strftime("%Y-%m-%d")
    client = DnsRequest(PT_USERNAME, PT_API_KEY)
    results = client.get_passive_dns(query=query, start=current_day)

    unique = list()
    for record in results.get('results', list()):
        resolve = record['resolve']
        if resolve in unique:
            continue
        unique.append(resolve)
        print resolve
Beispiel #7
0
def main():
    """Perform a passive DNS lookup and save the output."""
    if len(sys.argv) <= 1:
        print("Usage: python show_latest <query>")
        sys.exit(1)

    query = sys.argv[1]
    current_day = datetime.datetime.now().strftime("%Y-%m-%d")
    client = DnsRequest(PT_USERNAME, PT_API_KEY)
    results = client.get_passive_dns(query=query, start=current_day)

    unique = list()
    for record in results.get('results', list()):
        resolve = record['resolve']
        if resolve in unique:
            continue
        unique.append(resolve)
        print resolve
Beispiel #8
0
    def run(self, conf, args, plugins):
        if 'subcommand' in args:
            if args.subcommand == 'info':
                if not is_ip(unbracket(args.IP)):
                    print("Invalid IP address")
                    sys.exit(1)
                # FIXME: move code here in a library
                ip = unbracket(args.IP)
                try:
                    ipy = IP(ip)
                except ValueError:
                    print('Invalid IP format, quitting...')
                    return
                ipinfo = self.ipinfo(ip)
                print('MaxMind: Located in %s, %s' %
                      (ipinfo['city'], ipinfo['country']))
                if ipinfo['asn'] == 0:
                    print("MaxMind: IP not found in the ASN database")
                else:
                    print('MaxMind: ASN%i, %s' %
                          (ipinfo['asn'], ipinfo['asn_name']))
                asndb2 = pyasn.pyasn(self.asncidr)
                res = asndb2.lookup(ip)
                if res[1] is None:
                    print("IP not found in ASN database")
                else:
                    # Search for name
                    f = open(self.asnname, 'r')
                    found = False
                    line = f.readline()
                    name = ''
                    while not found and line != '':
                        s = line.split('|')
                        if s[0] == str(res[0]):
                            name = s[1].strip()
                            found = True
                        line = f.readline()

                    print('ASN %i - %s (range %s)' % (res[0], name, res[1]))
                if ipinfo['hostname'] != '':
                    print('Hostname: %s' % ipinfo['hostname'])
                if ipinfo['specific'] != '':
                    print("Specific: %s" % ipinfo['specific'])
                if ipy.iptype() == "PRIVATE":
                    "Private IP"
                print("")
                if ipy.version() == 4:
                    print("Censys:\t\thttps://censys.io/ipv4/%s" % ip)
                    print("Shodan:\t\thttps://www.shodan.io/host/%s" % ip)
                    print("IP Info:\thttp://ipinfo.io/%s" % ip)
                    print("BGP HE:\t\thttps://bgp.he.net/ip/%s" % ip)
                    print(
                        "IP Location:\thttps://www.iplocation.net/?query=%s" %
                        ip)
            elif args.subcommand == "intel":
                if not is_ip(unbracket(args.IP)):
                    print("Invalid IP address")
                    sys.exit(1)
                # Start with MISP and OTX to get Intelligence Reports
                print('###################### %s ###################' %
                      unbracket(args.IP))
                passive_dns = []
                urls = []
                malware = []
                files = []
                # OTX
                otx_e = plugins['otx'].test_config(conf)
                if otx_e:
                    print('[+] Downloading OTX information....')
                    otx = OTXv2(conf["AlienVaultOtx"]["key"])
                    res = otx.get_indicator_details_full(
                        IndicatorTypes.IPv4, unbracket(args.IP))
                    otx_pulses = res["general"]["pulse_info"]["pulses"]
                    # Get Passive DNS
                    if "passive_dns" in res:
                        for r in res["passive_dns"]["passive_dns"]:
                            passive_dns.append({
                                "domain": r['hostname'],
                                "first": parse(r["first"]),
                                "last": parse(r["last"]),
                                "source": "OTX"
                            })
                    if "url_list" in res:
                        for r in res["url_list"]["url_list"]:
                            urls.append(r)
                # RobTex
                print('[+] Downloading Robtex information....')
                rob = Robtex()
                res = rob.get_ip_info(unbracket(args.IP))
                for d in ["pas", "pash", "act", "acth"]:
                    if d in res:
                        for a in res[d]:
                            passive_dns.append({
                                'first': a['date'],
                                'last': a['date'],
                                'domain': a['o'],
                                'source': 'Robtex'
                            })

                # PT
                pt_e = plugins['pt'].test_config(conf)
                if pt_e:
                    out_pt = False
                    print('[+] Downloading Passive Total information....')
                    client = DnsRequest(conf['PassiveTotal']['username'],
                                        conf['PassiveTotal']['key'])
                    raw_results = client.get_passive_dns(
                        query=unbracket(args.IP))
                    if "results" in raw_results:
                        for res in raw_results["results"]:
                            passive_dns.append({
                                "first": parse(res["firstSeen"]),
                                "last": parse(res["lastSeen"]),
                                "domain": res["resolve"],
                                "source": "PT"
                            })
                    if "message" in raw_results:
                        if "quota_exceeded" in raw_results["message"]:
                            print("Quota exceeded for Passive Total")
                            out_pt = True
                            pt_osint = {}
                    if not out_pt:
                        client2 = EnrichmentRequest(
                            conf["PassiveTotal"]["username"],
                            conf["PassiveTotal"]['key'])
                        # Get OSINT
                        # TODO: add PT projects here
                        pt_osint = client2.get_osint(query=unbracket(args.IP))
                        # Get malware
                        raw_results = client2.get_malware(
                            query=unbracket(args.IP))
                        if "results" in raw_results:
                            for r in raw_results["results"]:
                                malware.append({
                                    'hash':
                                    r["sample"],
                                    'date':
                                    parse(r['collectionDate']),
                                    'source':
                                    'PT (%s)' % r["source"]
                                })
                # VT
                vt_e = plugins['vt'].test_config(conf)
                if vt_e:
                    if conf["VirusTotal"]["type"] != "public":
                        print('[+] Downloading VT information....')
                        vt = PrivateApi(conf["VirusTotal"]["key"])
                        res = vt.get_ip_report(unbracket(args.IP))
                        if "results" in res:
                            if "resolutions" in res['results']:
                                for r in res["results"]["resolutions"]:
                                    passive_dns.append({
                                        "first":
                                        parse(r["last_resolved"]),
                                        "last":
                                        parse(r["last_resolved"]),
                                        "domain":
                                        r["hostname"],
                                        "source":
                                        "VT"
                                    })
                            if "undetected_downloaded_samples" in res[
                                    'results']:
                                for r in res['results'][
                                        'undetected_downloaded_samples']:
                                    files.append({
                                        'hash': r['sha256'],
                                        'date': parse(r['date']),
                                        'source': 'VT'
                                    })
                            if "undetected_referrer_samples" in res['results']:
                                for r in res['results'][
                                        'undetected_referrer_samples']:
                                    files.append({
                                        'hash': r['sha256'],
                                        'date': parse(r['date']),
                                        'source': 'VT'
                                    })
                            if "detected_downloaded_samples" in res['results']:
                                for r in res['results'][
                                        'detected_downloaded_samples']:
                                    malware.append({
                                        'hash': r['sha256'],
                                        'date': parse(r['date']),
                                        'source': 'VT'
                                    })
                            if "detected_referrer_samples" in res['results']:
                                for r in res['results'][
                                        'detected_referrer_samples']:
                                    if "date" in r:
                                        malware.append({
                                            'hash': r['sha256'],
                                            'date': parse(r['date']),
                                            'source': 'VT'
                                        })
                    else:
                        vt_e = False

                print('[+] Downloading GreyNoise information....')
                gn = GreyNoise()
                try:
                    greynoise = gn.query_ip(unbracket(args.IP))
                except GreyNoiseError:
                    greynoise = []

                tg_e = plugins['threatgrid'].test_config(conf)
                if tg_e:
                    print('[+] Downloading Threat Grid....')
                    tg = ThreatGrid(conf['ThreatGrid']['key'])
                    res = tg.search_samples(unbracket(args.IP), type='ip')
                    already = []
                    if 'items' in res:
                        for r in res['items']:
                            if r['sample_sha256'] not in already:
                                d = parse(r['ts'])
                                d = d.replace(tzinfo=None)
                                malware.append({
                                    'hash': r["sample_sha256"],
                                    'date': d,
                                    'source': 'TG'
                                })
                                already.append(r['sample_sha256'])

                # TODO: Add MISP
                print('----------------- Intelligence Report')
                if otx_e:
                    if len(otx_pulses):
                        print('OTX:')
                        for p in otx_pulses:
                            print(' -%s (%s - %s)' %
                                  (p['name'], p['created'][:10],
                                   "https://otx.alienvault.com/pulse/" +
                                   p['id']))
                    else:
                        print('OTX: Not found in any pulse')
                if len(greynoise) > 0:
                    print("GreyNoise: IP identified as")
                    for r in greynoise:
                        print("\t%s (%s -> %s)" %
                              (r["name"], r["first_seen"], r["last_updated"]))
                else:
                    print("GreyNoise: Not found")
                if pt_e:
                    if "results" in pt_osint:
                        if len(pt_osint["results"]):
                            if len(pt_osint["results"]) == 1:
                                if "name" in pt_osint["results"][0]:
                                    print(
                                        "PT: %s %s" %
                                        (pt_osint["results"][0]["name"],
                                         pt_osint["results"][0]["sourceUrl"]))
                                else:
                                    print("PT: %s" %
                                          pt_osint["results"][0]["sourceUrl"])
                            else:
                                print("PT:")
                                for r in pt_osint["results"]:
                                    if "name" in r:
                                        print("-%s %s" %
                                              (r["name"], r["sourceUrl"]))
                                    else:
                                        print("-%s" % r["sourceUrl"])
                        else:
                            print("PT: Nothing found!")
                    else:
                        print("PT: Nothing found!")

                if len(malware) > 0:
                    print('----------------- Malware')
                    for r in sorted(malware, key=lambda x: x["date"]):
                        print("[%s] %s %s" % (r["source"], r["hash"],
                                              r["date"].strftime("%Y-%m-%d")))
                if len(files) > 0:
                    print('----------------- Files')
                    for r in sorted(files, key=lambda x: x["date"]):
                        print("[%s] %s %s" % (r["source"], r["hash"],
                                              r["date"].strftime("%Y-%m-%d")))
                if len(passive_dns) > 0:
                    print('----------------- Passive DNS')
                    for r in sorted(passive_dns,
                                    key=lambda x: x["first"],
                                    reverse=True):
                        print("[+] %-40s (%s -> %s)(%s)" %
                              (r["domain"], r["first"].strftime("%Y-%m-%d"),
                               r["last"].strftime("%Y-%m-%d"), r["source"]))

            else:
                self.parser.print_help()
        else:
            self.parser.print_help()
Beispiel #9
0
    def run(self, conf, args, plugins):
        if 'subcommand' in args:
            if args.subcommand == "intel":
                # Start with MISP and OTX to get Intelligence Reports
                print('###################### %s ###################' % args.DOMAIN)
                passive_dns = []
                urls = []
                malware = []
                files = []
                # MISP
                misp_e = plugins['misp'].test_config(conf)
                if misp_e:
                    print('[+] Downloading MISP information...')
                    server = ExpandedPyMISP(conf['Misp']['url'], conf['Misp']['key'])
                    misp_results = server.search('attributes', value=unbracket(args.DOMAIN))
                # OTX
                otx_e = plugins['otx'].test_config(conf)
                if otx_e:
                    print('[+] Downloading OTX information....')
                    try:
                        otx = OTXv2(conf["AlienVaultOtx"]["key"])
                        res = otx.get_indicator_details_full(IndicatorTypes.DOMAIN, unbracket(args.DOMAIN))
                        otx_pulses =  res["general"]["pulse_info"]["pulses"]
                        # Get Passive DNS
                        if "passive_dns" in res:
                            for r in res["passive_dns"]["passive_dns"]:
                                passive_dns.append({
                                    "ip": r['hostname'],
                                    "first": parse(r["first"]).astimezone(pytz.utc),
                                    "last": parse(r["last"]).astimezone(pytz.utc),
                                    "source" : "OTX"
                                })
                        if "url_list" in res:
                            for r in res["url_list"]["url_list"]:
                                if "result" in r:
                                    urls.append({
                                        "date": parse(r["date"]).astimezone(pytz.utc),
                                        "url": r["url"],
                                        "ip": r["result"]["urlworker"]["ip"] if "ip" in r["result"]["urlworker"] else "" ,
                                        "source": "OTX"
                                    })
                                else:
                                    urls.append({
                                        "date": parse(r["date"]).astimezone(pytz.utc),
                                        "url": r["url"],
                                        "ip": "",
                                        "source": "OTX"
                                    })
                    except AttributeError:
                        print('OTX crashed  ¯\_(ツ)_/¯')

                # UrlScan
                us = UrlScan()
                print('[+] Downloading UrlScan information....')
                res = us.search(args.DOMAIN)
                for r in res['results']:
                    urls.append({
                        "date": parse(r["task"]["time"]).astimezone(pytz.utc),
                        "url": r["page"]["url"],
                        "ip": r["page"]["ip"] if "ip" in r["page"] else "",
                        "source": "UrlScan"
                    })

                # UrlHaus
                uh_e = plugins['urlhaus'].test_config(conf)
                if uh_e:
                    print("[+] Checking urlhaus...")
                    try:
                        urlhaus = UrlHaus(conf["UrlHaus"]["key"])
                        res = urlhaus.get_host(unbracket(args.DOMAIN))
                    except UrlHausError:
                        print("Error with the query")
                    else:
                        if "urls" in res:
                            for r in res['urls']:
                                urls.append({
                                    "date": parse(r["date_added"]).astimezone(pytz.utc),
                                    "url": r["url"],
                                    "ip":"",
                                    "source": "UrlHaus"
                                })
                # CIRCL
                circl_e = plugins['circl'].test_config(conf)
                if circl_e:
                    print('[+] Downloading CIRCL passive DNS information....')
                    x = pypdns.PyPDNS(
                        basic_auth=(
                            conf['Circl']['user'],
                            conf['Circl']['pass']
                        )
                    )
                    res = x.query(unbracket(args.DOMAIN))
                    for answer in res:
                        passive_dns.append({
                            "ip": answer['rdata'],
                            "first": answer['time_first'].astimezone(pytz.utc),
                            "last": answer['time_last'].astimezone(pytz.utc),
                            "source" : "CIRCL"
                        })
                # BinaryEdge
                be_e = plugins['binaryedge'].test_config(conf)
                if be_e:
                    print('[+] Downloading BinaryEdge information....')
                    try:
                        be = BinaryEdge(conf['BinaryEdge']['key'])
                        res = be.domain_dns(unbracket(args.DOMAIN))
                        for d in res['events']:
                            if "A" in d:
                                for a in d['A']:
                                    passive_dns.append({
                                        "ip": a,
                                        "first": parse(d['updated_at']).astimezone(pytz.utc),
                                        "last": parse(d['updated_at']).astimezone(pytz.utc),
                                        "source" : "BinaryEdge"
                                    })
                    except BinaryEdgeException:
                        print('You need a paid BinaryEdge subscription for this request')
                # RobTex
                print('[+] Downloading Robtex information....')
                try:
                    rob = Robtex()
                    res = rob.get_pdns_domain(args.DOMAIN)
                    for d in res:
                        if d['rrtype'] in ['A', 'AAAA']:
                            passive_dns.append({
                                'first': d['time_first_o'].astimezone(pytz.utc),
                                'last': d['time_last_o'].astimezone(pytz.utc),
                                'ip': d['rrdata'],
                                'source': 'Robtex'
                            })
                except RobtexError:
                    print("Robtex query failed")
                # PT
                pt_e = plugins['pt'].test_config(conf)
                if pt_e:
                    try:
                        pt_osint = {}
                        ptout = False
                        print('[+] Downloading Passive Total information....')
                        client = DnsRequest(conf['PassiveTotal']['username'], conf['PassiveTotal']['key'])
                        raw_results = client.get_passive_dns(query=unbracket(args.DOMAIN))
                        if "results" in raw_results:
                            for res in raw_results["results"]:
                                passive_dns.append({
                                    "first": parse(res["firstSeen"]).astimezone(pytz.utc),
                                    "last": parse(res["lastSeen"]).astimezone(pytz.utc),
                                    "ip": res["resolve"],
                                    "source": "PT"
                                })
                        if "message" in raw_results:
                            if "quota_exceeded" in raw_results["message"]:
                                print("PT quota exceeded")
                                ptout = True
                        if not ptout:
                            client2 = EnrichmentRequest(conf["PassiveTotal"]["username"], conf["PassiveTotal"]['key'])
                            # Get OSINT
                            # TODO: add PT projects here
                            pt_osint = client2.get_osint(query=unbracket(args.DOMAIN))
                            # Get malware
                            raw_results = client2.get_malware(query=unbracket(args.DOMAIN))
                            if "results" in raw_results:
                                for r in raw_results["results"]:
                                    malware.append({
                                        'hash': r["sample"],
                                        'date': parse(r['collectionDate']).astimezone(pytz.utc),
                                        'source' : 'PT (%s)' % r["source"]
                                    })
                    except requests.exceptions.ReadTimeout:
                        print("PT: Time Out")
                # VT
                vt_e = plugins['vt'].test_config(conf)
                if vt_e:
                    if conf["VirusTotal"]["type"] != "public":
                        print('[+] Downloading VT information....')
                        vt = PrivateApi(conf["VirusTotal"]["key"])
                        res = vt.get_domain_report(unbracket(args.DOMAIN))
                        if "results" in res:
                            if "resolutions" in res['results']:
                                for r in res["results"]["resolutions"]:
                                    passive_dns.append({
                                        "first": parse(r["last_resolved"]).astimezone(pytz.utc),
                                        "last": parse(r["last_resolved"]).astimezone(pytz.utc),
                                        "ip": r["ip_address"],
                                        "source": "VT"
                                    })
                            if "undetected_downloaded_samples" in res['results']:
                                for r in res['results']['undetected_downloaded_samples']:
                                    files.append({
                                        'hash': r['sha256'],
                                        'date': parse(r['date']).astimezone(pytz.utc) if 'date' in r else '',
                                        'source' : 'VT'
                                    })
                            if "undetected_referrer_samples" in res['results']:
                                for r in res['results']['undetected_referrer_samples']:
                                    files.append({
                                        'hash': r['sha256'],
                                        'date': parse(r['date']).astimezone(pytz.utc) if 'date' in r else '',
                                        'source' : 'VT'
                                    })
                            if "detected_downloaded_samples" in res['results']:
                                for r in res['results']['detected_downloaded_samples']:
                                    malware.append({
                                        'hash': r['sha256'],
                                        'date': parse(r['date']).astimezone(pytz.utc),
                                        'source' : 'VT'
                                    })
                            if "detected_referrer_samples" in res['results']:
                                for r in res['results']['detected_referrer_samples']:
                                    if "date" in r:
                                        malware.append({
                                            'hash': r['sha256'],
                                            'date': parse(r['date']).astimezone(pytz.utc),
                                            'source' : 'VT'
                                        })
                            if "detected_urls" in res['results']:
                                for r in res['results']['detected_urls']:
                                    urls.append({
                                        'date': parse(r['scan_date']).astimezone(pytz.utc),
                                        'url': r['url'],
                                        'ip': '',
                                        'source': 'VT'
                                    })
                    else:
                        vt_e = False
                tg_e = plugins['threatgrid'].test_config(conf)
                if tg_e:
                    try:
                        print('[+] Downloading Threat Grid....')
                        tg = ThreatGrid(conf['ThreatGrid']['key'])
                        res = tg.search_samples(unbracket(args.DOMAIN), type='domain')
                        already = []
                        if 'items' in res:
                            for r in res['items']:
                                if r['sample_sha256'] not in already:
                                    d = parse(r['ts']).astimezone(pytz.utc)
                                    malware.append({
                                        'hash': r["sample_sha256"],
                                        'date': d,
                                        'source' : 'ThreatGrid'
                                    })
                                    already.append(r['sample_sha256'])
                    except ThreatGridError as e:
                        print("Failed to connect to Threat Grid: %s" % e.message)
                print('[+] Downloading ThreatMiner....')
                tm = ThreatMiner()
                response = tm.get_report(unbracket(args.DOMAIN))
                if response['status_code'] == '200':
                    tmm = response['results']
                else:
                    tmm = []
                    if response['status_code'] == '404':
                        print("Request to ThreatMiner failed: {}".format(response['status_message']))
                response = tm.get_related_samples(unbracket(args.DOMAIN))
                if response['status_code'] == '200':
                    for r in response['results']:
                        malware.append({
                            'hash': r,
                            'date': None,
                            'source': 'ThreatMiner'
                        })


                print('----------------- Intelligence Report')
                if misp_e:
                    if len(misp_results['Attribute']) > 0:
                        print('MISP:')
                        for event in misp_results['Attribute']:
                            print("- {} - {}".format(
                                event['Event']['id'],
                                event['Event']['info']
                            ))
                if otx_e:
                    if len(otx_pulses):
                        print('OTX:')
                        for p in otx_pulses:
                            print('- %s (%s - %s)' % (
                                    p['name'],
                                    p['created'][:10],
                                    "https://otx.alienvault.com/pulse/" + p['id']
                                )
                            )
                    else:
                        print('OTX: Not found in any pulse')
                if pt_e:
                    if "results" in pt_osint:
                        if len(pt_osint["results"]):
                            if len(pt_osint["results"]) == 1:
                                if "name" in pt_osint["results"][0]:
                                    print("PT: %s %s" % (pt_osint["results"][0]["name"], pt_osint["results"][0]["sourceUrl"]))
                                else:
                                    print("PT: %s" % (pt_osint["results"][0]["sourceUrl"]))
                            else:
                                print("PT:")
                                for r in pt_osint["results"]:
                                    if "name" in r:
                                        print("- %s %s" % (r["name"], r["sourceUrl"]))
                                    else:
                                        print("- %s" % (r["sourceUrl"]))
                        else:
                            print("PT: Nothing found!")
                    else:
                        print("PT: Nothing found!")
                # ThreatMiner
                if len(tmm) > 0:
                    print("ThreatMiner:")
                    for r in tmm:
                        print("- {} {} - {}".format(
                            r['year'],
                            r['filename'],
                            r['URL']
                        ))

                if len(malware) > 0:
                    print('----------------- Malware')
                    for r in malware:
                        print("[%s] %s %s" % (
                                r["source"],
                                r["hash"],
                                r["date"].strftime("%Y-%m-%d") if r["date"] else ""
                            )
                        )
                if len(files) > 0:
                    print('----------------- Files')
                    for r in files:
                        if r['date'] != '':
                            print("[%s] %s (%s)" % (
                                    r["source"],
                                    r["hash"],
                                    r["date"].strftime("%Y-%m-%d")
                                )
                            )
                        else:
                            print("[%s] %s" % (
                                    r["source"],
                                    r["hash"],
                                )
                            )
                if len(urls) > 0:
                    print('----------------- Urls')
                    for r in sorted(urls, key=lambda x: x["date"], reverse=True):
                        print("[%s] %s - %s %s" % (
                                r["source"],
                                r["url"],
                                r["ip"],
                                r["date"].strftime("%Y-%m-%d")
                            )
                        )
                # TODO: add ASN + location info here
                if len(passive_dns) > 0:
                    print('----------------- Passive DNS')
                    for r in sorted(passive_dns, key=lambda x: x["first"], reverse=True):
                        print("[+] %-40s (%s -> %s)(%s)" % (
                                r["ip"],
                                r["first"].strftime("%Y-%m-%d"),
                                r["last"].strftime("%Y-%m-%d"),
                                r["source"]
                            )
                        )

            else:
                self.parser.print_help()
        else:
            self.parser.print_help()
Beispiel #10
0
 def intel(self, type, query, data, conf):
     if type == "domain":
         print("[+] Checking Passive Total...")
         try:
             pt_osint = {}
             ptout = False
             client = DnsRequest(
                 conf["PassiveTotal"]["username"],
                 conf["PassiveTotal"]["key"],
             )
             raw_results = client.get_passive_dns(query=query)
             if "results" in raw_results:
                 for res in raw_results["results"]:
                     data["passive_dns"].append({
                         "first":
                         parse(res["firstSeen"]).astimezone(pytz.utc),
                         "last":
                         parse(res["lastSeen"]).astimezone(pytz.utc),
                         "ip":
                         res["resolve"],
                         "source":
                         "PT",
                     })
             if "message" in raw_results:
                 if "quota_exceeded" in raw_results["message"]:
                     print("PT quota exceeded")
                     ptout = True
             if not ptout:
                 client2 = EnrichmentRequest(
                     conf["PassiveTotal"]["username"],
                     conf["PassiveTotal"]["key"],
                 )
                 # Get OSINT
                 pt_osint = client2.get_osint(query=query)
                 if "results" in pt_osint:
                     for r in pt_osint["results"]:
                         data["reports"].append({
                             "date":
                             "",
                             "title":
                             r["name"] if "name" in r else "",
                             "url":
                             r["sourceUrl"],
                             "source":
                             "PT"
                         })
                 # Get malware
                 raw_results = client2.get_malware(query=query)
                 if "results" in raw_results:
                     for r in raw_results["results"]:
                         data["malware"].append({
                             "hash":
                             r["sample"],
                             "date":
                             parse(r["collectionDate"]).astimezone(
                                 pytz.utc),
                             "source":
                             "PT (%s)" % r["source"],
                         })
         except requests.exceptions.ReadTimeout:
             print("PT: Time Out")
     elif type == "ip":
         print("[+] Checking Passive Total...")
         try:
             pt_osint = {}
             ptout = False
             client = DnsRequest(
                 conf["PassiveTotal"]["username"],
                 conf["PassiveTotal"]["key"],
             )
             raw_results = client.get_passive_dns(query=query)
             if "results" in raw_results:
                 for res in raw_results["results"]:
                     data["passive_dns"].append({
                         "first":
                         parse(res["firstSeen"]).astimezone(pytz.utc),
                         "last":
                         parse(res["lastSeen"]).astimezone(pytz.utc),
                         "domain":
                         res["resolve"],
                         "source":
                         "PT",
                     })
             if "message" in raw_results:
                 if "quota_exceeded" in raw_results["message"]:
                     print("PT quota exceeded")
                     ptout = True
             if not ptout:
                 client2 = EnrichmentRequest(
                     conf["PassiveTotal"]["username"],
                     conf["PassiveTotal"]["key"],
                 )
                 # Get OSINT
                 pt_osint = client2.get_osint(query=query)
                 if "results" in pt_osint:
                     for r in pt_osint["results"]:
                         data["reports"].append({
                             "date":
                             "",
                             "title":
                             r["name"] if "name" in r else "",
                             "url":
                             r["sourceUrl"],
                             "source":
                             "PT"
                         })
                 # Get malware
                 raw_results = client2.get_malware(query=query)
                 if "results" in raw_results:
                     for r in raw_results["results"]:
                         data["malware"].append({
                             "hash":
                             r["sample"],
                             "date":
                             parse(r["collectionDate"]).astimezone(
                                 pytz.utc),
                             "source":
                             "PT (%s)" % r["source"],
                         })
         except requests.exceptions.ReadTimeout:
             print("PT: Time Out")
Beispiel #11
0
    def run(self, conf, args, plugins):
        if 'subcommand' in args:
            if args.subcommand == 'info':
                print("Not implemented yet")
            elif args.subcommand == "intel":
                # Start with MISP and OTX to get Intelligence Reports
                print('###################### %s ###################' % args.DOMAIN)
                passive_dns = []
                urls = []
                malware = []
                files = []
                # OTX
                otx_e = plugins['otx'].test_config(conf)
                if otx_e:
                    print('[+] Downloading OTX information....')
                    otx = OTXv2(conf["AlienVaultOtx"]["key"])
                    res = otx.get_indicator_details_full(IndicatorTypes.DOMAIN, unbracket(args.DOMAIN))
                    otx_pulses =  res["general"]["pulse_info"]["pulses"]
                    # Get Passive DNS
                    if "passive_dns" in res:
                        for r in res["passive_dns"]["passive_dns"]:
                            passive_dns.append({
                                "ip": r['hostname'],
                                "first": parse(r["first"]),
                                "last": parse(r["last"]),
                                "source" : "OTX"
                            })
                    if "url_list" in res:
                        for r in res["url_list"]["url_list"]:
                            if "result" in r:
                                urls.append({
                                    "date": parse(r["date"]),
                                    "url": r["url"],
                                    "ip": r["result"]["urlworker"]["ip"] if "ip" in r["result"]["urlworker"] else "" ,
                                    "source": "OTX"
                                })
                            else:
                                urls.append({
                                    "date": parse(r["date"]),
                                    "url": r["url"],
                                    "ip": "",
                                    "source": "OTX"
                                })
                # CIRCL
                circl_e = plugins['circl'].test_config(conf)
                if circl_e:
                    print('[+] Downloading CIRCL passive DNS information....')
                    x = pypdns.PyPDNS(
                        basic_auth=(
                            conf['Circl']['user'],
                            conf['Circl']['pass']
                        )
                    )
                    res = x.query(unbracket(args.DOMAIN))
                    for answer in res:
                        passive_dns.append({
                            "ip": answer['rdata'],
                            "first": answer['time_first'],
                            "last": answer['time_last'],
                            "source" : "CIRCL"
                        })
                # BinaryEdge
                be_e = plugins['binaryedge'].test_config(conf)
                if be_e:
                    print('[+] Downloading BinaryEdge information....')
                    be = BinaryEdge(conf['BinaryEdge']['key'])
                    res = be.domain_dns(unbracket(args.DOMAIN))
                    for d in res['events']:
                        if "A" in d:
                            for a in d['A']:
                                passive_dns.append({
                                    "ip": a,
                                    "first": parse(d['updated_at']),
                                    "last": parse(d['updated_at']),
                                    "source" : "BinaryEdge"
                                })
                # RobTex
                print('[+] Downloading Robtex information....')
                rob = Robtex()
                res = rob.get_pdns_domain(args.DOMAIN)
                for d in res:
                    if d['rrtype'] in ['A', 'AAAA']:
                        passive_dns.append({
                            'first': d['time_first_o'],
                            'last': d['time_last_o'],
                            'ip': d['rrdata'],
                            'source': 'Robtex'
                        })

                # PT
                pt_e = plugins['pt'].test_config(conf)
                if pt_e:
                    try:
                        pt_osint = {}
                        ptout = False
                        print('[+] Downloading Passive Total information....')
                        client = DnsRequest(conf['PassiveTotal']['username'], conf['PassiveTotal']['key'])
                        raw_results = client.get_passive_dns(query=unbracket(args.DOMAIN))
                        if "results" in raw_results:
                            for res in raw_results["results"]:
                                passive_dns.append({
                                    "first": parse(res["firstSeen"]),
                                    "last": parse(res["lastSeen"]),
                                    "ip": res["resolve"],
                                    "source": "PT"
                                })
                        if "message" in raw_results:
                            if "quota_exceeded" in raw_results["message"]:
                                print("PT quota exceeded")
                                ptout = True
                        if not ptout:
                            client2 = EnrichmentRequest(conf["PassiveTotal"]["username"], conf["PassiveTotal"]['key'])
                            # Get OSINT
                            # TODO: add PT projects here
                            pt_osint = client2.get_osint(query=unbracket(args.DOMAIN))
                            # Get malware
                            raw_results = client2.get_malware(query=unbracket(args.DOMAIN))
                            if "results" in raw_results:
                                for r in raw_results["results"]:
                                    malware.append({
                                        'hash': r["sample"],
                                        'date': parse(r['collectionDate']),
                                        'source' : 'PT (%s)' % r["source"]
                                    })
                    except requests.exceptions.ReadTimeout:
                        print("PT: Time Out")
                # VT
                vt_e = plugins['vt'].test_config(conf)
                if vt_e:
                    if conf["VirusTotal"]["type"] != "public":
                        print('[+] Downloading VT information....')
                        vt = PrivateApi(conf["VirusTotal"]["key"])
                        res = vt.get_domain_report(unbracket(args.DOMAIN))
                        if "results" in res:
                            if "resolutions" in res['results']:
                                for r in res["results"]["resolutions"]:
                                    passive_dns.append({
                                        "first": parse(r["last_resolved"]),
                                        "last": parse(r["last_resolved"]),
                                        "ip": r["ip_address"],
                                        "source": "VT"
                                    })
                            if "undetected_downloaded_samples" in res['results']:
                                for r in res['results']['undetected_downloaded_samples']:
                                    files.append({
                                        'hash': r['sha256'],
                                        'date': parse(r['date']) if 'date' in r else '',
                                        'source' : 'VT'
                                    })
                            if "undetected_referrer_samples" in res['results']:
                                for r in res['results']['undetected_referrer_samples']:
                                    files.append({
                                        'hash': r['sha256'],
                                        'date': parse(r['date']) if 'date' in r else '',
                                        'source' : 'VT'
                                    })
                            if "detected_downloaded_samples" in res['results']:
                                for r in res['results']['detected_downloaded_samples']:
                                    malware.append({
                                        'hash': r['sha256'],
                                        'date': parse(r['date']),
                                        'source' : 'VT'
                                    })
                            if "detected_referrer_samples" in res['results']:
                                for r in res['results']['detected_referrer_samples']:
                                    if "date" in r:
                                        malware.append({
                                            'hash': r['sha256'],
                                            'date': parse(r['date']),
                                            'source' : 'VT'
                                        })
                            if "detected_urls" in res['results']:
                                for r in res['results']['detected_urls']:
                                    urls.append({
                                        'date': parse(r['scan_date']),
                                        'url': r['url'],
                                        'ip': '',
                                        'source': 'VT'
                                    })
                    else:
                        vt_e = False
                tg_e = plugins['threatgrid'].test_config(conf)
                if tg_e:
                    try:
                        print('[+] Downloading Threat Grid....')
                        tg = ThreatGrid(conf['ThreatGrid']['key'])
                        res = tg.search_samples(unbracket(args.DOMAIN), type='domain')
                        already = []
                        if 'items' in res:
                            for r in res['items']:
                                if r['sample_sha256'] not in already:
                                    d = parse(r['ts'])
                                    d = d.replace(tzinfo=None)
                                    malware.append({
                                        'hash': r["sample_sha256"],
                                        'date': d,
                                        'source' : 'ThreatGrid'
                                    })
                                    already.append(r['sample_sha256'])
                    except ThreatGridError as e:
                        print("Failed to connect to Threat Grid: %s" % e.message)

                # TODO: Add MISP
                print('----------------- Intelligence Report')
                if otx_e:
                    if len(otx_pulses):
                        print('OTX:')
                        for p in otx_pulses:
                            print(' -%s (%s - %s)' % (
                                    p['name'],
                                    p['created'][:10],
                                    "https://otx.alienvault.com/pulse/" + p['id']
                                )
                            )
                    else:
                        print('OTX: Not found in any pulse')
                if pt_e:
                    if "results" in pt_osint:
                        if len(pt_osint["results"]):
                            if len(pt_osint["results"]) == 1:
                                if "name" in pt_osint["results"][0]:
                                    print("PT: %s %s" % (pt_osint["results"][0]["name"], pt_osint["results"][0]["sourceUrl"]))
                                else:
                                    print("PT: %s" % (pt_osint["results"][0]["sourceUrl"]))
                            else:
                                print("PT:")
                                for r in pt_osint["results"]:
                                    if "name" in r:
                                        print("-%s %s" % (r["name"], r["sourceUrl"]))
                                    else:
                                        print("-%s" % (r["sourceUrl"]))
                        else:
                            print("PT: Nothing found!")
                    else:
                        print("PT: Nothing found!")


                if len(malware) > 0:
                    print('----------------- Malware')
                    for r in sorted(malware, key=lambda x: x["date"]):
                        print("[%s] %s %s" % (
                                r["source"],
                                r["hash"],
                                r["date"].strftime("%Y-%m-%d")
                            )
                        )
                if len(files) > 0:
                    print('----------------- Files')
                    for r in files:
                        if r['date'] != '':
                            print("[%s] %s (%s)" % (
                                    r["source"],
                                    r["hash"],
                                    r["date"].strftime("%Y-%m-%d")
                                )
                            )
                        else:
                            print("[%s] %s" % (
                                    r["source"],
                                    r["hash"],
                                )
                            )
                if len(urls) > 0:
                    print('----------------- Urls')
                    for r in sorted(urls, key=lambda x: x["date"], reverse=True):
                        print("[%s] %s - %s %s" % (
                                r["source"],
                                r["url"],
                                r["ip"],
                                r["date"].strftime("%Y-%m-%d")
                            )
                        )
                # TODO: add ASN + location info here
                if len(passive_dns) > 0:
                    print('----------------- Passive DNS')
                    for r in sorted(passive_dns, key=lambda x: x["first"], reverse=True):
                        print("[+] %-40s (%s -> %s)(%s)" % (
                                r["ip"],
                                r["first"].strftime("%Y-%m-%d"),
                                r["last"].strftime("%Y-%m-%d"),
                                r["source"]
                            )
                        )


            else:
                self.parser.print_help()
        else:
            self.parser.print_help()
Beispiel #12
0
    def run(self, conf, args, plugins):
        if 'subcommand' in args:
            if args.subcommand == 'info':
                if not is_ip(unbracket(args.IP)):
                    print("Invalid IP address")
                    sys.exit(1)
                # FIXME: move code here in a library
                ip = unbracket(args.IP)
                try:
                    ipy = IP(ip)
                except ValueError:
                    print('Invalid IP format, quitting...')
                    return
                ipinfo = self.ipinfo(ip)
                print('MaxMind: Located in %s, %s' %
                      (ipinfo['city'], ipinfo['country']))
                if ipinfo['asn'] == 0:
                    print("MaxMind: IP not found in the ASN database")
                else:
                    print('MaxMind: ASN%i, %s' %
                          (ipinfo['asn'], ipinfo['asn_name']))
                    print('CAIDA Type: %s' % ipinfo['asn_type'])
                try:
                    asndb2 = pyasn.pyasn(self.asncidr)
                    res = asndb2.lookup(ip)
                except OSError:
                    print("Configuration files are not available")
                    print("Please run harpoon update before using harpoon")
                    sys.exit(1)
                if res[1] is None:
                    print("IP not found in ASN database")
                else:
                    # Search for name
                    f = open(self.asnname, 'r')
                    found = False
                    line = f.readline()
                    name = ''
                    while not found and line != '':
                        s = line.split('|')
                        if s[0] == str(res[0]):
                            name = s[1].strip()
                            found = True
                        line = f.readline()

                    print('ASN %i - %s (range %s)' % (res[0], name, res[1]))
                if ipinfo['hostname'] != '':
                    print('Hostname: %s' % ipinfo['hostname'])
                if ipinfo['specific'] != '':
                    print("Specific: %s" % ipinfo['specific'])
                if ipy.iptype() == "PRIVATE":
                    "Private IP"
                print("")
                if ipy.version() == 4:
                    print("Censys:\t\thttps://censys.io/ipv4/%s" % ip)
                    print("Shodan:\t\thttps://www.shodan.io/host/%s" % ip)
                    print("IP Info:\thttp://ipinfo.io/%s" % ip)
                    print("BGP HE:\t\thttps://bgp.he.net/ip/%s" % ip)
                    print(
                        "IP Location:\thttps://www.iplocation.net/?query=%s" %
                        ip)
            elif args.subcommand == "intel":
                if not is_ip(unbracket(args.IP)):
                    print("Invalid IP address")
                    sys.exit(1)
                # Start with MISP and OTX to get Intelligence Reports
                print('###################### %s ###################' %
                      unbracket(args.IP))
                passive_dns = []
                urls = []
                malware = []
                files = []
                # MISP
                misp_e = plugins['misp'].test_config(conf)
                if misp_e:
                    print('[+] Downloading MISP information...')
                    server = ExpandedPyMISP(conf['Misp']['url'],
                                            conf['Misp']['key'])
                    misp_results = server.search('attributes',
                                                 value=unbracket(args.IP))
                # Binary Edge
                be_e = plugins['binaryedge'].test_config(conf)
                if be_e:
                    try:
                        print('[+] Downloading BinaryEdge information...')
                        be = BinaryEdge(conf['BinaryEdge']['key'])
                        # FIXME: this only get the first page
                        res = be.domain_ip(unbracket(args.IP))
                        for d in res["events"]:
                            passive_dns.append({
                                "domain":
                                d['domain'],
                                "first":
                                parse(d['updated_at']).astimezone(pytz.utc),
                                "last":
                                parse(d['updated_at']).astimezone(pytz.utc),
                                "source":
                                "BinaryEdge"
                            })
                    except BinaryEdgeException:
                        print(
                            'BinaryEdge request failed, you need a paid subscription'
                        )
                # OTX
                otx_e = plugins['otx'].test_config(conf)
                if otx_e:
                    print('[+] Downloading OTX information....')
                    otx = OTXv2(conf["AlienVaultOtx"]["key"])
                    res = otx.get_indicator_details_full(
                        IndicatorTypes.IPv4, unbracket(args.IP))
                    otx_pulses = res["general"]["pulse_info"]["pulses"]
                    # Get Passive DNS
                    if "passive_dns" in res:
                        for r in res["passive_dns"]["passive_dns"]:
                            passive_dns.append({
                                "domain":
                                r['hostname'],
                                "first":
                                parse(r["first"]).astimezone(pytz.utc),
                                "last":
                                parse(r["last"]).astimezone(pytz.utc),
                                "source":
                                "OTX"
                            })
                    if "url_list" in res:
                        for r in res["url_list"]["url_list"]:
                            if "result" in r:
                                urls.append({
                                    "date":
                                    parse(r["date"]).astimezone(pytz.utc),
                                    "url":
                                    r["url"],
                                    "ip":
                                    r["result"]["urlworker"]["ip"] if "ip"
                                    in r["result"]["urlworker"] else "",
                                    "source":
                                    "OTX"
                                })
                            else:
                                urls.append({
                                    "date":
                                    parse(r["date"]).astimezone(pytz.utc),
                                    "url":
                                    r["url"],
                                    "ip":
                                    "",
                                    "source":
                                    "OTX"
                                })
                # RobTex
                print('[+] Downloading Robtex information....')
                rob = Robtex()
                try:
                    res = rob.get_ip_info(unbracket(args.IP))
                except RobtexError:
                    print("Error with Robtex")
                else:
                    for d in ["pas", "pash", "act", "acth"]:
                        if d in res:
                            for a in res[d]:
                                passive_dns.append({
                                    'first':
                                    a['date'].astimezone(pytz.utc),
                                    'last':
                                    a['date'].astimezone(pytz.utc),
                                    'domain':
                                    a['o'],
                                    'source':
                                    'Robtex'
                                })

                # PT
                pt_e = plugins['pt'].test_config(conf)
                if pt_e:
                    out_pt = False
                    print('[+] Downloading Passive Total information....')
                    client = DnsRequest(conf['PassiveTotal']['username'],
                                        conf['PassiveTotal']['key'])
                    try:
                        raw_results = client.get_passive_dns(
                            query=unbracket(args.IP))
                        if "results" in raw_results:
                            for res in raw_results["results"]:
                                passive_dns.append({
                                    "first":
                                    parse(res["firstSeen"]).astimezone(
                                        pytz.utc),
                                    "last":
                                    parse(res["lastSeen"]).astimezone(
                                        pytz.utc),
                                    "domain":
                                    res["resolve"],
                                    "source":
                                    "PT"
                                })
                        if "message" in raw_results:
                            if "quota_exceeded" in raw_results["message"]:
                                print("Quota exceeded for Passive Total")
                                out_pt = True
                                pt_osint = {}
                    except requests.exceptions.ReadTimeout:
                        print("Timeout on Passive Total requests")
                    if not out_pt:
                        try:
                            client2 = EnrichmentRequest(
                                conf["PassiveTotal"]["username"],
                                conf["PassiveTotal"]['key'])
                            # Get OSINT
                            # TODO: add PT projects here
                            pt_osint = client2.get_osint(
                                query=unbracket(args.IP))
                            # Get malware
                            raw_results = client2.get_malware(
                                query=unbracket(args.IP))
                            if "results" in raw_results:
                                for r in raw_results["results"]:
                                    malware.append({
                                        'hash':
                                        r["sample"],
                                        'date':
                                        parse(r['collectionDate']),
                                        'source':
                                        'PT (%s)' % r["source"]
                                    })
                        except requests.exceptions.ReadTimeout:
                            print("Timeout on Passive Total requests")
                # Urlhaus
                uh_e = plugins['urlhaus'].test_config(conf)
                if uh_e:
                    print("[+] Checking urlhaus data...")
                    try:
                        urlhaus = UrlHaus(conf["UrlHaus"]["key"])
                        res = urlhaus.get_host(unbracket(args.IP))
                    except UrlHausError:
                        print("Error with the query")
                    else:
                        if "urls" in res:
                            for r in res['urls']:
                                urls.append({
                                    "date":
                                    parse(r["date_added"]).astimezone(
                                        pytz.utc),
                                    "url":
                                    r["url"],
                                    "source":
                                    "UrlHaus"
                                })
                # VT
                vt_e = plugins['vt'].test_config(conf)
                if vt_e:
                    if conf["VirusTotal"]["type"] != "public":
                        print('[+] Downloading VT information....')
                        vt = PrivateApi(conf["VirusTotal"]["key"])
                        res = vt.get_ip_report(unbracket(args.IP))
                        if "results" in res:
                            if "resolutions" in res['results']:
                                for r in res["results"]["resolutions"]:
                                    passive_dns.append({
                                        "first":
                                        parse(r["last_resolved"]).astimezone(
                                            pytz.utc),
                                        "last":
                                        parse(r["last_resolved"]).astimezone(
                                            pytz.utc),
                                        "domain":
                                        r["hostname"],
                                        "source":
                                        "VT"
                                    })
                            if "undetected_downloaded_samples" in res[
                                    'results']:
                                for r in res['results'][
                                        'undetected_downloaded_samples']:
                                    files.append({
                                        'hash': r['sha256'],
                                        'date': parse(r['date']),
                                        'source': 'VT'
                                    })
                            if "undetected_referrer_samples" in res['results']:
                                for r in res['results'][
                                        'undetected_referrer_samples']:
                                    if 'date' in r:
                                        files.append({
                                            'hash': r['sha256'],
                                            'date': parse(r['date']),
                                            'source': 'VT'
                                        })
                                    else:
                                        #FIXME : should consider data without dates
                                        files.append({
                                            'hash':
                                            r['sha256'],
                                            'date':
                                            datetime.datetime(1970, 1, 1),
                                            'source':
                                            'VT'
                                        })
                            if "detected_downloaded_samples" in res['results']:
                                for r in res['results'][
                                        'detected_downloaded_samples']:
                                    malware.append({
                                        'hash': r['sha256'],
                                        'date': parse(r['date']),
                                        'source': 'VT'
                                    })
                            if "detected_referrer_samples" in res['results']:
                                for r in res['results'][
                                        'detected_referrer_samples']:
                                    if "date" in r:
                                        malware.append({
                                            'hash': r['sha256'],
                                            'date': parse(r['date']),
                                            'source': 'VT'
                                        })
                    else:
                        vt_e = False

                print('[+] Downloading GreyNoise information....')
                gn = GreyNoise()
                try:
                    greynoise = gn.query_ip(unbracket(args.IP))
                except GreyNoiseError:
                    greynoise = []

                tg_e = plugins['threatgrid'].test_config(conf)
                if tg_e:
                    print('[+] Downloading Threat Grid....')
                    try:
                        tg = ThreatGrid(conf['ThreatGrid']['key'])
                        res = tg.search_samples(unbracket(args.IP), type='ip')
                        already = []
                        if 'items' in res:
                            for r in res['items']:
                                if r['sample_sha256'] not in already:
                                    d = parse(r['ts'])
                                    d = d.replace(tzinfo=None)
                                    malware.append({
                                        'hash': r["sample_sha256"],
                                        'date': d,
                                        'source': 'TG'
                                    })
                                    already.append(r['sample_sha256'])
                    except ThreatGridError as e:
                        print("Error with threat grid: {}".format(e.message))

                # ThreatMiner
                print('[+] Downloading ThreatMiner....')
                tm = ThreatMiner()
                response = tm.get_report(unbracket(args.IP))
                if response['status_code'] == '200':
                    tmm = response['results']
                else:
                    tmm = []
                    if response['status_code'] != '404':
                        print("Request to ThreatMiner failed: {}".format(
                            response['status_message']))
                response = tm.get_related_samples(unbracket(args.IP))
                if response['status_code'] == '200':
                    for r in response['results']:
                        malware.append({
                            'hash': r,
                            'date': None,
                            'source': 'ThreatMiner'
                        })

                print('----------------- Intelligence Report')
                ctor = CommandTor()
                tor_list = ctor.get_list()
                if tor_list:
                    if unbracket(args.IP) in tor_list:
                        print("{} is a Tor Exit node".format(unbracket(
                            args.IP)))
                else:
                    print("Impossible to reach the Tor Exit Node list")
                if otx_e:
                    if len(otx_pulses):
                        print('OTX:')
                        for p in otx_pulses:
                            print('- %s (%s - %s)' %
                                  (p['name'], p['created'][:10],
                                   "https://otx.alienvault.com/pulse/" +
                                   p['id']))
                    else:
                        print('OTX: Not found in any pulse')
                if misp_e:
                    if len(misp_results['Attribute']) > 0:
                        print('MISP:')
                        for event in misp_results['Attribute']:
                            print("- {} - {}".format(event['Event']['id'],
                                                     event['Event']['info']))
                if len(greynoise) > 0:
                    print("GreyNoise: IP identified as")
                    for r in greynoise:
                        print("\t%s (%s -> %s)" %
                              (r["name"], r["first_seen"], r["last_updated"]))
                else:
                    print("GreyNoise: Not found")
                if pt_e:
                    if "results" in pt_osint:
                        if len(pt_osint["results"]):
                            if len(pt_osint["results"]) == 1:
                                if "name" in pt_osint["results"][0]:
                                    print(
                                        "PT: %s %s" %
                                        (pt_osint["results"][0]["name"],
                                         pt_osint["results"][0]["sourceUrl"]))
                                else:
                                    print("PT: %s" %
                                          pt_osint["results"][0]["sourceUrl"])
                            else:
                                print("PT:")
                                for r in pt_osint["results"]:
                                    if "name" in r:
                                        print("-%s %s" %
                                              (r["name"], r["sourceUrl"]))
                                    else:
                                        print("-%s" % r["sourceUrl"])
                        else:
                            print("PT: Nothing found!")
                    else:
                        print("PT: Nothing found!")
                # ThreatMiner
                if len(tmm) > 0:
                    print("ThreatMiner:")
                    for r in tmm:
                        print("- {} {} - {}".format(r['year'], r['filename'],
                                                    r['URL']))

                if len(malware) > 0:
                    print('----------------- Malware')
                    for r in malware:
                        print("[%s] %s %s" % (r["source"], r["hash"],
                                              r["date"].strftime("%Y-%m-%d")
                                              if r["date"] else ""))
                if len(files) > 0:
                    print('----------------- Files')
                    for r in sorted(files, key=lambda x: x["date"]):
                        print("[%s] %s %s" % (r["source"], r["hash"],
                                              r["date"].strftime("%Y-%m-%d")))
                if len(passive_dns) > 0:
                    print('----------------- Passive DNS')
                    for r in sorted(passive_dns,
                                    key=lambda x: x["first"],
                                    reverse=True):
                        print("[+] %-40s (%s -> %s)(%s)" %
                              (r["domain"], r["first"].strftime("%Y-%m-%d"),
                               r["last"].strftime("%Y-%m-%d"), r["source"]))
                if len(urls) > 0:
                    print('----------------- Urls')
                    for r in sorted(urls,
                                    key=lambda x: x["date"],
                                    reverse=True):
                        print("[%s] %s - %s" %
                              (r["source"], r["url"],
                               r["date"].strftime("%Y-%m-%d")))
            else:
                self.parser.print_help()
        else:
            self.parser.print_help()
Beispiel #13
0
def get_config():
    conf_file = os.path.join(os.path.expanduser("~"),
                             ".config/passivetotal/api_config.json")
    if os.path.isfile(conf_file):
        with open(conf_file, 'r') as f:
            conf = json.loads(f.read())
    else:
        print('No config file')
        sys.exit(1)
    return conf


if __name__ == '__main__':
    parser = argparse.ArgumentParser(
        description='Extract all domains from an IP address')
    parser.add_argument('IP', help='an IP address')
    args = parser.parse_args()

    conf = get_config()

    client = DnsRequest(conf['username'], conf['api_key'])
    raw_results = client.get_passive_dns(query=args.IP)
    print("{} domains identified".format(len(raw_results["results"])))

    csvout = open("csv.out", "w+")
    csvout.write("Domain,First,Last,Type\n")
    for r in raw_results["results"]:
        csvout.write("{},{},{},{}\n".format(r['resolve'], r['firstSeen'],
                                            r['lastSeen'], r['recordType']))
    print("extracted in csv.out")
Beispiel #14
0
    def run(self):
        data = self.get_data()

        try:
            # enrichment service
            if self.service == 'enrichment':
                enrichment_request = EnrichmentRequest(username=self.username,
                                                       api_key=self.api_key)
                result = enrichment_request.get_enrichment(query=data)
                self.report(result)

            # malware service
            elif self.service == 'malware':
                enrichment_request = EnrichmentRequest(username=self.username,
                                                       api_key=self.api_key)
                result = enrichment_request.get_malware(query=data)
                self.report(result)

            # osint service
            elif self.service == 'osint':
                enrichment_request = EnrichmentRequest(username=self.username,
                                                       api_key=self.api_key)
                result = enrichment_request.get_osint(query=data)
                self.report(result)

            # passive dns service
            elif self.service == 'passive_dns':
                dns_request = DnsRequest(username=self.username,
                                         api_key=self.api_key)
                result = dns_request.get_passive_dns(query=data)
                self.report(result)

            # ssl certificate details service
            elif self.service == 'ssl_certificate_details':
                ssl_request = SslRequest(username=self.username,
                                         api_key=self.api_key)
                result = ssl_request.get_ssl_certificate_details(query=data)
                self.report(result)

            # ssl certificate history service
            elif self.service == 'ssl_certificate_history':
                ssl_request = SslRequest(username=self.username,
                                         api_key=self.api_key)
                result = ssl_request.get_ssl_certificate_history(query=data)
                print(len(result['results']))
                if len(result['results']
                       ) == 1 and result['results'][0]['ipAddresses'] == 'N/A':
                    print("ok")
                    self.report({'results': []})
                else:
                    self.report(result)

            # unique resolutions service
            elif self.service == 'unique_resolutions':
                dns_request = DnsRequest(username=self.username,
                                         api_key=self.api_key)
                result = dns_request.get_unique_resolutions(query=data)
                self.report(result)

            # whois details service
            elif self.service == 'whois_details':
                whois_request = WhoisRequest(username=self.username,
                                             api_key=self.api_key)
                result = whois_request.get_whois_details(query=data)
                self.report(result)

            # components service
            elif self.service == 'components':
                host_attr_request = HostAttributeRequest(
                    username=self.username, api_key=self.api_key)
                result = host_attr_request.get_components(query=data)
                self.report(result)

            # trackers service
            elif self.service == 'trackers':
                host_attr_request = HostAttributeRequest(
                    username=self.username, api_key=self.api_key)
                result = host_attr_request.get_trackers(query=data)
                self.report(result)

            # host pairs service
            elif self.service == 'host_pairs':
                host_attr_request = HostAttributeRequest(
                    username=self.username, api_key=self.api_key)
                result = host_attr_request.get_host_pairs(query=data,
                                                          direction='parents')
                children = host_attr_request.get_host_pairs(
                    query=data, direction='children')
                result['totalRecords'] += children['totalRecords']
                result['results'] = result['results'] + children['results']
                self.report(result)

            else:
                self.error('Unknown PassiveTotal service')

        except Exception as e:
            self.unexpectedError(e)