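    def threatcrowd(self, elastic_output):
        """Look up ``self.domain`` in the ThreatCrowd domain report.

        Prints the community reputation derived from ``votes`` and the first
        three resolutions that carry a real IP address, then persists the raw
        report with ``tools.json_output`` (and ``tools.elast`` when asked).

        Args:
            elastic_output: truthy to also index the raw report through
                ``tools.elast('threatcrowd', 'domain', ...)``.

        Returns:
            dict mapping each printed ``ip_address`` to its ``last_resolved``
            value, or ``False`` when ThreatCrowd reports ``response_code`` 0.

        Raises:
            requests.RequestException: network failure or the request timeout.
            ValueError: the response body is not JSON.
        """
        output = {}
        # Hand the domain to ``params`` so requests URL-encodes it instead of
        # splicing it into the query string; the timeout keeps a hung
        # connection from stalling the whole run (30 s is an arbitrary bound).
        req_threatcrowd = requests.get(
            "https://www.threatcrowd.org/searchApi/v2/domain/report/",
            params={"domain": self.domain},
            timeout=30,
        )
        json_threatcrowd = json.loads(req_threatcrowd.content)
        # The IP variant of this lookup compares response_code against the
        # int 0 while this one compared against "0"; normalising through
        # str() accepts either encoding.
        if str(json_threatcrowd.get('response_code')) == "0":
            return False

        print("--------------------Threatcrowd module------------------------")
        votes = json_threatcrowd.get('votes', 0)
        if votes < 0:
            trust = "non-trusted"
        elif votes > 0:
            trust = "trusted"
        else:
            trust = "no opinion"
        print("Reputation of " + self.domain + ": " + trust)

        print("[*] Domain was resolved to following IPs: ")
        resolutions = json_threatcrowd.get('resolutions', [])
        for index, resolution in enumerate(resolutions):
            if index == 3:  # report at most the first three entries
                break
            ip_address = resolution.get('ip_address', '')
            if len(ip_address) > 1:
                print(bcolors.HEADER + ip_address + bcolors.ENDC)
                output[ip_address] = resolution.get("last_resolved")
            else:
                # ThreatCrowd sends "-" when it has no address for an entry;
                # drop the placeholder so it is not persisted below.
                resolution.pop('ip_address', None)

        # output = {ip: last_resolved}
        if elastic_output:
            tools.elast('threatcrowd', 'domain', json_threatcrowd)

        tools.json_output(self.domain, "/threatcrowd", json_threatcrowd)

        return output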
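    def geolocation(self, elastic_output):
        """Geolocate ``self.ip_address`` with the extreme-ip-lookup JSON API.

        Prints the business name (when present) and country/city/region,
        persists the full response with ``tools.json_output`` and returns the
        two response items taken as coordinates.

        Args:
            elastic_output: truthy to also index the coordinates through
                ``tools.elast('coordinates', 'ip', ...)``.

        Returns:
            dict built from items 9 and 10 of the response object, in the
            order the provider sent them.

        Raises:
            requests.RequestException: network failure or the request timeout.
            ValueError: the response body is not JSON.
        """
        print("-------------Geolocation module---------------------")
        # NOTE(review): ``self.ip_address`` goes into the URL path unencoded;
        # this assumes the caller already validated it as an IP literal.
        # The timeout keeps a stalled provider from blocking the run
        # (30 s is an arbitrary bound).
        req_geolocation = requests.get(
            "https://extreme-ip-lookup.com/json/" + self.ip_address,
            timeout=30)
        json_geolocation = json.loads(req_geolocation.content)

        try:
            business_name = json_geolocation['businessName']

            if business_name:
                print(bcolors.HEADER + self.ip_address + bcolors.ENDC +
                      " belongs to " + bcolors.OKGREEN + business_name)
            else:
                print("No business name for that IP")
            print("It is from " + bcolors.OKGREEN +
                  json_geolocation['country'] + ", " +
                  json_geolocation['city'] + ", " +
                  json_geolocation['region'] + bcolors.ENDC)
        except KeyError:
            print(bcolors.FAIL + "Error" + bcolors.ENDC)

        # NOTE(review): the coordinates are selected by position (items 9-10)
        # rather than by key name, so they silently shift if the provider
        # reorders or adds fields; pin explicit key names once confirmed
        # against a live response.
        coordinates = dict(list(islice(json_geolocation.items(), 9, 11)))
        if elastic_output:
            tools.elast('coordinates', 'ip', coordinates)

        tools.json_output(self.ip_address, "/geolocation", json_geolocation)

        return coordinates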
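    def whois_history(self, key, elastic_output):
        """Fetch the Whoxy WHOIS history for ``self.domain``.

        Prints every historical record (creation date, registrar, registrant
        contact and name servers), persists the raw response with
        ``tools.json_output`` and returns a summary keyed by record index.

        Args:
            key: Whoxy API key. Whoxy takes it as a query parameter, so it is
                part of the request URL; never log that URL.
            elastic_output: truthy to also index the raw response through
                ``tools.elast('history', 'domain', ...)``.

        Returns:
            ``{index: {'create_date', 'contact', 'dns', 'domain_name'}}`` for
            every record that carried all four fields, or ``False`` when Whoxy
            reports ``status`` 0 or zero records.

        Raises:
            requests.RequestException: network failure or the request timeout.
            ValueError: the response body is not JSON.
        """
        print("-------------------WhoIs history module---------------------")
        # Always HTTPS: the sibling whois() already uses it, and over plain
        # HTTP the API key travels in cleartext.  ``params`` URL-encodes the
        # values instead of splicing them into the query string by hand;
        # the timeout bounds a hung connection (30 s is an arbitrary bound).
        req_whois_history = requests.get(
            "https://api.whoxy.com/",
            params={"key": key, "history": self.domain},
            timeout=30)
        json_whois_history = json.loads(req_whois_history.content)

        output = {}

        if json_whois_history.get('status') == 0:
            print("Whois Retrieval Failed")
            return False

        total_records = json_whois_history.get('total_records_found', 0)
        print("[*] Found " + bcolors.OKGREEN + str(total_records) +
              bcolors.ENDC + " result(s)")

        if total_records <= 0:
            # Previously a bare string expression, i.e. nothing was printed.
            print("No records found")
            return False

        records = json_whois_history.get('whois_records', [])
        for index, record in enumerate(records):
            try:
                print("[*] Domain " + bcolors.HEADER + self.domain +
                      bcolors.ENDC + " was registered on " +
                      record['create_date'] + " in " +
                      record['domain_registrar']['registrar_name'])
                summary = {
                    'create_date': record['create_date'],
                    'contact': record['registrant_contact'],
                    'dns': record['name_servers'],
                    'domain_name': record['domain_name'],
                }

                print("[*] Contact: ")
                for field in record['registrant_contact']:
                    print(bcolors.OKBLUE + record['registrant_contact'][field] +
                          bcolors.ENDC)

                print("[*] Name servers:")
                for name_server in record["name_servers"]:
                    print(bcolors.OKBLUE + name_server + bcolors.ENDC)

            except KeyError as e:
                # e.args[0] is the missing key (``e.message`` was Python 2 only).
                print(bcolors.FAIL + "No information found about " +
                      str(e.args[0]) + bcolors.ENDC)
            else:
                # Only complete records are kept, so consumers never see a
                # partially filled entry.
                output[index] = summary

            print("---")

        # output = { index: {create_date : xxx, contact : {xxx : xxx}, dns : [xxx], domain_name: xxx}
        tools.json_output(self.domain, "/whois_history", json_whois_history)

        if elastic_output:
            tools.elast('history', 'domain', json_whois_history)

        return output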
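    def virustotal(self, key, elastic_output):
        """Query the VirusTotal v2 IP report for ``self.ip_address``.

        Prints up to three URLs VirusTotal flagged on the address and its
        three most recent hostname resolutions, persists the sorted
        resolutions with ``tools.json_output`` and returns what was printed.

        Args:
            key: VirusTotal API key. The v2 API takes it as a query
                parameter, so it is part of the request URL; never log it.
            elastic_output: truthy to also index the raw report through
                ``tools.elast('virustotal_ip', 'ip', ...)``.

        Returns:
            ``{ip_address: {'detected': {url: scan_date},
            'hostname': {hostname: last_resolved}}}``, or ``False`` when the
            report has no usable body or no ``detected_urls``.

        Raises:
            SystemExit: on HTTP 403 (rejected API key), as before.
            requests.RequestException: network failure or the request timeout.
            ValueError: the response body is not JSON.
        """
        output = {self.ip_address: {'detected': {}, 'hostname': {}}}
        print("----------------VirusTotal module---------------------------")

        # ``params`` URL-encodes the values; the timeout bounds a hung
        # connection (30 s is an arbitrary bound).
        url = "https://www.virustotal.com/vtapi/v2/ip-address/report"
        params = {"apikey": key, "ip": self.ip_address}
        req_virustotal = requests.get(url, params=params, timeout=30)

        if req_virustotal.status_code == 204:
            # 204 is the public-API rate limit; wait out the window and retry
            # once.
            print("API limit, putting into sleep for 70 sec")
            time.sleep(70)
            req_virustotal = requests.get(url, params=params, timeout=30)

        if req_virustotal.status_code == 403:
            print("Wrong API key, no more info can be gathered")
            sys.exit()

        # A second 204 (or any other non-200) carries an empty body; bail out
        # instead of letting json.loads raise on it.
        if req_virustotal.status_code != 200 or not req_virustotal.content:
            print("Nothing found")
            return False

        json_virustotal = json.loads(req_virustotal.content)

        print("[*] Following url(s) was/were hosted on ip " + bcolors.HEADER +
              self.ip_address + bcolors.ENDC + ' and consider as dangerous: ')

        try:
            # Only the first three flagged URLs are reported.
            for entry in json_virustotal['detected_urls'][:3]:
                output[self.ip_address]['detected'][entry['url']] = entry['scan_date']
                print(entry['url'] + " on " + bcolors.OKGREEN +
                      entry['scan_date'] + bcolors.ENDC)
        except KeyError:
            print("Nothing found")
            return False

        # Newest first; a missing last_resolved sorts last instead of raising.
        sorted_json_virustotal = sorted(
            json_virustotal.get('resolutions', []),
            key=lambda resolution: resolution.get('last_resolved', ''),
            reverse=True)
        print("[*] Newest resolution from VirusTotal")
        for resolution in sorted_json_virustotal[:3]:
            print(bcolors.HEADER + self.ip_address + bcolors.ENDC +
                  " was resolved to " + bcolors.OKGREEN +
                  resolution['hostname'] + bcolors.ENDC + " on " +
                  bcolors.OKGREEN + resolution['last_resolved'] + bcolors.ENDC)
            output[self.ip_address]['hostname'][resolution['hostname']] = \
                resolution['last_resolved']

        # output = {self.ip : { detected {url:scan_date}, hostname : {xxx.xxx.xxx.xxx: xxxx-xx-xx}}

        if elastic_output:
            tools.elast('virustotal_ip', 'ip', json_virustotal)

        tools.json_output(self.ip_address, "/virustotal", sorted_json_virustotal)

        return output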
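    def whois(self, key, elastic_output):
        """Fetch the current Whoxy WHOIS record for ``self.domain``.

        Prints the registration date, registrar, name servers and registrant
        contact, persists the raw response with ``tools.json_output`` and
        returns a summary keyed by the domain.

        Args:
            key: Whoxy API key. Whoxy takes it as a query parameter, so it is
                part of the request URL; never log that URL.
            elastic_output: truthy to also index the raw response through
                ``tools.elast('whois', 'domain', ...)``.

        Returns:
            ``{domain: {'create_date', 'contact', 'dns', 'domain_name'}}``;
            the inner dict stays empty when the lookup failed, the domain is
            not registered, or a field was missing.

        Raises:
            requests.RequestException: network failure or the request timeout.
            ValueError: the response body is not JSON.
        """
        print("-------------------WhoIs module---------------------")
        # ``params`` URL-encodes the values; the timeout bounds a hung
        # connection (30 s is an arbitrary bound).
        req_whois = requests.get(
            "https://api.whoxy.com/",
            params={"key": key, "whois": self.domain},
            timeout=30)
        json_whois = json.loads(req_whois.content)

        output = {self.domain: {}}

        if json_whois.get('status') == 0:
            # Previously the parsing below still ran on the failed response
            # and reported a spurious missing field.
            print(bcolors.FAIL + "Whois Retrieval Failed" + bcolors.ENDC)
        else:
            try:
                if json_whois['domain_registered'] != 'no':

                    print("[*] Domain " + bcolors.HEADER +
                          json_whois['domain_name'] + bcolors.ENDC +
                          " was registered on " + bcolors.OKGREEN +
                          json_whois['create_date'] + bcolors.ENDC + " in " +
                          json_whois['domain_registrar']['registrar_name'])
                    print("[*] Name servers")

                    output[self.domain]['create_date'] = json_whois['create_date']

                    for name_server in json_whois['name_servers']:
                        print(bcolors.OKBLUE + name_server + bcolors.ENDC)

                    output[self.domain]['contact'] = json_whois['registrant_contact']
                    output[self.domain]['dns'] = json_whois['name_servers']
                    output[self.domain]['domain_name'] = json_whois['domain_name']

                    print("[*] Contact: ")

                    for field in json_whois['registrant_contact']:
                        print(bcolors.OKBLUE +
                              json_whois['registrant_contact'][field] +
                              bcolors.ENDC)
                else:
                    # Space added: the message previously ran into the domain.
                    print(bcolors.FAIL + "No match for domain " + self.domain +
                          bcolors.ENDC)

            except KeyError as e:
                # e.args[0] is the missing key (``e.message`` was Python 2 only).
                print(bcolors.FAIL + "No information found about " +
                      str(e.args[0]) + bcolors.ENDC)

        # output = {self.domain : {create_date: xxx, name_servers : [xxxxxx], contact : {x:x}}
        if elastic_output:
            tools.elast('whois', 'domain', json_whois)
        tools.json_output(self.domain, "/whois", json_whois)

        return output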
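    def threatcrowd_ip(self, elastic_output):
        """Look up ``self.ip_address`` in the ThreatCrowd IP report.

        Prints the three most recent domain resolutions and the community
        reputation derived from ``votes``, persists the raw report with
        ``tools.json_output`` and returns it.

        Args:
            elastic_output: truthy to also index the raw report through
                ``tools.elast('threatcrowd_ip', 'domain', ...)``.

        Returns:
            The decoded ThreatCrowd report, or ``False`` when it reports
            ``response_code`` 0.  Unlike the sibling lookups this returns the
            raw report rather than a summary; callers depend on that shape,
            and the summary dict the old code built was never returned.

        Raises:
            requests.RequestException: network failure or the request timeout.
            ValueError: the response body is not JSON.
        """
        print("----------------ThreatCrowd module---------------------------")
        # ``params`` URL-encodes the value; the timeout bounds a hung
        # connection (30 s is an arbitrary bound).
        req_threatcrowd = requests.get(
            "https://www.threatcrowd.org/searchApi/v2/ip/report/",
            params={"ip": self.ip_address},
            timeout=30)
        json_threatcrowd = json.loads(req_threatcrowd.content)

        votes = json_threatcrowd.get('votes', 0)

        # The domain variant compares response_code against "0" while this
        # one used 0; normalising through str() accepts either encoding.
        if str(json_threatcrowd.get('response_code')) == "0":
            print("[*] " + bcolors.FAIL + "No information about " +
                  bcolors.HEADER + self.ip_address + bcolors.ENDC)
            return False
        try:
            newest_first = sorted(json_threatcrowd['resolutions'],
                                  key=lambda entry: entry['last_resolved'],
                                  reverse=True)
        except KeyError:
            newest_first = []
            print("Error")

        print("[*] Newest resolution from ThreatCrowd")
        for entry in newest_first[:3]:
            print(bcolors.HEADER + self.ip_address + bcolors.ENDC +
                  " was resolved to " + bcolors.OKGREEN + entry['domain'] +
                  bcolors.ENDC + " on " + bcolors.OKGREEN +
                  entry['last_resolved'] + bcolors.ENDC)

        if votes < 0:
            trust = bcolors.WARNING + "non-trusted" + bcolors.ENDC
        elif votes > 0:
            trust = bcolors.OKGREEN + "trusted" + bcolors.ENDC
        else:
            trust = "no opinion"
        print("Reputation of " + bcolors.HEADER + self.ip_address +
              bcolors.ENDC + ": " + trust)

        if elastic_output:
            tools.elast('threatcrowd_ip', 'domain', json_threatcrowd)
        tools.json_output(self.ip_address, "/threatcrowd", json_threatcrowd)

        return json_threatcrowd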
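    def threatcrowd_ip(self, elastic_output):
        """Look up ``self.ip_address`` in the ThreatCrowd IP report.

        Prints the three most recent domain resolutions and the community
        reputation derived from ``votes``, persists the raw report with
        ``tools.json_output`` and returns it.

        Args:
            elastic_output: truthy to also index the raw report through
                ``tools.elast('threatcrowd_ip', 'domain', ...)``.

        Returns:
            The decoded ThreatCrowd report, or ``False`` when it reports
            ``response_code`` 0.  Unlike the sibling lookups this returns the
            raw report rather than a summary; callers depend on that shape,
            and the summary dict the old code built was never returned.

        Raises:
            requests.RequestException: network failure or the request timeout.
            ValueError: the response body is not JSON.
        """
        print("----------------ThreatCrowd module---------------------------")
        # ``params`` URL-encodes the value; the timeout bounds a hung
        # connection (30 s is an arbitrary bound).
        req_threatcrowd = requests.get(
            "https://www.threatcrowd.org/searchApi/v2/ip/report/",
            params={"ip": self.ip_address},
            timeout=30)
        json_threatcrowd = json.loads(req_threatcrowd.content)

        votes = json_threatcrowd.get('votes', 0)

        # The domain variant compares response_code against "0" while this
        # one used 0; normalising through str() accepts either encoding.
        if str(json_threatcrowd.get('response_code')) == "0":
            print("[*] " + bcolors.FAIL + "No information about " +
                  bcolors.HEADER + self.ip_address + bcolors.ENDC)
            return False
        try:
            newest_first = sorted(json_threatcrowd['resolutions'],
                                  key=lambda entry: entry['last_resolved'],
                                  reverse=True)
        except KeyError:
            newest_first = []
            print("Error")

        print("[*] Newest resolution from ThreatCrowd")
        for entry in newest_first[:3]:
            print(bcolors.HEADER + self.ip_address + bcolors.ENDC +
                  " was resolved to " + bcolors.OKGREEN + entry['domain'] +
                  bcolors.ENDC + " on " + bcolors.OKGREEN +
                  entry['last_resolved'] + bcolors.ENDC)

        if votes < 0:
            trust = bcolors.WARNING + "non-trusted" + bcolors.ENDC
        elif votes > 0:
            trust = bcolors.OKGREEN + "trusted" + bcolors.ENDC
        else:
            trust = "no opinion"
        print("Reputation of " + bcolors.HEADER + self.ip_address +
              bcolors.ENDC + ": " + trust)

        if elastic_output:
            tools.elast('threatcrowd_ip', 'domain', json_threatcrowd)
        tools.json_output(self.ip_address, "/threatcrowd", json_threatcrowd)

        return json_threatcrowd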
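    def virustotal(self, key, elastic_output):
        """Query the VirusTotal v2 domain report for ``self.domain``.

        Prints up to three IP addresses the domain resolved to, persists the
        raw report with ``tools.json_output`` and returns those addresses.

        Args:
            key: VirusTotal API key. The v2 API takes it as a query
                parameter, so it is part of the request URL; never log it.
            elastic_output: truthy to also index the raw report through
                ``tools.elast('virustotal', 'domain', ...)``.

        Returns:
            ``{domain: [ip_address, ...]}`` with at most three entries; the
            list is empty when nothing was found.

        Raises:
            SystemExit: on HTTP 403 (rejected API key), as before.
            requests.RequestException: network failure or the request timeout.
            ValueError: a 200 response whose body is not JSON.
        """
        output = {self.domain: []}
        print("----------------VirusTotal module---------------------------")

        # ``params`` URL-encodes the values; the timeout bounds a hung
        # connection (30 s is an arbitrary bound).
        url = "https://www.virustotal.com/vtapi/v2/domain/report"
        params = {"apikey": key, "domain": self.domain}
        req_virustotal = requests.get(url, params=params, timeout=30)

        if req_virustotal.status_code == 204:
            # 204 is the public-API rate limit; wait out the window and retry
            # once.
            print("API limitation, putting into sleep for 70 sec")
            time.sleep(70)
            req_virustotal = requests.get(url, params=params, timeout=30)

        if req_virustotal.status_code == 403:
            print("Wrong API key, no more info can be gathered")
            sys.exit()

        # A second 204 (or any other non-200) carries an empty body; treat it
        # as an empty report instead of letting json.loads raise on it.
        if req_virustotal.status_code == 200 and req_virustotal.content:
            json_virustotal = json.loads(req_virustotal.content)
        else:
            json_virustotal = {}

        if json_virustotal.get('response_code', 0) != 0:
            print("[*] Domain was resolved to following IPs: ")
            # Only the first three resolutions are reported.
            for resolution in json_virustotal.get('resolutions', [])[:3]:
                print(bcolors.HEADER + resolution['ip_address'] + bcolors.ENDC +
                      " on " + bcolors.OKBLUE + resolution['last_resolved'] +
                      bcolors.ENDC)
                output[self.domain].append(resolution['ip_address'])
        else:
            print(bcolors.FAIL + "Nothing found" + bcolors.ENDC)

        # output = { self.domain : [xxx.xxx,zzz.zzz,yyy.yyy]
        if elastic_output:
            tools.elast('virustotal', 'domain', json_virustotal)

        tools.json_output(self.domain, "/virustotal", json_virustotal)

        return output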
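    def geolocation(self, elastic_output):
        """Geolocate ``self.ip_address`` with the extreme-ip-lookup JSON API.

        Prints the business name (when present) and country/city/region,
        persists the full response with ``tools.json_output`` and returns the
        three response items taken as coordinates.

        Args:
            elastic_output: truthy to also index the coordinates through
                ``tools.elast('coordinates', 'ip', ...)``.

        Returns:
            dict built from items 8-10 of the response object, in the order
            the provider sent them.

        Raises:
            requests.RequestException: network failure or the request timeout.
            ValueError: the response body is not JSON.
        """
        print("-------------Geolocation module---------------------")
        # NOTE(review): ``self.ip_address`` goes into the URL path unencoded;
        # this assumes the caller already validated it as an IP literal.
        # The timeout keeps a stalled provider from blocking the run
        # (30 s is an arbitrary bound).
        req_geolocation = requests.get(
            "https://extreme-ip-lookup.com/json/" + self.ip_address,
            timeout=30)
        json_geolocation = json.loads(req_geolocation.content)

        try:
            business_name = json_geolocation['businessName']

            if business_name:
                print(bcolors.HEADER + self.ip_address + bcolors.ENDC +
                      " belongs to " + bcolors.OKGREEN + business_name)
            else:
                print("No business name for that IP")
            print("It is from " + bcolors.OKGREEN + json_geolocation['country'] +
                  ", " + json_geolocation['city'] + ", " +
                  json_geolocation['region'] + bcolors.ENDC)
        except KeyError:
            print(bcolors.FAIL + "Error" + bcolors.ENDC)

        # ``dict.items()`` is not sliceable on Python 3, hence the list().
        # NOTE(review): the coordinates are selected by position (items 8-10)
        # rather than by key name, so they silently shift if the provider
        # reorders or adds fields; pin explicit key names once confirmed
        # against a live response.
        coordinates = dict(list(json_geolocation.items())[8:11])
        if elastic_output:
            tools.elast('coordinates', 'ip', coordinates)

        tools.json_output(self.ip_address, "/geolocation", json_geolocation)

        return coordinates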
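    def whoxy(self, key, elastic_output):
        """Run a Whoxy reverse-WHOIS search on ``self.email_address``.

        Prints the first three complete results (domain, creation date, name
        servers and registrant contact), persists the raw response with
        ``tools.json_output`` and returns a summary keyed by the email.

        Args:
            key: Whoxy API key. Whoxy takes it as a query parameter, so it is
                part of the request URL; never log that URL.
            elastic_output: truthy to also index the raw response through
                ``tools.elast('reverse_whois', 'email', ...)``.

        Returns:
            ``{email: {index: {'domain_name', 'create_date', 'dns',
            'contact'}}}`` with at most three complete records.  The empty
            ``{domain_name: {}}`` entry the old code left in each record
            (a leftover of an earlier keying scheme) is no longer emitted.

        Raises:
            SystemExit: when Whoxy reports ``status`` 0, as before.
            requests.RequestException: network failure or the request timeout.
            ValueError: the response body is not JSON.
        """
        print(bcolors.UNDERLINE + "------------Reverse whoxy module-----------------------" + bcolors.ENDC)
        # ``params`` URL-encodes the values (an email address contains
        # characters that must be escaped); the timeout bounds a hung
        # connection (30 s is an arbitrary bound).
        req_whoxy = requests.get(
            "https://api.whoxy.com/",
            params={"key": key, "reverse": "whois", "email": self.email_address},
            timeout=30)
        json_whoxy = json.loads(req_whoxy.content)

        output = {self.email_address: {}}

        if json_whoxy.get('status') == 0:
            print(str(json_whoxy.get('status_reason')))
            sys.exit()

        total_results = json_whoxy.get('total_results', 0)
        print("Found " + bcolors.OKGREEN + str(total_results) + bcolors.ENDC +
              " results for email: " + bcolors.HEADER + self.email_address +
              bcolors.ENDC)

        if total_results > 0:
            guard = 0  # index of the next complete record

            for result in json_whoxy.get('search_result', []):
                try:
                    print("[*] Domain " + bcolors.HEADER + result['domain_name'] +
                          bcolors.ENDC + " was registered on " + bcolors.OKGREEN +
                          result['create_date'] + bcolors.ENDC)
                    record = {
                        'domain_name': result['domain_name'],
                        'create_date': result['create_date'],
                        'dns': result['name_servers'],
                        'contact': result['registrant_contact'],
                    }
                    print("[*] Name servers:")
                    for name_server in result['name_servers']:
                        print(bcolors.OKBLUE + name_server + bcolors.ENDC)

                    print("[*] Contact: ")
                    for field in result['registrant_contact']:
                        print(bcolors.OKBLUE + result['registrant_contact'][field] +
                              bcolors.ENDC)

                except KeyError as e:
                    # Incomplete result: report it and leave ``guard`` alone
                    # so the slot goes to the next complete one (the old code
                    # stored the partial record and then overwrote it).
                    print(e)
                    print("No more info")
                    continue

                output[self.email_address][guard] = record
                guard = guard + 1

                if guard == 3:  # first three if there are 4000
                    break

        else:
            print("No records found")

        # output = { self.email :{index : {domain_name : xxx, create_date : xxx, contact : {xxx : xxx}, dns : [xxx]}}
        if elastic_output:
            tools.elast('reverse_whois', 'email', json_whoxy)
        tools.json_output(self.email_address, "/reverse_whois", json_whoxy)

        return output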
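    def virustotal(self, key, elastic_output):
        """Query the VirusTotal v2 IP report for ``self.ip_address``.

        Prints up to three URLs VirusTotal flagged on the address and its
        three most recent hostname resolutions, persists the sorted
        resolutions with ``tools.json_output`` and returns what was printed.

        Args:
            key: VirusTotal API key. The v2 API takes it as a query
                parameter, so it is part of the request URL; never log it.
            elastic_output: truthy to also index the raw report through
                ``tools.elast('virustotal_ip', 'ip', ...)``.

        Returns:
            ``{ip_address: {'detected': {url: scan_date},
            'hostname': {hostname: last_resolved}}}``, or ``False`` when the
            report has no usable body or no ``detected_urls``.

        Raises:
            SystemExit: on HTTP 403 (rejected API key), as before.
            requests.RequestException: network failure or the request timeout.
            ValueError: the response body is not JSON.
        """
        output = {self.ip_address: {'detected': {}, 'hostname': {}}}
        print("----------------VirusTotal module---------------------------")

        # ``params`` URL-encodes the values; the timeout bounds a hung
        # connection (30 s is an arbitrary bound).
        url = "https://www.virustotal.com/vtapi/v2/ip-address/report"
        params = {"apikey": key, "ip": self.ip_address}
        req_virustotal = requests.get(url, params=params, timeout=30)

        if req_virustotal.status_code == 204:
            # 204 is the public-API rate limit; wait out the window and retry
            # once.
            print("API limit, putting into sleep for 70 sec")
            time.sleep(70)
            req_virustotal = requests.get(url, params=params, timeout=30)

        if req_virustotal.status_code == 403:
            print("Wrong API key, no more info can be gathered")
            sys.exit()

        # A second 204 (or any other non-200) carries an empty body; bail out
        # instead of letting json.loads raise on it.
        if req_virustotal.status_code != 200 or not req_virustotal.content:
            print("Nothing found")
            return False

        json_virustotal = json.loads(req_virustotal.content)

        print("[*] Following url(s) was/were hosted on ip " + bcolors.HEADER +
              self.ip_address + bcolors.ENDC + ' and consider as dangerous: ')

        try:
            # Only the first three flagged URLs are reported.
            for entry in json_virustotal['detected_urls'][:3]:
                output[self.ip_address]['detected'][entry['url']] = entry['scan_date']
                print(entry['url'] + " on " + bcolors.OKGREEN +
                      entry['scan_date'] + bcolors.ENDC)
        except KeyError:
            print("Nothing found")
            return False

        # Newest first; a missing last_resolved sorts last instead of raising.
        sorted_json_virustotal = sorted(
            json_virustotal.get('resolutions', []),
            key=lambda resolution: resolution.get('last_resolved', ''),
            reverse=True)
        print("[*] Newest resolution from VirusTotal")
        for resolution in sorted_json_virustotal[:3]:
            print(bcolors.HEADER + self.ip_address + bcolors.ENDC +
                  " was resolved to " + bcolors.OKGREEN +
                  resolution['hostname'] + bcolors.ENDC + " on " +
                  bcolors.OKGREEN + resolution['last_resolved'] + bcolors.ENDC)
            output[self.ip_address]['hostname'][resolution['hostname']] = \
                resolution['last_resolved']

        # output = {self.ip : { detected {url:scan_date}, hostname : {xxx.xxx.xxx.xxx: xxxx-xx-xx}}

        if elastic_output:
            tools.elast('virustotal_ip', 'ip', json_virustotal)

        tools.json_output(self.ip_address, "/virustotal",
                          sorted_json_virustotal)

        return output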
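    def whoxy(self, key, elastic_output):
        """Run a Whoxy reverse-WHOIS search on ``self.email_address``.

        Prints the first three complete results (domain, creation date, name
        servers and registrant contact), persists the raw response with
        ``tools.json_output`` and returns a summary keyed by the email.

        Args:
            key: Whoxy API key. Whoxy takes it as a query parameter, so it is
                part of the request URL; never log that URL.
            elastic_output: truthy to also index the raw response through
                ``tools.elast('reverse_whois', 'email', ...)``.

        Returns:
            ``{email: {index: {'domain_name', 'create_date', 'dns',
            'contact'}}}`` with at most three complete records.  The empty
            ``{domain_name: {}}`` entry the old code left in each record
            (a leftover of an earlier keying scheme) is no longer emitted.

        Raises:
            SystemExit: when Whoxy reports ``status`` 0, as before.
            requests.RequestException: network failure or the request timeout.
            ValueError: the response body is not JSON.
        """
        print(bcolors.UNDERLINE + "------------Reverse whoxy module-----------------------" + bcolors.ENDC)
        # ``params`` URL-encodes the values (an email address contains
        # characters that must be escaped); the timeout bounds a hung
        # connection (30 s is an arbitrary bound).
        req_whoxy = requests.get(
            "https://api.whoxy.com/",
            params={"key": key, "reverse": "whois", "email": self.email_address},
            timeout=30)
        json_whoxy = json.loads(req_whoxy.content)

        output = {self.email_address: {}}

        if json_whoxy.get('status') == 0:
            print(str(json_whoxy.get('status_reason')))
            sys.exit()

        total_results = json_whoxy.get('total_results', 0)
        print("Found " + bcolors.OKGREEN + str(total_results) + bcolors.ENDC +
              " results for email: " + bcolors.HEADER + self.email_address +
              bcolors.ENDC)

        if total_results > 0:
            guard = 0  # index of the next complete record

            for result in json_whoxy.get('search_result', []):
                try:
                    print("[*] Domain " + bcolors.HEADER + result['domain_name'] +
                          bcolors.ENDC + " was registered on " + bcolors.OKGREEN +
                          result['create_date'] + bcolors.ENDC)
                    record = {
                        'domain_name': result['domain_name'],
                        'create_date': result['create_date'],
                        'dns': result['name_servers'],
                        'contact': result['registrant_contact'],
                    }
                    print("[*] Name servers:")
                    for name_server in result['name_servers']:
                        print(bcolors.OKBLUE + name_server + bcolors.ENDC)

                    print("[*] Contact: ")
                    for field in result['registrant_contact']:
                        print(bcolors.OKBLUE + result['registrant_contact'][field] +
                              bcolors.ENDC)

                except KeyError as e:
                    # Incomplete result: report it and leave ``guard`` alone
                    # so the slot goes to the next complete one (the old code
                    # stored the partial record and then overwrote it).
                    print(e)
                    print("No more info")
                    continue

                output[self.email_address][guard] = record
                guard = guard + 1

                if guard == 3:  # first three if there are 4000
                    break

        else:
            print("No records found")

        # output = { self.email :{index : {domain_name : xxx, create_date : xxx, contact : {xxx : xxx}, dns : [xxx]}}
        if elastic_output:
            tools.elast('reverse_whois', 'email', json_whoxy)
        tools.json_output(self.email_address, "/reverse_whois", json_whoxy)

        return output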