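def fqdn(self):
    """Query the VirusTotal v2 domain report for this artifact.

    Stores the raw report under ``self.artifact['data']['virustotal']`` and
    appends one ``host``/``ipv4`` child per resolution whose IP address
    ``detect_type`` classifies as a host. Failures are logged as a warning
    (matching the sibling ``ip`` module) instead of being swallowed by a
    bare ``except: pass``, which hid network, JSON and key errors alike.
    """
    parameters = {'domain': self.artifact['name'], 'apikey': self.api_key}
    url = 'https://www.virustotal.com/vtapi/v2/domain/report'
    try:
        status, response = get(url, params=parameters)
        if not status:
            return
        data = response.json()
        # response_code 1 means VirusTotal holds a report for this domain
        if data.get('response_code') != 1:
            return
        self.artifact['data']['virustotal'] = data
        # 'resolutions' may be absent from a report; treat that as "none"
        for host in data.get('resolutions') or []:
            address = host.get('ip_address')
            if address and detect_type(address) == 'host':
                self.artifact['children'].append({
                    'name': address,
                    'type': 'host',
                    'subtype': 'ipv4',
                    'source': 'VirusTotal'
                })
    except Exception as err:
        warning('Caught exception in module (%s)' % str(err))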
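def machine(self, session, artifact):
    """Run every module registered for the artifact's type or subtype.

    Args:
        session: current session, consulted by ``lookup_key`` so that
            ``artifact`` may be a session key instead of a name.
        artifact: artifact name (or session key) to process.

    The artifact must already exist in the database. Each module result is
    written back to the artifact document; children reported by a module are
    inserted as new artifacts unless one with that name already exists.
    Returns None; progress is reported through the logging helpers.
    """
    is_key, value = lookup_key(session, artifact)
    if is_key and value is None:
        error('Unable to find artifact key in session (%s)' % artifact)
        return
    if is_key:
        artifact = value
    artifact_name = artifact
    artifact_type = detect_type(artifact)
    artifact = self.db.find(artifact_type, {'name': artifact}, one=True)
    if artifact is None:
        # find() yields nothing for unknown artifacts; without this guard the
        # subscripts below raised TypeError on None
        warning('Unable to find artifact in database (%s)' % artifact_name)
        return
    # A later matching key overrides an earlier one, preserving the original
    # iteration order semantics when both type and subtype are registered.
    modules = None
    for key in self.modules:
        if key in (artifact['type'], artifact['subtype']):
            modules = self.modules[key]
    if modules is None:
        # previously `modules` was left unbound here -> UnboundLocalError
        warning('No modules registered for artifact (%s)' % artifact['name'])
        return
    results = []
    for m in modules:
        result = self.run(m, artifact)
        if m not in result['data']:
            warning('Failed to get module results (%s)' % m)
            continue
        if result['data'][m] is None:
            warning('No results found (%s)' % m)
            continue
        if self.db.exists(artifact['type'], {'name': artifact['name']}):
            for child in result['children']:
                child_artifact = create_artifact(
                    child['name'],
                    parent=artifact['name'],
                    _type=child['type'],
                    source=child['source'],
                    subtype=child['subtype'])
                if not self.db.exists(child['type'], {'name': child['name']}):
                    self.db.insert_one(child['type'], child_artifact)
            self.db.update_one(artifact['type'], {'name': artifact['name']}, result)
            if result['children']:
                info('Created child artifacts: %d' % len(result['children']))
        # collected for parity with the original; not returned
        results.append({'[%s]' % m: result['data'][m]})
    success('Machine completed')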
def create_artifact(artifact_name, _type=None, source=None, subtype=None, parent=None):
    """Build an ``Artifact`` for ``artifact_name``.

    The type is ``_type`` when supplied, otherwise the result of
    ``detect_type``. Returns None (after logging a warning) when that type is
    not listed in ``artifact_types``; otherwise the new Artifact, with
    ``parent`` assigned when one is given.
    """
    resolved_type = detect_type(artifact_name) if _type is None else _type
    if resolved_type not in artifact_types:
        warning(
            'Artifact must be one of: email, ipv4, fqdn, user, hash, bitcoin address'
        )
        return None
    new_artifact = Artifact(
        name=artifact_name,
        type=resolved_type,
        subtype=subtype,
        source=source)
    if parent is not None:
        new_artifact.parent = parent
    return new_artifact
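def ip(self):
    """Fetch ThreatMiner passive-DNS results (rt=2) for this IP artifact.

    On success stores ``{'passivedns': [...]}`` under
    ``self.artifact['data']['threatminer']`` and appends one ``host``/``fqdn``
    child per passive-DNS entry whose domain ``detect_type`` classifies as a
    host. Errors are logged as a warning.
    """
    url = 'https://api.threatminer.org/v2/host.php'
    # Pass the artifact name as a query parameter so it is URL-encoded rather
    # than interpolated raw into the URL string.
    parameters = {'q': self.artifact['name'], 'rt': '2'}
    # check for passive DNS results
    try:
        status, response = get(url, params=parameters)
        if not status:
            return
        data = response.json()
        # The original compared the *literal* 'status_message' with
        # 'Results found.', which is never true, so results were never stored.
        if (str(data.get('status_code')) == '200'
                and data.get('status_message') == 'Results found.'):
            results = data.get('results') or []
            self.artifact['data']['threatminer'] = {'passivedns': results}
            # check for potential children artifacts
            for entry in results:
                domain = entry.get('domain')
                if domain and detect_type(domain) == 'host':
                    self.artifact['children'].append({
                        'name': domain,
                        'type': 'host',
                        'subtype': 'fqdn',
                        'source': 'threatminer'
                    })
    except Exception as err:
        warning('Caught exception in module (%s)' % str(err))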
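def run(self):
    """Resolve A/AAAA/CNAME/NS/MX/TXT records for the artifact's domain.

    Each record type is stored under ``self.artifact['data']['dnsresolve']``
    ('Not Found' is the placeholder that ``get_record`` results replace).
    Every resolved value -- a single string or a list of entries -- that
    ``detect_type`` classifies as a host becomes a ``host`` child artifact.
    """
    domain = self.artifact['name']
    record_types = ('A', 'AAAA', 'CNAME', 'NS', 'MX', 'TXT')
    records = {rtype: 'Not Found' for rtype in record_types}
    self.artifact['data']['dnsresolve'] = records
    for rtype in record_types:
        records[rtype] = self.get_record(domain, rtype)
    # Iterate the resolved *values*: the original iterated the dict itself,
    # i.e. the record-type keys ('A', 'MX', ...), so the list branch was
    # unreachable and no child artifact was ever created.
    for value in records.values():
        if isinstance(value, str):
            candidates = [value]
        elif isinstance(value, list):
            candidates = value
        else:
            continue
        for host in candidates:
            if detect_type(host) == 'host':
                self.artifact['children'].append({
                    'name': host,
                    'type': 'host',
                    'source': 'DNS resolution',
                    'subtype': None
                })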
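def run(self):
    """Resolve A/AAAA/CNAME/NS/MX/TXT records for the artifact's domain.

    Each record type is stored under ``self.artifact['data']['dnsresolve']``
    (initialised to None, then filled from ``get_record``). Every resolved
    value -- a single string or a list of entries -- that ``detect_type``
    classifies as a host becomes a ``host`` child artifact.
    """
    domain = self.artifact['name']
    record_types = ('A', 'AAAA', 'CNAME', 'NS', 'MX', 'TXT')
    records = {rtype: None for rtype in record_types}
    self.artifact['data']['dnsresolve'] = records
    for rtype in record_types:
        records[rtype] = self.get_record(domain, rtype)
    # Iterate the resolved *values*: the original iterated the dict itself,
    # i.e. the record-type keys ('A', 'MX', ...), so the list branch was
    # unreachable and no child artifact was ever created.
    for value in records.values():
        if isinstance(value, str):
            candidates = [value]
        elif isinstance(value, list):
            candidates = value
        else:
            continue
        for item in candidates:
            if detect_type(item) == 'host':
                self.artifact['children'].append({
                    'name': item,
                    'type': 'host',
                    'source': 'DNS resolution',
                    'subtype': None
                })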
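def submit(self, session, module, artifact, no_argument=False):
    """Run a single module against an artifact.

    Args:
        session: current session, consulted via ``lookup_key`` so that
            ``artifact`` may be a session key instead of a name.
        module: name of the module to run.
        artifact: artifact name (or session key).
        no_argument: when True the module is run without an artifact and
            its raw result is returned unchanged.

    Returns ``result['data'][module]`` after the artifact document and any
    child artifacts have been persisted, or None when the artifact is
    unknown, unsupported by the module, or produced no results.
    """
    if no_argument:
        return self.run(module, None)
    is_key, value = lookup_key(session, artifact)
    if is_key and value is None:
        error('Unable to find artifact key in session (%s)' % artifact)
        return None
    if is_key:
        artifact = value
    artifact_name = artifact
    artifact_type = detect_type(artifact)
    artifact = self.db.find(artifact_type, {'name': artifact}, one=True)
    if artifact is None:
        # Report the name that was searched for; the original subscripted the
        # None result here and raised TypeError instead of warning.
        warning('Unable to find artifact in database (%s)' % artifact_name)
        return None
    # .get() avoids a KeyError when the subtype (possibly None) has no entry
    supported = (module in self.modules.get(artifact['type'], [])
                 or module in self.modules.get(artifact['subtype'], []))
    if not supported:
        warning('Artifact is not supported by module (%s)' % (artifact['name']))
        return None
    result = self.run(module, artifact)
    if module not in result['data']:
        warning('Failed to get module results (%s)' % module)
        return None
    if result['data'][module] is None:
        warning('No results found (%s)' % module)
        return None
    if self.db.exists(artifact['type'], {'name': artifact['name']}):
        for child in result['children']:
            child_artifact = create_artifact(
                child['name'],
                parent=artifact['name'],
                _type=child['type'],
                source=child['source'],
                subtype=child['subtype'])
            if not self.db.exists(child['type'], {'name': child['name']}):
                self.db.insert_one(child['type'], child_artifact)
        self.db.update_one(artifact['type'], {'name': artifact['name']}, result)
        if result['children']:
            info('Created child artifacts: %d' % len(result['children']))
    return result['data'][module]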
def ip(self):
    """Query the VirusTotal v2 IP-address report for this artifact.

    The full report is stored under ``self.artifact['data']['virustotal']``
    and every resolution whose hostname ``detect_type`` classifies as a host
    is appended as a ``host``/``fqdn`` child. Any exception is logged as a
    warning.
    """
    report_url = 'https://www.virustotal.com/vtapi/v2/ip-address/report'
    query = {'ip': self.artifact['name'], 'apikey': self.api_key}
    try:
        status, response = get(report_url, params=query)
        if status:
            report = response.json()
            # response_code 1: VirusTotal holds a report for this address
            if report['response_code'] == 1:
                self.artifact['data']['virustotal'] = report
                resolutions = report['resolutions']
                if len(resolutions) > 0:
                    children = self.artifact['children']
                    for resolution in resolutions:
                        hostname = resolution['hostname']
                        if detect_type(hostname) != 'host':
                            continue
                        children.append({
                            'name': hostname,
                            'type': 'host',
                            'subtype': 'fqdn',
                            'source': 'VirusTotal'
                        })
    except Exception as err:
        warning('Caught exception in module (%s)' % str(err))