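def get_adb_bl(self, api_key):
    """Retrieve the block list from the Abuse IP DB.

    Required Input:
    api_key - An Abuse IP DB API key.  It is sent in the ``Key`` request
    header, so keep it out of logs and version control.

    Output:
    self.adb_bl - Every address from the list that passes validateIP(),
    appended as a /32 CIDR.
    response.status_code - The HTTP code returned by the block list API
    endpoint.

    Exceptions:
    HTTPError - Occurs when a non-200 response is generated by the Abuse
    IP DB block list endpoint (logged, then re-raised).
    Timeout - Occurs when the request to the endpoint times out (logged,
    then re-raised).
    """
    url = 'https://api.abuseipdb.com/api/v2/blacklist'
    headers = {'Accept': 'text/plain', 'Key': api_key}
    params = {'limit': '10000'}
    try:
        response = get(url, headers=headers, params=params, timeout=10)
        # raise_for_status() must be *called*; referencing the bound
        # method without parentheses silently does nothing.
        response.raise_for_status()
    except Timeout:
        # Re-raise so the caller never proceeds with an empty block list.
        self.log.exception('Timeout occurred connecting to %s', url)
        raise
    except HTTPError:
        self.log.exception('Non-200 response received from %s', url)
        raise
    for line in response.text.splitlines():
        ip = line.strip()
        # Only well-formed addresses reach the list; blank lines and
        # anything else in the feed are dropped.
        if validateIP(ip):
            self.adb_bl.append(ip + '/32')
    return response.status_code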
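def get_nt_ssh_bl(self):
    """Retrieve the SSH block list from nothink.org.

    Outputs:
    self.nt_ssh_bl - Nothink.org's SSH brute force source block list, one
    /32 CIDR per address that passes validateIP().
    response.status_code - The HTTP response returned from nothink.org.
    A non-200 response is not treated as an error here; the caller should
    check the returned status code.

    Exceptions:
    Any exception raised while fetching the list (timeout, connection
    failure) is logged and re-raised, so a failed fetch never leaves the
    list silently empty.
    """
    # NOTE(review): this feed is fetched over plain HTTP, so its contents
    # can be altered in transit; weigh that when acting on the list.
    url = (r'http://www.nothink.org/honeypots/' +
           r'honeypot_ssh_blacklist_2019.txt')
    try:
        # Bounded wait: a stalled endpoint must not hang the whole refresh.
        response = get(url, timeout=10)
    except Exception:
        self.log.exception(
            'Unable to retrieve list of ssh brute force servers from ' +
            'nothink.org')
        raise
    for line in response.text.splitlines():
        entry = line.strip()
        # Feed comments start with '#'; anything validateIP() rejects is
        # dropped rather than written into the block list.
        if not entry.startswith('#') and validateIP(entry):
            self.nt_ssh_bl.append(entry + '/32')
    self.log.info(
        'Successfully retrieved list of known ssh brute force ' +
        'servers from nothink.org.')
    self.log.debug(
        '%d hosts are in the ssh_brute force list from nothink.org',
        len(self.nt_ssh_bl))
    return response.status_code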
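def get_talos_list(self):
    """Retrieve the IP block list from Cisco Talos.

    Outputs:
    self.tbl - A list of IP addresses (as /32 CIDRs) that Talos has
    determined are persona non grata.
    response.status_code - The HTTP status code of the request made to
    Talos.  A non-200 response is not treated as an error here; the
    caller should check the returned status code.

    Exceptions:
    Any exception raised while fetching the list (timeout, connection
    failure) is logged and re-raised, so a failed fetch never leaves the
    list silently empty.
    """
    url = 'https://talosintelligence.com/documents/ip-blacklist'
    try:
        # Bounded wait: a stalled endpoint must not hang the whole refresh.
        response = get(url, timeout=10)
    except Exception:
        self.log.exception('Unable to retrieve block list from Talos.')
        raise
    for line in response.text.splitlines():
        entry = line.strip()
        # Feed comments start with '#'; anything validateIP() rejects is
        # dropped rather than written into the block list.
        if not entry.startswith('#') and validateIP(entry):
            self.tbl.append(entry + '/32')
    self.log.info('Succesfully retrieved Talos black list.')
    self.log.debug('%d hosts are in the Talos black list', len(self.tbl))
    return response.status_code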
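def get_blde_list(self):
    """Retrieve the block list from blocklist.de.

    Outputs:
    self.bl_de - Blocklist.de's block list (updated every 48 hours), one
    /32 CIDR per address that passes validateIP().
    response.status_code - The HTTP response returned from blocklist.de.
    A non-200 response is not treated as an error here; the caller should
    check the returned status code.

    Exceptions:
    Any exception raised while fetching the list (timeout, connection
    failure) is logged and re-raised, so a failed fetch never leaves the
    list silently empty.
    """
    url = 'https://lists.blocklist.de/lists/all.txt'
    try:
        # Bounded wait: a stalled endpoint must not hang the whole refresh.
        response = get(url, timeout=10)
    except Exception:
        self.log.exception(
            'Unable to retrieve the ban list from blocklist.de')
        raise
    for line in response.text.splitlines():
        entry = line.strip()
        # Feed comments start with '#'; anything validateIP() rejects is
        # dropped rather than written into the block list.
        if not entry.startswith('#') and validateIP(entry):
            self.bl_de.append(entry + '/32')
    self.log.info(
        'Succesfully retrieved the ban list from blocklist.de')
    self.log.debug('%d hosts are in the blocklist.de ban list.',
                   len(self.bl_de))
    return response.status_code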
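def get_et_ch(self):
    """Retrieve the list of compromised hosts from Emerging Threats.

    Outputs:
    self.et_ch - A list of compromised-host IP addresses (as /32 CIDRs)
    published by Emerging Threats.
    response.status_code - The HTTP status code of the request made to
    Emerging Threats.  A non-200 response is not treated as an error
    here; the caller should check the returned status code.

    Exceptions:
    Any exception raised while fetching the list (timeout, connection
    failure) is logged and re-raised, so a failed fetch never leaves the
    list silently empty.
    """
    url = ('https://rules.emergingthreats.net' +
           '/blockrules/compromised-ips.txt')
    try:
        # Bounded wait: a stalled endpoint must not hang the whole refresh.
        response = get(url, timeout=10)
    except Exception:
        self.log.exception(
            'Unable to retrieve compromised IP list from ET.')
        raise
    for line in response.text.splitlines():
        # splitlines() already removes the line terminator, so the old
        # strip('\n') is folded into a whitespace strip here.
        entry = line.strip()
        # Feed comments start with '#'; anything validateIP() rejects is
        # dropped rather than written into the block list.
        if not entry.startswith('#') and validateIP(entry):
            self.et_ch.append(entry + '/32')
    self.log.info('Succesfully retrieved compromised IP list from ET.')
    self.log.debug('%d IPs are in the compromised IP list from ET.',
                   len(self.et_ch))
    return response.status_code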
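def get_ssl_bl(self):
    """Retrieve the known botnet C2 list from abuse.ch (SSL Blacklist).

    Outputs:
    self.ssl_bl - A list of IP addresses (as /32 CIDRs) that abuse.ch
    lists as known botnet C2 servers.
    response.status_code - The HTTP status code of the request made to
    abuse.ch.  A non-200 response is not treated as an error here; the
    caller should check the returned status code.

    Exceptions:
    Any exception raised while fetching the list (timeout, connection
    failure) is logged and re-raised, so a failed fetch never leaves the
    list silently empty.
    """
    url = 'https://sslbl.abuse.ch/blacklist/sslipblacklist.txt'
    try:
        # Bounded wait: a stalled endpoint must not hang the whole refresh.
        response = get(url, timeout=10)
    except Exception:
        self.log.exception(
            'Unable to retrieve botnet C2 list from abuse.ch.')
        raise
    # splitlines() handles both CRLF and LF, so a change in the feed's
    # line endings cannot silently empty the list (the old split('\r\n')
    # left a trailing '\r' that validateIP() would reject).
    for line in response.text.splitlines():
        entry = line.strip()
        # Feed comments start with '#'; anything validateIP() rejects is
        # dropped rather than written into the block list.
        if not entry.startswith('#') and validateIP(entry):
            self.ssl_bl.append(entry + '/32')
    self.log.info(
        'Successfully retrieved known botnet C2 list from abuse.ch')
    self.log.debug(
        '%d hosts are indicated as botnet C2 hosts by abuse.ch',
        len(self.ssl_bl))
    return response.status_code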
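def _ip_mail_body(indicator, log, vt_api_key, fsb_api_key, adb_api_key):
    """Build the mail body for an IP address indicator.

    Queries VirusTotal, ThreatCrowd, ThreatMiner, Hybrid Analysis (Falcon
    Sandbox), the Talos block list, URLHaus and Abuse IP DB through
    ``osintchck.IPOSINT``.  Each source gets its own section; a source
    that cannot be reached is reported inside its section instead of
    being left out, so the body is never built from an unbound name.

    Args:
        indicator: The IP address to look up (already validated).
        log: Logger used for progress messages.
        vt_api_key, fsb_api_key, adb_api_key: API keys from config.cnf.

    Returns:
        The plain-text mail body.
    """
    ip_chck = osintchck.IPOSINT(indicator)
    sep = '*' * 32 + '\n'
    vt_ref = ('Reference URL: ' +
              'https://virustotal.com/gui/ip-address/' + indicator +
              '/details' + '\n')
    try:
        vt = ip_chck.VTChck(vt_api_key)
        log.debug('Beginning IP CSI check for %s', indicator)
        if vt == 200:
            if ip_chck.vt_response == 1:
                vt_results = ip_chck.vt_results
                # NOTE(review): the %d fields assume the counts are never
                # None in a 200 response — confirm against osintchck.
                vt_mail = ('IP Owner: %s\n' % (vt_results.get('owner')) +
                           'Country: %s\n' % (vt_results.get('country')) +
                           'Malicious URL count: %d\n' %
                           (vt_results.get('urls')))
                if 'downloads' in vt_results:
                    vt_mail += ('Malware download count: %d\n' %
                                (vt_results.get('downloads')))
                vt_mail += vt_ref
            else:
                vt_mail = 'Nothing found on VirusTotal.\n'
        else:
            vt_mail = ('Unable to successfully connnect to VirusTotal. ' +
                       'The HTTP error code is %d\n') % vt
    except ConnectionError:
        msg = 'Unable to connect to VirusTotal due to network problems.'
        print(msg)
        vt_mail = msg + '\n'
    try:
        tc = ip_chck.TCChck()
        if tc == 200:
            tc_mail = 'Associated malware count: %d\n' % ip_chck.tc_mw
        elif tc == 500:
            tc_mail = 'Error when connecting to ThreatCrowd\n'
        else:
            tc_mail = 'No results found on ThreatCrowd\n'
    except ConnectionError:
        msg = 'Unable to connect to ThreatCrowd due to network problems.'
        print(msg)
        tc_mail = msg + '\n'
    try:
        tm = ip_chck.TMChck()
        if tm == 200:
            tm_mail = 'Associated malware count: %d\n' % ip_chck.tm_mw
        elif tm == 408:
            tm_mail = 'Request timed out.\n'
        else:
            tm_mail = ('HTTP response code: %d\n' +
                       'No results found on ThreatMiner.\n') % tm
    except ConnectionError:
        msg = 'Unable to connect to ThreatMiner due to network problems.'
        print(msg)
        tm_mail = msg + '\n'
    try:
        fsb = ip_chck.FSBChck(fsb_api_key)
        if fsb == 200:
            fsb_mail = 'Associated malware count: %d\n' % ip_chck.fsb_mw
        else:
            fsb_mail = ('Unable to succesfully connect to Hybrid' +
                        'Analysis. The HTTP error code is: %d\n') % (fsb)
    except ConnectionError:
        msg = ('Unable to connect to Hybrid Analysis due to network ' +
               'problems.')
        print(msg)
        fsb_mail = msg + '\n'
    try:
        tbl = ip_chck.TBLChck()
        if tbl == 200:
            tbl_mail = 'Blacklist status: %s\n' % ip_chck.tbl_status
        else:
            tbl_mail = 'Talos Return Code: %d\n' % tbl
    except ConnectionError:
        msg = ('Unable to retrieve the Talos IP blacklist due to ' +
               'network problems.')
        print(msg)
        tbl_mail = msg + '\n'
    try:
        urlh = ip_chck.UHChck()
        if urlh == 'ok':
            u_results = ip_chck.uh_results
            urlh_mail = ('Malicious URL count: %s\n' %
                         (u_results.get('mw_count')) +
                         'SURBL status: %s\n' % u_results.get('surbl') +
                         'Spamhaus DBL status: %s\n' %
                         (u_results.get('shbl')) +
                         'Reference URL: %s\n' % u_results.get('ref_url'))
        else:
            urlh_mail = 'URLHaus status: %s\n' % urlh
    except ConnectionError:
        msg = 'Unable to connect to URLHaus due to network problems.'
        print(msg)
        urlh_mail = msg + '\n'
    # Abuse IP DB is the one source not wrapped in a ConnectionError
    # handler, matching the original behaviour.
    adb = ip_chck.AIDBCheck(adb_api_key)
    if adb == 200:
        a_results = ip_chck.adb_results
        adb_mail = ('IP Report Count: %s\n' % a_results['report_count'] +
                    'Abuse Confidence Score: %s\n' %
                    a_results['confidence_score'])
    else:
        adb_mail = ('%d response code from Abuse IP DB API' % adb)
    return ('Indicator: %s\n' % indicator +
            sep + 'VT Results:\n' + vt_mail +
            sep + 'Threat Crowd Results:\n' + tc_mail +
            sep + 'ThreatMiner Results:\n' + tm_mail +
            sep + 'FalconSandBox Results:\n' + fsb_mail +
            sep + 'Talos Black List Status:\n' + tbl_mail +
            sep + 'URLHaus Results:\n' + urlh_mail +
            sep + 'Abuse IP DB Results:\n' + adb_mail)


def _domain_mail_body(indicator, log, vt_api_key, fsb_api_key):
    """Build the mail body for a domain name indicator.

    Queries VirusTotal, ThreatCrowd, ThreatMiner, Hybrid Analysis and
    URLHaus through ``osintchck.DomainOSINT``.  Every branch assigns its
    section text, including the ThreatMiner 408/500 cases and the
    network-failure handlers, so the body can always be assembled.

    Args:
        indicator: The domain name to look up (already validated).
        log: Logger used for progress messages.
        vt_api_key, fsb_api_key: API keys from config.cnf.

    Returns:
        The plain-text mail body.
    """
    dns_chck = osintchck.DomainOSINT(indicator)
    sep = '*' * 32 + '\n'
    vt_ref = ('Reference URL: ' +
              'https://virustotal.com/gui/domain/' + indicator +
              '/details' + '\n')
    try:
        vt = dns_chck.VTChck(vt_api_key)
        log.debug('Beginning domain name CSI check for %s.', indicator)
        if vt == 200:
            vt_results = dns_chck.vt_results
            if dns_chck.vt_response == 1:
                vt_mail = ''
                if 'downloads' in vt_results:
                    vt_mail = ('Malware downloads: %d \n' %
                               (vt_results.get('downloads')))
                vt_mail += ('URL Categories: %s \n' %
                            (str(vt_results.get('categories'))) +
                            'Subdomains: %s \n' %
                            (str(vt_results.get('subdomains'))) +
                            'Malicious URL Count: %d\n' %
                            (vt_results.get('url_count')) +
                            vt_ref)
            else:
                vt_mail = 'No results found on VirsuTotal.\n'
        else:
            vt_mail = ('Unable to succesfully connect to VirusTotal. ' +
                       'The HTTP error code is %d\n') % vt
    except ConnectionError:
        msg = 'Unable to connect to VirusTotal due to network problems.'
        print(msg)
        vt_mail = msg + '\n'
    try:
        tc = dns_chck.TCChck()
        if tc == 200:
            tc_mail = 'Resolve count: %d\n' % (dns_chck.tc_rc)
            for entry in dns_chck.tc_ips:
                tc_mail = tc_mail + 'IP: %s Resolved Date: %s\n' % (
                    entry.get('ip_address'), entry.get('r_time'))
        else:
            tc_mail = 'No results found on ThreatCrowd\n'
    except ConnectionError:
        msg = 'Unable to connect to ThreatCrowd due to network problems'
        print(msg)
        tc_mail = msg + '\n'
    try:
        tm = dns_chck.TMChck()
        if tm == 200:
            tm_mail = 'Associated malware count: %d\n' % dns_chck.tm_mw
        elif tm == 408:
            # These two branches previously only printed, leaving tm_mail
            # unbound when the body was assembled.
            print('Request tiimed out.')
            tm_mail = 'Request tiimed out.\n'
        elif tm == 500:
            print('Received HTTP 500 error.')
            tm_mail = 'Received HTTP 500 error.\n'
        else:
            tm_mail = ('HTTP respone code: %d\n' +
                       'No results found on ThreatMiner.\n') % tm
    except ConnectionError:
        msg = 'Unable to connect to ThreatMiner due to network problems.'
        print(msg)
        tm_mail = msg + '\n'
    try:
        fsb = dns_chck.FSBChck(fsb_api_key)
        if fsb == 200:
            fsb_mail = 'Related sample count: %d\n' % dns_chck.fsb_mw
            if dns_chck.fsb_mw > 0:
                fsb_mail = (fsb_mail +
                            ('Average sample threat score: %d\n' %
                             dns_chck.fsb_ts_avg))
        else:
            fsb_mail = ('Unable to succesfully connect to Hybrid ' +
                        'Analysis. The HTTP error code is %d\n') % fsb
    except ConnectionError:
        msg = ('Unable to connect to HybridAnalyis due to network ' +
               'problems.')
        print(msg)
        fsb_mail = msg + '\n'
    try:
        urlh = dns_chck.UHChck()
        if urlh == 'ok':
            u_results = dns_chck.uh_results
            urlh_mail = ('Associated malware count: %s\n' %
                         (u_results.get('mw_count')) +
                         'SURBL status: %s \n' % u_results.get('surbl') +
                         'Spamhaus DBL status: %s \n' %
                         (u_results.get('shbl')) +
                         'Reference URL: %s\n' % u_results.get('ref_url'))
        else:
            urlh_mail = 'URLHaus status: %s' % urlh
    except ConnectionError:
        msg = 'Unable to connect to URLHaus due to network problems.'
        print(msg)
        urlh_mail = msg + '\n'
    return ('Indicator: %s\n' % indicator +
            sep + 'VT Results:\n' + vt_mail +
            sep + 'Threat Crowd Results:\n' + tc_mail +
            sep + 'ThreatMiner Results:\n' + tm_mail +
            sep + 'FalconSandBox Results:\n' + fsb_mail +
            sep + 'URLHaus Results:\n' + urlh_mail)


def _url_mail_body(indicator, log, vt_api_key, fsb_api_key):
    """Build the mail body for a URL indicator.

    Queries VirusTotal, Hybrid Analysis and URLHaus through
    ``osintchck.URLOSINT``.  A source that cannot be reached is reported
    inside its section.

    Args:
        indicator: The URL to look up (already validated).
        log: Logger used for progress messages.
        vt_api_key, fsb_api_key: API keys from config.cnf.

    Returns:
        The plain-text mail body.
    """
    u_chck = osintchck.URLOSINT(indicator)
    sep = '*' * 32 + '\n'
    try:
        vt = u_chck.VTChck(vt_api_key)
        log.debug('Beginning URL CSI check for %s.', indicator)
        if vt == 200:
            if u_chck.vt_response == 1:
                v_results = u_chck.vc_results
                vt_mail = ('Last Scan Date: %s\n' %
                           (v_results.get('scan_date')) +
                           'AV Vendor Malicious Detections: %d\n' %
                           (v_results.get('positives')) +
                           'Reference URL: %s\n' %
                           (v_results.get('ref_url')))
            else:
                vt_mail = 'Nothing found on VirusTotal for this URL.'
        else:
            vt_mail = ('Unable to succesfully connect to VirusTotal. ' +
                       'HTTP error code is %d\n') % vt
    except ConnectionError:
        msg = 'Unable to connect to VirusTotal due to network problems.'
        print(msg)
        vt_mail = msg + '\n'
    try:
        fsb = u_chck.FSBChck(fsb_api_key)
        if fsb == 200:
            fsb_mail = 'Associated Sample Count: %d\n' % u_chck.fsb_mw
        else:
            fsb_mail = ('Unable to successfully connect to Hybrid ' +
                        ' Analysis. The HTTP error code is: %d\n') % fsb
    except ConnectionError:
        msg = ('Unable to connect to HybridAnalysis due to ' +
               'network problems.')
        print(msg)
        fsb_mail = msg + '\n'
    try:
        urlh = u_chck.UHChck()
        if urlh == 'ok':
            u_results = u_chck.uh_results
            urlh_mail = ('Threat Category: %s\n' %
                         (u_results.get('status')) +
                         'Google Safe Browsing: %s\n' %
                         (u_results.get('gsb')) +
                         'SURBL: %s\n' % u_results.get('surbl') +
                         'Spamhaus BL: %s\n' %
                         (u_results.get('spamhaus_dbl')) +
                         'Reference URL: %s\n' % u_results.get('ref_url'))
        else:
            urlh_mail = 'URLHaus status: %s' % urlh
    except ConnectionError:
        msg = 'Unable to connect to URL Haus due to network problems.'
        print(msg)
        urlh_mail = msg + '\n'
    return ('Indicator: %s\n' % indicator +
            sep + 'VT Results:\n' + vt_mail +
            sep + 'FalconSandBox Results:\n' + fsb_mail +
            sep + 'URLHaus Results:\n' + urlh_mail)


def _file_mail_body(indicator, file_hash, log, vt_api_key, fsb_api_key):
    """Build the mail body for a file indicator.

    Only the file's hash is sent to VirusTotal and Hybrid Analysis
    (through ``osintchck.FileOSINT``); the file contents never leave the
    host.

    Args:
        indicator: The path of the file that was hashed (shown in the
            report only).
        file_hash: The hash produced by hash_file() for that path.
        log: Logger used for progress messages.
        vt_api_key, fsb_api_key: API keys from config.cnf.

    Returns:
        The plain-text mail body.
    """
    f_chck = osintchck.FileOSINT(file_hash)
    sep = '*' * 32 + '\n'
    try:
        vt = f_chck.VTChck(vt_api_key)
        log.debug('Beginning file related CSI chek for this hash: %s',
                  file_hash)
        if vt == 200:
            if f_chck.vt_response == 1:
                vt_results = f_chck.vt_results
                vt_mail = ('AV Vendor Count: %d\n' %
                           (vt_results.get('av_detect')) +
                           'Vendor detection percentage: %d\n' %
                           (vt_results.get('av_percentage')) +
                           'Reference URL: %s\n' %
                           (vt_results.get('ref_url')))
            else:
                vt_mail = 'Nothing found for the given hash on VirusTotal'
        else:
            vt_mail = ('Unable to succsefully connect to Virus Total. ' +
                       'The HTTP error code is %d\n' % vt)
    except ConnectionError:
        msg = 'Unable to connect to VirusTotal due to network problems.'
        print(msg)
        vt_mail = msg + '\n'
    try:
        fsb = f_chck.FSBChck(fsb_api_key)
        if fsb == 200:
            if f_chck.fsb_r_code == 1:
                f_results = f_chck.fsb_results
                fsb_mail = ('File verdict: %s\n' %
                            (f_results.get('verdict')) +
                            'Malware family: %s\n' %
                            (f_results.get('m_family')))
            else:
                fsb_mail = ('Nothing found on the given hash on ' +
                            'HybridAnalysis.')
        else:
            fsb_mail = ('Unable to succesfully connect to Hybrid ' +
                        'Analysis. The HTTP error code is: %d\n' % fsb)
    except ConnectionError:
        msg = ('Unable to connect to HybridAnalysis due to network ' +
               'problems.')
        print(msg)
        fsb_mail = msg + '\n'
    return ('Indicator: %s\n' % indicator +
            'File Hash: %s\n' % file_hash +
            sep + 'VT Results:\n' + vt_mail +
            sep + 'FalconSandBox Results:\n' + fsb_mail)


def main():
    """Command-line entry point: look up one indicator and mail the report.

    Which sources are queried depends on the -I/-D/-U/-F flags; more than
    one may be given, and each selected report is mailed separately.  API
    keys and SMTP settings are read from ``config.cnf`` in the working
    directory; the script exits with status 1 when that file cannot be
    read or the indicator fails input validation.
    """
    # Setting up an argument parser.
    a_parse = ArgumentParser(description='Open Threat Intel checker.')
    a_parse.add_argument('-I', '--ip', action='store_true',
                         help='Check for IP address info.')
    a_parse.add_argument('-D', '--dns', action='store_true',
                         help='Check for DNS info.')
    a_parse.add_argument('-U', '--url', action='store_true',
                         help='Check for URL info.')
    a_parse.add_argument('-F', '--file', action='store_true',
                         help='Check for File info.')
    a_parse.add_argument('indicator', type=str,
                         help='Indicator to check ' + 'for.')
    args = a_parse.parse_args()
    # Enabling logging and setting logging configuration.
    log = getLogger('csic')
    basicConfig(format='%(asctime)s %(name)s %(levelname)s: %(message)s',
                datefmt='%m/%d/%Y %H:%M:%S', level=INFO,
                filename='csic_client.log')
    # config.cnf holds API keys and mail settings; keep its file
    # permissions restricted to the account that runs this script.
    config = ConfigParser()
    if not config.read('config.cnf'):
        # ConfigParser.read() silently skips an unreadable file; without
        # this check the script would die on a KeyError further down.
        log.error('Unable to read config.cnf')
        exit(1)
    # Specifying API keys.
    vt_api_key = config['API']['vt']
    fsb_api_key = config['API']['fsb']
    adb_api_key = config['API']['aipdb']
    smtp_server = config['mail']['server']
    rcpts = config['mail']['rcpts']
    sender = config['mail']['sender']
    # Looking for IP info.
    if args.ip:
        if not validate.validateIP(args.indicator):
            log.error('%s failed IP address input validation',
                      args.indicator)
            # NOTE(review): exit() is the site-module helper; sys.exit()
            # is the portable form.
            exit(1)
        ip_mail_body = _ip_mail_body(args.indicator, log, vt_api_key,
                                     fsb_api_key, adb_api_key)
        log.debug('Finsihed retrieving IP CSI for %s', args.indicator)
        mail_send(sender, rcpts, 'CSIC IP Info', smtp_server,
                  ip_mail_body)
    # Looking for domain info.
    if args.dns:
        if not validate.validateDN(args.indicator):
            log.error('%s failed domain name input validation.',
                      args.indicator)
            exit(1)
        dns_mail_body = _domain_mail_body(args.indicator, log, vt_api_key,
                                          fsb_api_key)
        log.debug('Finished domain name CSI check for %s.', args.indicator)
        mail_send(sender, rcpts, 'CSIC DNS Info', smtp_server,
                  dns_mail_body)
    # Looking for URL related info.
    if args.url:
        if not validate.validateURL(args.indicator):
            log.error('%s failed URL input validation.', args.indicator)
            exit(1)
        # NOTE(review): assumes validateURL() only accepts URLs with a
        # scheme and '//', so index 2 is the host part — confirm.
        domain = args.indicator.split('/')[2]
        if not validate.validateDN(domain):
            log.error(
                'The domain name in %s failed domain name input validation',
                args.indicator)
            exit(1)
        url_mail_body = _url_mail_body(args.indicator, log, vt_api_key,
                                       fsb_api_key)
        mail_send(sender, rcpts, 'CSIC URL Info', smtp_server,
                  url_mail_body)
        log.debug('Finished URL CSI check for %s.', args.indicator)
    # Looking for file related info.
    if args.file:
        file_hash = hash_file(args.indicator)
        file_mail_body = _file_mail_body(args.indicator, file_hash, log,
                                         vt_api_key, fsb_api_key)
        log.debug('Completed file related CSI chek for this hash: %s',
                  file_hash)
        mail_send(sender, rcpts, 'CSIC File Info', smtp_server,
                  file_mail_body)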
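def _print_ip_csi(indicator, log, vt_api_key, fsb_api_key, adb_api_key):
    """Print the report for an IP address indicator to stdout.

    Queries VirusTotal, ThreatCrowd, ThreatMiner, Hybrid Analysis, the
    Talos block list, URLHaus and Abuse IP DB through
    ``osintchck.IPOSINT``; a source that cannot be reached is reported
    in place and the remaining sources are still queried.

    Args:
        indicator: The IP address to look up (already validated).
        log: Logger used for progress messages.
        vt_api_key, fsb_api_key, adb_api_key: API keys from config.cnf.
    """
    ip_chck = osintchck.IPOSINT(indicator)
    banner = '*' * 32
    vt_ref = ('Reference URL: ' +
              'https://virustotal.com/gui/ip-address/' + indicator +
              '/details')
    try:
        log.debug('Retrieving CSI for %s', indicator)
        vt = ip_chck.VTChck(vt_api_key)
        if vt == 200:
            print(banner)
            print('VT Results:')
            if ip_chck.vt_response == 1:
                vt_results = ip_chck.vt_results
                # NOTE(review): the %d fields assume the counts are never
                # None in a 200 response — confirm against osintchck.
                print('IP Owner: %s' % vt_results.get('owner'))
                print('Country: %s' % vt_results.get('country'))
                print('Malicious URL count: %d' % (vt_results.get('urls')))
                if 'downloads' in vt_results:
                    print('Malware download count: %d' %
                          (vt_results.get('downloads')))
                print(vt_ref)
            else:
                print('Nothing found on VirusTotal.')
        else:
            # The '% vt' used to sit outside print(), so the literal '%d'
            # was printed and None % vt then raised TypeError.
            print(('Unable to successfully connnect to VirusTotal. ' +
                   'The HTTP error code is %d\n') % vt)
    except ConnectionError:
        print('Unable to connect to VirusTotal due to network ' +
              'problems.')
    try:
        tc = ip_chck.TCChck()
        print(banner)
        print('ThreatCrowd Results:')
        if tc == 200:
            print('Associated malware count: %d' % ip_chck.tc_mw)
        elif tc == 500:
            print('Error connecting to ThreatCrowd')
        else:
            print('No results found on ThreatCrowd')
    except ConnectionError:
        print('Unable to connect to ThreatCrowd due to network ' +
              'problems.')
    try:
        tm = ip_chck.TMChck()
        print(banner)
        print('ThreatMiner Results:')
        if tm == 200:
            print('Associated malware count: %d' % ip_chck.tm_mw)
        elif tm == 408:
            print('Request timed out')
        else:
            print('ThreatMiner API status code: %d' % tm)
            print('No results found on ThreatMiner.')
    except ConnectionError:
        print('Unable to connect to ThreatMiner due to network ' +
              'problems.')
    try:
        fsb = ip_chck.FSBChck(fsb_api_key)
        if fsb == 200:
            print(banner)
            print('HybridAnalysis Results:')
            print('Associated malware count: %d' % ip_chck.fsb_mw)
        else:
            print('Unable to succesfully connect to Hybrid' +
                  'Analysis. The HTTP error code is: %d\n' % fsb)
    except ConnectionError:
        print('Unable to connect to Hybrid Analysis due to network ' +
              'problems.')
    try:
        tbl = ip_chck.TBLChck()
        print(banner)
        print('Talos Blacklist Check:')
        if tbl == 200:
            print('Blacklist status: %s' % ip_chck.tbl_status)
        else:
            print('Talos Return Code: %d' % tbl)
    except ConnectionError:
        print('Unable to retrieve the Talos IP blacklist due to ' +
              'network problems.')
    try:
        urlh = ip_chck.UHChck()
        print(banner)
        print('URLHaus Results:')
        if urlh == 'ok':
            u_results = ip_chck.uh_results
            print('Malicious URL count: %s' % u_results.get('mw_count'))
            print('SURBL status: %s' % u_results.get('surbl'))
            print('Spamhaus DBL status: %s' % u_results.get('shbl'))
            print('Reference URL: %s' % u_results.get('ref_url'))
        else:
            print('URLHaus status: %s' % urlh)
    except ConnectionError:
        print('Unable to connect to URLHaus due to network ' +
              'problems.')
    log.debug('Finished retrieving CSI for %s', indicator)
    # Abuse IP DB is the one source not wrapped in a ConnectionError
    # handler, matching the original behaviour.
    adb = ip_chck.AIDBCheck(adb_api_key)
    print(banner)
    print('Abuse IP DB Results:')
    if adb == 200:
        a_results = ip_chck.adb_results
        print('IP Report Count: %s' % a_results['report_count'])
        print('Abuse Confidence Score: %s' %
              a_results['confidence_score'])
    else:
        print('%d response code from Abuse IP DB API' % adb)


def _print_domain_csi(indicator, log, vt_api_key, fsb_api_key):
    """Print the report for a domain name indicator to stdout.

    Queries VirusTotal, ThreatCrowd, ThreatMiner, Hybrid Analysis and
    URLHaus through ``osintchck.DomainOSINT``.

    Args:
        indicator: The domain name to look up (already validated).
        log: Logger used for progress messages.
        vt_api_key, fsb_api_key: API keys from config.cnf.
    """
    dns_chck = osintchck.DomainOSINT(indicator)
    banner = '*' * 32
    vt_ref = ('Refernce URL: ' +
              'https://virustotal.com/gui/domain/' + indicator +
              '/details')
    try:
        vt = dns_chck.VTChck(vt_api_key)
        log.debug('Beginning retrieving domain name CSI for %s',
                  indicator)
        if vt == 200:
            vt_results = dns_chck.vt_results
            print(banner)
            print('VT Results:')
            if dns_chck.vt_response == 1:
                if 'downloads' in vt_results:
                    print('Malware downloads: %d' %
                          (vt_results.get('downloads')))
                print('URL Categories: %s' %
                      (str(vt_results.get('categories'))))
                print('Subdomains: %s' %
                      (str(vt_results.get('subdomains'))))
                print('Malicious URL Count: %d' %
                      (vt_results.get('url_count')))
                print(vt_ref)
            else:
                print('No results found on VirsuTotal.')
        else:
            print('Unable to succesfully connect to VirusTotal. The ' +
                  'HTTP error code is %d\n' % vt)
    except ConnectionError:
        print('Unable to connect to VirusTotal due to network problems.')
    try:
        tc = dns_chck.TCChck()
        print(banner)
        print('ThreatCrowd Results')
        if tc == 200:
            print('Resolve count: %d' % dns_chck.tc_rc)
            for entry in dns_chck.tc_ips:
                print('IP: %s Resolved Date: %s' %
                      (entry.get('ip_address'), entry.get('r_time')))
        else:
            print('No results found on ThreatCrowd')
    except ConnectionError:
        print('Unable to connect to ThreatCrowd due to network ' +
              'problems')
    try:
        tm = dns_chck.TMChck()
        print(banner)
        print('ThreatMiner Results')
        if tm == 200:
            print('Associated malware count: %d' % dns_chck.tm_mw)
        elif tm == 408:
            print('Request timed out.')
        else:
            print('ThreatMiner response code: %d' % tm)
            print('No results found on ThreatMiner.')
    except ConnectionError:
        print('Unable to connect to ThreatMiner due to network problems.')
    try:
        fsb = dns_chck.FSBChck(fsb_api_key)
        if fsb == 200:
            print(banner)
            print('HybridAnalysis Results:')
            print('Related sample count: %d' % dns_chck.fsb_mw)
            if dns_chck.fsb_mw > 0:
                print('Average sample threat score: %d' %
                      dns_chck.fsb_ts_avg)
        else:
            print('Unable to succesfully connect to HybridAnalysis. ' +
                  'The HTTP error code is %d\n' % fsb)
    except ConnectionError:
        print('Unable to connect to HybridAnalyis due to network ' +
              'problems.')
    try:
        urlh = dns_chck.UHChck()
        print(banner)
        print('URLHaus Results')
        if urlh == 'ok':
            u_results = dns_chck.uh_results
            print('Associated malware count: %s' %
                  u_results.get('mw_count'))
            print('SURBL status: %s' % u_results.get('surbl'))
            print('Spamhaus DBL status: %s' % u_results.get('shbl'))
            print('Reference URL: %s' % u_results.get('ref_url'))
        else:
            print('URLHaus status: %s' % urlh)
    except ConnectionError:
        print('Unable to connect to URLHaus due to network problems.')
    log.debug('Finished retrieving domain name CSI for %s', indicator)


def _print_url_csi(indicator, log, vt_api_key, fsb_api_key):
    """Print the report for a URL indicator to stdout.

    Queries VirusTotal, Hybrid Analysis and URLHaus through
    ``osintchck.URLOSINT``.

    Args:
        indicator: The URL to look up (already validated).
        log: Logger used for progress messages.
        vt_api_key, fsb_api_key: API keys from config.cnf.
    """
    u_chck = osintchck.URLOSINT(indicator)
    banner = '*' * 32
    try:
        vt = u_chck.VTChck(vt_api_key)
        log.debug('Retrieving URL CSI for %s', indicator)
        if vt == 200:
            print(banner)
            print('VirusTotal Results:')
            if u_chck.vt_response == 1:
                v_results = u_chck.vc_results
                print('Last Scan Date: %s' % v_results.get('scan_date'))
                print('AV Vendor Malicious Detections: %d' %
                      v_results.get('positives'))
                print('Reference URL: %s' % v_results.get('ref_url'))
            else:
                print('Nothing found on VirusTotal for this URL.')
        else:
            print('Unable to succesfully connect to VirusTotal. ' +
                  'HTTP error code is %d\n' % vt)
    except ConnectionError:
        print('Unable to connect to VirusTotal due to network problems.')
    try:
        fsb = u_chck.FSBChck(fsb_api_key)
        if fsb == 200:
            print(banner)
            print('HybridAnalysis Results:')
            print('Associated Sample Count: %d' % u_chck.fsb_mw)
        else:
            print('Unable to successfully connect to HybridAnalysis. ' +
                  'The HTTP error code is: %d\n' % fsb)
    except ConnectionError:
        print('Unable to connect to HybridAnalysis due to ' +
              'network problems.')
    try:
        urlh = u_chck.UHChck()
        print(banner)
        print('URLHaus Results:')
        if urlh == 'ok':
            u_results = u_chck.uh_results
            print('Threat Category: %s' % u_results.get('status'))
            print('Google Safe Browsing: %s' % u_results.get('gsb'))
            print('SURBL: %s' % u_results.get('surbl'))
            print('Spamhaus BL: %s' % u_results.get('spamhaus_dbl'))
            print('Reference URL: %s' % u_results.get('ref_url'))
        else:
            print('URLHaus status: %s' % urlh)
    except ConnectionError:
        print('Unable to connect to URL Haus due to network problems')
    log.debug('Finished retrieving URL CSI for %s', indicator)


def _print_file_csi(indicator, log, vt_api_key, fsb_api_key):
    """Print the report for a file indicator to stdout.

    The file at ``indicator`` is hashed locally with hash_file() and only
    the hash is sent to VirusTotal and Hybrid Analysis (through
    ``osintchck.FileOSINT``); the file contents never leave the host.

    Args:
        indicator: Path of the file to hash and look up.
        log: Logger used for progress messages.
        vt_api_key, fsb_api_key: API keys from config.cnf.
    """
    file_hash = hash_file(indicator)
    print('The hash we are looking for is below.\n%s' % file_hash)
    f_chck = osintchck.FileOSINT(file_hash)
    banner = '*' * 32
    try:
        vt = f_chck.VTChck(vt_api_key)
        log.debug('Retrieving file related CSI for %s', indicator)
        if vt == 200:
            print(banner)
            print('VirusTotal Results:')
            if f_chck.vt_response == 1:
                vt_results = f_chck.vt_results
                print('AV Vendor Count: %d' % vt_results.get('av_detect'))
                print('Vendor detection percentage: %d' %
                      vt_results.get('av_percentage'))
                print('Reference URL: %s' % vt_results.get('ref_url'))
            else:
                print('Nothing found for the given hash on VirusTotal')
        else:
            print('Unable to succsefully connect to Virus Total. The ' +
                  'HTTP error code is %d\n' % vt)
    except ConnectionError:
        print('Unable to connect to VirusTotal due to network problems.')
    try:
        fsb = f_chck.FSBChck(fsb_api_key)
        if fsb == 200:
            print(banner)
            print('HybridAnalysis Results:')
            if f_chck.fsb_r_code == 1:
                f_results = f_chck.fsb_results
                print('File verdict: %s' % f_results.get('verdict'))
                print('Malware family: %s' % f_results.get('m_family'))
            else:
                print('Nothing found on the given hash on ' +
                      'HybridAnalysis.')
        else:
            print('Unable to succesfully connect to HybridAnalysis. ' +
                  'The HTTP error code is: %d\n' % fsb)
    except ConnectionError:
        print('Unable to connect to HybridAnalysis due to network ' +
              'problems.')
    log.debug('Finished retrieving file related CSI for %s', indicator)


def main():
    """Command-line entry point: look up one indicator and print the report.

    Which sources are queried depends on the -I/-D/-U/-F flags; more than
    one may be given and the reports are printed in that order.  API keys
    are read from ``config.cnf`` in the working directory; the script
    exits with status 1 when that file cannot be read or the indicator
    fails input validation.
    """
    # Setting up an argument parser.
    a_parse = ArgumentParser(description='Open Threat Intel checker.')
    a_parse.add_argument('-I', '--ip', action='store_true',
                         help='Check for IP address info.')
    a_parse.add_argument('-D', '--dns', action='store_true',
                         help='Check for DNS info.')
    a_parse.add_argument('-U', '--url', action='store_true',
                         help='Check for URL info.')
    a_parse.add_argument('-F', '--file', action='store_true',
                         help='Check for File info.')
    a_parse.add_argument('indicator', type=str,
                         help='Indicator to check ' + 'for.')
    args = a_parse.parse_args()
    # Enabling logging and setting logging configuration.
    log = getLogger('csic')
    basicConfig(format='%(asctime)s %(name)s %(levelname)s: %(message)s',
                datefmt='%m/%d/%Y %H:%M:%S', level=INFO,
                filename='csic_client.log')
    # config.cnf holds API keys; keep its file permissions restricted to
    # the account that runs this script.
    config = ConfigParser()
    if not config.read('config.cnf'):
        # ConfigParser.read() silently skips an unreadable file; without
        # this check the script would die on a KeyError further down.
        print('Unable to read config.cnf')
        log.error('Unable to read config.cnf')
        exit(1)
    # Specifying API keys.
    vt_api_key = config['API']['vt']
    fsb_api_key = config['API']['fsb']
    adb_api_key = config['API']['aipdb']
    # Looking for IP info.
    if args.ip:
        if not validate.validateIP(args.indicator):
            print('Invalid IP address provided as input.')
            log.error('IP address %s failed input validation.',
                      args.indicator)
            # NOTE(review): exit() is the site-module helper; sys.exit()
            # is the portable form.
            exit(1)
        _print_ip_csi(args.indicator, log, vt_api_key, fsb_api_key,
                      adb_api_key)
    # Looking for domain info.
    if args.dns:
        if not validate.validateDN(args.indicator):
            print('Invalid DNS name. DNS names must be RFC 1035 compliant.')
            log.error('%s failed DNS name input validation', args.indicator)
            exit(1)
        _print_domain_csi(args.indicator, log, vt_api_key, fsb_api_key)
    # Looking for URL related info.
    if args.url:
        if not validate.validateURL(args.indicator):
            log.error('URL %s failed input validation.', args.indicator)
            exit(1)
        # NOTE(review): assumes validateURL() only accepts URLs with a
        # scheme and '//', so index 2 is the host part — confirm.
        domain = args.indicator.split('/')[2]
        if not validate.validateDN(domain):
            print('Domain name is not compliant with RFC 1035.')
            # Logged before exiting; the original logged after exit(1),
            # which never ran.
            log.error('Domain in URL %s failed input validation.',
                      args.indicator)
            exit(1)
        _print_url_csi(args.indicator, log, vt_api_key, fsb_api_key)
    # Looking for file related info.
    if args.file:
        _print_file_csi(args.indicator, log, vt_api_key, fsb_api_key)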