def run(self):
Analyzer.run(self)
data = self.getData()
try:
# enrichment service
if self.service == 'enrichment':
enrichment_request = EnrichmentRequest(username=self.username, api_key=self.api_key)
result = enrichment_request.get_enrichment(query=data)
self.report(result)
# malware service
elif self.service == 'malware':
enrichment_request = EnrichmentRequest(username=self.username, api_key=self.api_key)
result = enrichment_request.get_malware(query=data)
self.report(result)
# osint service
elif self.service == 'osint':
enrichment_request = EnrichmentRequest(username=self.username, api_key=self.api_key)
result = enrichment_request.get_osint(query=data)
self.report(result)
# passive dns service
elif self.service == 'passive_dns':
dns_request = DnsRequest(username=self.username, api_key=self.api_key)
result = dns_request.get_passive_dns(query=data)
self.report(result)
# ssl certificate details service
elif self.service == 'ssl_certificate_details':
ssl_request = SslRequest(username=self.username, api_key=self.api_key)
result = ssl_request.get_ssl_certificate_details(query=data)
self.report(result)
# ssl certificate history service
elif self.service == 'ssl_certificate_history':
ssl_request = SslRequest(username=self.username, api_key=self.api_key)
result = ssl_request.get_ssl_certificate_history(query=data)
self.report(result)
# unique resolutions service
elif self.service == 'unique_resolutions':
dns_request = DnsRequest(username=self.username, api_key=self.api_key)
result = dns_request.get_unique_resolutions(query=data)
self.report(result)
# whois details service
elif self.service == 'whois_details':
whois_request = WhoisRequest(username=self.username, api_key=self.api_key)
result = whois_request.get_whois_details(query=data)
self.report(result)
else:
self.error('Unknown PassiveTotal service')
except Exception as e:
self.unexpectedError(e)
def get_whois(self, **kwargs):
client = WhoisRequest(self.username, self.apikey)
keys = ['query', 'compact', 'field']
params = self._cleanup_params(keys, **kwargs)
if not params.get('field'):
return client.get_whois_details(**params)
else:
return client.search_whois_by_field(**params)
def load_client(context):
"""Get an instance of a loaded client."""
username = context.getTransformSetting('username')
api_key = context.getTransformSetting('aKey')
test_status = context.getTransformSetting('test_local')
if test_status and test_status == 'True':
server = context.getTransformSetting('server')
version = context.getTransformSetting('version')
return WhoisRequest(username, api_key, server, version)
else:
return WhoisRequest(username, api_key, headers=gen_debug(request))
def get_whois(self, **kwargs):
client = WhoisRequest(self.username, self.apikey)
keys = ['query', 'compact', 'field']
params = self._cleanup_params(keys, **kwargs)
if not params.get('field'):
return client.get_whois_details(**params)
else:
return client.search_whois_by_field(**params)
def __process_result_pt__(self): # passive total
d = self.__get_top_level_domain__()
try:
if d:
client = WhoisRequest.from_config()
raw_results = client.get_whois_details(query=d)
self.raw_whois = raw_results
elif not d:
print("PT, domain null " + str(d) + " " + str(self.id))
except:
print("PT rejects " + str(self.domain) + " ")
def __init__(self):
try:
self.clients = {
'ssl': SslRequest.from_config(),
'dns': DnsRequest.from_config(),
'enrichment': EnrichmentRequest.from_config(),
'whois': WhoisRequest.from_config(),
'attribute': AttributeRequest.from_config(),
}
except Exception:
self.clients = None
def call_whois(args):
"""Abstract call to WHOIS-based queries."""
client = WhoisRequest.from_config()
pruned = prune_args(query=args.query,
compact_record=args.compact,
field=args.field)
if not args.field:
data = client.get_whois_details(**pruned)
else:
data = client.search_whois_by_field(**pruned)
return data
def call_whois(args):
"""Abstract call to WHOIS-based queries."""
client = WhoisRequest.from_config()
pruned = prune_args(
query=args.query,
compact_record=args.compact,
field=args.field
)
if not args.field:
data = client.get_whois_details(**pruned)
else:
data = client.search_whois_by_field(**pruned)
return data
def run(self, conf, args, plugins):
if 'subcommand' in args:
if args.subcommand == 'whois':
client = WhoisRequest(conf['PassiveTotal']['username'],
conf['PassiveTotal']['key'])
if args.domain:
raw_results = client.search_whois_by_field(query=unbracket(
args.domain.strip()),
field="domain")
print(
json.dumps(raw_results,
sort_keys=True,
indent=4,
separators=(',', ': ')))
elif args.file:
with open(args.file, 'r') as infile:
data = infile.read().split()
print(
"Domain|Date|Registrar|name|email|Phone|organization|Street|City|Postal Code|State|Country"
)
for d in data:
do = unbracket(d.strip())
# FIXME: bulk request here
raw_results = client.search_whois_by_field(
query=do, field="domain")
if "results" not in raw_results:
print("%s|||||||||||" % bracket(do))
else:
if len(raw_results["results"]) == 0:
print("%s|||||||||||" % bracket(do))
else:
r = raw_results["results"][0]
if "registered" in r:
dd = datetime.datetime.strptime(
r["registered"],
"%Y-%m-%dT%H:%M:%S.%f%z")
ddo = dd.strftime("%m/%d/%Y %H:%M:%S")
else:
ddo = ""
print(
"%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s" %
(bracket(do), ddo, r["registrar"]
if "registrar" in r else "",
r["registrant"]["name"]
if "name" in r["registrant"] else "",
r["registrant"]["email"]
if "email" in r["registrant"] else "",
r["registrant"]["telephone"]
if "telephone" in r["registrant"] else "",
r["registrant"]["organization"] if
"organization" in r["registrant"] else "",
r["registrant"]["street"]
if "street" in r["registrant"] else "",
r["registrant"]["city"]
if "city" in r["registrant"] else "",
r["registrant"]["postalCode"] if
"postalCode" in r["registrant"] else "",
r["registrant"]["state"]
if "state" in r["registrant"] else "",
r["registrant"]["country"]
if "country" in r["registrant"] else ""))
elif args.email:
raw_results = client.search_whois_by_field(
query=args.email.strip(), field="email")
print(
json.dumps(raw_results,
sort_keys=True,
indent=4,
separators=(',', ': ')))
else:
self.parser.print_help()
elif args.subcommand == "dns":
client = DnsRequest(conf['PassiveTotal']['username'],
conf['PassiveTotal']['key'])
raw_results = client.get_passive_dns(query=unbracket(
args.DOMAIN), )
print(
json.dumps(raw_results,
sort_keys=True,
indent=4,
separators=(',', ': ')))
elif args.subcommand == "malware":
client = EnrichmentRequest(conf["PassiveTotal"]["username"],
conf["PassiveTotal"]['key'])
if args.domain:
raw_results = client.get_malware(query=args.domain)
print(
json.dumps(raw_results,
sort_keys=True,
indent=4,
separators=(',', ': ')))
elif args.file:
with open(args.file, 'r') as infile:
data = infile.read().split()
domain_list = list(set([a.strip() for a in data]))
if len(domain_list) < 51:
raw_results = client.get_bulk_malware(
query=domain_list)
if "results" not in raw_results or not raw_results[
"success"]:
print("Request failed")
print(
json.dumps(raw_results,
sort_keys=True,
indent=4,
separators=(',', ': ')))
sys.exit(1)
else:
results = raw_results["results"]
else:
results = {}
bulk_size = 50
i = 0
while i * bulk_size < len(domain_list):
raw_results = client.get_bulk_malware(
query=domain_list[i * bulk_size:(i + 1) *
bulk_size])
if "results" not in raw_results or not raw_results[
"success"]:
print("Request failed")
print(
json.dumps(raw_results,
sort_keys=True,
indent=4,
separators=(',', ': ')))
sys.exit(1)
else:
results.update(raw_results["results"])
i += 1
if args.raw:
print(
json.dumps(results,
sort_keys=True,
indent=4,
separators=(',', ': ')))
else:
print("Domain|Date|Sample|Source|Source URL")
for domain in results:
if "results" in results[domain]:
for sample in results[domain]["results"]:
print("%s|%s|%s|%s|%s" %
(domain, sample["collectionDate"],
sample["sample"], sample["source"],
sample["sourceUrl"]))
else:
self.parser.print_help()
elif args.subcommand == "osint":
# FIXME: add research of projects
client = EnrichmentRequest(conf["PassiveTotal"]["username"],
conf["PassiveTotal"]['key'])
if args.domain:
raw_results = client.get_osint(query=args.domain)
print(
json.dumps(raw_results,
sort_keys=True,
indent=4,
separators=(',', ': ')))
elif args.file:
with open(args.file, 'r') as infile:
data = infile.read().split()
domain_list = list(set([a.strip() for a in data]))
if len(domain_list) < 51:
raw_results = client.get_bulk_osint(query=domain_list)
if "results" not in raw_results or not raw_results[
"success"]:
print("Request failed")
print(
json.dumps(raw_results,
sort_keys=True,
indent=4,
separators=(',', ': ')))
sys.exit(1)
else:
results = raw_results["results"]
else:
results = {}
bulk_size = 50
i = 0
while i * bulk_size < len(domain_list):
raw_results = client.get_bulk_osint(
query=domain_list[i * bulk_size:(i + 1) *
bulk_size])
if "results" not in raw_results or not raw_results[
"success"]:
print("Request failed")
print(
json.dumps(raw_results,
sort_keys=True,
indent=4,
separators=(',', ': ')))
sys.exit(1)
else:
results.update(raw_results["results"])
i += 1
if args.raw:
print(
json.dumps(results,
sort_keys=True,
indent=4,
separators=(',', ': ')))
else:
print("Domain|Source|URL|Tags")
for domain in results:
if "results" in results[domain]:
for report in results[domain]["results"]:
print("%s|%s|%s|%s" %
(domain, report["source"],
report["source_url"], " / ".join(
report["tags"])))
else:
self.parser.print_help()
else:
self.parser.print_help()
else:
self.parser.print_help()
import sys
from passivetotal.libs.dns import DnsRequest
from passivetotal.libs.dns import DnsUniqueResponse
from passivetotal.libs.whois import WhoisRequest
from passivetotal.libs.whois import WhoisResponse
from passivetotal.common.utilities import is_ip
query = sys.argv[1]
if not is_ip(query):
raise Exception("This script only accepts valid IP addresses!")
sys.exit(1)
# look up the unique resolutions
client = DnsRequest.from_config()
raw_results = client.get_unique_resolutions(query=query)
loaded = DnsUniqueResponse(raw_results)
whois_client = WhoisRequest.from_config()
for record in loaded.get_records()[:3]:
raw_whois = whois_client.get_whois_details(query=record.resolve)
whois = WhoisResponse(raw_whois)
print record.resolve, whois.contactEmail
logger.info("Starting command processing")
input_events, dummyresults, settings = splunk.Intersplunk.getOrganizedResults(
)
keywords, options = splunk.Intersplunk.getKeywordsAndOptions()
query_value = options.get("query", "")
logger.info("Query target: %s" % query_value)
logger.debug("Raw options: %s" % str(options))
configuration = get_config("passivetotal", "api-setup")
username = configuration.get('username', None)
api_key = configuration.get('apikey', None)
output_events = list()
whois = WhoisRequest(username, api_key,
headers=build_headers()).get_whois_details(
query=query_value, compact_record=True)
if 'error' in whois:
raise Exception(
"Whoa there, looks like you reached your quota for today! Please come back tomorrow to resume your investigation or contact support for details on enterprise plans."
)
fields = [
'contactEmail', 'nameServers', 'registered', 'registryUpdatedAt',
'expiresAt', 'registrar'
]
for field in fields:
tmp = {'key': gen_label(field), 'value': whois.get(field, '')}
output_events.append(tmp)
for key, value in whois.get('compact', {}).iteritems():
formatted = list()
for item in value.get('values', []):
try:
logger.info("Starting command processing")
input_events, dummyresults, settings = splunk.Intersplunk.getOrganizedResults()
keywords, options = splunk.Intersplunk.getKeywordsAndOptions()
query_value = options.get("query", "")
logger.info("Query target: %s" % query_value)
logger.debug("Raw options: %s" % str(options))
configuration = get_config("passivetotal", "api-setup")
username = configuration.get('username', None)
api_key = configuration.get('apikey', None)
output_events = list()
whois = WhoisRequest(username, api_key, headers=build_headers()).get_whois_details(
query=query_value, compact_record=True)
if 'error' in whois:
raise Exception("Whoa there, looks like you reached your quota for today! Please come back tomorrow to resume your investigation or contact support for details on enterprise plans.")
fields = ['contactEmail', 'nameServers', 'registered', 'registryUpdatedAt',
'expiresAt', 'registrar']
for field in fields:
tmp = {'key': gen_label(field), 'value': whois.get(field, '')}
output_events.append(tmp)
for key, value in whois.get('compact', {}).iteritems():
formatted = list()
for item in value.get('values', []):
tmp = "%s (%s)" % (item[0], ', '.join(item[1]))
formatted.append(tmp)
tmp = {'key': gen_label(key), 'value': ', '.join(formatted)}
output_events.append(tmp)
splunk.Intersplunk.outputResults(output_events)
def setup_class(self):
self.patcher = patch('passivetotal.api.Client._get', fake_request)
self.patcher.start()
self.client = WhoisRequest('--No-User--', '--No-Key--')
class WhoisTestCase(unittest.TestCase):
"""Test case for WHOIS methods."""
formats = ['json']
def setup_class(self):
self.patcher = patch('passivetotal.api.Client._get', fake_request)
self.patcher.start()
self.client = WhoisRequest('--No-User--', '--No-Key--')
def teardown_class(self):
self.patcher.stop()
def test_whois_details(self):
"""Test getting WHOIS details."""
payload = {'query': 'passivetotal.org'}
response = self.client.get_whois_details(**payload)
assert (response.get('domain')) == 'passivetotal.org'
def test_process_whois_details(self):
"""Test processing WHOIS details."""
payload = {'query': 'passivetotal.org'}
response = self.client.get_whois_details(**payload)
wrapped = Response(response)
for item in self.formats:
assert (getattr(wrapped, item))
def test_property_load(self):
"""Test loading properties on a result."""
payload = {'query': 'passivetotal.org'}
response = self.client.get_whois_details(**payload)
wrapped = Response(response)
for key, value in iteritems(response):
assert (getattr(wrapped, key)) == value
def test_whois_search(self):
"""Test getting a WHOIS search."""
payload = {'query': '18772064254', 'field': 'phone'}
response = self.client.search_whois_by_field(**payload)
assert (response['results'][0].get('domain')) == 'passivetotal.org'
def test_whois_search_bad_field(self):
"""Test sending a bad field in a search."""
with pytest.raises(INVALID_FIELD_TYPE) as excinfo:
def invalid_field():
payload = {'query': '18772064254', 'field': '_'}
self.client.search_whois_by_field(**payload)
invalid_field()
assert 'must be one of the following' in str(excinfo.value)
def test_whois_search_missing_field(self):
"""Test missing a field in a search."""
with pytest.raises(MISSING_FIELD) as excinfo:
def missing_field():
payload = {'query': '18772064254', 'no-field': '_'}
self.client.search_whois_by_field(**payload)
missing_field()
assert 'value is required' in str(excinfo.value)
def test_process_whois_search(self):
"""Test processing search results."""
payload = {'query': '18772064254', 'field': 'phone'}
response = self.client.search_whois_by_field(**payload)
results = Response(response)
assert (Response(results.results[0]).domain) == 'passivetotal.org'
def run(self):
data = self.get_data()
try:
# enrichment service
if self.service == 'enrichment':
enrichment_request = EnrichmentRequest(username=self.username,
api_key=self.api_key)
result = enrichment_request.get_enrichment(query=data)
self.report(result)
# malware service
elif self.service == 'malware':
enrichment_request = EnrichmentRequest(username=self.username,
api_key=self.api_key)
result = enrichment_request.get_malware(query=data)
self.report(result)
# osint service
elif self.service == 'osint':
enrichment_request = EnrichmentRequest(username=self.username,
api_key=self.api_key)
result = enrichment_request.get_osint(query=data)
self.report(result)
# passive dns service
elif self.service == 'passive_dns':
dns_request = DnsRequest(username=self.username,
api_key=self.api_key)
result = dns_request.get_passive_dns(query=data)
self.report(result)
# ssl certificate details service
elif self.service == 'ssl_certificate_details':
ssl_request = SslRequest(username=self.username,
api_key=self.api_key)
result = ssl_request.get_ssl_certificate_details(query=data)
self.report(result)
# ssl certificate history service
elif self.service == 'ssl_certificate_history':
ssl_request = SslRequest(username=self.username,
api_key=self.api_key)
result = ssl_request.get_ssl_certificate_history(query=data)
print(len(result['results']))
if len(result['results']
) == 1 and result['results'][0]['ipAddresses'] == 'N/A':
print("ok")
self.report({'results': []})
else:
self.report(result)
# unique resolutions service
elif self.service == 'unique_resolutions':
dns_request = DnsRequest(username=self.username,
api_key=self.api_key)
result = dns_request.get_unique_resolutions(query=data)
self.report(result)
# whois details service
elif self.service == 'whois_details':
whois_request = WhoisRequest(username=self.username,
api_key=self.api_key)
result = whois_request.get_whois_details(query=data)
self.report(result)
# components service
elif self.service == 'components':
host_attr_request = HostAttributeRequest(
username=self.username, api_key=self.api_key)
result = host_attr_request.get_components(query=data)
self.report(result)
# trackers service
elif self.service == 'trackers':
host_attr_request = HostAttributeRequest(
username=self.username, api_key=self.api_key)
result = host_attr_request.get_trackers(query=data)
self.report(result)
# host pairs service
elif self.service == 'host_pairs':
host_attr_request = HostAttributeRequest(
username=self.username, api_key=self.api_key)
result = host_attr_request.get_host_pairs(query=data,
direction='parents')
children = host_attr_request.get_host_pairs(
query=data, direction='children')
result['totalRecords'] += children['totalRecords']
result['results'] = result['results'] + children['results']
self.report(result)
else:
self.error('Unknown PassiveTotal service')
except Exception as e:
self.unexpectedError(e)
