Example #1
def main():
    """Emit one snoopy.Drone entity per distinct drone in the session table.

    Relies on module-level names set up elsewhere (transformCommon):
    ``filters``, ``sess``, ``db``, ``start_time`` and ``end_time``.
    The Maltego response is written by returnOutput().
    """
    # Custom query per transform; the shared filter list from transformCommon
    # is applied with and_(*filters).
    query = select([sess.c.drone], and_(*filters)).distinct()
    logging.debug(filters)
    logging.debug(query)
    drones = [row[0] for row in db.execute(query).fetchall()]
    trx = MaltegoTransform()

    for drone in drones:
        logging.debug(drone)
        ent = trx.addEntity("snoopy.Drone", drone)
        ent.addAdditionalFields("properties.drone", "drone", "strict", drone)
        # start_time / end_time come from the module scope, not from the row.
        ent.addAdditionalFields("start_time", "start_time", "strict", start_time)
        ent.addAdditionalFields("end_time", "end_time", "strict", end_time)
    trx.returnOutput()
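def main(argv):
    """Add a maltego.Twit entity for each follower of the user named in argv[1].

    A few hard-coded usernames map to a fixed list (fixtures); any other
    name is resolved through the module-level ``twitterSearch`` client
    (getFollowers, then idToUsername on the comma-joined follower ids).
    ``DEBUG`` (module global) turns on tracing to stdout.  The response is
    written with MaltegoTransform.returnOutput().

    Args:
        argv: argument vector; argv[1] is the username to expand.
    """
    # Fixed follower lists for a handful of known accounts.
    fixtures = {
        "caseyso": ["bobbyo", "jjc", "alf", "courtp"],
        "jjc": ["caseyso", "jjc", "alf", "courtp", "mrclean"],
        "alf": ["mrclean", "jjc", "alf", "courtp", "joe"],
        "bobbyo": ["jjc", "caseyso", "brat322"],
    }
    target = argv[1]
    if target in fixtures:
        namesList = list(fixtures[target])
    else:
        users = twitterSearch.getFollowers(target)
        if DEBUG:
            print(users)
        # idToUsername takes a comma-separated id list; join the ids rather
        # than building the string with += and trimming a trailing comma.
        searchString = ",".join(str(u["id"]) for u in users["users"])
        if DEBUG:
            print(searchString)
        names = twitterSearch.idToUsername(searchString)
        namesList = [name["screen_name"] for name in names]

    if DEBUG:
        print(namesList)

    mt = MaltegoTransform()
    for user_name in namesList:
        if DEBUG:
            print(user_name)
        mt.addEntity("maltego.Twit", user_name)

    mt.returnOutput()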
Example #3
def main():
    """Emit a maltego.Domain entity for every cookie host seen from ``mac``.

    ``mac``, ``cookies`` (table), ``db`` and ``logging`` come from the
    enclosing module (transformCommon).  Characters that are not allowed
    in an XML document are stripped from each host before it is emitted.
    """
    # Custom query per transform; filters applied via and_(*filters).
    conditions = [cookies.c.client_mac == mac]
    # The baseDomain column is not used: it was being returned as the full URL.
    query = select([cookies.c.host], and_(*conditions))
    logging.debug(query)
    logging.debug(mac)
    hosts = [row[0] for row in db.execute(query).fetchall()]
    trx = MaltegoTransform()

    # Control characters, surrogates and non-characters that must not
    # appear in the XML response.
    illegal_xml_re = re.compile(u'[\x00-\x08\x0b-\x1f\x7f-\x84\x86-\x9f\ud800-\udfff\ufdd0-\ufddf\ufffe-\uffff]')

    for raw_host in hosts:
        host = illegal_xml_re.sub('', raw_host)
        ent = trx.addEntity("maltego.Domain", host)
        ent.addAdditionalFields("fqdn", "Domain", "strict", host)
        ent.addAdditionalFields("mac", "Client Mac", "strict", mac)

    trx.returnOutput()
Example #4
def main():
    """Emit a maltego.URL entity for each weblog URL seen from client ``ip``.

    ``ip``, ``weblogs``, ``db`` and ``logging`` are module globals
    (transformCommon).  The cookies column is selected but not used here.
    """
    # Custom query per transform; filters applied via and_(*filters).
    conditions = [weblogs.c.client_ip == ip]
    query = select([weblogs.c.full_url, weblogs.c.cookies], and_(*conditions))
    logging.debug(query)
    rows = db.execute(query).fetchall()
    trx = MaltegoTransform()

    # Compiled for parity with the sibling transforms; not applied to the
    # URL in this transform (behaviour kept as-is).
    illegal_xml_re = re.compile(u'[\x00-\x08\x0b-\x1f\x7f-\x84\x86-\x9f\ud800-\udfff\ufdd0-\ufddf\ufffe-\uffff]')

    for row in rows:
        logging.debug(row)
        url = row[0]
        ent = trx.addEntity("maltego.URL", url)
        ent.addAdditionalFields("url", "URL", "strict", url)

    trx.returnOutput()
Example #5
def main():
    """Emit a snoopy.SSID entity for each SSID recorded against ``mac``.

    Appends to the module-level ``filters`` list (from transformCommon)
    and reads ``ssids``, ``db`` and ``escape`` from the same scope.
    Empty and whitespace-only names are skipped; the rest are escaped and
    stripped of characters that are not allowed in XML.
    """
    # Custom query per transform; shared filters applied via and_(*filters).
    # Note that this appends to the module-level list, not to a copy.
    filters.append(ssids.c.mac == mac)
    query = select([ssids.c.ssid], and_(*filters))

    ssid_list = [row[0] for row in db.execute(query).fetchall()]
    trx = MaltegoTransform()

    # Control characters, surrogates and non-characters that must not
    # appear in the XML response.
    illegal_xml_re = re.compile(u'[\x00-\x08\x0b-\x1f\x7f-\x84\x86-\x9f\ud800-\udfff\ufdd0-\ufddf\ufffe-\uffff]')

    for raw_ssid in ssid_list:
        cleaned = illegal_xml_re.sub('', escape(raw_ssid))
        # Nothing useful to show for a blank name.
        if cleaned and not cleaned.isspace():
            ent = trx.addEntity("snoopy.SSID", cleaned)
            ent.addAdditionalFields("properties.ssid", "ssid", "strict", cleaned)

    trx.returnOutput()
Example #6
def main():
    """Emit a snoopy.Cookie entity for each cookie ``mac`` sent to ``domain``.

    ``mac``, ``domain``, ``cookies`` (table), ``db`` and ``logging`` are
    module globals (transformCommon).  Cookie names and values are written
    into the entity exactly as stored.
    """
    # Custom query per transform; filters applied via and_(*filters).
    conditions = [
        cookies.c.client_mac == mac,
        cookies.c.baseDomain == domain,
    ]
    query = select([cookies.c.name, cookies.c.value], and_(*conditions))
    logging.debug(query)
    rows = db.execute(query).fetchall()
    logging.debug(rows)
    trx = MaltegoTransform()

    # Compiled for parity with the sibling transforms; not applied here
    # (behaviour kept as-is).
    illegal_xml_re = re.compile(u'[\x00-\x08\x0b-\x1f\x7f-\x84\x86-\x9f\ud800-\udfff\ufdd0-\ufddf\ufffe-\uffff]')

    for row in rows:
        logging.debug(row)
        name, value = row
        ent = trx.addEntity("snoopy.Cookie", name)
        ent.addAdditionalFields("value", "Value", "strict", value)
        ent.addAdditionalFields("fqdn", "Domain", "strict", domain)
        ent.addAdditionalFields("mac", "Client Mac", "strict", mac)

    trx.returnOutput()
Example #7
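def main():
    """Emit a snoopy.useragent entity for each User-Agent seen from ``ip``.

    ``ip``, ``weblogs``, ``db`` and ``logging`` are module globals
    (transformCommon).  Rows whose useragent column is NULL are skipped;
    the rest are stripped of characters that are not allowed in XML.
    """
    # Custom query per transform; filters applied via and_(*filters).
    conditions = [weblogs.c.client_ip == ip]
    query = select([weblogs.c.useragent], and_(*conditions))
    logging.debug(query)
    rows = db.execute(query).fetchall()
    logging.debug(rows)
    trx = MaltegoTransform()

    # Control characters, surrogates and non-characters that must not
    # appear in the XML response.
    illegal_xml_re = re.compile(u'[\x00-\x08\x0b-\x1f\x7f-\x84\x86-\x9f\ud800-\udfff\ufdd0-\ufddf\ufffe-\uffff]')

    for row in rows:
        logging.debug(row)
        # Each row is a 1-tuple.  The previous code used str(row) — the
        # tuple's repr, e.g. "(u'Mozilla/...',)" — as the entity value and
        # tested str(row).find('None') to detect NULLs, which also dropped
        # any genuine User-Agent containing the text "None".
        useragent = row[0]
        if useragent is None:
            continue
        ent = trx.addEntity("snoopy.useragent", illegal_xml_re.sub('', useragent))
        ent.addAdditionalFields("ip", "Client IP", "strict", ip)

    trx.returnOutput()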
Example #8
def main(argv):
    """Emit a maltego.Alias entity for each URL returned by LinkedIn().

    The lookup value is read from sys.argv[1]; the ``argv`` parameter is
    not used.
    """
    transform = MaltegoTransform()
    for url in LinkedIn(sys.argv[1]):
        transform.addEntity("maltego.Alias", url)
    transform.returnOutput()
Example #9
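def selectEvent(eventID):
    """Record ``eventID`` as the currently selected event and confirm in Maltego.

    The selection and its timestamp are persisted in the shelve at
    ``eventDB`` (module global) under the keys 'id' and 'age'; checkAge()
    later compares 'age' against the current time.

    Args:
        eventID: identifier of the event to select (stored as given).
    """
    store = shelve.open(eventDB)
    try:
        store['id'] = eventID
        # Naive local timestamp, matching what checkAge() compares against.
        store['age'] = datetime.today()
    finally:
        # Close even if a write fails so the shelve is not left open/dirty.
        store.close()
    mt = MaltegoTransform()
    mt.addUIMessage("[Info] Event with ID %s selected for insert" % eventID)
    mt.returnOutput()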
Example #10
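def main():
    """Emit a snoopy.ssidLocation entity for each wigle row matching ``ssid``.

    ``filters``, ``ssid``, ``limit``, ``wigle``, ``db`` and ``logging``
    are module globals (transformCommon).  At most 20 entities are emitted
    regardless of ``limit``.
    """
    filters.append(wigle.c.ssid == ssid)
    filters.append(wigle.c.overflow == 0)
    query = select([wigle], and_(*filters)).distinct().limit(limit)

    rows = db.execute(query).fetchall()
    logging.debug(rows)

    trx = MaltegoTransform()

    # Hard cap on entities per response.  The previous loop tested
    # ``len(results) > 20`` inside the loop and broke on the first row, so
    # any query with more than 20 hits produced an empty response.
    max_entities = 20

    for address in rows[:max_entities]:
        logging.debug(type(address))
        lat = str(address['lat'])
        lng = str(address['long'])

        # "&amp;" is kept in the icon URL as the original had it — presumably
        # because the value is written into the XML response unescaped; confirm.
        street_view_url1 = "http://maps.googleapis.com/maps/api/streetview?size=800x800&amp;sensor=false&amp;location=%s,%s" % (lat, lng)
        street_view_url2 = "https://maps.google.com/maps?q=&layer=c&cbp=11,0,0,0,0&cbll=%s,%s " % (lat, lng)
        map_url = "http://maps.google.com/maps?t=h&q=%s,%s" % (lat, lng)

        ent = trx.addEntity("snoopy.ssidLocation", address['shortaddress'].encode('utf-8'))
        ent.addAdditionalFields("city", "city", "strict", address['city'].encode('utf-8'))
        ent.addAdditionalFields("countrycode", "countrycode", "strict", address['code'].encode('utf-8'))
        ent.addAdditionalFields("country", "country", "strict", address['country'].encode('utf-8'))
        ent.addAdditionalFields("lat", "lat", "strict", lat)
        ent.addAdditionalFields("long", "long", "strict", lng)
        ent.addAdditionalFields("longaddress", "longaddress", "strict", address['longaddress'].encode('utf-8'))
        ent.addAdditionalFields("location.areacode", "Area Code", "strict", address['postcode'])
        ent.addAdditionalFields("road", "Road", "strict", address['road'].encode('utf-8'))
        ent.addAdditionalFields("streetaddress", "streetaddress", "strict", address['shortaddress'].encode('utf-8'))
        ent.addAdditionalFields("ssid", "SSID", "strict", address['ssid'])
        ent.addAdditionalFields("state", "State", "strict", address['state'].encode('utf-8'))
        ent.addAdditionalFields("area", "Area", "strict", address['suburb'].encode('utf-8'))

        ent.addAdditionalFields("googleMap", "Google map", "nostrict", map_url)
        ent.addAdditionalFields("streetView", "Street View", "nostrict", street_view_url2)

        logging.debug(street_view_url1)
        ent.setIconURL(street_view_url1)

        ent.addDisplayInformation("<a href='%s'>Click for map </a>" % street_view_url2, "Street view")
        # Kept from the original; looks like a placeholder — confirm it is wanted.
        ent.addDisplayInformation("one", "two")

    trx.returnOutput()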
Example #11
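def parsereport(page):
    """Add a maltego.IPv4Address entity for every text node in ``page`` that is a dotted quad.

    ``page`` is expected to be a BeautifulSoup document (findAll with a
    ``text=`` regex).  Exits the process with a message if the search
    itself fails; a page with no matches simply yields an empty response.
    """
    xform = MaltegoTransform()
    # Dotted quad, each octet 0-255, anchored to the whole text node.
    ipv4_re = re.compile(r"^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$")

    try:
        for element in page.findAll(text=ipv4_re):
            xform.addEntity("maltego.IPv4Address", element)
    # Narrowed from a bare ``except:``, which also swallowed SystemExit
    # and KeyboardInterrupt.
    except Exception:
        sys.exit("Report contains no IPs.")

    xform.returnOutput()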
Example #12
def parsereport(page):
    """Add a maltego.IPv4Address entity for each host cell under the 'network_hosts' div.

    ``page`` is a BeautifulSoup document: the table following the div is
    scanned for ``<td class="row">`` cells and the first text node of each
    becomes the entity value.
    """
    xform = MaltegoTransform()

    hosts_div = page.find("div", {"id": "network_hosts"})
    host_table = hosts_div.findNext('table')
    for cell in host_table.findAll('td', {"class": "row"}):
        xform.addEntity("maltego.IPv4Address", cell.find(text=True))

    xform.returnOutput()
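def main():
    """List every row of the ``samples`` table as a ran2.Sample entity.

    Reads the SQLite file named by the module-level ``DBNAME``.  If the
    file is missing, a maltego.Phrase saying so is returned instead: the
    connect() below would otherwise silently create an empty database and
    the SELECT would then fail with a traceback and no XML response.
    """
    me = MaltegoTransform()

    if not os.path.isfile(DBNAME):
        me.addEntity("maltego.Phrase", "Database file not found " + DBNAME)
        me.returnOutput()
        return

    conn = sqlite3.connect(DBNAME)
    conn.text_factory = str
    try:
        cursor = conn.cursor()
        cursor.execute("SELECT * FROM samples")
        found = cursor.fetchall()
        if found:
            for row in found:
                # Column index 2 holds the sample name (as before).
                me.addEntity("ran2.Sample", row[2])
        else:
            # fetchall() never returns None, so the previous ``is not None``
            # test could not reach this branch (and it referenced an unbound
            # ``name``).  Report an empty table explicitly instead.
            me.addEntity("maltego.Phrase", "No samples found in " + DBNAME)
    finally:
        # Read-only query: nothing to commit, but always release the handle.
        conn.close()

    me.returnOutput()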
Example #14
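def main():
    """Emit sslstrip results for a client, selected either by IP or by MAC.

    Input is read from the module-level ``TRX`` transform: ``client_ip``
    (falling back to ``properties.client_ip``) and an optional ``domain``.
    With an IP, the matching sslstrip key/value pairs are returned as
    snoopy.sslstripResult entities.  Without one, the lease table is
    joined on the module-level ``mac`` and each hit is returned as a
    snoopy.Site entity.  ``sslstrip``, ``leases`` and ``db`` are module
    globals (transformCommon).
    """
    global TRX
    ip = TRX.getVar("properties.client_ip")
    if TRX.getVar("client_ip"):
        ip = TRX.getVar("client_ip")

    domain = TRX.getVar("domain")

    if ip:
        conditions = [sslstrip.c.client == ip]
        if domain:
            conditions.append(sslstrip.c.domain == domain)

        query = select([sslstrip.c.key, sslstrip.c.value], and_(*conditions)).distinct()
        for key, value in db.execute(query).fetchall():
            ent = TRX.addEntity("snoopy.sslstripResult", key)
            # The "key" field previously carried ``value`` as well.
            ent.addAdditionalFields("key", "key", "strict", key)
            ent.addAdditionalFields("value", "Value", "strict", value)

        TRX.returnOutput()
        # A response has been written; the MAC-based query below must not
        # append a second one to the same output.
        return

    # Custom query per transform, but apply filter with and_(*filters) from transformCommon.
    conditions = [leases.c.mac == mac, sslstrip.c.client == leases.c.ip]
    if domain:
        conditions.append(sslstrip.c.domain == domain)
    query = select([sslstrip.c.domain, leases.c.mac, leases.c.ip], and_(*conditions))
    rows = db.execute(query).fetchall()
    TRX = MaltegoTransform()

    for site_domain, client_mac, client_ip in rows:
        ent = TRX.addEntity("snoopy.Site", site_domain)
        ent.addAdditionalFields("domain", "domain", "strict", site_domain)
        ent.addAdditionalFields("mac", "Client Mac", "strict", client_mac)
        ent.addAdditionalFields("client_ip", "Client IP", "strict", client_ip)

    TRX.returnOutput()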
Example #15
def createEvent(eventName):
    """Create a MISP event called ``eventName`` and return it as a maltego.MISPEvent.

    Uses the module-level ``misp`` client and the MISP_* / BASE_URL
    settings, then hands the transform to returnSuccess(), which writes
    the response.

    Args:
        eventName: the ``info`` text of the new event.
    """
    mt = MaltegoTransform()
    mt.addUIMessage("[Info] Creating event with the name %s" % eventName)
    created = misp.new_event(MISP_DISTRIBUTION, MISP_THREAT, MISP_ANALYSIS,
                             eventName, None, MISP_EVENT_PUBLISH)['Event']
    event_id = created['id']
    event_info = created['info']
    event_org = created['orgc_id']
    entity = MaltegoEntity('maltego.MISPEvent', event_id)
    entity.addAdditionalFields('EventLink', 'EventLink', False,
                               BASE_URL + '/events/view/' + event_id)
    entity.addAdditionalFields('Org', 'Org', False, event_org)
    entity.addAdditionalFields('notes', 'notes', False, event_org + ": " + event_info)
    mt.addEntityToMessage(entity)
    returnSuccess("event", event_id, None, mt)
Example #16
def main():
    """Emit a snoopy.Client entity per client MAC, with vendor and hostname.

    Clients come from the cookies table outer-joined to ``vends`` (vendor
    lookup by MAC) under the module-level ``filters``; when ``ssid`` is
    set the query is replaced by one over ``ssids`` joined to ``vends``
    on MAC instead.  Hostnames are looked up from the ``leases`` table.
    ``filters``, ``ssid``, ``cookies``, ``vends``, ``ssids``, ``leases``,
    ``sess``, ``db`` and ``logging`` are module globals (transformCommon).
    """
#    print "Content-type: xml\n\n";
#    MaltegoXML_in = sys.stdin.read()
#    logging.debug(MaltegoXML_in)
#    if MaltegoXML_in <> '':
#     m = MaltegoMsg(MaltegoXML_in)

    #Custom query per transform, but apply filter with and_(*filters) from transformCommon.
    #db.echo=True

    #Need to implement outer join at some point:
    # s=select([cookies.c.client_mac]).outerjoin(vends, cookies.c.client_mac == vends.c.mac) #Outer join

    # mac -> hostname map; later rows for the same mac win in dict().
    sl = select([leases.c.mac, leases.c.hostname]).distinct()
    lease_list = dict ( db.execute(sl).fetchall() )

    #filters.append(cookies.c.client_mac == vends.c.mac) # Replaced with JOIN
    j = cookies.outerjoin(vends, cookies.c.client_mac == vends.c.mac)
    s = select([cookies.c.client_mac,vends.c.vendor, vends.c.vendorLong], and_(*filters)).select_from(j).distinct()
    logging.debug(s)
    #s = select([cookies.c.client_mac,vends.c.vendor, vends.c.vendorLong], and_(*filters))
    if ssid:
        # NOTE(review): this branch joins ssids to vends with a plain
        # equality (not an outer join), so clients with no vendor row are
        # dropped here; it also ignores the shared ``filters`` — confirm.
        nfilters=[]
        nfilters.append(ssids.c.ssid == ssid)
        nfilters.append(ssids.c.mac == vends.c.mac)
        s = select([ssids.c.mac,vends.c.vendor, vends.c.vendorLong], and_(*nfilters))

    #logging.debug(s)
    #s = select([cookies.c.client_mac,vends.c.vendor, vends.c.vendorLong], and_(cookies.c.client_mac == vends.c.mac, cookies.c.num_probes>1 ) ).distinct()

    # ``cw`` is built and logged but never executed.
    cwdF = [cookies.c.run_id == sess.c.run_id]
    cw = select([cookies.c.client_mac], and_(*cwdF))
    logging.debug(cw)

    r = db.execute(s)
    results = r.fetchall()
    TRX = MaltegoTransform()
    for mac,vendor,vendorLong in results:
        hostname = lease_list.get(mac)

        # Display value is "vendor\n(hostname)", or the tail of the MAC
        # (from offset 6) when no lease hostname is known.  vendor may be
        # None from the outer join; "%s" renders it as "None".
        if hostname:
            NewEnt=TRX.addEntity("snoopy.Client", "%s\n(%s)" %(vendor,hostname))
        else:
            NewEnt=TRX.addEntity("snoopy.Client", "%s\n(%s)" %(vendor,mac[6:]))
        NewEnt.addAdditionalFields("mac","mac address", "strict",mac)
        NewEnt.addAdditionalFields("vendor","vendor", "nostrict", vendor)
        NewEnt.addAdditionalFields("vendorLong","vendorLong", "nostrict", vendorLong)


    TRX.returnOutput()
Example #17
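def new_transform(arg):
    """Return maltego.AS entities for the ASNs recorded against an IPv4 address.

    Reads ``ipv4-address`` and ``workspace`` from the Maltego input and
    queries the fixed local API host (10.1.99.250:8125, plain HTTP).  Any
    failure is reported back as a UI message rather than a traceback.

    Args:
        arg: the raw argument list handed to MaltegoTransform.parseArguments().
    """
    m = MaltegoTransform()
    m.parseArguments(arg)
    ip = m.getVar('ipv4-address')
    wrkspc = m.getVar('workspace')
    # Both values are interpolated into the path as-is (no URL quoting).
    url = 'http://10.1.99.250:8125/api/v1.0/%s/%s/asn' % (wrkspc, ip)
    try:
        # Without a timeout a stalled API would hang the transform indefinitely.
        r = requests.get(url, timeout=30)
        j = r.json()
        for i in j['items']:
            ent = m.addEntity('maltego.AS', i['asn'])
            ent.addAdditionalFields('workspace', 'Workspace ID', True, wrkspc)
    except Exception as e:
        m.addUIMessage(str(e))
    m.returnOutput()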
Example #18
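def checkAge():
    """Return the selected event id, or raise a Maltego exception if the selection is stale.

    Reads 'age' and 'id' from the shelve at ``eventDB`` (module global),
    as written by selectEvent().  A missing or unreadable selection is
    treated as 6000 s old, i.e. already expired.  Selections older than
    one hour produce a Maltego exception via throwExceptions() and the
    function falls through (returning None unless throwExceptions() exits);
    otherwise the stored id is returned.
    """
    store = shelve.open(eventDB)
    try:
        age = store['age']
        eid = store['id']
    # Narrowed from a bare ``except:``: a missing key (no selection yet) or
    # an unreadable entry both fall back to "expired".
    except Exception:
        age = datetime.today() - timedelta(seconds=6000)
        eid = "none"
    finally:
        store.close()
    curDate = datetime.today()
    if age < curDate - timedelta(seconds=3600):
        mt = MaltegoTransform()
        mt.addException("[Warning] Selection of Event is over 1 hour old. Please reselect. Current selection: %s" % eid)
        mt.throwExceptions()
    else:
        return eid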
Example #19
def main(argv):
    """Emit a maltego.EmailAddress entity for each address found on a page.

    The page URL is taken from sys.argv[1] (the ``argv`` parameter is not
    used); the body is fetched with urllib and scanned by collectAllEmail().
    """
    target = sys.argv[1]
    page = urllib.urlopen(target).read()
    addresses = collectAllEmail(page)

    transform = MaltegoTransform()
    for address in addresses:
        transform.addEntity("maltego.EmailAddress", address)

    transform.returnOutput()
Example #20
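def main():
    """Command-line / Maltego entry point for spidermal.

    Parses the arguments, works out the date range, then either runs as a
    Maltego transform (writing the response through the module-level
    ``maltrans``) or builds an .mtgx graph file on disk.  Sets the module
    globals ``verbose`` and, in transform mode, ``maltrans``.
    """
    global verbose, maltrans
    parser = argparse.ArgumentParser(description="Jumpstart Maltego graph of C2 infrastructure off domain or IP.", epilog="spidermal.py -l paloaltonetworks.com -s 2014-09-12 -e 2015-12-1 -r 2 -o pan.mgtx -a PT")
    parser.add_argument("-s", "--start", help="Start date for range; \"YYYY-MM-DD\".", metavar="YYYY-MM-DD")
    parser.add_argument("-e", "--end", help="End date for range; \"YYYY-MM-DD\".", metavar="YYYY-MM-DD")
    parser.add_argument("-l", "--lookup", help="Value you start search with.", required=True, metavar="IP|DOMAIN")
    parser.add_argument("-o", "--out", help="Output file name (will append \"mtgx\" if not present.", default="malgraph.mtgx", metavar="filename.mtgx")
    # NOTE(review): -r arrives as a string from the command line but the
    # default is the int 1; api_query() must cope with both — confirm.
    parser.add_argument("-r", "--recurse", help="Number of levels to recurse. Default is 1; be careful with hosting sites.", default=1, metavar="LEVEL")
    parser.add_argument("-a", "--api", help="Choose API to use. Default is PassiveTotal.", default="PT", choices=["PT"])
    parser.add_argument("-t", "--transform", help="Run in Maltego Transform mode (run from inside Maltego client).", action="store_true")
    parser.add_argument("-v", "--verbose", help="Print additional data (tags/class/dynamic fields).", action="store_true")
    # Collect the unknown arguments too: Maltego passes extra data in "#" format.
    args, unknown = parser.parse_known_args()
    verbose = args.verbose
    target_start = datetime.date(1970, 1, 1)  # Default start date for range
    target_end = datetime.date.today()  # Default end date for range
    if args.transform:
        # ``transform`` (module global) is 0 when MaltegoTransform.py could
        # not be imported; tell the user inside Maltego instead of crashing.
        if transform == 0:
            print("""<MaltegoMessage><MaltegoTransformResponseMessage><Entities></Entities><UIMessages><UIMessage MessageType="FatalError">MaltegoTransform.py Module Not Found!</UIMessage></UIMessages></MaltegoTransformResponseMessage></MaltegoMessage>""")
            sys.exit()
        # Peel off any dates sent by Maltego in the "Before" or "After"
        # fields.  Maltego may send no extra arguments at all, so guard the
        # index (previously an IndexError).
        extra = unknown[0].split("#") if unknown else []
        for argument in extra:
            if argument.startswith("After"):
                target_start = date_convert(argument.split("=")[1], "user")
            elif argument.startswith("Before"):
                target_end = date_convert(argument.split("=")[1], "user")
        # Build the transform object used to pipe data back to Maltego.
        maltrans = MaltegoTransform()
        final_list, entity_type = api_query(args.lookup, target_start, target_end, "1", "PT", args.transform)
        build_maltego(final_list, entity_type, str(target_start), str(target_end))
        maltrans.returnOutput()
    else:
        if args.start:
            target_start = date_convert(args.start, "user")
        if args.end:
            target_end = date_convert(args.end, "user")
        print("[+] Begining search for %s using %s API between %s and %s." % (args.lookup, args.api, target_start, target_end))
        final_list, entity_type = api_query(args.lookup, target_start, target_end, args.recurse, args.api, args.transform)
        print("[+] Finished API queries.")
        print("[+] Building graph (nodes/edges).")
        build_graph(final_list, args.out)
        print("[+] Building Maltego file named %s." % args.out)
        zip_file(args.out)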
Example #21
def returnSuccess(etype, value, event=None, mt=None):
    """Write a success UI message to Maltego and flush the response.

    Args:
        etype: kind of object that was stored (e.g. "event").
        value: its id or value, used in the message.
        event: optional event id the object was added to; changes the wording.
        mt: an existing MaltegoTransform to append to; a fresh one is
            created when None (or otherwise falsy).
    """
    transform = mt or MaltegoTransform()
    if event:
        message = "[Info] Successful entry of %s with value %s into event %s" % (etype, value, event)
    else:
        message = "[Info] Successful entry of %s with ID %s" % (etype, value)
    transform.addUIMessage(message)
    transform.returnOutput()
Example #22
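def main():
    """Emit a snoopy.Cookie entity for every cookie in the weblogs of client ``ip``.

    ``ip``, ``weblogs``, ``db`` and ``logging`` are module globals
    (transformCommon).  The cookies column is parsed as a string of the
    form ``{"name": "value", "name2": "value2"}`` (presumed from the
    parsing below — confirm against the writer); anything of two
    characters or fewer (e.g. ``{}``) is treated as "no cookies".
    """
    # Custom query per transform; filters applied via and_(*filters).
    conditions = [weblogs.c.client_ip == ip]
    query = select([weblogs.c.host, weblogs.c.path, weblogs.c.cookies], and_(*conditions))
    logging.debug(query)
    rows = db.execute(query).fetchall()
    logging.debug(rows)
    trx = MaltegoTransform()

    for host, _path, cookie_blob in rows:
        logging.debug(host)
        logging.debug(cookie_blob)
        if len(cookie_blob) > 2:
            for entry in cookie_blob.split(", "):
                # Split on the first ": " only, so a value containing ": "
                # no longer raises ValueError; entries without a quoted
                # name/value are skipped instead of raising IndexError.
                raw_name, sep, raw_value = entry.partition(": ")
                name_parts = raw_name.split('"')
                value_parts = raw_value.split('"')
                if not sep or len(name_parts) < 2 or len(value_parts) < 2:
                    logging.debug("skipping unparsable cookie entry: %r", entry)
                    continue
                name = name_parts[1]
                value = value_parts[1]
                logging.debug(name)
                logging.debug(value)
                ent = trx.addEntity("snoopy.Cookie", name)
                ent.addAdditionalFields("value", "Value", "strict", value)
                ent.addAdditionalFields("fqdn", "Domain", "strict", host)
                ent.addAdditionalFields("ip", "Client IP", "strict", ip)

    trx.returnOutput()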
Example #23
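def main(argv):
    """Emit a maltego.Alias entity (the local part) for each e-mail address on a page.

    The page URL is taken from sys.argv[1] (the ``argv`` parameter is not
    used); the body is fetched with urllib and scanned by collectAllEmail().
    """
    url = sys.argv[1]
    html = urllib.urlopen(url).read()
    emails = collectAllEmail(html)

    mt = MaltegoTransform()
    for email in emails:
        # Local part = everything before the first '@'.  The previous
        # ``email[:email.find('@')]`` silently dropped the last character
        # when no '@' was present (find() returns -1).
        alias = email.partition('@')[0]
        mt.addEntity("maltego.Alias", alias)

    mt.returnOutput()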
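def parsereport(page):
    """Add entities for the mutex names listed in a sandbox report page.

    ``page`` is a BeautifulSoup document.  The report lists either a single
    mutex (one ``<li>`` after "...the following Mutex object was created:")
    or several ("...Mutex objects were created:").  Exits with a message
    when none are found or the page cannot be parsed.
    """
    xform = MaltegoTransform()

    try:
        # Each lookup chain fails (AttributeError on None) when the marker
        # text is absent; treat any failure as "not present".
        try:
            single = page.find(text='To mark the presence in the system, the following Mutex object was created:').findNext('ul').li.text
        except Exception:
            single = None
        try:
            multiple = page.find(text='To mark the presence in the system, the following Mutex objects were created:').findNext('ul')
        except Exception:
            multiple = None

        if single is not None:
            # NOTE(review): kept as in the original, but a mutex name is
            # emitted here as maltego.IPv4Address while the multi-mutex
            # branch uses maltego.Phrase — likely a copy/paste slip; confirm.
            xform.addEntity("maltego.IPv4Address", single)
            if multiple is not None:
                for mutex in multiple.findAll('li'):
                    xform.addEntity("maltego.Phrase", mutex.text)
        elif multiple is not None:
            for mutex in multiple.findAll('li'):
                xform.addEntity("maltego.Phrase", mutex.text)
        else:
            sys.exit("No Mutexes Reported")
    # Narrowed from a bare ``except:``, which also caught the SystemExit
    # raised by sys.exit("No Mutexes Reported") above and replaced its message.
    except Exception:
        sys.exit("Error finding Mutexes.")

    xform.returnOutput()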
Example #25
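def new_transform(arg):
    """Return maltego.IPv4Address entities for the IPs in a workspace.

    Queries the fixed local API host (10.1.99.250:8125, plain HTTP) for
    the workspace named by ``arg``.  Any failure is reported back as a UI
    message rather than a traceback.

    Args:
        arg: workspace id; interpolated into the URL path as-is (no quoting).
    """
    m = MaltegoTransform()
    url = 'http://10.1.99.250:8125/api/v1.0/%s/ip' % arg
    try:
        # Without a timeout a stalled API would hang the transform indefinitely.
        r = requests.get(url, timeout=30)
        j = r.json()
        for i in j['items']:
            ent = m.addEntity('maltego.IPv4Address', i['ipaddr'])
            ent.addAdditionalFields('workspace', 'Workspace ID', True, arg)
    except Exception as e:
        m.addUIMessage(str(e))
    m.returnOutput()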
Example #26
def main():
    """Read the input location from Maltego and the Wigle credentials from disk.

    ``latitude`` / ``longitude`` / ``longaddress`` come from the Maltego
    input; the Wigle user, password, e-mail and proxy are read from the
    first line of ``wigle_creds.txt`` (relative to the current working
    directory) as four colon-separated fields.  The function continues
    past this excerpt.
    """
#    print "Content-type: xml\n\n";
#    MaltegoXML_in = sys.stdin.read()
#    logging.debug(MaltegoXML_in)
#    if MaltegoXML_in <> '':
#     m = MaltegoMsg(MaltegoXML_in)

    TRX = MaltegoTransform()
    TRX.parseArguments(sys.argv)
    lat = float(TRX.getVar("latitude"))
    lng = float(TRX.getVar("longitude"))
    address = TRX.getVar("longaddress")

    logging.debug(lat)
    logging.debug(address)

    try:
        f = open("wigle_creds.txt", "r")
        # Exactly four fields are required; a password containing ':' or a
        # missing proxy field makes the unpack raise and the transform exit.
        user, passw, email,proxy = f.readline().strip().split(":")
    except Exception, e:
        print "ERROR: Unable to read Wigle user & pass, email (and optional proxy) from wigle_creds.txt"
        print e
        exit(-1)
Example #27
#!/usr/bin/env python

# Maltego transform for getting the robots.txt file from websites

from MaltegoTransform import *
import requests

# Fetch /robots.txt from the input website on each listed port and return
# every line as a maltego.Phrase entity.  Input comes from the Maltego
# entity: fqdn, a comma-separated ports list and website.ssl-enabled.
# The script continues past this excerpt.
m = MaltegoTransform()
m.parseArguments(sys.argv)

website = m.getVar('fqdn')
port = m.getVar('ports')
port = port.split(',')
ssl = m.getVar('website.ssl-enabled')
robots = []

try:
  for c in port:
    # Scheme is chosen from the string value 'true' only; anything else
    # (including 'True') falls through to plain http.
    if ssl == 'true':
      url = 'https://' + website + ':' + str(c) + '/robots.txt'
      # NOTE(review): no timeout is set, so an unresponsive host can hang
      # the transform.
      r = requests.get(url)
      if r.status_code == 200:
        robots = str(r.text).split('\n')
        for i in robots:
          ent = m.addEntity('maltego.Phrase', i)
          ent.addAdditionalFields("url","Original URL",True,url)
      else:
        m.addUIMessage("No Robots.txt found..")
    else:
      url = 'http://' + website + ':' + str(c) + '/robots.txt'
      r = requests.get(url)
	return os.path.normpath(pathname)

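configFile = getLocalConfPath()
config = ConfigParser.SafeConfigParser()
config.read(configFile)

username = config.get('credentials', 'username')
password = config.get('credentials', 'password')
auth = config.get('splunk','auth')
searchhead = config.get('splunk','searchhead')
timeframe = config.get('splunk', 'timeframe')
management = config.get('splunk', 'management')

# Setting up Maltego entities and getting initial variables.

me = MaltegoTransform()
sourcetype = sys.argv[1]

# Determine which REST call to make based on authentication setting.
#
# curl is invoked with an argument list (shell=False).  ``sourcetype`` is
# taken from the Maltego entity, and the previous shell string let any
# quote, semicolon or backtick in that value be interpreted by the shell.
# The value is still embedded in the SPL search text that Splunk receives.
splunk_search = ('search=search index=' + sourcetype + ' earliest=' + timeframe
                 + ' | table sourcetype | dedup sourcetype')
export_url = ('https://' + searchhead + ':' + management
              + '/servicesNS/admin/search/search/jobs/export')
curl_cmd = ['curl']
if auth == "1":
    # -u places the credentials on the command line, where they are visible
    # in the local process list; -k disables TLS certificate verification.
    # Both are kept as configured here.
    curl_cmd += ['-u', username + ':' + password]
curl_cmd += ['-s', '-k', '--data-urlencode', splunk_search,
             '-d', 'output_mode=csv', export_url]
output = subprocess.check_output(curl_cmd)

# Regex to find Sourcetype

sourcetype = re.findall(r'.+', output)
sourcetypes = []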
for i in sourcetype:
	if i[0] == '"':
Example #29
from MaltegoTransform import *
from mcrits_utils import *

crits = mcrits()

# Read the CRITs object id and type from the Maltego input, then emit one
# entity per related Sample as (entity type, value) pairs from get_related().
me = MaltegoTransform()
me.parseArguments(sys.argv)
id_ = me.getVar('id')
crits_type = me.getVar('crits_type')

related_samples = crits.get_related(crits_type, id_, 'Sample')
for related in related_samples:
    me.addEntity(related[0], related[1])

me.returnOutput()
#!/usr/bin/env python
import sys
import urllib2
from MaltegoTransform import *

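mt = MaltegoTransform()
mt.parseArguments(sys.argv)
SearchString = mt.getValue()
# A fresh transform is used for the response, as in the original
# (presumably so parsed input is not echoed back — confirm).
mt = MaltegoTransform()

# The lookup value is sent as a query parameter, so URL-encode it: the
# previous code pasted it in raw, letting "&", "#" or spaces alter the
# request.  The resolver is reached over plain HTTP; the timeout keeps a
# stalled server from hanging the transform.
url = 'http://api.predator.wtf/resolver/?arguments=' + urllib2.quote(SearchString, safe='')
ipaddress = urllib2.urlopen(url, timeout=30).read()
mt.addEntity("maltego.IPv4Address", ipaddress)
mt.returnOutput()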
Example #31
import sys
import emailprotectionslib.spf as spf

from MaltegoTransform import *

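mt = MaltegoTransform()
mt.parseArguments(sys.argv)
domain = mt.getValue()
# A fresh transform is used for the response, as in the original.
mt = MaltegoTransform()

try:
    spf_record = spf.SpfRecord.from_domain(domain)
    mt.addEntity("maltego.Phrase", "SPF Record: " + str(spf_record))
# Narrowed from a bare ``except:`` so KeyboardInterrupt / SystemExit are
# not turned into a PartialError message.
except Exception:
    mt.addUIMessage("Exception Occured", messageType="PartialError")
mt.returnOutput()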
Example #32
#!/usr/bin/python
#DESC: Transform Meetup group URL into Meetup leader profile URLs
import httplib2, urllib2, lxml, sys, re
from bs4 import BeautifulSoup
from MaltegoTransform import *

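# Leaders page of the Meetup group whose URL is argv[1] (expected to end in '/').
url = sys.argv[1] + "members/?op=leaders"

opener = urllib2.build_opener()
opener.addheaders = [('User-agent', 'Mozilla/5.0')]
# Bound the fetch so a stalled server cannot hang the transform.
soup = BeautifulSoup(opener.open(url, timeout=30), "lxml")

me = MaltegoTransform()

# One maltego.URL entity per leader profile link (<a class="memName">).
for member in soup.find_all("a", "memName"):
    ent = me.addEntity("maltego.URL", member.text + " Meetup")
    ent.addAdditionalFields("url", "URL", "", member['href'])

me.returnOutput()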
Example #33
config.read(configFile)

# Splunk connection settings and credentials from the local config file.
username = config.get('credentials', 'username')
password = config.get('credentials', 'password')
auth, searchhead, timeframe, status, management, proxy, proxy_ip, proxy_port = [
    config.get('splunk', key)
    for key in ('auth', 'searchhead', 'timeframe', 'status', 'management',
                'proxy', 'proxy_ip', 'proxy_port')
]

# Setting up Maltego entities and getting initial variables.
# NOTE(review): the curl invocations below build a shell command string
# (shell=True) that embeds ``sourcetype`` from sys.argv[1]; an argument
# list would keep that value out of the shell.

me = MaltegoTransform()
me.parseArguments(sys.argv)
sourcetype = sys.argv[1]
hostip = me.getVar("host")

# Determine which REST call to make based on authentication setting.

if auth == "1":
	if proxy == "1":
		output = subprocess.check_output('curl -u ' + username + ':' + password + ' -s -k --socks5 ' + proxy_ip + ':' + proxy_port + ' --data-urlencode search="search index=* earliest=' + timeframe + ' sourcetype=' +  sourcetype + ' | table host | dedup host" -d "output_mode=csv" https://' + searchhead + ':' + management + '/servicesNS/admin/search/search/jobs/export', shell=True)
	else:
		output = subprocess.check_output('curl -u ' + username + ':' + password + ' -s -k --data-urlencode search="search index=* earliest=' + timeframe + ' sourcetype=' +  sourcetype + ' | table host | dedup host" -d "output_mode=csv" https://' + searchhead + ':' + management + '/servicesNS/admin/search/search/jobs/export', shell=True)

else:
	if proxy == "1":
		output = subprocess.check_output('curl -s -k --socks5 ' + proxy_ip + ':' + proxy_port + ' --data-urlencode search="search index=* earliest=' + timeframe + ' sourcetype=' +  sourcetype + ' | table host | dedup host" -d "output_mode=csv" https://' + searchhead + ':' + management + '/servicesNS/admin/search/search/jobs/export', shell=True)
Example #34
#!/usr/bin/python
# -*- coding: utf-8 -*-
from MaltegoTransform import *
from ttp import ttp
from urlparse import urlparse
import sys, httplib

# Description:  Locally extract URLs from Tweets
# Installation: http://dev.paterva.com/developer/getting_started/building_your_own_local_transform.php
# Author:       Michael Henriksen (@michenriksen)

transform = MaltegoTransform()
transform.parseArguments(sys.argv)

# The tweet text is decoded from UTF-8 before parsing (getVar presumably
# returns a byte string — confirm); ttp extracts the URLs from it.
tweet = transform.getVar("content").decode('utf-8')
parser = ttp.Parser()
parsed_tweet = parser.parse(tweet)

for url in parsed_tweet.urls:
    parsed_url = urlparse(url)

    # Expand Twitter shortened URLs
    if parsed_url.hostname == "t.co":
        transform.addUIMessage("Expanding t.co URL: " + url, "Inform")

        # Perform a HEAD request on t.co via secure connection
        connection = httplib.HTTPSConnection(parsed_url.hostname)
        connection.request("HEAD", parsed_url.path)
        response = connection.getresponse()

        # Loop through each header until we find the Location header