Example #1
0
    def _parse_resolv(self):
        if not self._servers:
            try:
                with open('/etc/resolv.conf', 'r') as f:
                    content = f.readlines()
                    for line in content:
                        line = line.strip()
                        if not line:
                            continue

                        if not line.startswith('nameserver'):
                            continue

                        parts = line.split()
                        if not len(parts) < 2:
                            continue

                        server = parts[1]
                        if common.is_ip(server) == socket.AF_INET:
                            self._servers.append((server, 53))
            except IOError:
                pass
        # insert default dns
        if not self._servers:
            self._servers = [('8.8.4.4', 53), ('8.8.8.8', 53)]
        logging.info('dns server: %s' % (self._servers,))
Example #2
0
    def _parse_hosts(self):
        try:
            with open('/etc/hosts', 'r') as f:
                content = f.readlines()
                for line in content:
                    line = line.strip()
                    if not line:
                        continue

                    __index = line.find('#')
                    if __index == 0:
                        continue

                    if __index > 0:
                        line = line[:__index]
                    parts = line.split()
                    if not len(parts) < 2:
                        continue

                    ip = parts[0]
                    if not common.is_ip(ip):
                        continue

                    for i in range(1, len(parts)):
                        hostname = parts[i]
                        if hostname:
                            self._hosts[hostname] = ip
        except IOError:
            pass
        # insert default host
        if not self._hosts:
            self._hosts['localhost'] = '127.0.0.1'
 def resolve(self, hostname, callback):
     if type(hostname) != bytes:
         hostname = hostname.encode('utf8')
     if not hostname:
         callback(None, Exception('empty hostname'))
     elif common.is_ip(hostname):
         callback((hostname, hostname), None)
     elif hostname in self._hosts:
         logging.debug('hit hosts: %s', hostname)
         ip = self._hosts[hostname]
         callback((hostname, ip), None)
     elif hostname in self._cache:
         logging.debug('hit cache: %s', hostname)
         ip = self._cache[hostname]
         callback((hostname, ip), None)
     else:
         if not is_valid_hostname(hostname):
             callback(None, Exception('invalid hostname: %s' % hostname))
             return
         arr = self._hostname_to_cb.get(hostname, None)
         if not arr:
             self._hostname_status[hostname] = STATUS_IPV4
             self._send_req(hostname, QTYPE_A)
             self._hostname_to_cb[hostname] = [callback]
             self._cb_to_hostname[callback] = hostname
         else:
             arr.append(callback)
             # TODO send again only if waited too long
             self._send_req(hostname, QTYPE_A)
Example #4
0
 def resolve(self, hostname, callback):
     if type(hostname) != bytes:
         hostname = hostname.encode('utf8')
     if not hostname:
         callback(None, Exception('empty hostname'))
     elif common.is_ip(hostname):
         callback((hostname, hostname), None)
     elif hostname in self._hosts:
         logging.debug('hit hosts: %s', hostname)
         ip = self._hosts[hostname]
         callback((hostname, ip), None)
     elif hostname in self._cache:
         logging.debug('hit cache: %s', hostname)
         ip = self._cache[hostname]
         callback((hostname, ip), None)
     else:
         if not is_valid_hostname(hostname):
             callback(None, Exception('invalid hostname: %s' % hostname))
             return
         arr = self._hostname_to_cb.get(hostname, None)
         if not arr:
             self._hostname_status[hostname] = STATUS_IPV4
             self._send_req(hostname, QTYPE_A)
             self._hostname_to_cb[hostname] = [callback]
             self._cb_to_hostname[callback] = hostname
         else:
             arr.append(callback)
             # TODO send again only if waited too long
             self._send_req(hostname, QTYPE_A)
Example #5
0
def iocs_type(command_line_input):
    """Determine which kind of IOCs we deal with and call the right function
	   Input:  - The command line input
	   Output: - Dictionnary containing all the types
	"""
    iocs_type = {}
    for argument in sys.argv:

        if is_ip(argument):
            iocs_type['IP_ADDRESS'] = 'IP'
            ip(argument)
            honeypot_parser()

        if is_url(argument):

            iocs_type['URL_LINK'] = 'URL'
            virus_total_parser(argument)
Example #6
0
 def resolve(self, hostname, callback):
     if type(hostname) != bytes:
         hostname = hostname.encode('utf8')
     if not hostname:
         callback(None, Exception('empty hostname'))
     elif common.is_ip(hostname):
         callback((hostname, hostname), None)
     elif hostname in self._hosts:
         logging.debug('hit hosts: %s', hostname)
         ip = self._hosts[hostname]
         callback((hostname, ip), None)
     elif hostname in self._cache:
         logging.debug('hit cache: %s', hostname)
         ip = self._cache[hostname]
         callback((hostname, ip), None)
     else:
         if not is_valid_hostname(hostname):
             callback(None, Exception('invalid hostname: %s' % hostname))
             return
         if False:
             addrs = socket.getaddrinfo(hostname, 0, 0,
                                    socket.SOCK_DGRAM, socket.SOL_UDP)
             if addrs:
                 af, socktype, proto, canonname, sa = addrs[0]
                 logging.debug('DNS resolve %s %s' % (hostname, sa[0]) )
                 self._cache[hostname] = sa[0]
                 callback((hostname, sa[0]), None)
                 return
         arr = self._hostname_to_cb.get(hostname, None)
         if not arr:
             if IPV6_CONNECTION_SUPPORT:
                 self._hostname_status[hostname] = STATUS_IPV6
                 self._send_req(hostname, QTYPE_AAAA)
             else:
                 self._hostname_status[hostname] = STATUS_IPV4
                 self._send_req(hostname, QTYPE_A)
             self._hostname_to_cb[hostname] = [callback]
             self._cb_to_hostname[callback] = hostname
         else:
             arr.append(callback)
             # TODO send again only if waited too long
             if IPV6_CONNECTION_SUPPORT:
                 self._send_req(hostname, QTYPE_AAAA)
             else:
                 self._send_req(hostname, QTYPE_A)
Example #7
0
 def _parse_hosts(self):
     etc_path = '/etc/hosts'
     if 'WINDIR' in os.environ:
         etc_path = os.environ['WINDIR'] + '/system32/drivers/etc/hosts'
     try:
         with open(etc_path, 'rb') as f:
             for line in f.readlines():
                 line = line.strip()
                 parts = line.split()
                 if len(parts) >= 2:
                     ip = parts[0]
                     if common.is_ip(ip):
                         for i in range(1, len(parts)):
                             hostname = parts[i]
                             if hostname:
                                 self._hosts[hostname] = ip
     except IOError:
         self._hosts['localhost'] = '127.0.0.1'
 def _parse_hosts(self):
     etc_path = '/etc/hosts'
     if 'WINDIR' in os.environ:
         etc_path = os.environ['WINDIR'] + '/system32/drivers/etc/hosts'
     try:
         with open(etc_path, 'rb') as f:
             for line in f.readlines():
                 line = line.strip()
                 parts = line.split()
                 if len(parts) >= 2:
                     ip = parts[0]
                     if common.is_ip(ip):
                         for i in range(1, len(parts)):
                             hostname = parts[i]
                             if hostname:
                                 self._hosts[hostname] = ip
     except IOError:
         self._hosts['localhost'] = '127.0.0.1'
Example #9
0
 def _parse_resolv(self):
     self._servers = []
     try:
         with open('/etc/resolv.conf', 'rb') as f:
             content = f.readlines()
             for line in content:
                 line = line.strip()
                 if line:
                     if line.startswith(b'nameserver'):
                         parts = line.split()
                         if len(parts) >= 2:
                             server = parts[1]
                             if common.is_ip(server) == socket.AF_INET:
                                 if type(server) != str:
                                     server = server.decode('utf8')
                                 self._servers.append(server)
     except IOError:
         pass
     if not self._servers:
         self._servers = ['8.8.4.4', '8.8.8.8']
 def _parse_resolv(self):
     self._servers = []
     try:
         with open('/etc/resolv.conf', 'rb') as f:
             content = f.readlines()
             for line in content:
                 line = line.strip()
                 if line:
                     if line.startswith(b'nameserver'):
                         parts = line.split()
                         if len(parts) >= 2:
                             server = parts[1]
                             if common.is_ip(server) == socket.AF_INET:
                                 if type(server) != str:
                                     server = server.decode('utf8')
                                 self._servers.append(server)
     except IOError:
         pass
     if not self._servers:
         self._servers = ['8.8.4.4', '8.8.8.8']
Example #11
0
def virus_total_parser(argument):
    """ Parse the data from virustotal """

    if is_ip(argument):
        data = virus_total_ip(argument)
        threat_intel = data.get('resolutions')

        for info in threat_intel:

            print('')

            # Test on ip adress
            print('Information for Victim IP {}'.format(argument))
            print('hostname {}'.format(info['hostname']))
            print('Connection Type: HTTP GET')
            print('Source: virustotal')
            print('Time stamp {}'.format(info['last_resolved']))

    elif is_url(argument):

        data = virus_total_url(argument)
        data = json.loads(data)
        threat_intel = data.get('scans')

        print('')

        # Test on ip adress
        print('Information for Url {}'.format(data.get('url')))
        for user in threat_intel:
            print('\t{} is a {}'.format(user, threat_intel[user]['result']))

        print('Connection Type: HTTP POST')
        print('Source: virustotal')
        print('Scan date {}'.format(data.get('scan_date')))

        print('')
    def _handle_server(self):
        server = self._server_socket
        data, r_addr = server.recvfrom(BUF_SIZE)
        ogn_data = data
        if not data:
            logging.debug('UDP handle_server: data is empty')
        if self._stat_callback:
            self._stat_callback(self._listen_port, len(data))
        uid = None
        if self._is_local:
            frag = common.ord(data[2])
            if frag != 0:
                logging.warn('drop a message since frag is not 0')
                return
            else:
                data = data[3:]
        else:
            ref_iv = [0]
            data = encrypt.encrypt_all_iv(self._protocol.obfs.server_info.key,
                                          self._method, 0, data, ref_iv)
            # decrypt data
            if not data:
                logging.debug('UDP handle_server: data is empty after decrypt')
                return
            self._protocol.obfs.server_info.recv_iv = ref_iv[0]
            data, uid = self._protocol.server_udp_post_decrypt(data)

        #logging.info("UDP data %s" % (binascii.hexlify(data),))
        if not self._is_local:
            data = pre_parse_header(data)
            if data is None:
                return

        try:
            header_result = parse_header(data)
        except:
            self._handel_protocol_error(r_addr, ogn_data)
            return

        if header_result is None:
            self._handel_protocol_error(r_addr, ogn_data)
            return
        connecttype, addrtype, dest_addr, dest_port, header_length = header_result

        if self._is_local:
            addrtype = 3
            server_addr, server_port = self._get_a_server()
        else:
            server_addr, server_port = dest_addr, dest_port

        if (addrtype & 7) == 3:
            af = common.is_ip(server_addr)
            if af == False:
                handler = common.UDPAsyncDNSHandler(
                    (data, r_addr, uid, header_length))
                handler.resolve(self._dns_resolver, (server_addr, server_port),
                                self._handle_server_dns_resolved)
            else:
                self._handle_server_dns_resolved(
                    "", (server_addr, server_port), server_addr,
                    (data, r_addr, uid, header_length))
        else:
            self._handle_server_dns_resolved(
                "", (server_addr, server_port), server_addr,
                (data, r_addr, uid, header_length))