def run(self): Analyzer.run(self) data = self.getData() try: # enrichment service if self.service == 'enrichment': enrichment_request = EnrichmentRequest(username=self.username, api_key=self.api_key) result = enrichment_request.get_enrichment(query=data) self.report(result) # malware service elif self.service == 'malware': enrichment_request = EnrichmentRequest(username=self.username, api_key=self.api_key) result = enrichment_request.get_malware(query=data) self.report(result) # osint service elif self.service == 'osint': enrichment_request = EnrichmentRequest(username=self.username, api_key=self.api_key) result = enrichment_request.get_osint(query=data) self.report(result) # passive dns service elif self.service == 'passive_dns': dns_request = DnsRequest(username=self.username, api_key=self.api_key) result = dns_request.get_passive_dns(query=data) self.report(result) # ssl certificate details service elif self.service == 'ssl_certificate_details': ssl_request = SslRequest(username=self.username, api_key=self.api_key) result = ssl_request.get_ssl_certificate_details(query=data) self.report(result) # ssl certificate history service elif self.service == 'ssl_certificate_history': ssl_request = SslRequest(username=self.username, api_key=self.api_key) result = ssl_request.get_ssl_certificate_history(query=data) self.report(result) # unique resolutions service elif self.service == 'unique_resolutions': dns_request = DnsRequest(username=self.username, api_key=self.api_key) result = dns_request.get_unique_resolutions(query=data) self.report(result) # whois details service elif self.service == 'whois_details': whois_request = WhoisRequest(username=self.username, api_key=self.api_key) result = whois_request.get_whois_details(query=data) self.report(result) else: self.error('Unknown PassiveTotal service') except Exception as e: self.unexpectedError(e)
def get_whois(self, **kwargs): client = WhoisRequest(self.username, self.apikey) keys = ['query', 'compact', 'field'] params = self._cleanup_params(keys, **kwargs) if not params.get('field'): return client.get_whois_details(**params) else: return client.search_whois_by_field(**params)
def load_client(context): """Get an instance of a loaded client.""" username = context.getTransformSetting('username') api_key = context.getTransformSetting('aKey') test_status = context.getTransformSetting('test_local') if test_status and test_status == 'True': server = context.getTransformSetting('server') version = context.getTransformSetting('version') return WhoisRequest(username, api_key, server, version) else: return WhoisRequest(username, api_key, headers=gen_debug(request))
def get_whois(self, **kwargs): client = WhoisRequest(self.username, self.apikey) keys = ['query', 'compact', 'field'] params = self._cleanup_params(keys, **kwargs) if not params.get('field'): return client.get_whois_details(**params) else: return client.search_whois_by_field(**params)
def __process_result_pt__(self): # passive total d = self.__get_top_level_domain__() try: if d: client = WhoisRequest.from_config() raw_results = client.get_whois_details(query=d) self.raw_whois = raw_results elif not d: print("PT, domain null " + str(d) + " " + str(self.id)) except: print("PT rejects " + str(self.domain) + " ")
def __init__(self): try: self.clients = { 'ssl': SslRequest.from_config(), 'dns': DnsRequest.from_config(), 'enrichment': EnrichmentRequest.from_config(), 'whois': WhoisRequest.from_config(), 'attribute': AttributeRequest.from_config(), } except Exception: self.clients = None
def call_whois(args): """Abstract call to WHOIS-based queries.""" client = WhoisRequest.from_config() pruned = prune_args(query=args.query, compact_record=args.compact, field=args.field) if not args.field: data = client.get_whois_details(**pruned) else: data = client.search_whois_by_field(**pruned) return data
def call_whois(args): """Abstract call to WHOIS-based queries.""" client = WhoisRequest.from_config() pruned = prune_args( query=args.query, compact_record=args.compact, field=args.field ) if not args.field: data = client.get_whois_details(**pruned) else: data = client.search_whois_by_field(**pruned) return data
def run(self, conf, args, plugins): if 'subcommand' in args: if args.subcommand == 'whois': client = WhoisRequest(conf['PassiveTotal']['username'], conf['PassiveTotal']['key']) if args.domain: raw_results = client.search_whois_by_field(query=unbracket( args.domain.strip()), field="domain") print( json.dumps(raw_results, sort_keys=True, indent=4, separators=(',', ': '))) elif args.file: with open(args.file, 'r') as infile: data = infile.read().split() print( "Domain|Date|Registrar|name|email|Phone|organization|Street|City|Postal Code|State|Country" ) for d in data: do = unbracket(d.strip()) # FIXME: bulk request here raw_results = client.search_whois_by_field( query=do, field="domain") if "results" not in raw_results: print("%s|||||||||||" % bracket(do)) else: if len(raw_results["results"]) == 0: print("%s|||||||||||" % bracket(do)) else: r = raw_results["results"][0] if "registered" in r: dd = datetime.datetime.strptime( r["registered"], "%Y-%m-%dT%H:%M:%S.%f%z") ddo = dd.strftime("%m/%d/%Y %H:%M:%S") else: ddo = "" print( "%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s" % (bracket(do), ddo, r["registrar"] if "registrar" in r else "", r["registrant"]["name"] if "name" in r["registrant"] else "", r["registrant"]["email"] if "email" in r["registrant"] else "", r["registrant"]["telephone"] if "telephone" in r["registrant"] else "", r["registrant"]["organization"] if "organization" in r["registrant"] else "", r["registrant"]["street"] if "street" in r["registrant"] else "", r["registrant"]["city"] if "city" in r["registrant"] else "", r["registrant"]["postalCode"] if "postalCode" in r["registrant"] else "", r["registrant"]["state"] if "state" in r["registrant"] else "", r["registrant"]["country"] if "country" in r["registrant"] else "")) elif args.email: raw_results = client.search_whois_by_field( query=args.email.strip(), field="email") print( json.dumps(raw_results, sort_keys=True, indent=4, separators=(',', ': '))) else: self.parser.print_help() elif args.subcommand == "dns": client = DnsRequest(conf['PassiveTotal']['username'], conf['PassiveTotal']['key']) raw_results = client.get_passive_dns(query=unbracket( args.DOMAIN), ) print( json.dumps(raw_results, sort_keys=True, indent=4, separators=(',', ': '))) elif args.subcommand == "malware": client = EnrichmentRequest(conf["PassiveTotal"]["username"], conf["PassiveTotal"]['key']) if args.domain: raw_results = client.get_malware(query=args.domain) print( json.dumps(raw_results, sort_keys=True, indent=4, separators=(',', ': '))) elif args.file: with open(args.file, 'r') as infile: data = infile.read().split() domain_list = list(set([a.strip() for a in data])) if len(domain_list) < 51: raw_results = client.get_bulk_malware( query=domain_list) if "results" not in raw_results or not raw_results[ "success"]: print("Request failed") print( json.dumps(raw_results, sort_keys=True, indent=4, separators=(',', ': '))) sys.exit(1) else: results = raw_results["results"] else: results = {} bulk_size = 50 i = 0 while i * bulk_size < len(domain_list): raw_results = client.get_bulk_malware( query=domain_list[i * bulk_size:(i + 1) * bulk_size]) if "results" not in raw_results or not raw_results[ "success"]: print("Request failed") print( json.dumps(raw_results, sort_keys=True, indent=4, separators=(',', ': '))) sys.exit(1) else: results.update(raw_results["results"]) i += 1 if args.raw: print( json.dumps(results, sort_keys=True, indent=4, separators=(',', ': '))) else: print("Domain|Date|Sample|Source|Source URL") for domain in results: if "results" in results[domain]: for sample in results[domain]["results"]: print("%s|%s|%s|%s|%s" % (domain, sample["collectionDate"], sample["sample"], sample["source"], sample["sourceUrl"])) else: self.parser.print_help() elif args.subcommand == "osint": # FIXME: add research of projects client = EnrichmentRequest(conf["PassiveTotal"]["username"], conf["PassiveTotal"]['key']) if args.domain: raw_results = client.get_osint(query=args.domain) print( json.dumps(raw_results, sort_keys=True, indent=4, separators=(',', ': '))) elif args.file: with open(args.file, 'r') as infile: data = infile.read().split() domain_list = list(set([a.strip() for a in data])) if len(domain_list) < 51: raw_results = client.get_bulk_osint(query=domain_list) if "results" not in raw_results or not raw_results[ "success"]: print("Request failed") print( json.dumps(raw_results, sort_keys=True, indent=4, separators=(',', ': '))) sys.exit(1) else: results = raw_results["results"] else: results = {} bulk_size = 50 i = 0 while i * bulk_size < len(domain_list): raw_results = client.get_bulk_osint( query=domain_list[i * bulk_size:(i + 1) * bulk_size]) if "results" not in raw_results or not raw_results[ "success"]: print("Request failed") print( json.dumps(raw_results, sort_keys=True, indent=4, separators=(',', ': '))) sys.exit(1) else: results.update(raw_results["results"]) i += 1 if args.raw: print( json.dumps(results, sort_keys=True, indent=4, separators=(',', ': '))) else: print("Domain|Source|URL|Tags") for domain in results: if "results" in results[domain]: for report in results[domain]["results"]: print("%s|%s|%s|%s" % (domain, report["source"], report["source_url"], " / ".join( report["tags"]))) else: self.parser.print_help() else: self.parser.print_help() else: self.parser.print_help()
import sys from passivetotal.libs.dns import DnsRequest from passivetotal.libs.dns import DnsUniqueResponse from passivetotal.libs.whois import WhoisRequest from passivetotal.libs.whois import WhoisResponse from passivetotal.common.utilities import is_ip query = sys.argv[1] if not is_ip(query): raise Exception("This script only accepts valid IP addresses!") sys.exit(1) # look up the unique resolutions client = DnsRequest.from_config() raw_results = client.get_unique_resolutions(query=query) loaded = DnsUniqueResponse(raw_results) whois_client = WhoisRequest.from_config() for record in loaded.get_records()[:3]: raw_whois = whois_client.get_whois_details(query=record.resolve) whois = WhoisResponse(raw_whois) print record.resolve, whois.contactEmail
logger.info("Starting command processing") input_events, dummyresults, settings = splunk.Intersplunk.getOrganizedResults( ) keywords, options = splunk.Intersplunk.getKeywordsAndOptions() query_value = options.get("query", "") logger.info("Query target: %s" % query_value) logger.debug("Raw options: %s" % str(options)) configuration = get_config("passivetotal", "api-setup") username = configuration.get('username', None) api_key = configuration.get('apikey', None) output_events = list() whois = WhoisRequest(username, api_key, headers=build_headers()).get_whois_details( query=query_value, compact_record=True) if 'error' in whois: raise Exception( "Whoa there, looks like you reached your quota for today! Please come back tomorrow to resume your investigation or contact support for details on enterprise plans." ) fields = [ 'contactEmail', 'nameServers', 'registered', 'registryUpdatedAt', 'expiresAt', 'registrar' ] for field in fields: tmp = {'key': gen_label(field), 'value': whois.get(field, '')} output_events.append(tmp) for key, value in whois.get('compact', {}).iteritems(): formatted = list() for item in value.get('values', []):
try: logger.info("Starting command processing") input_events, dummyresults, settings = splunk.Intersplunk.getOrganizedResults() keywords, options = splunk.Intersplunk.getKeywordsAndOptions() query_value = options.get("query", "") logger.info("Query target: %s" % query_value) logger.debug("Raw options: %s" % str(options)) configuration = get_config("passivetotal", "api-setup") username = configuration.get('username', None) api_key = configuration.get('apikey', None) output_events = list() whois = WhoisRequest(username, api_key, headers=build_headers()).get_whois_details( query=query_value, compact_record=True) if 'error' in whois: raise Exception("Whoa there, looks like you reached your quota for today! Please come back tomorrow to resume your investigation or contact support for details on enterprise plans.") fields = ['contactEmail', 'nameServers', 'registered', 'registryUpdatedAt', 'expiresAt', 'registrar'] for field in fields: tmp = {'key': gen_label(field), 'value': whois.get(field, '')} output_events.append(tmp) for key, value in whois.get('compact', {}).iteritems(): formatted = list() for item in value.get('values', []): tmp = "%s (%s)" % (item[0], ', '.join(item[1])) formatted.append(tmp) tmp = {'key': gen_label(key), 'value': ', '.join(formatted)} output_events.append(tmp) splunk.Intersplunk.outputResults(output_events)
def setup_class(self): self.patcher = patch('passivetotal.api.Client._get', fake_request) self.patcher.start() self.client = WhoisRequest('--No-User--', '--No-Key--')
class WhoisTestCase(unittest.TestCase): """Test case for WHOIS methods.""" formats = ['json'] def setup_class(self): self.patcher = patch('passivetotal.api.Client._get', fake_request) self.patcher.start() self.client = WhoisRequest('--No-User--', '--No-Key--') def teardown_class(self): self.patcher.stop() def test_whois_details(self): """Test getting WHOIS details.""" payload = {'query': 'passivetotal.org'} response = self.client.get_whois_details(**payload) assert (response.get('domain')) == 'passivetotal.org' def test_process_whois_details(self): """Test processing WHOIS details.""" payload = {'query': 'passivetotal.org'} response = self.client.get_whois_details(**payload) wrapped = Response(response) for item in self.formats: assert (getattr(wrapped, item)) def test_property_load(self): """Test loading properties on a result.""" payload = {'query': 'passivetotal.org'} response = self.client.get_whois_details(**payload) wrapped = Response(response) for key, value in iteritems(response): assert (getattr(wrapped, key)) == value def test_whois_search(self): """Test getting a WHOIS search.""" payload = {'query': '18772064254', 'field': 'phone'} response = self.client.search_whois_by_field(**payload) assert (response['results'][0].get('domain')) == 'passivetotal.org' def test_whois_search_bad_field(self): """Test sending a bad field in a search.""" with pytest.raises(INVALID_FIELD_TYPE) as excinfo: def invalid_field(): payload = {'query': '18772064254', 'field': '_'} self.client.search_whois_by_field(**payload) invalid_field() assert 'must be one of the following' in str(excinfo.value) def test_whois_search_missing_field(self): """Test missing a field in a search.""" with pytest.raises(MISSING_FIELD) as excinfo: def missing_field(): payload = {'query': '18772064254', 'no-field': '_'} self.client.search_whois_by_field(**payload) missing_field() assert 'value is required' in str(excinfo.value) def test_process_whois_search(self): """Test processing search results.""" payload = {'query': '18772064254', 'field': 'phone'} response = self.client.search_whois_by_field(**payload) results = Response(response) assert (Response(results.results[0]).domain) == 'passivetotal.org'
def run(self): data = self.get_data() try: # enrichment service if self.service == 'enrichment': enrichment_request = EnrichmentRequest(username=self.username, api_key=self.api_key) result = enrichment_request.get_enrichment(query=data) self.report(result) # malware service elif self.service == 'malware': enrichment_request = EnrichmentRequest(username=self.username, api_key=self.api_key) result = enrichment_request.get_malware(query=data) self.report(result) # osint service elif self.service == 'osint': enrichment_request = EnrichmentRequest(username=self.username, api_key=self.api_key) result = enrichment_request.get_osint(query=data) self.report(result) # passive dns service elif self.service == 'passive_dns': dns_request = DnsRequest(username=self.username, api_key=self.api_key) result = dns_request.get_passive_dns(query=data) self.report(result) # ssl certificate details service elif self.service == 'ssl_certificate_details': ssl_request = SslRequest(username=self.username, api_key=self.api_key) result = ssl_request.get_ssl_certificate_details(query=data) self.report(result) # ssl certificate history service elif self.service == 'ssl_certificate_history': ssl_request = SslRequest(username=self.username, api_key=self.api_key) result = ssl_request.get_ssl_certificate_history(query=data) print(len(result['results'])) if len(result['results'] ) == 1 and result['results'][0]['ipAddresses'] == 'N/A': print("ok") self.report({'results': []}) else: self.report(result) # unique resolutions service elif self.service == 'unique_resolutions': dns_request = DnsRequest(username=self.username, api_key=self.api_key) result = dns_request.get_unique_resolutions(query=data) self.report(result) # whois details service elif self.service == 'whois_details': whois_request = WhoisRequest(username=self.username, api_key=self.api_key) result = whois_request.get_whois_details(query=data) self.report(result) # components service elif self.service == 'components': host_attr_request = HostAttributeRequest( username=self.username, api_key=self.api_key) result = host_attr_request.get_components(query=data) self.report(result) # trackers service elif self.service == 'trackers': host_attr_request = HostAttributeRequest( username=self.username, api_key=self.api_key) result = host_attr_request.get_trackers(query=data) self.report(result) # host pairs service elif self.service == 'host_pairs': host_attr_request = HostAttributeRequest( username=self.username, api_key=self.api_key) result = host_attr_request.get_host_pairs(query=data, direction='parents') children = host_attr_request.get_host_pairs( query=data, direction='children') result['totalRecords'] += children['totalRecords'] result['results'] = result['results'] + children['results'] self.report(result) else: self.error('Unknown PassiveTotal service') except Exception as e: self.unexpectedError(e)