def checkAge():
s = shelve.open(eventDB)
try:
age = s['age']
eid = s['id']
except:
age = datetime.today()-timedelta(seconds=6000)
eid = "none"
s.close()
curDate = datetime.today()
if age < curDate - timedelta(seconds=3600):
mt = MaltegoTransform()
mt.addException("[Warning] Selection of Event is over 1 hour old. Please reselect. Current selection: %s" % eid);
mt.throwExceptions()
else:
return eid
def checkAge():
s = shelve.open(eventDB)
try:
age = s['age']
eid = s['id']
except:
age = datetime.today() - timedelta(seconds=6000)
eid = "none"
s.close()
curDate = datetime.today()
if age < curDate - timedelta(seconds=3600):
mt = MaltegoTransform()
mt.addException(
"[Warning] Selection of Event is over 1 hour old. Please reselect. Current selection: %s"
% eid)
mt.throwExceptions()
else:
return eid
def returnFailure(etype, value, reason):
mt = MaltegoTransform()
mt.addException("[Error] Failed to add %s with value %s due to %s" %
(etype, value, reason))
mt.throwExceptions()
def dataError(request):
mt = MaltegoTransform()
mt.addException("[Error] Failure to load function with name %s" % request)
mt.throwExceptions()
import argparse
import re
import shelve
from datetime import datetime, timedelta
from pymisp import PyMISP, MISPEvent, MISPAttribute
from MaltegoTransform import *
from mispego_util import *
try:
misp = PyMISP(BASE_URL, API_KEY, MISP_VERIFYCERT, 'json', MISP_DEBUG)
except Exception as e:
mt = MaltegoTransform()
mt.addException(
"[Error] Cannot connect to MISP instance using %s with API key %s. Please check and try again"
% (BASE_URL, API_KEY))
mt.addException("[Error] %s" % e)
mt.throwExceptions()
eventDB = "event.db"
def addDomain(domainValue):
eid = checkAge()
mispAttribute = MISPAttribute()
mispAttribute.type = 'domain'
mispAttribute.value = domainValue
misp.add_attribute(eid, mispAttribute)
returnSuccess("domain", domainValue, eid)
ent = me.addEntity("nullJaX.GooglePlusActivity", value)
ent.setType("nullJaX.GooglePlusActivity")
ent.setValue(value)
if 'published' in activity:
ent.addAdditionalFields("published", "Published", True,
activity['published'])
if 'updated' in activity:
ent.addAdditionalFields("updated", "Updated", True,
activity['updated'])
ent.addAdditionalFields("AID", "Activity ID", True, activity['id'])
ent.addAdditionalFields("url", "Activity URL", True, activity['url'])
ent.addAdditionalFields("uid", "Publisher UID", True,
activity['actor']['id'])
if 'geocode' in activity:
ent.addAdditionalFields("geocode", "Geocode", True,
activity['geocode'])
if 'address' in activity:
ent.addAdditionalFields("address", "Address", True,
activity['address'])
if 'radius' in activity:
ent.addAdditionalFields("radius", "Radius", True,
activity['radius'])
if 'placeName' in activity:
ent.addAdditionalFields("placeName", "Name of Place", True,
activity['namePlace'])
me.heartbeat()
me.returnOutput()
except:
me.addException("Something went wrong :(")
me.throwExceptions()
def main():
mt = MaltegoTransform()
if len(sys.argv) != 5:
mt.addException(
"You appear to be missing your uid and secret. Here is what was in your path: {s}"
.format(s=sys.argv))
mt.throwExceptions()
censys_uid = sys.argv[1]
censys_secret = sys.argv[2]
cn = sys.argv[3]
auth = (censys_uid, censys_secret)
page = 1
query = {
'query':
'443.https.tls.certificate.parsed.issuer.common_name: {cn}'.format(
cn=cn),
'fields': [
'443.https.tls.certificate.parsed.fingerprint_sha1',
'443.https.tls.certificate.parsed.issuer_dn',
'443.https.tls.certificate.parsed.subject_dn',
'updated_at',
],
'page':
page
}
try:
request = requests.post('https://www.censys.io/api/v1/search/ipv4',
data=json.dumps(query),
auth=auth)
if request.status_code == 200:
results = request.json()
pages = results['metadata']['pages']
if results['metadata']['count'] > 0:
parse_results(results['results'], mt)
if pages > 1 > 4:
mt.addUIMessage(
"Found more than one page. Getting up to the first 100 results"
)
for i in range(2, 5):
page = i
query['page'] = page
request = requests.post(
'https://www.censys.io/api/v1/search/ipv4',
data=json.dumps(query),
auth=auth)
if request.status_code == 200:
results = request.json()
if results['metadata']['count'] > 0:
parse_results(results['results'], mt)
else:
if request.status_code == 400:
results = request.json()
mt.addException(str(results['error']))
if request.status_code == 429:
results = request.json()
mt.addException(str(results['error']))
if request.status_code == 404:
mt.addException(
"No data was found for this issuer cn {cn}"
.format(cn=cn))
if request.status_code == 500:
mt.addException(
"There has been a server error!!!")
if pages < 5 > 1:
mt.addUIMessage(
"Found more than one page. Getting up to the first 100 results"
)
for i in range(2, pages):
page = i
query['page'] = page
request = requests.post(
'https://www.censys.io/api/v1/search/ipv4',
data=json.dumps(query),
auth=auth)
if request.status_code == 200:
results = request.json()
if results['metadata']['count'] > 0:
parse_results(results['results'], mt)
else:
if request.status_code == 400:
results = request.json()
mt.addException(str(results['error']))
if request.status_code == 429:
results = request.json()
mt.addException(str(results['error']))
if request.status_code == 404:
mt.addException(
"No data was found for this issuer cn {cn}"
.format(cn=cn))
if request.status_code == 500:
mt.addException(
"There has been a server error!!!")
else:
mt.addUIMessage(
"No additional cert data was found with this ssl cert subject cn: {cn}"
.format(cn=cn))
mt.returnOutput()
else:
if request.status_code == 400:
results = request.json()
mt.addException(str(results['error']))
if request.status_code == 429:
results = request.json()
mt.addException(str(results['error']))
if request.status_code == 404:
mt.addException(
"No data was found for this issuer cn {cn}".format(cn=cn))
if request.status_code == 500:
mt.addException("There has been a server error!!!")
mt.throwExceptions()
except requests.exceptions.RequestException as e:
mt.addException(str(e))
mt.throwExceptions()
def main():
mt = MaltegoTransform()
if len(sys.argv) != 5:
mt.addException("You appear to be missing your uid and secret. Here is what was in your path: {s}".format(
s=sys.argv))
mt.throwExceptions()
sha1 = sys.argv[3]
censys_uid = sys.argv[1]
censys_secret = sys.argv[2]
auth = (censys_uid, censys_secret)
page = 1
query = {'query': '443.https.tls.certificate.parsed.fingerprint_sha1: \"{s}\"'.format(s=sha1),
'fields': ['ip', '443.https.tls.certificate.parsed.subject.common_name',
'443.https.tls.certificate.parsed.issuer.common_name', 'updated_at'], 'page': page}
try:
request = requests.post('https://www.censys.io/api/v1/search/ipv4', data=json.dumps(query), auth=auth)
if request.status_code == 200:
results = request.json()
pages = results['metadata']['pages']
if results['metadata']['count'] > 0:
process_results(results['results'], mt)
if pages > 1 > 4:
mt.addUIMessage("Found more than one page. Getting up to the first 100 results")
for i in range(2, 5):
page = i
query['page'] = page
request = requests.post('https://www.censys.io/api/v1/search/ipv4', data=json.dumps(query),
auth=auth)
if request.status_code == 200:
results = request.json()
if results['metadata']['count'] > 0:
process_results(results['results'], mt)
else:
if request.status_code == 400:
results = request.json()
mt.addException(str(results['error']))
if request.status_code == 429:
results = request.json()
mt.addException(str(results['error']))
if request.status_code == 404:
mt.addException("No info found")
if request.status_code == 500:
mt.addException("There has been a server error!!!")
if pages < 5 > 1:
for i in range(2, pages):
page = i
query['page'] = page
request = requests.post('https://www.censys.io/api/v1/search/ipv4', data=json.dumps(query),
auth=auth)
if request.status_code == 200:
results = request.json()
if results['metadata']['count'] > 0:
process_results(results['results'], mt)
else:
if request.status_code == 400:
results = request.json()
mt.addException(str(results['error']))
if request.status_code == 429:
results = request.json()
mt.addException(str(results['error']))
if request.status_code == 404:
mt.addException("No info found")
if request.status_code == 500:
mt.addException("There has been a server error!!!")
else:
mt.addUIMessage("No IP addresses found with this ssl cert")
mt.returnOutput()
else:
if request.status_code == 400:
results = request.json()
mt.addException(str(results['error']))
if request.status_code == 429:
results = request.json()
mt.addException(str(results['error']))
if request.status_code == 404:
mt.addException("No info found")
if request.status_code == 500:
mt.addException("There has been a server error!!!")
mt.throwExceptions()
except requests.exceptions.RequestException as e:
mt.addException(str(e))
mt.throwExceptions()
if ssid is None:
ssid = m.AdditionalFields.get('ssid')
if domain is None:
domain = m.AdditionalFields.get('fqdn')
if observation is None:
observation = m.AdditionalFields.get('observation')
#If no start and end times specified fetch all.
#It might make more sense to just remove the time filter.
if start_time is None:
start_time = "2000-01-01 00:00:00.0"
if end_time is None:
end_time = "2037-01-01 00:00:00.0"
if not shadowKey or shadowKey == ' ':
TRX.addException("Bad shadow key entered! Please obtain it via your www.ShadowLightly.com account.")
TRX.throwExceptions()
exit(0)
ss = select([mtk.c.mtkey]).where(mtk.c.mtkey == shadowKey)
r = db.execute(ss).fetchall()
logging.debug("Key is %s" %shadowKey)
logging.debug("Query is %s" %str(ss))
logging.debug("Results of R: %s" %str(r))
logging.debug( "Length of R: %d" %len(r))
if len(r) < 1:
TRX.addException("Bad shadow key entered! Please obtain it via your www.ShadowLightly.com account.")
TRX.throwExceptions()
exit(0)
#loging.error(len(r))
# The dirtiest hack of dirty hacks.
ssid = m.AdditionalFields.get('ssid')
if domain is None:
domain = m.AdditionalFields.get('fqdn')
if observation is None:
observation = m.AdditionalFields.get('observation')
#If no start and end times specified fetch all.
#It might make more sense to just remove the time filter.
if start_time is None:
start_time = "2000-01-01 00:00:00.0"
if end_time is None:
end_time = "2037-01-01 00:00:00.0"
if not shadowKey or shadowKey == ' ':
TRX.addException(
"Bad shadow key entered! Please obtain it via your www.ShadowLightly.com account."
)
TRX.throwExceptions()
exit(0)
ss = select([mtk.c.mtkey]).where(mtk.c.mtkey == shadowKey)
r = db.execute(ss).fetchall()
logging.debug("Key is %s" % shadowKey)
logging.debug("Query is %s" % str(ss))
logging.debug("Results of R: %s" % str(r))
logging.debug("Length of R: %d" % len(r))
if len(r) < 1:
TRX.addException(
"Bad shadow key entered! Please obtain it via your www.ShadowLightly.com account."
)
TRX.throwExceptions()
exit(0)
def dataError(request):
mt = MaltegoTransform()
mt.addException("[Error] Failure to load function with name %s" % request)
mt.throwExceptions()
def returnFailure(etype, value, reason):
mt = MaltegoTransform()
mt.addException("[Error] Failed to add %s with value %s due to %s" % (etype, value, reason));
mt.throwExceptions()
# MISP_Maltego)
# Date: 09/03/2016
######################################################
from pymisp import PyMISP
from MaltegoTransform import *
from mispego_util import *
from datetime import datetime, timedelta
import shelve
import re
try:
misp = PyMISP(BASE_URL, API_KEY, MISP_VERIFYCERT, 'json', MISP_DEBUG)
except Exception as e:
mt = MaltegoTransform()
mt.addException("[Error] Cannot connect to MISP instance using %s with API key %s. Please check and try again" % (BASE_URL, API_KEY))
mt.addException("[Error] %s" % e)
mt.throwExceptions()
eventDB = "event.db"
def addDomain(domainValue):
eid = checkAge()
event = misp.get(eid)
misp.add_domain(event, domainValue, to_ids=MISP_TO_IDS)
returnSuccess("domain",domainValue,eid)
def addIP(ipValue):
eid = checkAge()
event = misp.get(eid)
misp.add_ipdst(event, ipValue, to_ids=MISP_TO_IDS)
