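def geo_query_map(QRY, *, nameservers=None):
    """Geolocate ``QRY`` with the MaxMind GeoLite database and plot it on the map.

    A domain is first resolved to an IPv4 address (the last A record in the
    answer) using the resolvers in ``nameservers``; an IP address (anything the
    ``DOMAIN`` pattern does not match) is handed straight to ``map_maxmind``.

    Args:
        QRY: Domain name or IP address to geolocate.
        nameservers: Optional list of resolver IP addresses to use for the
            domain lookup. Defaults to the public Cloudflare/Google resolvers
            ``['1.1.1.1', '8.8.8.8', '8.8.4.4']``, i.e. the lookup bypasses
            the host's configured DNS.

    Failures are logged rather than raised: lookup errors (NXDOMAIN, no
    answer, no usable nameserver, timeout) at ERROR level, anything else at
    WARNING level. In both cases no map entry is produced.
    """
    # Check that the GeoLite file exists before doing any work.
    geolite_check()

    if nameservers is None:
        nameservers = ['1.1.1.1', '8.8.8.8', '8.8.4.4']

    if not DOMAIN.findall(QRY):
        # Not a domain: assume an IP address and map it directly.
        map_maxmind(QRY)
        return

    # Resolve the domain to an address; the resolver is only built on this
    # path so IP-only runs do not depend on local resolver configuration.
    resolver = dns.resolver.Resolver()
    resolver.nameservers = list(nameservers)
    try:
        # NOTE: Resolver.query() is deprecated in dnspython >= 2.0 in favour
        # of Resolver.resolve(); kept for compatibility with older versions.
        response = resolver.query(QRY, 'A')
        # Use the last A record of the answer, as before.
        map_maxmind(str(response.rrset[-1]))
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer,
            dns.resolver.NoNameservers, dns.resolver.Timeout) as err:
        # Expected lookup failures: report with context and skip the map entry.
        logger.error(f"[error] {err}")
    except Exception as err:
        # Best effort: any other failure is logged and the map entry skipped.
        logger.warning(err)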
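def main():
    """Command-line entry point: parse arguments and run the selected checks.

    Runs, in order: optional file logging (``--log``), geolocation
    (``--fr``/``--mm``), bulk geolocation (``--mx``, which exits afterwards),
    VirusTotal + Team Cymru lookups (``--vt``, which exits afterwards) and
    finally the blacklist/WHOIS checks chosen by the shape of the query
    (domain, IP address or netblock).

    Side effects:
        * ``--log`` creates ``logfile/`` in the current directory and writes
          all logged results there.
        * ``--vt`` without a configured key prompts for one and stores it in
          plaintext in ``settings.yml`` (permissions restricted to the owner
          where the platform supports it).
        * Exit status is 0 when a ``--mx`` map file was produced and 1 when it
          was not; ``--vt`` exits with status 1 (``sys.exit("\\n")``).
    """
    import getpass  # local import: only needed for the VirusTotal key prompt

    banner = r'''
   ________              __      ____
  / ____/ /_  ___  _____/ /__   / __ \___  ____
 / /   / __ \/ _ \/ ___/ //_/  / /_/ / _ \/ __ \
/ /___/ / / /  __/ /__/ ,<    / _, _/  __/ /_/ /
\____/_/ /_/\___/\___/_/|_|   /_/ |_|\___/ .___/
                                        /_/
'''
    print(Fore.CYAN + banner + Style.RESET_ALL)
    print("Check IP and Domain Reputation")

    parser = argparse.ArgumentParser(
        description='Check IP or Domain Reputation',
        formatter_class=argparse.RawTextHelpFormatter,
        epilog='''
Geolocation Options
--------------------
freegeoip [freegeoip.live] - free/opensource geolocation service
maxmind [dev.maxmind.com] - uses a geolite db file for geolocation

* NOTE:
Use of the VirusTotal option requires an API key.
The service is "free" to use, however you must register
for an account to receive an API key.''')
    # Relies on argparse's private _action_groups to list the "required
    # arguments" group before the optional one in --help output.
    optional = parser._action_groups.pop()
    required = parser.add_argument_group('required arguments')
    required.add_argument('-q', metavar='query', help='query ip address or domain')
    optional.add_argument('--log', action='store_true', help='log results to file')
    optional.add_argument('--vt', action='store_true', help='check virustotal')
    group = optional.add_mutually_exclusive_group()
    group.add_argument('--fr', action='store_true', help='use freegeoip for geolocation')
    group.add_argument('--mm', action='store_true', help='use maxmind (geolite) for geolocation')
    group.add_argument('--mx', nargs='+', metavar='FILE',
                       help='geolocate multiple ip addresses or domains')
    parser._action_groups.append(optional)
    args = parser.parse_args()
    qry = args.q

    if len(sys.argv[1:]) == 0:
        parser.print_help()
        parser.exit()
    if qry is None and not args.mx:
        # -q is shown under "required arguments" but argparse does not enforce
        # it; every path except --mx dereferences the query, so fail with a
        # usage error instead of a TypeError inside the regex matchers.
        parser.error("the -q argument is required (unless --mx is used)")

    # Initialize utilities
    workers = Workers(qry)
    print("\n" + Fore.GREEN + "[+] Running checks..." + Style.RESET_ALL)

    if args.log:
        if not os.path.exists('logfile'):
            os.mkdir('logfile')
        dt_stamp = datetime.now().strftime("%Y-%m-%d_%H%M%S")
        file_log = logging.FileHandler(f"logfile/logfile_{dt_stamp}.txt")
        file_log.setFormatter(
            logging.Formatter("[%(asctime)s %(levelname)s] %(message)s",
                              datefmt="%m/%d/%Y %I:%M:%S"))
        logger.addHandler(file_log)

    if args.fr:
        map_free_geo(qry)
    if args.mm:
        geo_query_map(qry)

    if args.mx:
        print(colored.stylize("\n--[ Processing Geolocation Map ]--", colored.attr("bold")))
        # Only the first FILE is processed even though nargs='+' accepts several.
        multi_map(input_file=args.mx[0])
        print(colored.stylize("\n--[ GeoIP Map File ]--", colored.attr("bold")))
        try:
            multi_map_file = Path('multi_map.html').resolve(strict=True)
        except FileNotFoundError:
            logger.info("[-] Geolocation map file was not created or does not exist.")
            sys.exit(1)
        logger.info(f"[>] Geolocation map file saved to: {multi_map_file}")
        # Success: exit 0 (previously exited 1 on both outcomes).
        sys.exit(0)

    if args.vt:
        print(colored.stylize("\n--[ VirusTotal Detections ]--", colored.attr("bold")))
        if not config['VIRUS-TOTAL']['api_key']:
            logger.warning(
                "Please add VirusTotal API key to the 'settings.yml' file, or add it below"
            )
            # getpass keeps the key off the terminal (and out of any log capture).
            user_vt_key = getpass.getpass("Enter key: ").strip()
            config['VIRUS-TOTAL']['api_key'] = user_vt_key
            with open('settings.yml', 'w') as output:
                yaml.dump(config, output)
            try:
                # The key is stored in plaintext; at least keep it owner-only.
                os.chmod('settings.yml', 0o600)
            except OSError as err:
                logger.warning(f"[!] Could not restrict permissions on settings.yml: {err}")
        api_key = config['VIRUS-TOTAL']['api_key']
        virustotal = VirusTotalChk(api_key)
        # Pick the VirusTotal collection from the shape of the query.
        if DOMAIN.findall(qry):
            virustotal.vt_run('domains', qry)
        elif IP.findall(qry):
            virustotal.vt_run('ip_addresses', qry)
        elif URL.findall(qry):
            virustotal.vt_run('urls', qry)
        else:
            virustotal.vt_run('files', qry)
        print(colored.stylize("\n--[ Team Cymru Detection ]--", colored.attr("bold")))
        workers.tc_query(qry=qry)
        # NOTE: a string argument makes sys.exit print it and return status 1.
        sys.exit("\n")

    if DOMAIN.findall(qry) and not EMAIL.findall(qry):
        print(colored.stylize("\n--[ Querying Domain Blacklists ]--", colored.attr("bold")))
        workers.spamhaus_dbl_worker()
        workers.blacklist_dbl_worker()
        print(colored.stylize(f"\n--[ WHOIS for {qry} ]--", colored.attr("bold")))
        workers.whois_query(qry)
    elif IP.findall(qry):
        # Check if cloudflare ip
        print(colored.stylize("\n--[ Using Cloudflare? ]--", colored.attr("bold")))
        if workers.cflare_results(qry):
            logger.info("Cloudflare IP: Yes")
        else:
            logger.info("Cloudflare IP: No")
        print(colored.stylize("\n--[ Querying DNSBL Lists ]--", colored.attr("bold")))
        workers.dnsbl_mapper()
        workers.spamhaus_ipbl_worker()
        print(colored.stylize("\n--[ Querying IP Blacklists ]--", colored.attr("bold")))
        workers.blacklist_ipbl_worker()
    elif NET.findall(qry):
        print(colored.stylize("\n--[ Querying NetBlock Blacklists ]--", colored.attr("bold")))
        workers.blacklist_netblock_worker()
    else:
        print(Fore.YELLOW + "[!] Please enter a valid query -- Domain or IP address"
              + Style.RESET_ALL)
        print("=" * 60, "\n")
        parser.print_help()
        parser.exit()

    # ---[ Results output ]-------------------------------
    print(colored.stylize("\n--[ Results ]--", colored.attr("bold")))
    totals = workers.DNSBL_MATCHES + workers.BL_MATCHES
    bl_totals = workers.BL_MATCHES
    if totals == 0:
        logger.info(f"[-] {qry} is not listed in any Blacklists")
    else:
        color_qry = Fore.YELLOW + qry + Style.BRIGHT + Style.RESET_ALL
        color_dnsbl_matches = (Fore.WHITE + Back.RED + str(workers.DNSBL_MATCHES)
                               + Style.BRIGHT + Style.RESET_ALL)
        color_bl_totals = (Fore.WHITE + Back.RED + str(bl_totals)
                           + Style.BRIGHT + Style.RESET_ALL)
        print(
            f"[>] {color_qry} is listed in {color_dnsbl_matches} DNSBL lists and {color_bl_totals} Blacklists\n"
        )

    # ---[ Geo Map output ]-------------------------------
    if args.fr or args.mm:
        print(colored.stylize("\n--[ GeoIP Map File ]--", colored.attr("bold")))
        time_format = "%d %B %Y %H:%M:%S"
        try:
            ip_map_file = prog_root.joinpath('geomap/ip_map.html').resolve(strict=True)
        except FileNotFoundError:
            logger.warning("[-] Geolocation map file was not created/does not exist.\n")
        else:
            # getctime is creation time on Windows but last metadata change on POSIX.
            ip_map_timestamp = datetime.fromtimestamp(os.path.getctime(ip_map_file))
            logger.info(
                f"[>] Geolocation map file created: {ip_map_file} [{ip_map_timestamp.strftime(time_format)}]\n"
            )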
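def main():
    """Command-line entry point: parse arguments and run the selected checks.

    Runs, in order: optional file logging (``--log``), freegeoip geolocation
    (``--fg``), bulk geolocation (``--mx``, which exits afterwards),
    VirusTotal + Team Cymru lookups (``--vt``, which exits afterwards) and
    finally the blacklist/WHOIS checks chosen by the shape of the positional
    ``query`` (domain, IP address or netblock).

    Side effects:
        * ``--log`` creates ``logfile/`` in the current directory and writes
          all logged results there.
        * ``--vt`` without a configured key prompts for one and stores it in
          plaintext in ``settings.yml`` (permissions restricted to the owner
          where the platform supports it).
        * Exit status is 0 when a ``--mx`` map file was produced and 1 when it
          was not; ``--vt`` exits with status 1 (``sys.exit("\\n")``).
    """
    import getpass  # local import: only needed for the VirusTotal key prompt

    banner = r"""
   ________              __      ____
  / ____/ /_  ___  _____/ /__   / __ \___  ____
 / /   / __ \/ _ \/ ___/ //_/  / /_/ / _ \/ __ \
/ /___/ / / /  __/ /__/ ,<    / _, _/  __/ /_/ /
\____/_/ /_/\___/\___/_/|_|   /_/ |_|\___/ .___/
                                        /_/
"""
    print(f"{Fore.CYAN}{banner}{Style.RESET_ALL}")
    print("Check IP and Domain Reputation")

    parser = argparse.ArgumentParser(
        description="Check IP or Domain Reputation",
        formatter_class=argparse.RawTextHelpFormatter,
        epilog="""
Options
--------------------
freegeoip [freegeoip.live] - free/opensource geolocation service
virustotal [virustotal.com] - online multi-antivirus scan engine

* NOTE:
Use of the VirusTotal option requires an API key.
The service is "free" to use, however you must register
for an account to receive an API key.""",
    )
    # Relies on argparse's private _action_groups to list the "required
    # arguments" group before the optional one in --help output.
    optional = parser._action_groups.pop()
    required = parser.add_argument_group("required arguments")
    required.add_argument("query", help="query ip address or domain")
    optional.add_argument("--log", action="store_true", help="log results to file")
    optional.add_argument("--vt", action="store_true", help="check virustotal")
    group = optional.add_mutually_exclusive_group()
    group.add_argument("--fg", action="store_true", help="use freegeoip for geolocation")
    group.add_argument("--mx", nargs="+", metavar="FILE",
                       help="geolocate multiple ip addresses or domains")
    parser._action_groups.append(optional)
    # `query` is a required positional, so parse_args() itself exits with a
    # usage error when no arguments are given; no separate argv check needed.
    args = parser.parse_args()
    qry = args.query

    # Initialize utilities
    workers = Workers(qry)
    print(f"\n{Fore.GREEN}[+] Running checks...{Style.RESET_ALL}")

    if args.log:
        if not os.path.exists("logfile"):
            os.mkdir("logfile")
        dt_stamp = datetime.now().strftime("%Y-%m-%d_%H%M%S")
        file_log = logging.FileHandler(f"logfile/logfile_{dt_stamp}.txt")
        file_log.setFormatter(
            logging.Formatter("[%(asctime)s %(levelname)s] %(message)s",
                              datefmt="%m/%d/%Y %I:%M:%S"))
        logger.addHandler(file_log)

    if args.fg:
        map_free_geo(qry)

    if args.mx:
        print(colored.stylize("\n--[ Processing Geolocation Map ]--", colored.attr("bold")))
        # Only the first FILE is processed even though nargs="+" accepts several.
        multi_map(input_file=args.mx[0])
        print(colored.stylize("\n--[ GeoIP Map File ]--", colored.attr("bold")))
        try:
            multi_map_file = Path("multi_map.html").resolve(strict=True)
        except FileNotFoundError:
            logger.info("[-] Geolocation map file was not created or does not exist.")
            sys.exit(1)
        logger.info(f"> Geolocation map file saved to: {multi_map_file}")
        # Success: exit 0 (previously exited 1 on both outcomes).
        sys.exit(0)

    if args.vt:
        print(colored.stylize("\n--[ VirusTotal Detections ]--", colored.attr("bold")))
        if not config["VIRUS-TOTAL"]["api_key"]:
            logger.warning(
                "Please add VirusTotal API key to the 'settings.yml' file, or add it below"
            )
            # getpass keeps the key off the terminal (and out of any log capture).
            user_vt_key = getpass.getpass("Enter key: ").strip()
            config["VIRUS-TOTAL"]["api_key"] = user_vt_key
            with open("settings.yml", "w") as output:
                yaml.dump(config, output)
            try:
                # The key is stored in plaintext; at least keep it owner-only.
                os.chmod("settings.yml", 0o600)
            except OSError as err:
                logger.warning(f"[!] Could not restrict permissions on settings.yml: {err}")
        api_key = config["VIRUS-TOTAL"]["api_key"]
        virustotal = VirusTotalChk(api_key)
        # Pick the VirusTotal collection from the shape of the query.
        if DOMAIN.findall(qry):
            virustotal.vt_run("domains", qry)
        elif IP.findall(qry):
            virustotal.vt_run("ip_addresses", qry)
        elif URL.findall(qry):
            virustotal.vt_run("urls", qry)
        else:
            virustotal.vt_run("files", qry)
        print(colored.stylize("\n--[ Team Cymru Detection ]--", colored.attr("bold")))
        workers.tc_query(qry=qry)
        # NOTE: a string argument makes sys.exit print it and return status 1.
        sys.exit("\n")

    if DOMAIN.findall(qry) and not EMAIL.findall(qry):
        print(colored.stylize("\n--[ Querying Domain Blacklists ]--", colored.attr("bold")))
        workers.spamhaus_dbl_worker()
        workers.blacklist_dbl_worker()
        print(colored.stylize(f"\n--[ WHOIS for {qry} ]--", colored.attr("bold")))
        workers.whois_query(qry)
    elif IP.findall(qry):
        # Check if cloudflare ip
        print(colored.stylize("\n--[ Using Cloudflare? ]--", colored.attr("bold")))
        if workers.cflare_results(qry):
            logger.info("Cloudflare IP: Yes")
        else:
            logger.info("Cloudflare IP: No")
        print(colored.stylize("\n--[ Querying DNSBL Lists ]--", colored.attr("bold")))
        workers.dnsbl_mapper()
        workers.spamhaus_ipbl_worker()
        print(colored.stylize("\n--[ Querying IP Blacklists ]--", colored.attr("bold")))
        workers.blacklist_ipbl_worker()
    elif NET.findall(qry):
        print(colored.stylize("\n--[ Querying NetBlock Blacklists ]--", colored.attr("bold")))
        workers.blacklist_netblock_worker()
    else:
        print(
            f"{Fore.YELLOW}[!] Please enter a valid query -- Domain or IP address{Style.RESET_ALL}"
        )
        print("=" * 60, "\n")
        parser.print_help()
        parser.exit()

    # ---[ Results output ]-------------------------------
    print(colored.stylize("\n--[ Results ]--", colored.attr("bold")))
    totals = workers.DNSBL_MATCHES + workers.BL_MATCHES
    bl_totals = workers.BL_MATCHES
    if totals == 0:
        logger.info(f"[-] {qry} is not listed in any Blacklists\n")
    else:
        color_qry = Fore.YELLOW + qry + Style.BRIGHT + Style.RESET_ALL
        color_dnsbl_matches = (
            f"{Fore.WHITE}{Back.RED}{workers.DNSBL_MATCHES}{Style.BRIGHT}{Style.RESET_ALL}"
        )
        color_bl_totals = f"{Fore.WHITE}{Back.RED}{bl_totals}{Style.BRIGHT}{Style.RESET_ALL}"
        logger.info(
            f"> {color_qry} is listed in {color_dnsbl_matches} DNSBL lists and {color_bl_totals} Blacklists\n"
        )

    # ---[ Geo Map output ]-------------------------------
    # Only --fg reaches this point: the --mx branch above always exits.
    if args.fg:
        print(colored.stylize("--[ GeoIP Map File ]--", colored.attr("bold")))
        time_format = "%d %B %Y %H:%M:%S"
        try:
            ip_map_file = prog_root.joinpath("geomap/ip_map.html").resolve(strict=True)
        except FileNotFoundError:
            logger.warning("[-] Geolocation map file was not created/does not exist.\n")
        else:
            # getctime is creation time on Windows but last metadata change on POSIX.
            ip_map_timestamp = datetime.fromtimestamp(os.path.getctime(ip_map_file))
            logger.info(
                f"> Geolocation map file created: {ip_map_file} [{ip_map_timestamp.strftime(time_format)}]\n"
            )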