コード例 #1
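def get_pt_domains_single_ip(ip):
    """Return the ``resolve`` value of every passive DNS record for ``ip``.

    The lookup is retried until it succeeds. Retries back off exponentially
    (1s, 2s, 4s ... capped at 60s) so that a persistent network failure does
    not turn into a tight loop hammering the API.

    Args:
        ip: Value passed as ``query`` to the passive DNS client.

    Returns:
        The list produced by applying ``.[].resolve`` to the ``results``
        entry of the response.

    Raises:
        KeyError: If the response has no ``results`` entry.
    """
    import time

    client = DnsRequest.from_config()
    delay = 1.0
    while True:
        try:
            raw_results = client.get_passive_dns(query=ip)
        except requests.exceptions.RequestException:
            # Any requests-level failure lands here, not only timeouts.
            eprint('Request timeout, retrying')
            time.sleep(delay)
            delay = min(delay * 2, 60.0)
            continue
        break
    return pyjq.all('.[].resolve', raw_results['results'])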
コード例 #2
 def __init__(self):
     """Build one API client per service, keyed by a short service name.

     If creating any client raises, ``self.clients`` is set to ``None``
     rather than a partial mapping. The error itself is not recorded, so
     callers must check for ``None`` before using the clients.
     """
     try:
         built = {}
         built['ssl'] = SslRequest.from_config()
         built['dns'] = DnsRequest.from_config()
         built['enrichment'] = EnrichmentRequest.from_config()
         built['whois'] = WhoisRequest.from_config()
         built['attribute'] = AttributeRequest.from_config()
         self.clients = built
     except Exception:
         # Deliberately broad: any failure disables all clients at once.
         self.clients = None
コード例 #3
def call_dns(args):
    """Run a DNS-based query described by parsed command-line arguments.

    ``args`` must expose ``query``, ``end``, ``start``, ``timeout``,
    ``sources`` and ``unique``. The first five are passed through
    ``prune_args`` (presumably dropping unset values; confirm against its
    definition) and forwarded as keyword arguments.

    Returns:
        The client response: unique resolutions when ``args.unique`` is
        truthy, otherwise the passive DNS records.
    """
    dns_client = DnsRequest.from_config()
    params = prune_args(
        query=args.query,
        end=args.end,
        start=args.start,
        timeout=args.timeout,
        sources=args.sources,
    )

    lookup = (dns_client.get_unique_resolutions if args.unique
              else dns_client.get_passive_dns)
    return lookup(**params)
コード例 #4
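def main():
    """Perform a passive DNS lookup and save the output.

    Reads the query from ``sys.argv[1]``, performs one passive DNS lookup
    and writes the response once per output format to
    ``/tmp/<query>.pdns.<format>``. Exits with status 1 when no query is
    given.
    """
    import os

    if len(sys.argv) <= 1:
        print("Usage: python pdns_multiput <query>")
        sys.exit(1)

    query = sys.argv[1]
    # The query becomes part of a file name. Path separators are replaced so
    # the output cannot be redirected outside /tmp.
    safe_name = query.replace("/", "_").replace("\\", "_")
    output_formats = ['json', 'xml', 'stix', 'csv', 'table']
    client = DnsRequest.from_config()
    raw_results = client.get_passive_dns(query=query)
    pdns_results = DnsResponse(raw_results)

    # /tmp is shared and the file names are predictable: refuse to write
    # through a symlink (where the platform supports O_NOFOLLOW) and create
    # new files readable by the owner only.
    flags = (os.O_WRONLY | os.O_CREAT | os.O_TRUNC
             | getattr(os, "O_NOFOLLOW", 0))
    for format_type in output_formats:
        save_location = "/tmp/%s.pdns.%s" % (safe_name, format_type)
        descriptor = os.open(save_location, flags, 0o600)
        # The context manager closes the file even if the write fails.
        with os.fdopen(descriptor, "w") as handle:
            # Each output format is exposed as an attribute of the response.
            handle.write(getattr(pdns_results, format_type))
    print("Saved results inside of /tmp/%s" % (safe_name))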
コード例 #5
ファイル: pdns_multiput.py プロジェクト: Rafiot/python_api
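def main():
    """Perform a passive DNS lookup and save the output.

    Takes the query from ``sys.argv[1]``, runs a single passive DNS lookup
    and saves the response in every supported format as
    ``/tmp/<query>.pdns.<format>``. Exits with status 1 when the query is
    missing.
    """
    import os

    if len(sys.argv) <= 1:
        print("Usage: python pdns_multiput <query>")
        sys.exit(1)

    query = sys.argv[1]
    # Command-line text ends up in a path: neutralise separators so the
    # files always land directly under /tmp.
    file_stem = query.replace("/", "_").replace("\\", "_")
    output_formats = ['json', 'xml', 'stix', 'csv', 'table']
    client = DnsRequest.from_config()
    raw_results = client.get_passive_dns(query=query)
    pdns_results = DnsResponse(raw_results)

    # Predictable names in a world-writable directory: do not follow a
    # pre-planted symlink (O_NOFOLLOW, where available) and keep newly
    # created files private to the current user.
    open_flags = (os.O_WRONLY | os.O_CREAT | os.O_TRUNC
                  | getattr(os, "O_NOFOLLOW", 0))
    for format_type in output_formats:
        save_location = "/tmp/%s.pdns.%s" % (file_stem, format_type)
        fd = os.open(save_location, open_flags, 0o600)
        # ``with`` guarantees the descriptor is closed on a failed write.
        with os.fdopen(fd, "w") as out:
            # The response object exposes one attribute per output format.
            out.write(getattr(pdns_results, format_type))
    print("Saved results inside of /tmp/%s" % (file_stem))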
コード例 #6
ファイル: client.py プロジェクト: Rafiot/python_api
def call_dns(args):
    """Dispatch a DNS-based query from parsed command-line arguments.

    Reads ``query``, ``end``, ``start``, ``timeout`` and ``sources`` from
    ``args``, passes them through ``prune_args`` (presumably removing unset
    values; confirm against its definition) and sends the result to the
    DNS client.

    Returns:
        The passive DNS response, or the unique-resolutions response when
        ``args.unique`` is truthy.
    """
    api = DnsRequest.from_config()
    filtered = prune_args(
        query=args.query,
        end=args.end,
        start=args.start,
        timeout=args.timeout,
        sources=args.sources,
    )

    if not args.unique:
        return api.get_passive_dns(**filtered)
    return api.get_unique_resolutions(**filtered)
コード例 #7
ファイル: surface_tagged.py プロジェクト: tlansec/python_api
There are times when it's difficult to tell which items have been tagged as
something malicious or suspicious. This script will take an initial starting
point and print out any tagged items along with their tags.
"""
# Module metadata: author, version, one-line description and search keywords.
# NOTE(review): the address in __author__ appears to have been masked by the
# hosting page's e-mail obfuscation; restore it from the upstream file.
__author__ = 'Brandon Dixon ([email protected])'
__version__ = '1.0.0'
__description__ = "Surface tagged items from a passive DNS query"
__keywords__ = ['pdns', 'tags', 'triage', 'analysis']

import sys
from passivetotal.libs.dns import DnsRequest
from passivetotal.libs.enrichment import EnrichmentRequest

# Module-level state shared with main(). This runs at import time, so a
# missing command-line argument raises IndexError before main() is reached.
query = sys.argv[1]
# Both clients are built from configuration
# (presumably locally stored API credentials; confirm against from_config).
client = DnsRequest.from_config()
enricher = EnrichmentRequest.from_config()


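def main():
    """Take an initial seed and identify OSINT tags.

    Fetches the unique resolutions for the module-level ``query``, then asks
    the enrichment client about every resolved item and about the seed
    itself. Each item that carries at least one tag is printed as
    ``<item> - <tag>, <tag>, ...``.
    """
    initial_seed = client.get_unique_resolutions(query=query)
    # Copy the results so the response dict is not mutated, and append the
    # seed as ONE item: ``list += str`` would extend the list with the
    # query's individual characters and trigger one enrichment call each.
    all_records = list(initial_seed.get('results', []))
    all_records.append(query)
    for item in all_records:
        tags = enricher.get_enrichment(query=item).get('tags', [])
        if tags:
            print("%s - %s" % (item, ', '.join(tags)))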

コード例 #8
import sys
from passivetotal.libs.dns import DnsRequest
from passivetotal.libs.dns import DnsUniqueResponse
from passivetotal.libs.whois import WhoisRequest
from passivetotal.libs.whois import WhoisResponse
from passivetotal.common.utilities import is_ip

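# Require exactly the argument the script needs instead of failing with an
# IndexError on a bare invocation.
if len(sys.argv) < 2:
    sys.exit("Usage: %s <ip-address>" % sys.argv[0])

query = sys.argv[1]
# Validate before anything is sent to the API. sys.exit(message) prints the
# message to stderr and exits with status 1.
if not is_ip(query):
    sys.exit("This script only accepts valid IP addresses!")

# Look up the unique resolutions for the IP.
client = DnsRequest.from_config()
raw_results = client.get_unique_resolutions(query=query)
loaded = DnsUniqueResponse(raw_results)

# One WHOIS request is made per record, and only the first three records
# are looked up.
whois_client = WhoisRequest.from_config()
for record in loaded.get_records()[:3]:
    raw_whois = whois_client.get_whois_details(query=record.resolve)
    whois = WhoisResponse(raw_whois)
    print("%s %s" % (record.resolve, whois.contactEmail))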