def do_passive(c):
print "Rescanning f_c2 ..."
c.execute("SELECT * FROM f_c2")
found = c.fetchall()
for i in range(0, len(found)):
sid = found[i][0]
scan_date = found[i][3]
ip_addr = found[i][4]
t = 'f_c2'
# updating ip table from ip_addr in f_c2
# checking ... if same ip_addr found
c.execute("SELECT * FROM ip where ip_addr=?", ((ip_addr),))
found2 = c.fetchone()
if found2 is None:
# adding ...
list = (sid, t, S_DATE, S_DATE, ip_addr)
c.execute("INSERT INTO ip VALUES (NULL,?,?,?,?,?)", (list))
print "[+] Added record to ip with %s" % ip_addr
print "Rescanning passive_dns ..."
c.execute("SELECT * FROM passive_dns")
found = c.fetchall()
for i in range(0, len(found)):
sid = found[i][0]
scan_date = found[i][3]
resolve_date = found[i][4]
dns = found[i][5]
ip_addr = DNSUtil.retIP(dns)
t = 'passive_dns'
# updating ip table from ip_addr resolved from passive_dns
# checking ... if same ip_addr found
c.execute("SELECT * FROM ip where ip_addr=?", ((ip_addr),))
found2 = c.fetchone()
if found2 is None:
# adding ...
list = (sid, t, scan_date, resolve_date, ip_addr)
c.execute("INSERT INTO ip VALUES (NULL,?,?,?,?,?)", (list))
print "[+] Added record to ip with %s" % ip_addr
print "Rescanning passive_ip ..."
c.execute("SELECT * FROM passive_ip")
found = c.fetchall()
for i in range(0, len(found)):
sid = found[i][0]
scan_date = found[i][3]
resolve_date = found[i][4]
ip_addr = found[i][5]
t = 'passive_ip'
# updating ip table from ip_addr resolved from passive_dns
# checking ... if same ip_addr found
c.execute("SELECT * FROM ip where ip_addr=?", ((ip_addr),))
found2 = c.fetchone()
if found2 is None:
# adding ...
list = (sid, t, scan_date, resolve_date, ip_addr)
c.execute("INSERT INTO ip VALUES (NULL,?,?,?,?,?)", (list))
print "[+] Added record to ip with %s" % ip_addr
def updateWhois(domain, s, domain_sid, c, t):
# change below line to use other Whois module derived from WhoisBase
w = retWhois(domain)
xwhois = WhoisGenericRegex()
xwhois.query(domain, w)
cname = DNSUtil.retCName(domain)
tel = xwhois.tel
email = xwhois.email
cdate = xwhois.createdate
name = xwhois.registrar
owner = xwhois.registrant
ns = xwhois.ns
# check if the same record (by scan date) is found in whois table
wlist = (domain, email, owner)
if t == 'whois':
c.execute("SELECT * FROM whois WHERE domain=? and email=? and registrant=?", (wlist))
else:
c.execute("SELECT * FROM passive_whois WHERE domain=? and email=? and registrant=?", (wlist))
found = c.fetchone()
if found is None:
# preparing list record ...
list = (domain_sid, s, domain, S_DATE, cdate, name, ns, email, tel, owner)
return list
else:
return ''
def updateDomains(ip_addr, ip_sid, s, c, t):
d = []
d = DNSUtil.retDomain(ip_addr, d)
print "There are: " + str(len(d)) + " domains parking to " + ip_addr
# filter out if ip_addr parked with > 200 domains
if len(d) > 0 and len(d) < 200:
# update domains
for i in range(0, len(d)):
# init variables
domain = d[i]
# get Cname from (d)
name = DNSUtil.retCName(domain)
# check if the same record is found in domains table
c.execute("SELECT * FROM domains WHERE domain=?", ((domain),))
found = c.fetchone()
# add if not found
if found is None:
# adding record ...
list = (ip_sid, s, S_DATE, domain, name)
if t == 'domains':
c.execute("INSERT INTO domains VALUES (NULL,?,?,?,?,?)", list)
print "[+] Adding to domains... " + domain
else:
c.execute("INSERT INTO passive_domains VALUES (NULL,?,?,?,?,?)", list)
print "[+] Adding to passive_domains..." + domain
else:
print "[-] No records updated..."
else:
# domains not updated
print "[-] No or too many domain records updated|to be updated..."
def main():
# parse command line
parser = OptionParser()
parser.add_option("-i", action="store_true",dest="init", default=False, help="initialize c2 database [c2_dev.db]")
parser.add_option("-f", action="store", dest="filename",
type="string", help="Provide a FILENAME of the sample to check")
parser.add_option("--md5", action="store", dest="md5",
type="string", help="Provide a MD5 of the sample to check")
parser.add_option("-d", action="store", dest="dns",
type="string", help="Provide a DNSNAME to check")
parser.add_option("-c", action="store_true",dest="c2", default=False, help="rescanning c2 to update all subsequent tables")
parser.add_option("-o", action="store_true",dest="owner", default=False, help="rescanning owner table to update all subsequent tables")
parser.add_option("-p", action="store_true",dest="passive", default=False, help="rescanning passive tables to update ip table")
parser.add_option("-q", action="store_true",dest="parking", default=False, help="rescanning ip table to update domains & whois tables")
parser.add_option("-r", action="store_true",dest="rescan", default=False, help="rescanning domains table to update passive_ip table")
parser.add_option("-s", action="store_true",dest="passiveDomains", default=False, help="rescanning ip table to update passive_domains & passive_whois tables")
parser.add_option("-t", action="store_true",dest="temp", default=False, help="rescanning and update domains table from malicious hostnames from c2")
parser.add_option("-w", action="store_true",dest="whois", default=False, help="rescanning and update domains table to update whois")
parser.add_option("-x", action="store_true",dest="passive_whois", default=False, help="rescanning and update whois table from passive_whois")
(opts, args) = parser.parse_args()
if opts.init:
DBUtil.init()
sys.exit()
# open database and create a cursor object
if not os.path.isfile(DBNAME):
print "%s does not exist, try initialization first." % DBNAME
sys.exit()
conn = sqlite3.connect(DBNAME)
conn.text_factory = str
c = conn.cursor()
domains = []
# (-t) script to temp updating tables
if opts.temp:
#print "Do nothing ..."
# adding domain part of a malicious dns from c2 to domains table
do_temp(c)
conn.commit()
c.close()
sys.exit()
# (-c) script to rescanning c2 and subsequent tables
if opts.c2:
do_c2(c)
conn.commit()
c.close()
sys.exit()
# (-o) update from owner table to domains (whois), passive_ip and ip tables
if opts.owner:
do_owner(c)
conn.commit()
c.close()
sys.exit()
# (-p) script to rescanning f_c2, passive_dns, passive_ip to ip
if opts.passive:
do_passive(c)
conn.commit()
c.close()
sys.exit()
# (-q) update parked domains and whois from ip table
if opts.parking:
do_parking(c)
conn.commit()
c.close()
sys.exit()
# (-r) script to rescan domains registered by owners to update passive_ip table
if opts.rescan:
do_rescan(c)
conn.commit()
c.close()
sys.exit()
# (-s) script to rescan ip to update passive_domains and passive_whois
if opts.passiveDomains:
do_passiveDomains(c)
conn.commit()
c.close()
sys.exit()
# (-w) script to rescan domains table to update whois
if opts.whois:
do_whois(c)
conn.commit()
c.close()
sys.exit()
# (-x) script to udpate passive_whois from passive_domains table
if opts.passive_whois:
do_passive_whois(c)
conn.commit()
c.close()
sys.exit()
# MAIN script to update samples->detects, samples->c2->Passive_ip->ip,
# samples->c2->Passive_dns->ip,
# samples->c2->ip->domains->whois from filename & hostname provided
if opts.filename == None:
parser.print_help()
parser.error("You must either provide a sample filename!")
elif opts.md5 != None:
if len(opts.md5) != 32:
parser.error(opts.md5 + " doesn't look like a valid MD5 checksum!")
else:
md5sum = opts.md5
name = opts.filename.split('.')[0]
else:
FILE = "./files/" + opts.filename
name = opts.filename.split('.')[0]
if not os.path.isfile(FILE):
parser.error("%s does not exist" % FILE)
else:
md5sum = hashlib.md5(open(FILE, 'rb').read()).hexdigest()
if opts.dns == None:
parser.print_help()
parser.error("You must provide a hostname!")
# updating samples table & check if same record (by md5 hash) is found
c.execute("SELECT id FROM samples WHERE md5=?", ((md5sum),))
found = c.fetchone()
if found is None:
# update samples if not found
list = (md5sum, name, S_DATE)
c.execute("INSERT INTO samples VALUES (NULL,?,?,?)", (list))
sid = c.lastrowid
print "[+] Added record to samples with ID %d" % sid
else:
sid = found[0]
print "[-] %s found ..." % name
# updating detects table
print "[+] Checking with VirusTotal ....." + md5sum
vendor, result = retDetects(md5sum)
for j in range(0,len(vendor)):
list = (sid, vendor[j], result[j])
c.execute("INSERT INTO detects VALUES (NULL,?,?,?)", list)
# updating c2 table, check if dns and ip found in c2
ip_addr = DNSUtil.retIP(opts.dns)
list = (opts.dns, ip_addr)
c.execute("SELECT dns FROM c2 WHERE dns=? and ip_addr=?", (list))
found = c.fetchone()
if found is None:
# updating c2 table
# checking ... if same hostname found
list = (opts.dns, ip_addr)
c.execute("SELECT * FROM c2 where dns=? and ip_addr=?", (list))
found1 = c.fetchone()
if found1 is None:
# adding ...
list = (sid, S_DATE, opts.dns, ip_addr)
c.execute("INSERT INTO c2 VALUES (NULL,?,?,?,?)", (list))
sid = c.lastrowid
print "[+] Added record to c2 with ID %d" % sid
else:
sid = found1[0]
t = 'c2'
# updating passive_ip table from opts.dns in c2
table = []
table.append((opts.dns, sid))
updateVTip(table, t, c)
# updating passive_dns table from ip_addr in c2
table = []
table.append((ip_addr, sid))
updateVTdns(table, t, c)
# updating ip table from ip_addr in c2
# checking ... if same ip_addr found
c.execute("SELECT * FROM ip where ip_addr=?", ((ip_addr),))
found2 = c.fetchone()
if found2 is None:
# adding ...
list = (sid, t, S_DATE, S_DATE, ip_addr)
c.execute("INSERT INTO ip VALUES (NULL,?,?,?,?,?)", (list))
ip_sid = c.lastrowid
print "[+] Added record to ip with %s" % ip_addr
else:
ip_sid = found2[0]
# update domains table from ip_addr in c2
s = 'ip'
t = 'domains'
updateDomains(ip_addr, ip_sid, s, c, t)
# update whois table from newly created parking domains
# checking ...
c.execute("SELECT * FROM domains where sid=? and source='ip'", ((ip_sid),))
domains = c.fetchall()
for i in range (0, len(domains)):
# init variables
domain_sid = domains[i][0]
domain = domains[i][4]
# update Whois records of newly added domains
s = 'domains'
t = 'whois'
list = updateWhois(domain, s, domain_sid, c, t)
if list != '':
c.execute("INSERT INTO whois VALUES (NULL,?,?,?,?,?,?,?,?,?,?)", list)
print "[+] Updating Whois record of ... " + " " + domain
else:
print "[-] No whois records updated ..." + " " + domain
else:
hostname = found[0]
print "[-] hostname:" + hostname + "(" + ip_addr + ")" + " has already added"
conn.commit()
c.close()
