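def hybridAnalysisIP(ipaddr, apikey):
    """Query Hybrid Analysis (Falcon Sandbox) for samples that contacted *ipaddr*.

    Every returned job whose threat score is above 10 is printed once,
    lowest score first, together with the SHA256 of that same sample.

    Args:
        ipaddr: IP address to search for; sent as the ``host`` search term.
        apikey: Hybrid Analysis API key, sent in the ``api-key`` header.

    Returns:
        None. Results and errors are written to stdout via ``text``/``print``.
    """
    text.printGreen("HYBRID ANALYSIS: https://www.hybrid-analysis.com/")
    text.printGreen("  * Utilizes the CrowdStrike Falcon Sandbox.")
    url = "https://www.hybrid-analysis.com/api/v2/search/terms"
    # Let requests form-encode the body instead of interpolating the raw
    # value into 'host=%s'; requests also sets the matching Content-Type.
    payload = {'host': ipaddr}
    headers = {
        'api-key': apikey,
        'User-Agent': 'CrowdStrike Falcon',
    }

    # A timeout keeps an unresponsive API from hanging the whole run.
    response = requests.post(url, headers=headers, data=payload, timeout=30)
    if response.status_code != 200:
        # The original fell through silently on any non-200 answer.
        text.printRed("  * Hybrid-Analysis returned HTTP " + str(response.status_code) + ".")
        return
    returned = response.json()
    if returned.get('count', 0) == 0:
        text.printRed(
            "  * No results for that IP address on Hybrid-Analysis.")
        return

    text.printGreen("Showing results whose threat score is above 10.")
    # Collect first, then sort and print once. The original sorted and
    # re-printed the whole table on every loop iteration, and paired each
    # job with the SHA256 of whichever result was current, not its own.
    scored = {}
    for eachresult in returned.get('result', []):
        threatScore = eachresult.get('threat_score')
        # threat_score may be absent/null for unscored samples; skip those
        # rather than raise on the comparison.
        if threatScore is not None and threatScore > 10:
            scored[eachresult['job_id']] = (threatScore, eachresult.get('sha256'))
    for jobID, (threatScore, sha256) in sorted(scored.items(),
                                               key=lambda item: item[1][0]):
        print("Job ID: " + str(jobID) +
              " with threat score of " + str(threatScore) +
              " and SHA256 hash of " + str(sha256))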
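def proxyCheck(ipaddr, db_path="IP2PROXY-LITE-PX8.BIN"):
    """Look *ipaddr* up in a local IP2Proxy .BIN database and print the record.

    Args:
        ipaddr: IP address to check.
        db_path: Path of the IP2Proxy database file. Defaults to the PX8
            LITE file name the tool has always expected in the working
            directory, so existing callers are unaffected.

    Returns:
        None. Output goes to stdout; failures are reported, not raised.
    """
    text.printGreen("IP2Proxy: https://github.com/ip2location/ip2proxy-python")
    # (label, record key) pairs printed for a proxy hit, in display order.
    fields = (
        ('Proxy Type', 'proxy_type'),
        ('Country Code', 'country_short'),
        ('Country Name', 'country_long'),
        ('Region Name', 'region'),
        ('City Name', 'city'),
        ('ISP', 'isp'),
        ('Domain', 'domain'),
        ('Usage Type', 'usage_type'),
        ('ASN', 'asn'),
        ('AS Name', 'as_name'),
        ('Last Seen', 'last_seen'),
    )
    try:
        db = IP2Proxy.IP2Proxy()
        db.open(db_path)
        try:
            record = db.get_all(ipaddr)
        finally:
            # Release the database file handle even when the lookup fails.
            db.close()
        is_proxy = str(record['is_proxy'])
        if is_proxy == "1":
            print(
                "  * Determined this is a proxy based on the IP2Proxy database."
            )
            for label, key in fields:
                print(label + ': ' + str(record[key]))
        elif is_proxy == "-1":
            # IP2Proxy signals a lookup error with -1. The original tested
            # `!= "1"` here, which made the error branch below unreachable.
            text.printRed(
                "  * Encountered an error while checking if the IP was a proxy."
            )
        else:
            text.printRed(
                "  * Determined this is not a proxy based on the reputation .BIN file referenced."
            )
    except Exception as e:
        # Best effort: a missing database file or an unparsable address must
        # not abort the rest of the run, but the cause should be visible.
        text.printRed("  * IP2Proxy check failed: " + str(e))
        return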
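def shodanIP(ipaddr, apikey):
    """Print Shodan's host record for *ipaddr*.

    Args:
        ipaddr: IP address to look up.
        apikey: Shodan API key.

    Returns:
        None. The raw ``api.host`` result is printed on success; on failure
        a red message including the library's error text is printed.
    """
    api = shodan.Shodan(apikey)
    text.printGreen("SHODAN: https://www.shodan.io/")
    text.printGreen("  * Maximum associated IPs returned is 100.")
    try:
        print(api.host(ipaddr))
    except Exception as exc:
        # A bare `except:` also swallowed KeyboardInterrupt and hid whether
        # the cause was an unknown host, a bad key or a network error.
        text.printRed("No information is available for the IP address. (" + str(exc) + ")")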
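def checkPrivate(ipaddr):
    """Abort on private addresses and warn on multicast ones before any lookups.

    Args:
        ipaddr: IP address string (IPv4 or IPv6).

    Returns:
        None when the address is acceptable for external lookups.

    Raises:
        SystemExit: exit code 1 when *ipaddr* is not a valid IP address or
            is a private address (as classified by ``ipaddress.is_private``).
    """
    try:
        addr = ipaddress.ip_address(ipaddr)
    except ValueError:
        # ip_address() raises on anything that is not an IP literal; the
        # original let the traceback escape to the user.
        text.printRed(
            "The value specified is not a valid IP address: " + str(ipaddr) + " \n"
            "  * Stopping execution with exit code 1.")
        raise SystemExit(1)
    if addr.is_private:
        text.printRed(
            "The IP address specified is a private address, defined in RFC1918. \n"
            +
            "Your results would be invalid, as each private network is different and threat intelligence cannot inspect each. \n"
            "  * Stopping execution with exit code 1.")
        # SystemExit rather than the site-provided exit() builtin, which is
        # not guaranteed to exist when Python runs without the site module.
        raise SystemExit(1)
    if addr.is_multicast:
        text.printRed(
            "The address specified is a multicast address. We'll continue, but be aware that errors may occur."
        )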
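def threatMinerDomain(domain):
    """Print ThreatMiner passive DNS, related samples, subdomains and APTNotes for *domain*.

    Args:
        domain: Domain name to query.

    Returns:
        None. Each request type is fetched independently, so a failed or
        empty answer for one does not skip the later ones.
    """
    text.printGreen("THREATMINER: https://www.threatminer.org/")
    # API Documentation: https://www.threatminer.org/api.php
    # Request types ("RT") are different between domains, IPs, and hashes!
    # RT 2: Passive DNS
    # RT 4: Related Samples (Hash Only)
    # RT 5: Subdomains
    # RT 6: APTNotes
    url = "https://api.threatminer.org/v2/domain.php"

    def query(rt):
        """Return the API 'results' for request type *rt*, or None on any failure."""
        # A timeout keeps an unresponsive API from hanging the whole run.
        response = requests.get(url=url, params={'q': domain, 'rt': rt}, timeout=30)
        if response.status_code != 200:
            text.printRed("  * ThreatMiner returned HTTP " + str(response.status_code) + ".")
            return None
        returned = response.json()
        # The API-level status_code is compared as text: this file checks it
        # against both "200" and 200, so the wire type is not certain.
        if str(returned.get('status_code')) != "200":
            return None
        return returned.get('results')

    # Get Passive DNS.
    results = query('2')
    if results:
        for totalAssocIP, value in enumerate(results, start=1):
            print("Associated IP #" + str(totalAssocIP) + ": " + str(value['ip']))
    else:
        text.printRed("  * No passive DNS records found.")

    # Get associated hash values.
    results = query('4')
    if results:
        for totalAssocHash, value in enumerate(results, start=1):
            print("Associated Hash #" + str(totalAssocHash) + ": " + str(value))
    else:
        text.printRed("  * No associated hash values found.")

    # Get associated subdomains.
    results = query('5')
    if results:
        for totalAssocSubdomains, value in enumerate(results, start=1):
            print("Associated subdomain #" + str(totalAssocSubdomains) + ": " + str(value))
    else:
        text.printRed("  * No associated subdomains found.")

    # Get associated APTNotes. This block now sits at function level: the
    # original indented it inside the subdomain request's success branch, so
    # APTNotes were silently skipped whenever that earlier call failed.
    results = query('6')
    if results:
        text.printGreen("  * We found some APTNotes, a collection of public reports on APTs! ThreatMiner provides this through an API.")
        text.printGreen("  * APTNotes is available on GitHub: https://github.com/aptnotes - Full credit to the original authors.")
        for totalAssocReports, value in enumerate(results, start=1):
            print("Associated APTNote #" + str(totalAssocReports) + ": " +
                  str(value['filename']) + " was published in " + str(value['year']))
            print("[PDF WARNING] Download available at: " + str(value['URL']))
    else:
        text.printRed("  * No associated APTNotes found.")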
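def readAPIKeys(config_path="apiconfig.yaml"):
    """Open the API key configuration file and return its contents as a dict.

    Does not attempt to check key formatting or key validity.

    Args:
        config_path: Path of the YAML file to read. Defaults to
            ``apiconfig.yaml`` in the working directory, as before.

    Returns:
        provider_dict [Dictionary] -- A simple dictionary containing the API keys.

    Raises:
        SystemExit: exit code 1 when the file cannot be opened, cannot be
            parsed as YAML, or does not hold a mapping.
    """
    try:
        with open(config_path, encoding="utf-8") as apifile:
            # safe_load only builds plain Python types; FullLoader can
            # construct richer objects and is not needed for a key file.
            provider_dict = yaml.safe_load(apifile)
    except OSError:
        # Narrow catches: the original bare `except:` also hid
        # KeyboardInterrupt and reported parse errors as "unable to open".
        text.printRed(
            "Unable to open " + config_path + ". Have you created the file? Copy api_config_example.yaml if you need help."
        )
        raise SystemExit(1)
    except yaml.YAMLError as exc:
        text.printRed("Unable to parse " + config_path + " as YAML: " + str(exc))
        raise SystemExit(1)
    if not isinstance(provider_dict, dict):
        # An empty file parses to None; say so here instead of letting every
        # caller fail on a subscript.
        text.printRed("  * " + config_path + " does not contain a mapping of provider names to API keys.")
        raise SystemExit(1)
    return provider_dict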
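def urlhausIP(ipaddr):
    """Report whether *ipaddr* appears in the URLhaus plain-text URL dump.

    Args:
        ipaddr: IP address to look for.

    Returns:
        None. Only presence and the character offset of the first hit are
        reported; no per-URL detail is fetched.
    """
    import re  # local import: the file-level import block is outside this function

    text.printGreen(
        "URLHAUS: https://urlhaus.abuse.ch/ \n" +
        "  * Getting the URLHAUS list. This is large and can take a moment to download based on your connection."
    )
    # The dump is large; allow a generous but finite time for it.
    response = requests.get("https://urlhaus.abuse.ch/downloads/text/", timeout=120)
    if response.status_code != 200:
        # The original fell through silently on any non-200 answer.
        text.printRed("  * URLHaus returned HTTP " + str(response.status_code) + ".")
        return
    returned = response.text
    # A plain substring search reports 1.2.3.4 inside 11.2.3.45 or 1.2.3.45.
    # Require that the hit is not flanked by further address characters
    # (digits or dots) so only the whole address counts. A following ':' or
    # '/' is still accepted, so host:port URLs match. The boundary is tuned
    # for IPv4; an IPv6 literal would still match but less strictly.
    pattern = r'(?<![\d.])' + re.escape(ipaddr) + r'(?![\d.])'
    match = re.search(pattern, returned)
    if match is None:
        text.printRed("Did not find any results in URLHaus.")
    else:
        text.printGreen(
            "Found the IP beginning at character #" + str(match.start()) +
            ". Search the full site for the IP here: https://urlhaus.abuse.ch/browse/ \n"
            +
            "No further searching against URLHaus is done to respect the team's wishes."
        )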
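def threatMinerHash(filehash):
    """Print ThreatMiner metadata, HTTP traffic and contacted hosts for *filehash*.

    Args:
        filehash: Sample hash to query.

    Returns:
        None. Each request type is fetched independently, so a failed or
        empty answer for one does not skip the later ones.
    """
    text.printGreen("THREATMINER: https://www.threatminer.org/")
    # API Documentation: https://www.threatminer.org/api.php
    # Request types ("RT") are different between domains, IPs, and hashes!
    # RT 1: Metadata
    # RT 2: HTTP Traffic
    # RT 3: Hosts (domains and IPs)
    # RT 5: Registry Keys
    # RT 6: AV Detections
    # RT 7: Report Tagging
    url = "https://api.threatminer.org/v2/sample.php"

    def query(rt):
        """Return the API 'results' for request type *rt*, or None on any failure."""
        # A timeout keeps an unresponsive API from hanging the whole run.
        response = requests.get(url=url, params={'q': filehash, 'rt': rt}, timeout=30)
        if response.status_code != 200:
            text.printRed("  * ThreatMiner returned HTTP " + str(response.status_code) + ".")
            return None
        returned = response.json()
        # The API-level status_code is compared as text: this file checks it
        # against both "200" and 200, so the wire type is not certain.
        if str(returned.get('status_code')) != "200":
            return None
        return returned.get('results')

    # Get metadata.
    results = query('1')
    if results:
        for value in results:
            print("File Type: " + str(value['file_type']))
            print("File Name: " + str(value['file_name']))
            print("Last Analyzed: " + str(value['date_analyzed']))
    else:
        text.printRed("  * No metadata was found.")

    # Get HTTP Traffic. For RT 2 and RT 3 'results' is a mapping keyed as the
    # lookups below show, not a list.
    results = query('2')
    if results:
        for contactedDomainCount, value in enumerate(results.get('http_traffic', []), start=1):
            print("Contacted Domain #" + str(contactedDomainCount) + ": " +
                  str(value['domain']))
    else:
        text.printRed("  * No HTTP traffic records were found.")

    # Get Associated Hosts
    results = query('3')
    if results:
        for contactedDomainCount, value in enumerate(results.get('domains', []), start=1):
            # The original output ran the domain and "at IP" together; the
            # separating space was missing.
            print("Contacted Domain #" + str(contactedDomainCount) + ": " +
                  str(value['domain']) + " at IP " + str(value['ip']))
        # enumerate() supplies the counter the original never incremented.
        for contactedIPsCount, value in enumerate(results.get('hosts', []), start=1):
            print("Contacted IP #" + str(contactedIPsCount) + ": " + str(value))
    else:
        text.printRed("  * No Associated Domains or IPs Found.")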
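def threatMinerIP(ipaddr):
    """Print ThreatMiner WHOIS, passive DNS and related samples for *ipaddr*.

    Args:
        ipaddr: IP address to query.

    Returns:
        None. Each request type is fetched independently, so a failed or
        empty answer for one does not skip the later ones.
    """
    text.printGreen("THREATMINER: https://www.threatminer.org/")
    # API Documentation: https://www.threatminer.org/api.php
    # Request types ("RT") are different between domains, IPs, and hashes!
    # RT 1: WHOIS
    # RT 2: Passive DNS
    # RT 4: Related Samples (Hash Only)
    url = "https://api.threatminer.org/v2/host.php"

    def query(rt):
        """Return the API 'results' for request type *rt*, or None on any failure."""
        # A timeout keeps an unresponsive API from hanging the whole run.
        response = requests.get(url=url, params={'q': ipaddr, 'rt': rt}, timeout=30)
        if response.status_code != 200:
            text.printRed("  * ThreatMiner returned HTTP " + str(response.status_code) + ".")
            return None
        returned = response.json()
        # The API-level status_code is compared as text: this file checks it
        # against both "200" and 200, so the wire type is not certain.
        if str(returned.get('status_code')) != "200":
            return None
        return returned.get('results')

    # Get WHOIS.
    results = query('1')
    if results:
        for value in results:
            print("ORG Name: " + str(value['org_name']))
            print("Registrar: " + str(value['register']))
    else:
        text.printRed("  * No WHOIS information was found.")

    # Get Passive DNS.
    results = query('2')
    if results:
        for totalAssoc, value in enumerate(results, start=1):
            print("Associated Domain #" + str(totalAssoc) + ": " +
                  str(value['domain']))
    else:
        text.printRed("  * No passive DNS records were found.")

    # Get related samples (hash only)
    results = query('4')
    if results:
        for totalAssoc, assocHash in enumerate(results, start=1):
            print("Associated Hash #" + str(totalAssoc) + ": " + str(assocHash))
    else:
        text.printRed("  * No related samples were found.")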