Exemplo n.º 1
0
def do_passive(c):
    print "Rescanning f_c2 ..."
    c.execute("SELECT * FROM f_c2")
    found = c.fetchall()
    for i in range(0, len(found)):
        sid = found[i][0]
        scan_date = found[i][3]
        ip_addr = found[i][4]
        t = 'f_c2'
        
        #   updating ip table from ip_addr in f_c2
        #   checking ... if same ip_addr found
        c.execute("SELECT * FROM ip where ip_addr=?", ((ip_addr),))
        found2 = c.fetchone()
        if found2 is None:
            #   adding ...
            list = (sid, t, S_DATE, S_DATE, ip_addr)
            c.execute("INSERT INTO ip VALUES (NULL,?,?,?,?,?)", (list))
            print "[+] Added record to ip with %s" % ip_addr

    print "Rescanning passive_dns ..."
    c.execute("SELECT * FROM passive_dns")
    found = c.fetchall()
    for i in range(0, len(found)):
        sid = found[i][0]
        scan_date = found[i][3]
        resolve_date = found[i][4]
        dns = found[i][5]
        ip_addr = DNSUtil.retIP(dns)
        t = 'passive_dns'

        #   updating ip table from ip_addr resolved from passive_dns
        #   checking ... if same ip_addr found
        c.execute("SELECT * FROM ip where ip_addr=?", ((ip_addr),))
        found2 = c.fetchone()
        if found2 is None:
            #   adding ...
            list = (sid, t, scan_date, resolve_date, ip_addr)
            c.execute("INSERT INTO ip VALUES (NULL,?,?,?,?,?)", (list))
            print "[+] Added record to ip with %s" % ip_addr

    print "Rescanning passive_ip ..."
    c.execute("SELECT * FROM passive_ip")
    found = c.fetchall()
    for i in range(0, len(found)):
        sid = found[i][0]
        scan_date = found[i][3]
        resolve_date = found[i][4]
        ip_addr = found[i][5]
        t = 'passive_ip'

        #   updating ip table from ip_addr resolved from passive_dns
        #   checking ... if same ip_addr found
        c.execute("SELECT * FROM ip where ip_addr=?", ((ip_addr),))
        found2 = c.fetchone()
        if found2 is None:
            #   adding ...
            list = (sid, t, scan_date, resolve_date, ip_addr)
            c.execute("INSERT INTO ip VALUES (NULL,?,?,?,?,?)", (list))
            print "[+] Added record to ip with %s" % ip_addr
Exemplo n.º 2
0
def main():

    #   parse command line
    parser = OptionParser()
    parser.add_option("-i", action="store_true",dest="init", default=False, help="initialize c2 database [c2_dev.db]")
    parser.add_option("-f", action="store", dest="filename",
        type="string", help="Provide a FILENAME of the sample to check")
    parser.add_option("--md5", action="store", dest="md5",
        type="string", help="Provide a MD5 of the sample to check")
    parser.add_option("-d", action="store", dest="dns",
        type="string", help="Provide a DNSNAME to check")
    parser.add_option("-c", action="store_true",dest="c2", default=False, help="rescanning c2 to update all subsequent tables")
    parser.add_option("-o", action="store_true",dest="owner", default=False, help="rescanning owner table to update all subsequent tables")
    parser.add_option("-p", action="store_true",dest="passive", default=False, help="rescanning passive tables to update ip table")
    parser.add_option("-q", action="store_true",dest="parking", default=False, help="rescanning ip table to update domains & whois tables")
    parser.add_option("-r", action="store_true",dest="rescan", default=False, help="rescanning domains table to update passive_ip table")
    parser.add_option("-s", action="store_true",dest="passiveDomains", default=False, help="rescanning ip table to update passive_domains & passive_whois tables")
    parser.add_option("-t", action="store_true",dest="temp", default=False, help="rescanning and update domains table from malicious hostnames from c2")
    parser.add_option("-w", action="store_true",dest="whois", default=False, help="rescanning and update domains table to update whois")
    parser.add_option("-x", action="store_true",dest="passive_whois", default=False, help="rescanning and update whois table from passive_whois")
        
    (opts, args) = parser.parse_args()

    if opts.init:
        DBUtil.init()
        sys.exit()

    #  open database and create a cursor object
    if not os.path.isfile(DBNAME):
        print "%s does not exist, try initialization first." % DBNAME
        sys.exit()
    conn = sqlite3.connect(DBNAME)
    conn.text_factory = str
    c = conn.cursor()
    domains = []


    #   (-t) script to temp updating tables
    if opts.temp:
        #print "Do nothing ..."
        #   adding domain part of a malicious dns from c2 to domains table
        do_temp(c)
        conn.commit()
        c.close()
        sys.exit()


    #   (-c) script to rescanning c2 and subsequent tables
    if opts.c2:
        do_c2(c)
        conn.commit()
        c.close()
        sys.exit()


    #   (-o) update from owner table to domains (whois), passive_ip and ip tables
    if opts.owner:
        do_owner(c)
        conn.commit()
        c.close()
        sys.exit()


    #   (-p) script to rescanning f_c2, passive_dns, passive_ip to ip
    if opts.passive:
        do_passive(c)
        conn.commit()
        c.close()
        sys.exit()


    #   (-q) update parked domains and whois from ip table
    if opts.parking:
        do_parking(c)
        conn.commit()
        c.close()
        sys.exit()


    #   (-r) script to rescan domains registered by owners to update passive_ip table
    if opts.rescan:
        do_rescan(c)
        conn.commit()
        c.close()
        sys.exit()


    #   (-s) script to rescan ip to update passive_domains and passive_whois
    if opts.passiveDomains:
        do_passiveDomains(c)
        conn.commit()
        c.close()
        sys.exit()


    #   (-w) script to rescan domains table to update whois
    if opts.whois:
        do_whois(c)
        conn.commit()
        c.close()
        sys.exit()


    #   (-x) script to udpate passive_whois from passive_domains table
    if opts.passive_whois:
        do_passive_whois(c)
        conn.commit()
        c.close()
        sys.exit()


    #   MAIN script to update samples->detects, samples->c2->Passive_ip->ip,
    #   samples->c2->Passive_dns->ip,
    #   samples->c2->ip->domains->whois from filename & hostname provided

    if opts.filename == None:
        parser.print_help()
        parser.error("You must either provide a sample filename!")
    elif opts.md5 != None:
        if len(opts.md5) != 32:
            parser.error(opts.md5 + " doesn't look like a valid MD5 checksum!")
        else:
            md5sum = opts.md5
        name = opts.filename.split('.')[0]
    else:
        FILE = "./files/" + opts.filename
        name = opts.filename.split('.')[0]
        if not os.path.isfile(FILE):
            parser.error("%s does not exist" % FILE)
        else:
            md5sum = hashlib.md5(open(FILE, 'rb').read()).hexdigest()

    if opts.dns == None:
        parser.print_help()
        parser.error("You must provide a hostname!")

    #   updating samples table & check if same record (by md5 hash) is found
    c.execute("SELECT id FROM samples WHERE md5=?", ((md5sum),))
    found = c.fetchone()
    if found is None:
        #   update samples if not found
        list = (md5sum, name, S_DATE)
        c.execute("INSERT INTO samples VALUES (NULL,?,?,?)", (list))
        sid = c.lastrowid
        print "[+] Added record to samples with ID %d" % sid
    else:
        sid = found[0]
        print "[-] %s found ..." % name

    #   updating detects table
    print "[+] Checking with VirusTotal ....." + md5sum
    vendor, result = retDetects(md5sum)
    for j in range(0,len(vendor)):
        list = (sid, vendor[j], result[j])
        c.execute("INSERT INTO detects VALUES (NULL,?,?,?)", list)

    #   updating c2 table, check if dns and ip found in c2
    ip_addr = DNSUtil.retIP(opts.dns)
    list = (opts.dns, ip_addr)
    c.execute("SELECT dns FROM c2 WHERE dns=? and ip_addr=?", (list))
    found = c.fetchone()

    if found is None:
        
        #   updating c2 table
        #   checking ... if same hostname found
        list = (opts.dns, ip_addr)
        c.execute("SELECT * FROM c2 where dns=? and ip_addr=?", (list))
        found1 = c.fetchone()
        if found1 is None:
            #   adding ...
            list = (sid, S_DATE, opts.dns, ip_addr)
            c.execute("INSERT INTO c2 VALUES (NULL,?,?,?,?)", (list))
            sid = c.lastrowid
            print "[+] Added record to c2 with ID %d" % sid
        else:
            sid = found1[0]

        t = 'c2'

        #   updating passive_ip table from opts.dns in c2
        table = []
        table.append((opts.dns, sid))
        updateVTip(table, t, c)
        
        #   updating passive_dns table from ip_addr in c2
        table = []
        table.append((ip_addr, sid))
        updateVTdns(table, t, c)

        #   updating ip table from ip_addr in c2
        #   checking ... if same ip_addr found
        c.execute("SELECT * FROM ip where ip_addr=?", ((ip_addr),))
        found2 = c.fetchone()
        if found2 is None:
            #   adding ...
            list = (sid, t, S_DATE, S_DATE, ip_addr)
            c.execute("INSERT INTO ip VALUES (NULL,?,?,?,?,?)", (list))
            ip_sid = c.lastrowid
            print "[+] Added record to ip with %s" % ip_addr
        else:
            ip_sid = found2[0]

        #   update domains table from ip_addr in c2
        s = 'ip'
        t = 'domains'
        updateDomains(ip_addr, ip_sid, s, c, t)
        
        #   update whois table from newly created parking domains
        #   checking ...
        c.execute("SELECT * FROM domains where sid=? and source='ip'", ((ip_sid),))
        domains = c.fetchall()

        for i in range (0, len(domains)):

            #   init variables
            domain_sid = domains[i][0]
            domain = domains[i][4]

            #   update Whois records of newly added domains
            s = 'domains'
            t = 'whois'
            list = updateWhois(domain, s, domain_sid, c, t)
            if list != '':
                c.execute("INSERT INTO whois VALUES (NULL,?,?,?,?,?,?,?,?,?,?)", list)
                print "[+] Updating Whois record of ... " + " " + domain
            else:
                print "[-] No whois records updated ..." + " " + domain

    else:
        hostname = found[0]
        print "[-] hostname:" + hostname + "(" + ip_addr + ")" + " has already added"

    conn.commit()
    c.close()