def handler(q=False):
if q is False:
return False
request = json.loads(q)
if request.get('hostname'):
toquery = request['hostname']
elif request.get('domain'):
toquery = request['domain']
elif request.get('ip-src'):
toquery = request['ip-src']
elif request.get('ip-dst'):
toquery = request['ip-dst']
else:
misperrors['error'] = "Unsupported attributes type"
return misperrors
if (request.get('config')):
if (request['config'].get('username') is
None) or (request['config'].get('password') is None):
misperrors['error'] = 'CIRCL Passive DNS authentication is missing'
return misperrors
x = pypdns.PyPDNS(basic_auth=(request['config']['username'],
request['config']['password']))
res = x.query(toquery)
out = ''
for v in res:
out = out + "{} ".format(v['rdata'])
r = {'results': [{'types': mispattributes['output'], 'values': out}]}
return r
def run(self):
# You should save CIRCL credentials with this template: "<user>|<pwd>"
if not self.__credentials:
raise AnalyzerRunException("no credentials retrieved")
split_credentials = self.__credentials.split("|")
if len(split_credentials) != 2:
raise AnalyzerRunException(
"CIRCL credentials not properly configured."
"Template to use: '<user>|<pwd>'")
user = split_credentials[0]
pwd = split_credentials[1]
pdns = pypdns.PyPDNS(basic_auth=(user, pwd))
try:
result = pdns.query(self.domain, timeout=5)
except pypdns.errors.UnauthorizedError as e:
raise AnalyzerRunException(
f"Credentials are not valid: UnauthorizedError: {e}")
for result_item in result:
keys_to_decode = ["time_first", "time_last"]
for key_to_decode in keys_to_decode:
time_extracted = result_item.get(key_to_decode, None)
if time_extracted and isinstance(time_extracted,
datetime.datetime):
result_item[key_to_decode] = time_extracted.strftime(
"%Y-%m-%d %H:%M:%S")
return result
def __init__(self):
Analyzer.__init__(self)
self.pdns = pypdns.PyPDNS(
basic_auth=(self.get_param('config.user', None,
'No passiveDNS username given.'),
self.get_param('config.password', None,
'No passiveDNS password given.')))
def _api(self):
"""Instantiates PyPDNS API"""
credentials = self.api_key.split(":")
pdns = pypdns.PyPDNS(basic_auth=(credentials[0], credentials[1]))
return pdns
def run(self):
# You should save CIRCL credentials with this template: "<user>|<pwd>"
if not self.__credentials:
raise AnalyzerRunException("no credentials retrieved")
split_credentials = self.__credentials.split("|")
if len(split_credentials) != 2:
raise AnalyzerRunException(
"CIRCL credentials not properly configured."
"Template to use: '<user>|<pwd>'")
user = split_credentials[0]
pwd = split_credentials[1]
pdns = pypdns.PyPDNS(basic_auth=(user, pwd))
domain = self.observable_name
if self.observable_classification == "url":
domain = urlparse(self.observable_name).hostname
result = pdns.query(domain, timeout=5)
for result_item in result:
keys_to_decode = ["time_first", "time_last"]
for key_to_decode in keys_to_decode:
time_extracted = result_item.get(key_to_decode, None)
if time_extracted and isinstance(time_extracted,
datetime.datetime):
result_item[key_to_decode] = time_extracted.strftime(
"%Y-%m-%d %H:%M:%S")
return result
def run(analyzer_name, job_id, observable_name, observable_classification,
additional_config_params):
logger.info("started analyzer {} job_id {} observable {}"
"".format(analyzer_name, job_id, observable_name))
report = general.get_basic_report_template(analyzer_name)
try:
# You should save CIRCL credentials with this template: "<user>|<pwd>"
credentials = secrets.get_secret("CIRCL_CREDENTIALS")
if not credentials:
raise AnalyzerRunException("no credentials retrieved")
split_credentials = credentials.split('|')
if len(split_credentials) != 2:
raise AnalyzerRunException(
"CIRCL credentials not properly configured."
"Template to use: '<user>|<pwd>'")
user = split_credentials[0]
pwd = split_credentials[1]
pdns = pypdns.PyPDNS(basic_auth=(user, pwd))
domain = observable_name
if observable_classification == 'url':
domain = urlparse(observable_name).hostname
result = pdns.query(domain)
for result_item in result:
keys_to_decode = ['time_first', 'time_last']
for key_to_decode in keys_to_decode:
time_extracted = result_item.get(key_to_decode, None)
if time_extracted and isinstance(time_extracted,
datetime.datetime):
result_item[key_to_decode] = time_extracted.strftime(
"%Y-%m-%d %H:%M:%S")
# pprint.pprint(result)
report['report'] = result
except AnalyzerRunException as e:
error_message = "job_id:{} analyzer:{} observable_name:{} Analyzer error {}" \
"".format(job_id, analyzer_name, observable_name, e)
logger.error(error_message)
report['errors'].append(error_message)
report['success'] = False
except Exception as e:
traceback.print_exc()
error_message = "job_id:{} analyzer:{} observable_name:{} Unexpected error {}" \
"".format(job_id, analyzer_name, observable_name, e)
logger.exception(error_message)
report['errors'].append(str(e))
report['success'] = False
else:
report['success'] = True
general.set_report_and_cleanup(job_id, report, logger)
logger.info("ended analyzer {} job_id {} observable {}"
"".format(analyzer_name, job_id, observable_name))
return report
def run(self, conf, args, plugins):
x = pypdns.PyPDNS(basic_auth=(conf['Circl']['user'],
conf['Circl']['pass']))
res = x.query(unbracket(args.DOMAIN))
print(
json.dumps(res,
sort_keys=True,
indent=4,
separators=(',', ': '),
default=json_serial))
def passivedns_data(uri):
global CIRCL_USER
global CIRCL_PASS
if w_network == 1:
uri = re.sub(r'^www\.', '', uri)
try:
logging.debug("querying circl.lu for " + str(uri))
r = pypdns.PyPDNS('https://www.circl.lu/pdns/query', (CIRCL_USER, CIRCL_PASS), enable_cache=True)
q = r.query(uri)
logging.debug("q " + str(q))
return q
except Exception, e:
return "Passive DNS: error " + str(e)
def intel(self, type, query, data, conf):
if type == "domain":
print("[+] Downloading CIRCL passive DNS information....")
x = pypdns.PyPDNS(basic_auth=(conf["Circl"]["user"],
conf["Circl"]["pass"]))
res = x.query(query)
for answer in res:
data["passive_dns"].append({
"ip":
answer["rdata"],
"first":
answer["time_first"].astimezone(pytz.utc),
"last":
answer["time_last"].astimezone(pytz.utc),
"source":
"CIRCL",
})
def run(self, conf, args, plugins):
if 'subcommand' in args:
if args.subcommand == "intel":
# Start with MISP and OTX to get Intelligence Reports
print('###################### %s ###################' % args.DOMAIN)
passive_dns = []
urls = []
malware = []
files = []
# MISP
misp_e = plugins['misp'].test_config(conf)
if misp_e:
print('[+] Downloading MISP information...')
server = ExpandedPyMISP(conf['Misp']['url'], conf['Misp']['key'])
misp_results = server.search('attributes', value=unbracket(args.DOMAIN))
# OTX
otx_e = plugins['otx'].test_config(conf)
if otx_e:
print('[+] Downloading OTX information....')
try:
otx = OTXv2(conf["AlienVaultOtx"]["key"])
res = otx.get_indicator_details_full(IndicatorTypes.DOMAIN, unbracket(args.DOMAIN))
otx_pulses = res["general"]["pulse_info"]["pulses"]
# Get Passive DNS
if "passive_dns" in res:
for r in res["passive_dns"]["passive_dns"]:
passive_dns.append({
"ip": r['hostname'],
"first": parse(r["first"]).astimezone(pytz.utc),
"last": parse(r["last"]).astimezone(pytz.utc),
"source" : "OTX"
})
if "url_list" in res:
for r in res["url_list"]["url_list"]:
if "result" in r:
urls.append({
"date": parse(r["date"]).astimezone(pytz.utc),
"url": r["url"],
"ip": r["result"]["urlworker"]["ip"] if "ip" in r["result"]["urlworker"] else "" ,
"source": "OTX"
})
else:
urls.append({
"date": parse(r["date"]).astimezone(pytz.utc),
"url": r["url"],
"ip": "",
"source": "OTX"
})
except AttributeError:
print('OTX crashed ¯\_(ツ)_/¯')
# UrlScan
us = UrlScan()
print('[+] Downloading UrlScan information....')
res = us.search(args.DOMAIN)
for r in res['results']:
urls.append({
"date": parse(r["task"]["time"]).astimezone(pytz.utc),
"url": r["page"]["url"],
"ip": r["page"]["ip"] if "ip" in r["page"] else "",
"source": "UrlScan"
})
# UrlHaus
uh_e = plugins['urlhaus'].test_config(conf)
if uh_e:
print("[+] Checking urlhaus...")
try:
urlhaus = UrlHaus(conf["UrlHaus"]["key"])
res = urlhaus.get_host(unbracket(args.DOMAIN))
except UrlHausError:
print("Error with the query")
else:
if "urls" in res:
for r in res['urls']:
urls.append({
"date": parse(r["date_added"]).astimezone(pytz.utc),
"url": r["url"],
"ip":"",
"source": "UrlHaus"
})
# CIRCL
circl_e = plugins['circl'].test_config(conf)
if circl_e:
print('[+] Downloading CIRCL passive DNS information....')
x = pypdns.PyPDNS(
basic_auth=(
conf['Circl']['user'],
conf['Circl']['pass']
)
)
res = x.query(unbracket(args.DOMAIN))
for answer in res:
passive_dns.append({
"ip": answer['rdata'],
"first": answer['time_first'].astimezone(pytz.utc),
"last": answer['time_last'].astimezone(pytz.utc),
"source" : "CIRCL"
})
# BinaryEdge
be_e = plugins['binaryedge'].test_config(conf)
if be_e:
print('[+] Downloading BinaryEdge information....')
try:
be = BinaryEdge(conf['BinaryEdge']['key'])
res = be.domain_dns(unbracket(args.DOMAIN))
for d in res['events']:
if "A" in d:
for a in d['A']:
passive_dns.append({
"ip": a,
"first": parse(d['updated_at']).astimezone(pytz.utc),
"last": parse(d['updated_at']).astimezone(pytz.utc),
"source" : "BinaryEdge"
})
except BinaryEdgeException:
print('You need a paid BinaryEdge subscription for this request')
# RobTex
print('[+] Downloading Robtex information....')
try:
rob = Robtex()
res = rob.get_pdns_domain(args.DOMAIN)
for d in res:
if d['rrtype'] in ['A', 'AAAA']:
passive_dns.append({
'first': d['time_first_o'].astimezone(pytz.utc),
'last': d['time_last_o'].astimezone(pytz.utc),
'ip': d['rrdata'],
'source': 'Robtex'
})
except RobtexError:
print("Robtex query failed")
# PT
pt_e = plugins['pt'].test_config(conf)
if pt_e:
try:
pt_osint = {}
ptout = False
print('[+] Downloading Passive Total information....')
client = DnsRequest(conf['PassiveTotal']['username'], conf['PassiveTotal']['key'])
raw_results = client.get_passive_dns(query=unbracket(args.DOMAIN))
if "results" in raw_results:
for res in raw_results["results"]:
passive_dns.append({
"first": parse(res["firstSeen"]).astimezone(pytz.utc),
"last": parse(res["lastSeen"]).astimezone(pytz.utc),
"ip": res["resolve"],
"source": "PT"
})
if "message" in raw_results:
if "quota_exceeded" in raw_results["message"]:
print("PT quota exceeded")
ptout = True
if not ptout:
client2 = EnrichmentRequest(conf["PassiveTotal"]["username"], conf["PassiveTotal"]['key'])
# Get OSINT
# TODO: add PT projects here
pt_osint = client2.get_osint(query=unbracket(args.DOMAIN))
# Get malware
raw_results = client2.get_malware(query=unbracket(args.DOMAIN))
if "results" in raw_results:
for r in raw_results["results"]:
malware.append({
'hash': r["sample"],
'date': parse(r['collectionDate']).astimezone(pytz.utc),
'source' : 'PT (%s)' % r["source"]
})
except requests.exceptions.ReadTimeout:
print("PT: Time Out")
# VT
vt_e = plugins['vt'].test_config(conf)
if vt_e:
if conf["VirusTotal"]["type"] != "public":
print('[+] Downloading VT information....')
vt = PrivateApi(conf["VirusTotal"]["key"])
res = vt.get_domain_report(unbracket(args.DOMAIN))
if "results" in res:
if "resolutions" in res['results']:
for r in res["results"]["resolutions"]:
passive_dns.append({
"first": parse(r["last_resolved"]).astimezone(pytz.utc),
"last": parse(r["last_resolved"]).astimezone(pytz.utc),
"ip": r["ip_address"],
"source": "VT"
})
if "undetected_downloaded_samples" in res['results']:
for r in res['results']['undetected_downloaded_samples']:
files.append({
'hash': r['sha256'],
'date': parse(r['date']).astimezone(pytz.utc) if 'date' in r else '',
'source' : 'VT'
})
if "undetected_referrer_samples" in res['results']:
for r in res['results']['undetected_referrer_samples']:
files.append({
'hash': r['sha256'],
'date': parse(r['date']).astimezone(pytz.utc) if 'date' in r else '',
'source' : 'VT'
})
if "detected_downloaded_samples" in res['results']:
for r in res['results']['detected_downloaded_samples']:
malware.append({
'hash': r['sha256'],
'date': parse(r['date']).astimezone(pytz.utc),
'source' : 'VT'
})
if "detected_referrer_samples" in res['results']:
for r in res['results']['detected_referrer_samples']:
if "date" in r:
malware.append({
'hash': r['sha256'],
'date': parse(r['date']).astimezone(pytz.utc),
'source' : 'VT'
})
if "detected_urls" in res['results']:
for r in res['results']['detected_urls']:
urls.append({
'date': parse(r['scan_date']).astimezone(pytz.utc),
'url': r['url'],
'ip': '',
'source': 'VT'
})
else:
vt_e = False
tg_e = plugins['threatgrid'].test_config(conf)
if tg_e:
try:
print('[+] Downloading Threat Grid....')
tg = ThreatGrid(conf['ThreatGrid']['key'])
res = tg.search_samples(unbracket(args.DOMAIN), type='domain')
already = []
if 'items' in res:
for r in res['items']:
if r['sample_sha256'] not in already:
d = parse(r['ts']).astimezone(pytz.utc)
malware.append({
'hash': r["sample_sha256"],
'date': d,
'source' : 'ThreatGrid'
})
already.append(r['sample_sha256'])
except ThreatGridError as e:
print("Failed to connect to Threat Grid: %s" % e.message)
print('[+] Downloading ThreatMiner....')
tm = ThreatMiner()
response = tm.get_report(unbracket(args.DOMAIN))
if response['status_code'] == '200':
tmm = response['results']
else:
tmm = []
if response['status_code'] == '404':
print("Request to ThreatMiner failed: {}".format(response['status_message']))
response = tm.get_related_samples(unbracket(args.DOMAIN))
if response['status_code'] == '200':
for r in response['results']:
malware.append({
'hash': r,
'date': None,
'source': 'ThreatMiner'
})
print('----------------- Intelligence Report')
if misp_e:
if len(misp_results['Attribute']) > 0:
print('MISP:')
for event in misp_results['Attribute']:
print("- {} - {}".format(
event['Event']['id'],
event['Event']['info']
))
if otx_e:
if len(otx_pulses):
print('OTX:')
for p in otx_pulses:
print('- %s (%s - %s)' % (
p['name'],
p['created'][:10],
"https://otx.alienvault.com/pulse/" + p['id']
)
)
else:
print('OTX: Not found in any pulse')
if pt_e:
if "results" in pt_osint:
if len(pt_osint["results"]):
if len(pt_osint["results"]) == 1:
if "name" in pt_osint["results"][0]:
print("PT: %s %s" % (pt_osint["results"][0]["name"], pt_osint["results"][0]["sourceUrl"]))
else:
print("PT: %s" % (pt_osint["results"][0]["sourceUrl"]))
else:
print("PT:")
for r in pt_osint["results"]:
if "name" in r:
print("- %s %s" % (r["name"], r["sourceUrl"]))
else:
print("- %s" % (r["sourceUrl"]))
else:
print("PT: Nothing found!")
else:
print("PT: Nothing found!")
# ThreatMiner
if len(tmm) > 0:
print("ThreatMiner:")
for r in tmm:
print("- {} {} - {}".format(
r['year'],
r['filename'],
r['URL']
))
if len(malware) > 0:
print('----------------- Malware')
for r in malware:
print("[%s] %s %s" % (
r["source"],
r["hash"],
r["date"].strftime("%Y-%m-%d") if r["date"] else ""
)
)
if len(files) > 0:
print('----------------- Files')
for r in files:
if r['date'] != '':
print("[%s] %s (%s)" % (
r["source"],
r["hash"],
r["date"].strftime("%Y-%m-%d")
)
)
else:
print("[%s] %s" % (
r["source"],
r["hash"],
)
)
if len(urls) > 0:
print('----------------- Urls')
for r in sorted(urls, key=lambda x: x["date"], reverse=True):
print("[%s] %s - %s %s" % (
r["source"],
r["url"],
r["ip"],
r["date"].strftime("%Y-%m-%d")
)
)
# TODO: add ASN + location info here
if len(passive_dns) > 0:
print('----------------- Passive DNS')
for r in sorted(passive_dns, key=lambda x: x["first"], reverse=True):
print("[+] %-40s (%s -> %s)(%s)" % (
r["ip"],
r["first"].strftime("%Y-%m-%d"),
r["last"].strftime("%Y-%m-%d"),
r["source"]
)
)
else:
self.parser.print_help()
else:
self.parser.print_help()
def __init__(self, attribute, authentication):
self.misp_event = MISPEvent()
self.attribute = MISPAttribute()
self.attribute.from_dict(**attribute)
self.misp_event.add_attribute(**self.attribute)
self.pdns = pypdns.PyPDNS(basic_auth=authentication)
def run(self, conf, args, plugins):
if 'subcommand' in args:
if args.subcommand == 'info':
print("Not implemented yet")
elif args.subcommand == "intel":
# Start with MISP and OTX to get Intelligence Reports
print('###################### %s ###################' % args.DOMAIN)
passive_dns = []
urls = []
malware = []
files = []
# OTX
otx_e = plugins['otx'].test_config(conf)
if otx_e:
print('[+] Downloading OTX information....')
otx = OTXv2(conf["AlienVaultOtx"]["key"])
res = otx.get_indicator_details_full(IndicatorTypes.DOMAIN, unbracket(args.DOMAIN))
otx_pulses = res["general"]["pulse_info"]["pulses"]
# Get Passive DNS
if "passive_dns" in res:
for r in res["passive_dns"]["passive_dns"]:
passive_dns.append({
"ip": r['hostname'],
"first": parse(r["first"]),
"last": parse(r["last"]),
"source" : "OTX"
})
if "url_list" in res:
for r in res["url_list"]["url_list"]:
if "result" in r:
urls.append({
"date": parse(r["date"]),
"url": r["url"],
"ip": r["result"]["urlworker"]["ip"] if "ip" in r["result"]["urlworker"] else "" ,
"source": "OTX"
})
else:
urls.append({
"date": parse(r["date"]),
"url": r["url"],
"ip": "",
"source": "OTX"
})
# CIRCL
circl_e = plugins['circl'].test_config(conf)
if circl_e:
print('[+] Downloading CIRCL passive DNS information....')
x = pypdns.PyPDNS(
basic_auth=(
conf['Circl']['user'],
conf['Circl']['pass']
)
)
res = x.query(unbracket(args.DOMAIN))
for answer in res:
passive_dns.append({
"ip": answer['rdata'],
"first": answer['time_first'],
"last": answer['time_last'],
"source" : "CIRCL"
})
# BinaryEdge
be_e = plugins['binaryedge'].test_config(conf)
if be_e:
print('[+] Downloading BinaryEdge information....')
be = BinaryEdge(conf['BinaryEdge']['key'])
res = be.domain_dns(unbracket(args.DOMAIN))
for d in res['events']:
if "A" in d:
for a in d['A']:
passive_dns.append({
"ip": a,
"first": parse(d['updated_at']),
"last": parse(d['updated_at']),
"source" : "BinaryEdge"
})
# RobTex
print('[+] Downloading Robtex information....')
rob = Robtex()
res = rob.get_pdns_domain(args.DOMAIN)
for d in res:
if d['rrtype'] in ['A', 'AAAA']:
passive_dns.append({
'first': d['time_first_o'],
'last': d['time_last_o'],
'ip': d['rrdata'],
'source': 'Robtex'
})
# PT
pt_e = plugins['pt'].test_config(conf)
if pt_e:
try:
pt_osint = {}
ptout = False
print('[+] Downloading Passive Total information....')
client = DnsRequest(conf['PassiveTotal']['username'], conf['PassiveTotal']['key'])
raw_results = client.get_passive_dns(query=unbracket(args.DOMAIN))
if "results" in raw_results:
for res in raw_results["results"]:
passive_dns.append({
"first": parse(res["firstSeen"]),
"last": parse(res["lastSeen"]),
"ip": res["resolve"],
"source": "PT"
})
if "message" in raw_results:
if "quota_exceeded" in raw_results["message"]:
print("PT quota exceeded")
ptout = True
if not ptout:
client2 = EnrichmentRequest(conf["PassiveTotal"]["username"], conf["PassiveTotal"]['key'])
# Get OSINT
# TODO: add PT projects here
pt_osint = client2.get_osint(query=unbracket(args.DOMAIN))
# Get malware
raw_results = client2.get_malware(query=unbracket(args.DOMAIN))
if "results" in raw_results:
for r in raw_results["results"]:
malware.append({
'hash': r["sample"],
'date': parse(r['collectionDate']),
'source' : 'PT (%s)' % r["source"]
})
except requests.exceptions.ReadTimeout:
print("PT: Time Out")
# VT
vt_e = plugins['vt'].test_config(conf)
if vt_e:
if conf["VirusTotal"]["type"] != "public":
print('[+] Downloading VT information....')
vt = PrivateApi(conf["VirusTotal"]["key"])
res = vt.get_domain_report(unbracket(args.DOMAIN))
if "results" in res:
if "resolutions" in res['results']:
for r in res["results"]["resolutions"]:
passive_dns.append({
"first": parse(r["last_resolved"]),
"last": parse(r["last_resolved"]),
"ip": r["ip_address"],
"source": "VT"
})
if "undetected_downloaded_samples" in res['results']:
for r in res['results']['undetected_downloaded_samples']:
files.append({
'hash': r['sha256'],
'date': parse(r['date']) if 'date' in r else '',
'source' : 'VT'
})
if "undetected_referrer_samples" in res['results']:
for r in res['results']['undetected_referrer_samples']:
files.append({
'hash': r['sha256'],
'date': parse(r['date']) if 'date' in r else '',
'source' : 'VT'
})
if "detected_downloaded_samples" in res['results']:
for r in res['results']['detected_downloaded_samples']:
malware.append({
'hash': r['sha256'],
'date': parse(r['date']),
'source' : 'VT'
})
if "detected_referrer_samples" in res['results']:
for r in res['results']['detected_referrer_samples']:
if "date" in r:
malware.append({
'hash': r['sha256'],
'date': parse(r['date']),
'source' : 'VT'
})
if "detected_urls" in res['results']:
for r in res['results']['detected_urls']:
urls.append({
'date': parse(r['scan_date']),
'url': r['url'],
'ip': '',
'source': 'VT'
})
else:
vt_e = False
tg_e = plugins['threatgrid'].test_config(conf)
if tg_e:
try:
print('[+] Downloading Threat Grid....')
tg = ThreatGrid(conf['ThreatGrid']['key'])
res = tg.search_samples(unbracket(args.DOMAIN), type='domain')
already = []
if 'items' in res:
for r in res['items']:
if r['sample_sha256'] not in already:
d = parse(r['ts'])
d = d.replace(tzinfo=None)
malware.append({
'hash': r["sample_sha256"],
'date': d,
'source' : 'ThreatGrid'
})
already.append(r['sample_sha256'])
except ThreatGridError as e:
print("Failed to connect to Threat Grid: %s" % e.message)
# TODO: Add MISP
print('----------------- Intelligence Report')
if otx_e:
if len(otx_pulses):
print('OTX:')
for p in otx_pulses:
print(' -%s (%s - %s)' % (
p['name'],
p['created'][:10],
"https://otx.alienvault.com/pulse/" + p['id']
)
)
else:
print('OTX: Not found in any pulse')
if pt_e:
if "results" in pt_osint:
if len(pt_osint["results"]):
if len(pt_osint["results"]) == 1:
if "name" in pt_osint["results"][0]:
print("PT: %s %s" % (pt_osint["results"][0]["name"], pt_osint["results"][0]["sourceUrl"]))
else:
print("PT: %s" % (pt_osint["results"][0]["sourceUrl"]))
else:
print("PT:")
for r in pt_osint["results"]:
if "name" in r:
print("-%s %s" % (r["name"], r["sourceUrl"]))
else:
print("-%s" % (r["sourceUrl"]))
else:
print("PT: Nothing found!")
else:
print("PT: Nothing found!")
if len(malware) > 0:
print('----------------- Malware')
for r in sorted(malware, key=lambda x: x["date"]):
print("[%s] %s %s" % (
r["source"],
r["hash"],
r["date"].strftime("%Y-%m-%d")
)
)
if len(files) > 0:
print('----------------- Files')
for r in files:
if r['date'] != '':
print("[%s] %s (%s)" % (
r["source"],
r["hash"],
r["date"].strftime("%Y-%m-%d")
)
)
else:
print("[%s] %s" % (
r["source"],
r["hash"],
)
)
if len(urls) > 0:
print('----------------- Urls')
for r in sorted(urls, key=lambda x: x["date"], reverse=True):
print("[%s] %s - %s %s" % (
r["source"],
r["url"],
r["ip"],
r["date"].strftime("%Y-%m-%d")
)
)
# TODO: add ASN + location info here
if len(passive_dns) > 0:
print('----------------- Passive DNS')
for r in sorted(passive_dns, key=lambda x: x["first"], reverse=True):
print("[+] %-40s (%s -> %s)(%s)" % (
r["ip"],
r["first"].strftime("%Y-%m-%d"),
r["last"].strftime("%Y-%m-%d"),
r["source"]
)
)
else:
self.parser.print_help()
else:
self.parser.print_help()
def query(domain):
x = pypdns.PyPDNS(basic_auth=(username, password))
#print(x.query(domain))
return x.query(domain)
def init():
return pypdns.PyPDNS(url=BASE_URL, basic_auth=(LOGIN, PASSWORD))
