def vt(self, domain, conf, verbose): print('## Searching subdomains in Virus Total') if conf["VirusTotal"]["type"] == "public": vt = PublicApi(conf["VirusTotal"]["key"]) else: vt = PrivateApi(conf["VirusTotal"]["key"]) res = vt.get_domain_report(domain) try: for d in res['results']['subdomains']: print(d) except KeyError: pass
def get_private_vt(self): block = self.VTAPI config_dict = self.my_config.get(block, None) if config_dict is None: raise Exception("Missing %s config" % block) if self.PRIVATE in config_dict and \ config_dict.get(self.PRIVATE, False): apikey = config_dict.get(self.API_KEY) return PrivateApi(apikey) raise Exception("Unable to instantiate PrivateApi for VT")
def setup(self): self.vt_key = self.options.get("api_key") self.vt_type = self.options.get("key_type", "") if self.vt_type == "public": self.vt = PublicApi(key=self.vt_key) elif self.vt_type == "": self.vt = PublicApi(key=self.vt_key) elif self.vt_type == "private": self.vt = PrivateApi(key=self.vt_key)
def main(): config = configparser.ConfigParser() if os.path.isfile(os.path.expanduser('~/.pyti')): config.read(os.path.expanduser('~/.pyti')) intelApi = IntelApi(config['VTi']['apikey']) privApi = PrivateApi(config['VTi']['apikey']) allNotes = get_all_notifications(intelApi) keyFunc = lambda f: f['ruleset_name'] dedup = list() dedupHash = list() for s in allNotes: if s['sha1'] not in dedupHash: dedup.append(s) dedupHash.append(s['sha1']) mwr = mwrepo.mwrepo(config['MalwareRepo']['basePath']) toDownload = [s for s in dedup if not mwr.sha1exists(s['sha1'])] printNoteSummary('To Download', groupby(sorted(toDownload, key=keyFunc), key=keyFunc)) print('Downloading {} files...'.format(len(toDownload))) ind = 0 errors = list() for s in toDownload: print('... ({}/{}): {} '.format(ind + 1, len(toDownload), s['sha1']), end='') ss = privApi.get_file(s['sha1']) if type(ss) == dict: print('= Error: {}'.format(ss['error']), end='') errors.append(s['sha1']) else: mwr.savefile(ss) print() ind = ind + 1 idsToRemove = list( set([s['id'] for s in allNotes if s['sha1'] not in errors])) delete_intel_notifications(intelApi, idsToRemove)
def __init__(self): """ The function is a constructor of the Virus Scanner object. """ self._status = None try: self._virus_total_service = PublicApi( Virus_Total_Service_Secret_API) except: try: self._virus_total_service = PrivateApi( Virus_Total_Service_Secret_API) except ApiError as e: print(f'Could not active Virus Total Virus Scanner Service.' f'The error {e} occured.') sys.exit(0) # Stopping the function
def get_VT_name(hashes): try: vt = PrivateApi(api_key = os.environ["VIRUSTOTAL_API_KEY"]) generator = ComputeVtUniqueName() names = [generator.build_unique_name(vt.get_file_report(hash_) or "") for hash_ in hashes] if len(names) >= 2 and all(names[0] == name for name in names[1:]): name = names[0] if name["pup"]: log.error("PUA signatures are not implemented yet. Excpected name was: %s", str(name)) pass else: return "{}.{}.{}".format(name["platform"], name["category"], name["unique_name"]) except KeyError: log.warn("No VIRUSTOTAL_API_KEY specified. Falling back to generic name.") except Exception: log.exception("White trying to compute VT name. Falling back to generic name.") return GENERIC_CLAMAV_MALWARE_NAME
def __init__(self): Analyzer.__init__(self) self.service = self.get_param("config.service", None, "Service parameter is missing") self.virustotal_key = self.get_param("config.key", None, "Missing VirusTotal API key") self.polling_interval = self.get_param("config.polling_interval", 60) self.rescan_hash_older_than_days = self.get_param( "config.rescan_hash_older_than_days", None) self.highlighted_antivirus = self.get_param( "config.highlighted_antivirus", None) self.download_sample = self.get_param("config.download_sample", False) self.download_sample_if_highlighted = self.get_param( "config.download_sample_if_highlighted", False) self.obs_path = None self.proxies = self.get_param("config.proxy", None) if (self.download_sample or self.download_sample_if_highlighted or self.service == "download"): self.vt_pay = PrivateApi(self.virustotal_key, self.proxies) self.vt = PublicApi(self.virustotal_key, self.proxies)
def run(self, conf, args, plugins): if 'subcommand' in args: if args.subcommand == 'info': if not is_ip(unbracket(args.IP)): print("Invalid IP address") sys.exit(1) # FIXME: move code here in a library ip = unbracket(args.IP) try: ipy = IP(ip) except ValueError: print('Invalid IP format, quitting...') return ipinfo = self.ipinfo(ip) print('MaxMind: Located in %s, %s' % (ipinfo['city'], ipinfo['country'])) if ipinfo['asn'] == 0: print("MaxMind: IP not found in the ASN database") else: print('MaxMind: ASN%i, %s' % (ipinfo['asn'], ipinfo['asn_name'])) asndb2 = pyasn.pyasn(self.asncidr) res = asndb2.lookup(ip) if res[1] is None: print("IP not found in ASN database") else: # Search for name f = open(self.asnname, 'r') found = False line = f.readline() name = '' while not found and line != '': s = line.split('|') if s[0] == str(res[0]): name = s[1].strip() found = True line = f.readline() print('ASN %i - %s (range %s)' % (res[0], name, res[1])) if ipinfo['hostname'] != '': print('Hostname: %s' % ipinfo['hostname']) if ipinfo['specific'] != '': print("Specific: %s" % ipinfo['specific']) if ipy.iptype() == "PRIVATE": "Private IP" print("") if ipy.version() == 4: print("Censys:\t\thttps://censys.io/ipv4/%s" % ip) print("Shodan:\t\thttps://www.shodan.io/host/%s" % ip) print("IP Info:\thttp://ipinfo.io/%s" % ip) print("BGP HE:\t\thttps://bgp.he.net/ip/%s" % ip) print( "IP Location:\thttps://www.iplocation.net/?query=%s" % ip) elif args.subcommand == "intel": if not is_ip(unbracket(args.IP)): print("Invalid IP address") sys.exit(1) # Start with MISP and OTX to get Intelligence Reports print('###################### %s ###################' % unbracket(args.IP)) passive_dns = [] urls = [] malware = [] files = [] # OTX otx_e = plugins['otx'].test_config(conf) if otx_e: print('[+] Downloading OTX information....') otx = OTXv2(conf["AlienVaultOtx"]["key"]) res = otx.get_indicator_details_full( IndicatorTypes.IPv4, unbracket(args.IP)) otx_pulses = res["general"]["pulse_info"]["pulses"] # Get Passive DNS if "passive_dns" in res: for r in res["passive_dns"]["passive_dns"]: passive_dns.append({ "domain": r['hostname'], "first": parse(r["first"]), "last": parse(r["last"]), "source": "OTX" }) if "url_list" in res: for r in res["url_list"]["url_list"]: urls.append(r) # RobTex print('[+] Downloading Robtex information....') rob = Robtex() res = rob.get_ip_info(unbracket(args.IP)) for d in ["pas", "pash", "act", "acth"]: if d in res: for a in res[d]: passive_dns.append({ 'first': a['date'], 'last': a['date'], 'domain': a['o'], 'source': 'Robtex' }) # PT pt_e = plugins['pt'].test_config(conf) if pt_e: out_pt = False print('[+] Downloading Passive Total information....') client = DnsRequest(conf['PassiveTotal']['username'], conf['PassiveTotal']['key']) raw_results = client.get_passive_dns( query=unbracket(args.IP)) if "results" in raw_results: for res in raw_results["results"]: passive_dns.append({ "first": parse(res["firstSeen"]), "last": parse(res["lastSeen"]), "domain": res["resolve"], "source": "PT" }) if "message" in raw_results: if "quota_exceeded" in raw_results["message"]: print("Quota exceeded for Passive Total") out_pt = True pt_osint = {} if not out_pt: client2 = EnrichmentRequest( conf["PassiveTotal"]["username"], conf["PassiveTotal"]['key']) # Get OSINT # TODO: add PT projects here pt_osint = client2.get_osint(query=unbracket(args.IP)) # Get malware raw_results = client2.get_malware( query=unbracket(args.IP)) if "results" in raw_results: for r in raw_results["results"]: malware.append({ 'hash': r["sample"], 'date': parse(r['collectionDate']), 'source': 'PT (%s)' % r["source"] }) # VT vt_e = plugins['vt'].test_config(conf) if vt_e: if conf["VirusTotal"]["type"] != "public": print('[+] Downloading VT information....') vt = PrivateApi(conf["VirusTotal"]["key"]) res = vt.get_ip_report(unbracket(args.IP)) if "results" in res: if "resolutions" in res['results']: for r in res["results"]["resolutions"]: passive_dns.append({ "first": parse(r["last_resolved"]), "last": parse(r["last_resolved"]), "domain": r["hostname"], "source": "VT" }) if "undetected_downloaded_samples" in res[ 'results']: for r in res['results'][ 'undetected_downloaded_samples']: files.append({ 'hash': r['sha256'], 'date': parse(r['date']), 'source': 'VT' }) if "undetected_referrer_samples" in res['results']: for r in res['results'][ 'undetected_referrer_samples']: files.append({ 'hash': r['sha256'], 'date': parse(r['date']), 'source': 'VT' }) if "detected_downloaded_samples" in res['results']: for r in res['results'][ 'detected_downloaded_samples']: malware.append({ 'hash': r['sha256'], 'date': parse(r['date']), 'source': 'VT' }) if "detected_referrer_samples" in res['results']: for r in res['results'][ 'detected_referrer_samples']: if "date" in r: malware.append({ 'hash': r['sha256'], 'date': parse(r['date']), 'source': 'VT' }) else: vt_e = False print('[+] Downloading GreyNoise information....') gn = GreyNoise() try: greynoise = gn.query_ip(unbracket(args.IP)) except GreyNoiseError: greynoise = [] tg_e = plugins['threatgrid'].test_config(conf) if tg_e: print('[+] Downloading Threat Grid....') tg = ThreatGrid(conf['ThreatGrid']['key']) res = tg.search_samples(unbracket(args.IP), type='ip') already = [] if 'items' in res: for r in res['items']: if r['sample_sha256'] not in already: d = parse(r['ts']) d = d.replace(tzinfo=None) malware.append({ 'hash': r["sample_sha256"], 'date': d, 'source': 'TG' }) already.append(r['sample_sha256']) # TODO: Add MISP print('----------------- Intelligence Report') if otx_e: if len(otx_pulses): print('OTX:') for p in otx_pulses: print(' -%s (%s - %s)' % (p['name'], p['created'][:10], "https://otx.alienvault.com/pulse/" + p['id'])) else: print('OTX: Not found in any pulse') if len(greynoise) > 0: print("GreyNoise: IP identified as") for r in greynoise: print("\t%s (%s -> %s)" % (r["name"], r["first_seen"], r["last_updated"])) else: print("GreyNoise: Not found") if pt_e: if "results" in pt_osint: if len(pt_osint["results"]): if len(pt_osint["results"]) == 1: if "name" in pt_osint["results"][0]: print( "PT: %s %s" % (pt_osint["results"][0]["name"], pt_osint["results"][0]["sourceUrl"])) else: print("PT: %s" % pt_osint["results"][0]["sourceUrl"]) else: print("PT:") for r in pt_osint["results"]: if "name" in r: print("-%s %s" % (r["name"], r["sourceUrl"])) else: print("-%s" % r["sourceUrl"]) else: print("PT: Nothing found!") else: print("PT: Nothing found!") if len(malware) > 0: print('----------------- Malware') for r in sorted(malware, key=lambda x: x["date"]): print("[%s] %s %s" % (r["source"], r["hash"], r["date"].strftime("%Y-%m-%d"))) if len(files) > 0: print('----------------- Files') for r in sorted(files, key=lambda x: x["date"]): print("[%s] %s %s" % (r["source"], r["hash"], r["date"].strftime("%Y-%m-%d"))) if len(passive_dns) > 0: print('----------------- Passive DNS') for r in sorted(passive_dns, key=lambda x: x["first"], reverse=True): print("[+] %-40s (%s -> %s)(%s)" % (r["domain"], r["first"].strftime("%Y-%m-%d"), r["last"].strftime("%Y-%m-%d"), r["source"])) else: self.parser.print_help() else: self.parser.print_help()
def run(self, args): config_path = os.path.join(os.path.expanduser("~"), ".vtapi") if hasattr(args, 'subcommand'): if args.subcommand in ('check', 'similar'): if not os.path.isfile(config_path): print( "Invalid configuration file, please use pe vt config to configure your VT account" ) sys.exit(1) cf = self.read_config(config_path) if cf['type'] == 'private': vt = PrivateApi(cf['apikey']) else: vt = PublicApi(cf['apikey']) if args.subcommand == 'check': with open(args.PEFILE, 'rb') as f: data = f.read() m = hashlib.sha256() m.update(data) sha256 = m.hexdigest() response = vt.get_file_report(sha256) if args.raw: print(json.dumps(response, sort_keys=False, indent=4)) else: if response["response_code"] != 200: print("Error with the request (reponse code %i)" % response["response_code"]) sys.exit(1) if response["results"]["response_code"] == 0: print("File not found") else: print("[+] Detection: %i / %i" % (response["results"]["positives"], response["results"]["total"])) print("[+] MD5: %s" % response["results"]["md5"]) print("[+] SHA1: %s" % response["results"]["sha1"]) print("[+] SHA256: %s" % response["results"]["sha256"]) if "first_seen" in response['results']: print("[+] First Seen: %s" % response["results"]["first_seen"]) if "last_seen" in response['results']: print("[+] Last Seen: %s" % response["results"]["last_seen"]) print("[+] Link: %s" % response["results"]["permalink"]) elif args.subcommand == 'similar': if cf['type'] != 'private': print( 'I am sorry, you need a private VT access to do that' ) sys.exit(1) with open(args.PEFILE, 'rb') as f: data = f.read() m = hashlib.sha256() m.update(data) sha256 = m.hexdigest() # Check if this PE file is in VT first response = vt.get_file_report(sha256) if response["results"]["response_code"] == 0: print("File not in VT, computing imphash, ssdeep only") pe = pefile.PE(data=data) imphash = pe.get_imphash() ssd = ssdeep.hash(data) vhash = None authentihash = None dbg_filename = debug_filename(pe) dbg_guid = debug_guid(pe) if is_dot_net_assembly(pe): res = get_guid(pe, data) dotnet_mvid = res["mvid"] dotnet_typelib = res["typelib_id"] else: dotnet_mvid = None dotnet_typelib = None else: print("File identified in VT: {}".format( response['results']['permalink'])) vhash = response['results']['vhash'] ssd = response['results']['ssdeep'] authentihash = response['results']['authentihash'] imphash = response['results']['additional_info'][ "pe-imphash"] dbg_guid = None dbg_filename = None if "pe-debug" in response['results'][ 'additional_info']: if "codeview" in response['results'][ 'additional_info']["pe-debug"][0]: if "guid" in response['results'][ 'additional_info']["pe-debug"][0][ "codeview"]: dbg_guid = response['results'][ 'additional_info']["pe-debug"][0][ "codeview"]["guid"] if "name" in response['results'][ 'additional_info']["pe-debug"][0][ "codeview"]: dbg_filename = response['results'][ 'additional_info']['pe-debug'][0][ 'codeview']['name'] if "netguids" in response['results'][ 'additional_info']: dotnet_mvid = response['results'][ 'additional_info']['netguids']['mvid'] dotnet_typelib = response['results'][ 'additional_info']['netguids']['typelib_id'] else: dotnet_mvid = None dotnet_typelib = None # Start with imphash print("# Searching for imphash: {}".format(imphash)) res = vt.file_search('imphash:"{}"'.format(imphash)) self.print_results(res, sha256) # ssdeep print("# Searching for ssdeep: {}".format(ssd)) res = vt.file_search('ssdeep:"{}"'.format(ssd)) self.print_results(res, sha256) # authentihash if authentihash: print("# Searching for authentihash: {}".format( authentihash)) res = vt.file_search( 'authentihash:"{}"'.format(authentihash)) self.print_results(res, sha256) # vhash if vhash: print("# Searching for vhash: {}".format(vhash)) res = vt.file_search('vhash:"{}"'.format(vhash)) self.print_results(res, sha256) # .NET GUIDs if dotnet_mvid: print("# Searching for .NET Module Version id: {}". format(dotnet_mvid)) res = vt.file_search( 'netguid:"{}"'.format(dotnet_mvid)) self.print_results(res, sha256) if dotnet_typelib: print("# Searching for .NET TypeLib id: {}".format( dotnet_typelib)) res = vt.file_search( 'netguid:"{}"'.format(dotnet_typelib)) self.print_results(res, sha256) # Debug if dbg_filename: print("# Searching for Debug Filename: {}".format( dbg_filename)) res = vt.file_search('"{}"'.format(dbg_filename)) self.print_results(res, sha256) if dbg_guid: print( "# Searching for Debug GUID: {}".format(dbg_guid)) res = vt.file_search('"{}"'.format(dbg_guid)) self.print_results(res, sha256) elif args.subcommand == 'config': config = configparser.ConfigParser() if args.type == 'public': config['vt'] = { 'intelligence': False, 'engines': '', 'timeout': 60, 'apikey': args.APIKEY, 'type': 'public' } else: config['vt'] = { 'intelligence': True, 'engines': '', 'timeout': 60, 'apikey': args.APIKEY, 'type': 'private' } with open(config_path, 'w') as configfile: config.write(configfile) print("Config file {} updated".format(config_path)) else: self.parser.print_help() else: self.parser.print_help()
def run(self, conf, args, plugins): if 'subcommand' in args: if args.subcommand == "intel": # Start with MISP and OTX to get Intelligence Reports print('###################### %s ###################' % args.DOMAIN) passive_dns = [] urls = [] malware = [] files = [] # MISP misp_e = plugins['misp'].test_config(conf) if misp_e: print('[+] Downloading MISP information...') server = ExpandedPyMISP(conf['Misp']['url'], conf['Misp']['key']) misp_results = server.search('attributes', value=unbracket(args.DOMAIN)) # OTX otx_e = plugins['otx'].test_config(conf) if otx_e: print('[+] Downloading OTX information....') try: otx = OTXv2(conf["AlienVaultOtx"]["key"]) res = otx.get_indicator_details_full(IndicatorTypes.DOMAIN, unbracket(args.DOMAIN)) otx_pulses = res["general"]["pulse_info"]["pulses"] # Get Passive DNS if "passive_dns" in res: for r in res["passive_dns"]["passive_dns"]: passive_dns.append({ "ip": r['hostname'], "first": parse(r["first"]).astimezone(pytz.utc), "last": parse(r["last"]).astimezone(pytz.utc), "source" : "OTX" }) if "url_list" in res: for r in res["url_list"]["url_list"]: if "result" in r: urls.append({ "date": parse(r["date"]).astimezone(pytz.utc), "url": r["url"], "ip": r["result"]["urlworker"]["ip"] if "ip" in r["result"]["urlworker"] else "" , "source": "OTX" }) else: urls.append({ "date": parse(r["date"]).astimezone(pytz.utc), "url": r["url"], "ip": "", "source": "OTX" }) except AttributeError: print('OTX crashed ¯\_(ツ)_/¯') # UrlScan us = UrlScan() print('[+] Downloading UrlScan information....') res = us.search(args.DOMAIN) for r in res['results']: urls.append({ "date": parse(r["task"]["time"]).astimezone(pytz.utc), "url": r["page"]["url"], "ip": r["page"]["ip"] if "ip" in r["page"] else "", "source": "UrlScan" }) # UrlHaus uh_e = plugins['urlhaus'].test_config(conf) if uh_e: print("[+] Checking urlhaus...") try: urlhaus = UrlHaus(conf["UrlHaus"]["key"]) res = urlhaus.get_host(unbracket(args.DOMAIN)) except UrlHausError: print("Error with the query") else: if "urls" in res: for r in res['urls']: urls.append({ "date": parse(r["date_added"]).astimezone(pytz.utc), "url": r["url"], "ip":"", "source": "UrlHaus" }) # CIRCL circl_e = plugins['circl'].test_config(conf) if circl_e: print('[+] Downloading CIRCL passive DNS information....') x = pypdns.PyPDNS( basic_auth=( conf['Circl']['user'], conf['Circl']['pass'] ) ) res = x.query(unbracket(args.DOMAIN)) for answer in res: passive_dns.append({ "ip": answer['rdata'], "first": answer['time_first'].astimezone(pytz.utc), "last": answer['time_last'].astimezone(pytz.utc), "source" : "CIRCL" }) # BinaryEdge be_e = plugins['binaryedge'].test_config(conf) if be_e: print('[+] Downloading BinaryEdge information....') try: be = BinaryEdge(conf['BinaryEdge']['key']) res = be.domain_dns(unbracket(args.DOMAIN)) for d in res['events']: if "A" in d: for a in d['A']: passive_dns.append({ "ip": a, "first": parse(d['updated_at']).astimezone(pytz.utc), "last": parse(d['updated_at']).astimezone(pytz.utc), "source" : "BinaryEdge" }) except BinaryEdgeException: print('You need a paid BinaryEdge subscription for this request') # RobTex print('[+] Downloading Robtex information....') try: rob = Robtex() res = rob.get_pdns_domain(args.DOMAIN) for d in res: if d['rrtype'] in ['A', 'AAAA']: passive_dns.append({ 'first': d['time_first_o'].astimezone(pytz.utc), 'last': d['time_last_o'].astimezone(pytz.utc), 'ip': d['rrdata'], 'source': 'Robtex' }) except RobtexError: print("Robtex query failed") # PT pt_e = plugins['pt'].test_config(conf) if pt_e: try: pt_osint = {} ptout = False print('[+] Downloading Passive Total information....') client = DnsRequest(conf['PassiveTotal']['username'], conf['PassiveTotal']['key']) raw_results = client.get_passive_dns(query=unbracket(args.DOMAIN)) if "results" in raw_results: for res in raw_results["results"]: passive_dns.append({ "first": parse(res["firstSeen"]).astimezone(pytz.utc), "last": parse(res["lastSeen"]).astimezone(pytz.utc), "ip": res["resolve"], "source": "PT" }) if "message" in raw_results: if "quota_exceeded" in raw_results["message"]: print("PT quota exceeded") ptout = True if not ptout: client2 = EnrichmentRequest(conf["PassiveTotal"]["username"], conf["PassiveTotal"]['key']) # Get OSINT # TODO: add PT projects here pt_osint = client2.get_osint(query=unbracket(args.DOMAIN)) # Get malware raw_results = client2.get_malware(query=unbracket(args.DOMAIN)) if "results" in raw_results: for r in raw_results["results"]: malware.append({ 'hash': r["sample"], 'date': parse(r['collectionDate']).astimezone(pytz.utc), 'source' : 'PT (%s)' % r["source"] }) except requests.exceptions.ReadTimeout: print("PT: Time Out") # VT vt_e = plugins['vt'].test_config(conf) if vt_e: if conf["VirusTotal"]["type"] != "public": print('[+] Downloading VT information....') vt = PrivateApi(conf["VirusTotal"]["key"]) res = vt.get_domain_report(unbracket(args.DOMAIN)) if "results" in res: if "resolutions" in res['results']: for r in res["results"]["resolutions"]: passive_dns.append({ "first": parse(r["last_resolved"]).astimezone(pytz.utc), "last": parse(r["last_resolved"]).astimezone(pytz.utc), "ip": r["ip_address"], "source": "VT" }) if "undetected_downloaded_samples" in res['results']: for r in res['results']['undetected_downloaded_samples']: files.append({ 'hash': r['sha256'], 'date': parse(r['date']).astimezone(pytz.utc) if 'date' in r else '', 'source' : 'VT' }) if "undetected_referrer_samples" in res['results']: for r in res['results']['undetected_referrer_samples']: files.append({ 'hash': r['sha256'], 'date': parse(r['date']).astimezone(pytz.utc) if 'date' in r else '', 'source' : 'VT' }) if "detected_downloaded_samples" in res['results']: for r in res['results']['detected_downloaded_samples']: malware.append({ 'hash': r['sha256'], 'date': parse(r['date']).astimezone(pytz.utc), 'source' : 'VT' }) if "detected_referrer_samples" in res['results']: for r in res['results']['detected_referrer_samples']: if "date" in r: malware.append({ 'hash': r['sha256'], 'date': parse(r['date']).astimezone(pytz.utc), 'source' : 'VT' }) if "detected_urls" in res['results']: for r in res['results']['detected_urls']: urls.append({ 'date': parse(r['scan_date']).astimezone(pytz.utc), 'url': r['url'], 'ip': '', 'source': 'VT' }) else: vt_e = False tg_e = plugins['threatgrid'].test_config(conf) if tg_e: try: print('[+] Downloading Threat Grid....') tg = ThreatGrid(conf['ThreatGrid']['key']) res = tg.search_samples(unbracket(args.DOMAIN), type='domain') already = [] if 'items' in res: for r in res['items']: if r['sample_sha256'] not in already: d = parse(r['ts']).astimezone(pytz.utc) malware.append({ 'hash': r["sample_sha256"], 'date': d, 'source' : 'ThreatGrid' }) already.append(r['sample_sha256']) except ThreatGridError as e: print("Failed to connect to Threat Grid: %s" % e.message) print('[+] Downloading ThreatMiner....') tm = ThreatMiner() response = tm.get_report(unbracket(args.DOMAIN)) if response['status_code'] == '200': tmm = response['results'] else: tmm = [] if response['status_code'] == '404': print("Request to ThreatMiner failed: {}".format(response['status_message'])) response = tm.get_related_samples(unbracket(args.DOMAIN)) if response['status_code'] == '200': for r in response['results']: malware.append({ 'hash': r, 'date': None, 'source': 'ThreatMiner' }) print('----------------- Intelligence Report') if misp_e: if len(misp_results['Attribute']) > 0: print('MISP:') for event in misp_results['Attribute']: print("- {} - {}".format( event['Event']['id'], event['Event']['info'] )) if otx_e: if len(otx_pulses): print('OTX:') for p in otx_pulses: print('- %s (%s - %s)' % ( p['name'], p['created'][:10], "https://otx.alienvault.com/pulse/" + p['id'] ) ) else: print('OTX: Not found in any pulse') if pt_e: if "results" in pt_osint: if len(pt_osint["results"]): if len(pt_osint["results"]) == 1: if "name" in pt_osint["results"][0]: print("PT: %s %s" % (pt_osint["results"][0]["name"], pt_osint["results"][0]["sourceUrl"])) else: print("PT: %s" % (pt_osint["results"][0]["sourceUrl"])) else: print("PT:") for r in pt_osint["results"]: if "name" in r: print("- %s %s" % (r["name"], r["sourceUrl"])) else: print("- %s" % (r["sourceUrl"])) else: print("PT: Nothing found!") else: print("PT: Nothing found!") # ThreatMiner if len(tmm) > 0: print("ThreatMiner:") for r in tmm: print("- {} {} - {}".format( r['year'], r['filename'], r['URL'] )) if len(malware) > 0: print('----------------- Malware') for r in malware: print("[%s] %s %s" % ( r["source"], r["hash"], r["date"].strftime("%Y-%m-%d") if r["date"] else "" ) ) if len(files) > 0: print('----------------- Files') for r in files: if r['date'] != '': print("[%s] %s (%s)" % ( r["source"], r["hash"], r["date"].strftime("%Y-%m-%d") ) ) else: print("[%s] %s" % ( r["source"], r["hash"], ) ) if len(urls) > 0: print('----------------- Urls') for r in sorted(urls, key=lambda x: x["date"], reverse=True): print("[%s] %s - %s %s" % ( r["source"], r["url"], r["ip"], r["date"].strftime("%Y-%m-%d") ) ) # TODO: add ASN + location info here if len(passive_dns) > 0: print('----------------- Passive DNS') for r in sorted(passive_dns, key=lambda x: x["first"], reverse=True): print("[+] %-40s (%s -> %s)(%s)" % ( r["ip"], r["first"].strftime("%Y-%m-%d"), r["last"].strftime("%Y-%m-%d"), r["source"] ) ) else: self.parser.print_help() else: self.parser.print_help()
def intel(self, type, query, data, conf): if type == "domain": if conf["VirusTotal"]["type"] != "public": print("[+] Checking VirusTotal....") vt = PrivateApi(conf["VirusTotal"]["key"]) res = vt.get_domain_report(query) if "results" in res: if "resolutions" in res["results"]: for r in res["results"]["resolutions"]: try: data["passive_dns"].append({ "first": parse(r["last_resolved"]).astimezone( pytz.utc), "last": parse(r["last_resolved"]).astimezone( pytz.utc), "ip": r["ip_address"], "source": "VT", }) except TypeError: # Error with the date pass if "undetected_downloaded_samples" in res["results"]: for r in res["results"][ "undetected_downloaded_samples"]: data["files"].append({ "hash": r["sha256"], "date": parse(r["date"]).astimezone(pytz.utc) if "date" in r else "", "source": "VT", }) if "undetected_referrer_samples" in res["results"]: for r in res["results"]["undetected_referrer_samples"]: data["files"].append({ "hash": r["sha256"], "date": parse(r["date"]).astimezone(pytz.utc) if "date" in r else "", "source": "VT", }) if "undetected_communicating_samples" in res["results"]: for r in res["results"][ "undetected_communicating_samples"]: data["malware"].append({ "hash": r["sha256"], "date": parse(r["date"]).astimezone(pytz.utc), "source": "VT" }) if "detected_communicating_samples" in res["results"]: for r in res["results"][ "detected_communicating_samples"]: data["malware"].append({ "hash": r["sha256"], "date": parse(r["date"]).astimezone(pytz.utc), "source": "VT" }) if "detected_downloaded_samples" in res["results"]: for r in res["results"]["detected_downloaded_samples"]: data["malware"].append({ "hash": r["sha256"], "date": parse(r["date"]).astimezone(pytz.utc), "source": "VT", }) if "detected_referrer_samples" in res["results"]: for r in res["results"]["detected_referrer_samples"]: if "date" in r: data["malware"].append({ "hash": r["sha256"], "date": parse(r["date"]).astimezone(pytz.utc), "source": "VT", }) if "detected_urls" in res["results"]: for r in res["results"]["detected_urls"]: data["urls"].append({ "date": parse(r["scan_date"]).astimezone(pytz.utc), "url": r["url"], "ip": "", "source": "VT", }) elif type == "ip": if conf["VirusTotal"]["type"] != "public": print("[+] Checking VirusTotal...") vt = PrivateApi(conf["VirusTotal"]["key"]) res = vt.get_ip_report(query) if "results" in res: if "resolutions" in res["results"]: for r in res["results"]["resolutions"]: try: data["passive_dns"].append({ "first": parse(r["last_resolved"]).astimezone( pytz.utc), "last": parse(r["last_resolved"]).astimezone( pytz.utc), "domain": r["hostname"], "source": "VT", }) except TypeError: # Error with the date pass if "undetected_downloaded_samples" in res["results"]: for r in res["results"][ "undetected_downloaded_samples"]: data["files"].append({ "hash": r["sha256"], "date": parse(r["date"]).astimezone(pytz.utc) if "date" in r else "", "source": "VT", }) if "undetected_referrer_samples" in res["results"]: for r in res["results"]["undetected_referrer_samples"]: data["files"].append({ "hash": r["sha256"], "date": parse(r["date"]).astimezone(pytz.utc) if "date" in r else "", "source": "VT", }) if "undetected_communicating_samples" in res["results"]: for r in res["results"][ "undetected_communicating_samples"]: data["malware"].append({ "hash": r["sha256"], "date": parse(r["date"]).astimezone(pytz.utc), "source": "VT", }) if "detected_communicating_samples" in res["results"]: for r in res["results"][ "detected_communicating_samples"]: data["malware"].append({ "hash": r["sha256"], "date": parse(r["date"]).astimezone(pytz.utc), "source": "VT", }) if "detected_downloaded_samples" in res["results"]: for r in res["results"]["detected_downloaded_samples"]: data["malware"].append({ "hash": r["sha256"], "date": parse(r["date"]).astimezone(pytz.utc), "source": "VT" }) if "detected_urls" in res["results"]: for r in res["results"]["detected_urls"]: data["urls"].append({ "date": parse(r["scan_date"]).astimezone(pytz.utc), "url": r["url"], "ip": "", "source": "VT", }) elif type == "hash": if conf["VirusTotal"]["type"] != "public": print("[+] Checking VirusTotal...") vt = PrivateApi(conf["VirusTotal"]["key"]) res = vt.get_file_report(query) if res["results"]["response_code"] == 1: # Found data["samples"].append({ "date": parse(res['results']['scan_date']).astimezone( pytz.utc), "source": "VT", "url": res['results']['permalink'], "infos": { "AV Result": "{} / {}".format(res['results']['positives'], res['results']['total']), "First Seen": res['results']["first_seen"], "File Names": ", ".join(res['results']["submission_names"][:5]) } }) if "ITW_urls" in res["results"]: for url in res['results']["ITW_urls"]: data["urls"].append({ "url": url, "source": "VT", "link": res['results']['permalink'] }) if "additional_info" in res["results"]: if "behaviour-v1" in res["results"]["additional_info"]: if "network" in res['results']['additional_info'][ 'behaviour-v1']: for d in res['results']['additional_info'][ 'behaviour-v1']["network"]["dns"]: data["network"].append({ "source": "VT", "url": res['results']['permalink'], "host": d["hostname"], "ip": d["ip"] })
def run(self, conf, args, plugins): if 'subcommand' in args: if conf["VirusTotal"]["type"] != "public": vt = PrivateApi(conf["VirusTotal"]["key"]) if args.subcommand == "hash": response = vt.get_file_report(args.HASH) if args.raw: print(json.dumps(response, sort_keys=False, indent=4)) if args.extended: response = vt.get_network_traffic(args.HASH) print( json.dumps(response, sort_keys=False, indent=4)) response = vt.get_file_behaviour(args.HASH) print( json.dumps(response, sort_keys=False, indent=4)) else: self.print_file(response) elif args.subcommand == "dl": if os.path.isfile(args.HASH): print("File %s already exists" % args.HASH) sys.exit(0) data = vt.get_file(args.HASH) if isinstance(data, dict): if 'results' in data: with open(args.HASH, "wb") as f: f.write(data['results']) print("File downloaded as %s" % args.HASH) else: print('Invalid answer format') sys.exit(1) else: with open(args.HASH, "wb") as f: f.write(data) print("File downloaded as %s" % args.HASH) elif args.subcommand == "file": with open(args.FILE, "rb") as f: # FIXME : could be more efficient data = f.read() m = hashlib.sha256() m.update(data) h = m.hexdigest() response = vt.get_file_report(h) if args.raw: print(json.dumps(response, sort_keys=False, indent=4)) else: self.print_file(response) elif args.subcommand == "hashlist": with open(args.FILE, 'r') as infile: data = infile.read().split() hash_list = list(set([a.strip() for a in data])) print( "Hash;Found;Detection;Total AV;First Seen;Last Seen;Link" ) for h in hash_list: response = vt.get_file_report(h) if response["response_code"] != 200: print("Error with the request (reponse code %i)" % response["response_code"]) print( json.dumps(response, sort_keys=False, indent=4)) print("Quitting...") sys.exit(1) if "response_code" in response["results"]: if response["results"]["response_code"] == 0: print("%s;Not found;;;;;" % h) else: print("%s;Found;%i;%i;%s;%s;%s" % (h, response["results"]["positives"], response["results"]["total"], response["results"]["first_seen"], response["results"]["last_seen"], response["results"]["permalink"])) else: print("%s;Not found;;;;;" % h) elif args.subcommand == "domainlist": with open(args.FILE, 'r') as infile: data = infile.read().split() for d in data: print("################ Domain %s" % d.strip()) res = vt.get_domain_report(d.strip()) self.print_domaininfo(res) elif args.subcommand == "iplist": with open(args.FILE, 'r') as infile: data = infile.read().split() for d in data: print("################ IP %s" % d.strip()) res = vt.get_ip_report(unbracket(d.strip())) print(json.dumps(res, sort_keys=False, indent=4)) elif args.subcommand == "domain": res = vt.get_domain_report(unbracket(args.DOMAIN)) if args.json: print(json.dumps(res, sort_keys=False, indent=4)) else: self.print_domaininfo(res) elif args.subcommand == "ip": res = vt.get_ip_report(unbracket(args.IP)) print(json.dumps(res, sort_keys=False, indent=4)) elif args.subcommand == "url": res = vt.get_url_report(args.URL) print(json.dumps(res, sort_keys=False, indent=4)) else: self.parser.print_help() else: vt = PublicApi(conf["VirusTotal"]["key"]) if args.subcommand == "hash": response = vt.get_file_report(args.HASH) if args.raw: print(json.dumps(response, sort_keys=False, indent=4)) else: self.print_file(response) elif args.subcommand == "file": with open(args.FILE, "rb") as f: # FIXME : could be more efficient data = f.read() m = hashlib.sha256() m.update(data) response = vt.get_file_report(m.hexdigest()) if args.raw: print(json.dumps(response, sort_keys=False, indent=4)) else: self.print_file(response) elif args.subcommand == "hashlist": with open(args.FILE, 'r') as infile: data = infile.read().split() hash_list = list(set([a.strip() for a in data])) print("Hash;Found;Detection;Total AV;Link") for h in hash_list: response = vt.get_file_report(h) if response["response_code"] != 200: print("Error with the request (reponse code %i)" % response["response_code"]) print( json.dumps(response, sort_keys=False, indent=4)) print("Quitting...") sys.exit(1) if "response_code" in response["results"]: if response["results"]["response_code"] == 0: print("%s;Not found;;;" % h) else: print("%s;Found;%i;%i;%s" % (h, response["results"]["positives"], response["results"]["total"], response["results"]["permalink"])) else: print("%s;Not found;;;" % h) elif args.subcommand == "domain": res = vt.get_domain_report(unbracket(args.DOMAIN)) if args.json: print(json.dumps(res, sort_keys=False, indent=4)) else: self.print_domaininfo(res) elif args.subcommand == "ip": res = vt.get_ip_report(unbracket(args.IP)) print(json.dumps(res, sort_keys=False, indent=4)) elif args.subcommand == "url": res = vt.get_url_report(args.URL) print(json.dumps(res, sort_keys=False, indent=4)) elif args.subcommand == "domainlist": print( "Not implemented yet with public access, please propose PR if you need it" ) elif args.subcommand == "dl": print( "VirusTotal does not allow downloading files with a public feed, sorry" ) sys.exit(0) else: self.parser.print_help() else: self.parser.print_help()
def run(self, conf, args, plugins): if 'subcommand' in args: if args.subcommand == 'info': print("Not implemented yet") elif args.subcommand == "intel": # Start with MISP and OTX to get Intelligence Reports print('###################### %s ###################' % args.DOMAIN) passive_dns = [] urls = [] malware = [] files = [] # OTX otx_e = plugins['otx'].test_config(conf) if otx_e: print('[+] Downloading OTX information....') otx = OTXv2(conf["AlienVaultOtx"]["key"]) res = otx.get_indicator_details_full(IndicatorTypes.DOMAIN, unbracket(args.DOMAIN)) otx_pulses = res["general"]["pulse_info"]["pulses"] # Get Passive DNS if "passive_dns" in res: for r in res["passive_dns"]["passive_dns"]: passive_dns.append({ "ip": r['hostname'], "first": parse(r["first"]), "last": parse(r["last"]), "source" : "OTX" }) if "url_list" in res: for r in res["url_list"]["url_list"]: if "result" in r: urls.append({ "date": parse(r["date"]), "url": r["url"], "ip": r["result"]["urlworker"]["ip"] if "ip" in r["result"]["urlworker"] else "" , "source": "OTX" }) else: urls.append({ "date": parse(r["date"]), "url": r["url"], "ip": "", "source": "OTX" }) # CIRCL circl_e = plugins['circl'].test_config(conf) if circl_e: print('[+] Downloading CIRCL passive DNS information....') x = pypdns.PyPDNS( basic_auth=( conf['Circl']['user'], conf['Circl']['pass'] ) ) res = x.query(unbracket(args.DOMAIN)) for answer in res: passive_dns.append({ "ip": answer['rdata'], "first": answer['time_first'], "last": answer['time_last'], "source" : "CIRCL" }) # BinaryEdge be_e = plugins['binaryedge'].test_config(conf) if be_e: print('[+] Downloading BinaryEdge information....') be = BinaryEdge(conf['BinaryEdge']['key']) res = be.domain_dns(unbracket(args.DOMAIN)) for d in res['events']: if "A" in d: for a in d['A']: passive_dns.append({ "ip": a, "first": parse(d['updated_at']), "last": parse(d['updated_at']), "source" : "BinaryEdge" }) # RobTex print('[+] Downloading Robtex information....') rob = Robtex() res = rob.get_pdns_domain(args.DOMAIN) for d in res: if d['rrtype'] in ['A', 'AAAA']: passive_dns.append({ 'first': d['time_first_o'], 'last': d['time_last_o'], 'ip': d['rrdata'], 'source': 'Robtex' }) # PT pt_e = plugins['pt'].test_config(conf) if pt_e: try: pt_osint = {} ptout = False print('[+] Downloading Passive Total information....') client = DnsRequest(conf['PassiveTotal']['username'], conf['PassiveTotal']['key']) raw_results = client.get_passive_dns(query=unbracket(args.DOMAIN)) if "results" in raw_results: for res in raw_results["results"]: passive_dns.append({ "first": parse(res["firstSeen"]), "last": parse(res["lastSeen"]), "ip": res["resolve"], "source": "PT" }) if "message" in raw_results: if "quota_exceeded" in raw_results["message"]: print("PT quota exceeded") ptout = True if not ptout: client2 = EnrichmentRequest(conf["PassiveTotal"]["username"], conf["PassiveTotal"]['key']) # Get OSINT # TODO: add PT projects here pt_osint = client2.get_osint(query=unbracket(args.DOMAIN)) # Get malware raw_results = client2.get_malware(query=unbracket(args.DOMAIN)) if "results" in raw_results: for r in raw_results["results"]: malware.append({ 'hash': r["sample"], 'date': parse(r['collectionDate']), 'source' : 'PT (%s)' % r["source"] }) except requests.exceptions.ReadTimeout: print("PT: Time Out") # VT vt_e = plugins['vt'].test_config(conf) if vt_e: if conf["VirusTotal"]["type"] != "public": print('[+] Downloading VT information....') vt = PrivateApi(conf["VirusTotal"]["key"]) res = vt.get_domain_report(unbracket(args.DOMAIN)) if "results" in res: if "resolutions" in res['results']: for r in res["results"]["resolutions"]: passive_dns.append({ "first": parse(r["last_resolved"]), "last": parse(r["last_resolved"]), "ip": r["ip_address"], "source": "VT" }) if "undetected_downloaded_samples" in res['results']: for r in res['results']['undetected_downloaded_samples']: files.append({ 'hash': r['sha256'], 'date': parse(r['date']) if 'date' in r else '', 'source' : 'VT' }) if "undetected_referrer_samples" in res['results']: for r in res['results']['undetected_referrer_samples']: files.append({ 'hash': r['sha256'], 'date': parse(r['date']) if 'date' in r else '', 'source' : 'VT' }) if "detected_downloaded_samples" in res['results']: for r in res['results']['detected_downloaded_samples']: malware.append({ 'hash': r['sha256'], 'date': parse(r['date']), 'source' : 'VT' }) if "detected_referrer_samples" in res['results']: for r in res['results']['detected_referrer_samples']: if "date" in r: malware.append({ 'hash': r['sha256'], 'date': parse(r['date']), 'source' : 'VT' }) if "detected_urls" in res['results']: for r in res['results']['detected_urls']: urls.append({ 'date': parse(r['scan_date']), 'url': r['url'], 'ip': '', 'source': 'VT' }) else: vt_e = False tg_e = plugins['threatgrid'].test_config(conf) if tg_e: try: print('[+] Downloading Threat Grid....') tg = ThreatGrid(conf['ThreatGrid']['key']) res = tg.search_samples(unbracket(args.DOMAIN), type='domain') already = [] if 'items' in res: for r in res['items']: if r['sample_sha256'] not in already: d = parse(r['ts']) d = d.replace(tzinfo=None) malware.append({ 'hash': r["sample_sha256"], 'date': d, 'source' : 'ThreatGrid' }) already.append(r['sample_sha256']) except ThreatGridError as e: print("Failed to connect to Threat Grid: %s" % e.message) # TODO: Add MISP print('----------------- Intelligence Report') if otx_e: if len(otx_pulses): print('OTX:') for p in otx_pulses: print(' -%s (%s - %s)' % ( p['name'], p['created'][:10], "https://otx.alienvault.com/pulse/" + p['id'] ) ) else: print('OTX: Not found in any pulse') if pt_e: if "results" in pt_osint: if len(pt_osint["results"]): if len(pt_osint["results"]) == 1: if "name" in pt_osint["results"][0]: print("PT: %s %s" % (pt_osint["results"][0]["name"], pt_osint["results"][0]["sourceUrl"])) else: print("PT: %s" % (pt_osint["results"][0]["sourceUrl"])) else: print("PT:") for r in pt_osint["results"]: if "name" in r: print("-%s %s" % (r["name"], r["sourceUrl"])) else: print("-%s" % (r["sourceUrl"])) else: print("PT: Nothing found!") else: print("PT: Nothing found!") if len(malware) > 0: print('----------------- Malware') for r in sorted(malware, key=lambda x: x["date"]): print("[%s] %s %s" % ( r["source"], r["hash"], r["date"].strftime("%Y-%m-%d") ) ) if len(files) > 0: print('----------------- Files') for r in files: if r['date'] != '': print("[%s] %s (%s)" % ( r["source"], r["hash"], r["date"].strftime("%Y-%m-%d") ) ) else: print("[%s] %s" % ( r["source"], r["hash"], ) ) if len(urls) > 0: print('----------------- Urls') for r in sorted(urls, key=lambda x: x["date"], reverse=True): print("[%s] %s - %s %s" % ( r["source"], r["url"], r["ip"], r["date"].strftime("%Y-%m-%d") ) ) # TODO: add ASN + location info here if len(passive_dns) > 0: print('----------------- Passive DNS') for r in sorted(passive_dns, key=lambda x: x["first"], reverse=True): print("[+] %-40s (%s -> %s)(%s)" % ( r["ip"], r["first"].strftime("%Y-%m-%d"), r["last"].strftime("%Y-%m-%d"), r["source"] ) ) else: self.parser.print_help() else: self.parser.print_help()
def run(self, conf, args, plugins): if 'subcommand' in args: if args.subcommand == 'info': if not is_ip(unbracket(args.IP)): print("Invalid IP address") sys.exit(1) # FIXME: move code here in a library ip = unbracket(args.IP) try: ipy = IP(ip) except ValueError: print('Invalid IP format, quitting...') return ipinfo = self.ipinfo(ip) print('MaxMind: Located in %s, %s' % (ipinfo['city'], ipinfo['country'])) if ipinfo['asn'] == 0: print("MaxMind: IP not found in the ASN database") else: print('MaxMind: ASN%i, %s' % (ipinfo['asn'], ipinfo['asn_name'])) print('CAIDA Type: %s' % ipinfo['asn_type']) try: asndb2 = pyasn.pyasn(self.asncidr) res = asndb2.lookup(ip) except OSError: print("Configuration files are not available") print("Please run harpoon update before using harpoon") sys.exit(1) if res[1] is None: print("IP not found in ASN database") else: # Search for name f = open(self.asnname, 'r') found = False line = f.readline() name = '' while not found and line != '': s = line.split('|') if s[0] == str(res[0]): name = s[1].strip() found = True line = f.readline() print('ASN %i - %s (range %s)' % (res[0], name, res[1])) if ipinfo['hostname'] != '': print('Hostname: %s' % ipinfo['hostname']) if ipinfo['specific'] != '': print("Specific: %s" % ipinfo['specific']) if ipy.iptype() == "PRIVATE": "Private IP" print("") if ipy.version() == 4: print("Censys:\t\thttps://censys.io/ipv4/%s" % ip) print("Shodan:\t\thttps://www.shodan.io/host/%s" % ip) print("IP Info:\thttp://ipinfo.io/%s" % ip) print("BGP HE:\t\thttps://bgp.he.net/ip/%s" % ip) print( "IP Location:\thttps://www.iplocation.net/?query=%s" % ip) elif args.subcommand == "intel": if not is_ip(unbracket(args.IP)): print("Invalid IP address") sys.exit(1) # Start with MISP and OTX to get Intelligence Reports print('###################### %s ###################' % unbracket(args.IP)) passive_dns = [] urls = [] malware = [] files = [] # MISP misp_e = plugins['misp'].test_config(conf) if misp_e: print('[+] Downloading MISP information...') server = ExpandedPyMISP(conf['Misp']['url'], conf['Misp']['key']) misp_results = server.search('attributes', value=unbracket(args.IP)) # Binary Edge be_e = plugins['binaryedge'].test_config(conf) if be_e: try: print('[+] Downloading BinaryEdge information...') be = BinaryEdge(conf['BinaryEdge']['key']) # FIXME: this only get the first page res = be.domain_ip(unbracket(args.IP)) for d in res["events"]: passive_dns.append({ "domain": d['domain'], "first": parse(d['updated_at']).astimezone(pytz.utc), "last": parse(d['updated_at']).astimezone(pytz.utc), "source": "BinaryEdge" }) except BinaryEdgeException: print( 'BinaryEdge request failed, you need a paid subscription' ) # OTX otx_e = plugins['otx'].test_config(conf) if otx_e: print('[+] Downloading OTX information....') otx = OTXv2(conf["AlienVaultOtx"]["key"]) res = otx.get_indicator_details_full( IndicatorTypes.IPv4, unbracket(args.IP)) otx_pulses = res["general"]["pulse_info"]["pulses"] # Get Passive DNS if "passive_dns" in res: for r in res["passive_dns"]["passive_dns"]: passive_dns.append({ "domain": r['hostname'], "first": parse(r["first"]).astimezone(pytz.utc), "last": parse(r["last"]).astimezone(pytz.utc), "source": "OTX" }) if "url_list" in res: for r in res["url_list"]["url_list"]: if "result" in r: urls.append({ "date": parse(r["date"]).astimezone(pytz.utc), "url": r["url"], "ip": r["result"]["urlworker"]["ip"] if "ip" in r["result"]["urlworker"] else "", "source": "OTX" }) else: urls.append({ "date": parse(r["date"]).astimezone(pytz.utc), "url": r["url"], "ip": "", "source": "OTX" }) # RobTex print('[+] Downloading Robtex information....') rob = Robtex() try: res = rob.get_ip_info(unbracket(args.IP)) except RobtexError: print("Error with Robtex") else: for d in ["pas", "pash", "act", "acth"]: if d in res: for a in res[d]: passive_dns.append({ 'first': a['date'].astimezone(pytz.utc), 'last': a['date'].astimezone(pytz.utc), 'domain': a['o'], 'source': 'Robtex' }) # PT pt_e = plugins['pt'].test_config(conf) if pt_e: out_pt = False print('[+] Downloading Passive Total information....') client = DnsRequest(conf['PassiveTotal']['username'], conf['PassiveTotal']['key']) try: raw_results = client.get_passive_dns( query=unbracket(args.IP)) if "results" in raw_results: for res in raw_results["results"]: passive_dns.append({ "first": parse(res["firstSeen"]).astimezone( pytz.utc), "last": parse(res["lastSeen"]).astimezone( pytz.utc), "domain": res["resolve"], "source": "PT" }) if "message" in raw_results: if "quota_exceeded" in raw_results["message"]: print("Quota exceeded for Passive Total") out_pt = True pt_osint = {} except requests.exceptions.ReadTimeout: print("Timeout on Passive Total requests") if not out_pt: try: client2 = EnrichmentRequest( conf["PassiveTotal"]["username"], conf["PassiveTotal"]['key']) # Get OSINT # TODO: add PT projects here pt_osint = client2.get_osint( query=unbracket(args.IP)) # Get malware raw_results = client2.get_malware( query=unbracket(args.IP)) if "results" in raw_results: for r in raw_results["results"]: malware.append({ 'hash': r["sample"], 'date': parse(r['collectionDate']), 'source': 'PT (%s)' % r["source"] }) except requests.exceptions.ReadTimeout: print("Timeout on Passive Total requests") # Urlhaus uh_e = plugins['urlhaus'].test_config(conf) if uh_e: print("[+] Checking urlhaus data...") try: urlhaus = UrlHaus(conf["UrlHaus"]["key"]) res = urlhaus.get_host(unbracket(args.IP)) except UrlHausError: print("Error with the query") else: if "urls" in res: for r in res['urls']: urls.append({ "date": parse(r["date_added"]).astimezone( pytz.utc), "url": r["url"], "source": "UrlHaus" }) # VT vt_e = plugins['vt'].test_config(conf) if vt_e: if conf["VirusTotal"]["type"] != "public": print('[+] Downloading VT information....') vt = PrivateApi(conf["VirusTotal"]["key"]) res = vt.get_ip_report(unbracket(args.IP)) if "results" in res: if "resolutions" in res['results']: for r in res["results"]["resolutions"]: passive_dns.append({ "first": parse(r["last_resolved"]).astimezone( pytz.utc), "last": parse(r["last_resolved"]).astimezone( pytz.utc), "domain": r["hostname"], "source": "VT" }) if "undetected_downloaded_samples" in res[ 'results']: for r in res['results'][ 'undetected_downloaded_samples']: files.append({ 'hash': r['sha256'], 'date': parse(r['date']), 'source': 'VT' }) if "undetected_referrer_samples" in res['results']: for r in res['results'][ 'undetected_referrer_samples']: if 'date' in r: files.append({ 'hash': r['sha256'], 'date': parse(r['date']), 'source': 'VT' }) else: #FIXME : should consider data without dates files.append({ 'hash': r['sha256'], 'date': datetime.datetime(1970, 1, 1), 'source': 'VT' }) if "detected_downloaded_samples" in res['results']: for r in res['results'][ 'detected_downloaded_samples']: malware.append({ 'hash': r['sha256'], 'date': parse(r['date']), 'source': 'VT' }) if "detected_referrer_samples" in res['results']: for r in res['results'][ 'detected_referrer_samples']: if "date" in r: malware.append({ 'hash': r['sha256'], 'date': parse(r['date']), 'source': 'VT' }) else: vt_e = False print('[+] Downloading GreyNoise information....') gn = GreyNoise() try: greynoise = gn.query_ip(unbracket(args.IP)) except GreyNoiseError: greynoise = [] tg_e = plugins['threatgrid'].test_config(conf) if tg_e: print('[+] Downloading Threat Grid....') try: tg = ThreatGrid(conf['ThreatGrid']['key']) res = tg.search_samples(unbracket(args.IP), type='ip') already = [] if 'items' in res: for r in res['items']: if r['sample_sha256'] not in already: d = parse(r['ts']) d = d.replace(tzinfo=None) malware.append({ 'hash': r["sample_sha256"], 'date': d, 'source': 'TG' }) already.append(r['sample_sha256']) except ThreatGridError as e: print("Error with threat grid: {}".format(e.message)) # ThreatMiner print('[+] Downloading ThreatMiner....') tm = ThreatMiner() response = tm.get_report(unbracket(args.IP)) if response['status_code'] == '200': tmm = response['results'] else: tmm = [] if response['status_code'] != '404': print("Request to ThreatMiner failed: {}".format( response['status_message'])) response = tm.get_related_samples(unbracket(args.IP)) if response['status_code'] == '200': for r in response['results']: malware.append({ 'hash': r, 'date': None, 'source': 'ThreatMiner' }) print('----------------- Intelligence Report') ctor = CommandTor() tor_list = ctor.get_list() if tor_list: if unbracket(args.IP) in tor_list: print("{} is a Tor Exit node".format(unbracket( args.IP))) else: print("Impossible to reach the Tor Exit Node list") if otx_e: if len(otx_pulses): print('OTX:') for p in otx_pulses: print('- %s (%s - %s)' % (p['name'], p['created'][:10], "https://otx.alienvault.com/pulse/" + p['id'])) else: print('OTX: Not found in any pulse') if misp_e: if len(misp_results['Attribute']) > 0: print('MISP:') for event in misp_results['Attribute']: print("- {} - {}".format(event['Event']['id'], event['Event']['info'])) if len(greynoise) > 0: print("GreyNoise: IP identified as") for r in greynoise: print("\t%s (%s -> %s)" % (r["name"], r["first_seen"], r["last_updated"])) else: print("GreyNoise: Not found") if pt_e: if "results" in pt_osint: if len(pt_osint["results"]): if len(pt_osint["results"]) == 1: if "name" in pt_osint["results"][0]: print( "PT: %s %s" % (pt_osint["results"][0]["name"], pt_osint["results"][0]["sourceUrl"])) else: print("PT: %s" % pt_osint["results"][0]["sourceUrl"]) else: print("PT:") for r in pt_osint["results"]: if "name" in r: print("-%s %s" % (r["name"], r["sourceUrl"])) else: print("-%s" % r["sourceUrl"]) else: print("PT: Nothing found!") else: print("PT: Nothing found!") # ThreatMiner if len(tmm) > 0: print("ThreatMiner:") for r in tmm: print("- {} {} - {}".format(r['year'], r['filename'], r['URL'])) if len(malware) > 0: print('----------------- Malware') for r in malware: print("[%s] %s %s" % (r["source"], r["hash"], r["date"].strftime("%Y-%m-%d") if r["date"] else "")) if len(files) > 0: print('----------------- Files') for r in sorted(files, key=lambda x: x["date"]): print("[%s] %s %s" % (r["source"], r["hash"], r["date"].strftime("%Y-%m-%d"))) if len(passive_dns) > 0: print('----------------- Passive DNS') for r in sorted(passive_dns, key=lambda x: x["first"], reverse=True): print("[+] %-40s (%s -> %s)(%s)" % (r["domain"], r["first"].strftime("%Y-%m-%d"), r["last"].strftime("%Y-%m-%d"), r["source"])) if len(urls) > 0: print('----------------- Urls') for r in sorted(urls, key=lambda x: x["date"], reverse=True): print("[%s] %s - %s" % (r["source"], r["url"], r["date"].strftime("%Y-%m-%d"))) else: self.parser.print_help() else: self.parser.print_help()