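def main():
    """Emit one snoopy.Drone entity per drone present in the session table.

    Relies on names set up by transformCommon / module scope (``filters``,
    ``sess``, ``db``, ``select``, ``and_``, ``logging``, ``start_time``,
    ``end_time``, ``MaltegoTransform``); none of them are defined here.
    """
    import re

    # Code points XML 1.0 forbids.  One of them anywhere in the response makes
    # the Maltego client reject the whole document, so strip them the way the
    # sibling snoopy transforms do.
    illegal_xml_re = re.compile(u'[\x00-\x08\x0b-\x1f\x7f-\x84\x86-\x9f\ud800-\udfff\ufdd0-\ufddf\ufffe-\uffff]')

    query = select([sess.c.drone], and_(*filters)).distinct()
    logging.debug(filters)
    logging.debug(query)
    drones = [row[0] for row in db.execute(query).fetchall()]

    TRX = MaltegoTransform()
    for drone in drones:
        logging.debug(drone)
        # A NULL drone column would otherwise become an entity named "None".
        if drone is None:
            continue
        drone = illegal_xml_re.sub('', drone)
        ent = TRX.addEntity("snoopy.Drone", drone)
        ent.addAdditionalFields("properties.drone", "drone", "strict", drone)
        ent.addAdditionalFields("start_time", "start_time", "strict", start_time)
        ent.addAdditionalFields("end_time", "end_time", "strict", end_time)
    TRX.returnOutput()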
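def main(argv):
    """Emit a maltego.Twit entity for each account that follows ``argv[1]``.

    A handful of handles get a canned follower list (kept verbatim from the
    original, presumably test fixtures); every other handle is resolved live
    through ``twitterSearch``.  ``DEBUG``, ``twitterSearch`` and
    ``MaltegoTransform`` come from module scope.
    """
    import sys

    canned = {
        "caseyso": ["bobbyo", "jjc", "alf", "courtp"],
        "jjc": ["caseyso", "jjc", "alf", "courtp", "mrclean"],
        "alf": ["mrclean", "jjc", "alf", "courtp", "joe"],
        "bobbyo": ["jjc", "caseyso", "brat322"],
    }
    # The original indexed argv[1] unconditionally and died with IndexError
    # when called without a handle.
    if len(argv) < 2:
        sys.exit("usage: %s <twitter_handle>" % argv[0])
    handle = argv[1]

    if handle in canned:
        namesList = canned[handle]
    else:
        users = twitterSearch.getFollowers(handle)
        if DEBUG:
            print(users)
        # idToUsername takes a single comma-separated list of numeric ids.
        id_list = ",".join(str(u["id"]) for u in users["users"])
        if DEBUG:
            print(id_list)
        namesList = [name["screen_name"] for name in twitterSearch.idToUsername(id_list)]
        if DEBUG:
            print(namesList)

    mt = MaltegoTransform()
    for user_name in namesList:
        if DEBUG:
            print(user_name)
        mt.addEntity("maltego.Twit", user_name)
    mt.returnOutput()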
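def main():
    """Emit a maltego.Domain entity for every cookie host seen from client ``mac``.

    ``mac``, ``cookies``, ``db``, ``select``, ``and_``, ``logging``, ``re`` and
    ``MaltegoTransform`` are supplied by transformCommon / module scope.
    ``cookies.c.host`` is used instead of ``baseDomain`` because, per the
    original's note, baseDomain was being stored as a full URL.
    """
    query = select([cookies.c.host], and_(cookies.c.client_mac == mac))
    logging.debug(query)
    logging.debug(mac)
    hosts = [row[0] for row in db.execute(query).fetchall()]

    # Hosts are reconstructed from captured traffic, i.e. from an untrusted
    # party.  Strip code points XML 1.0 forbids so one bad value cannot break
    # the whole response.  NOTE(review): this does not escape <, > or &; it
    # relies on MaltegoTransform doing so -- confirm before depending on it.
    illegal_xml_re = re.compile(u'[\x00-\x08\x0b-\x1f\x7f-\x84\x86-\x9f\ud800-\udfff\ufdd0-\ufddf\ufffe-\uffff]')
    TRX = MaltegoTransform()
    for host in hosts:
        # NULL/empty hosts used to raise in re.sub or become empty entities.
        if not host:
            continue
        host = illegal_xml_re.sub('', host)
        ent = TRX.addEntity("maltego.Domain", host)
        ent.addAdditionalFields("fqdn", "Domain", "strict", host)
        ent.addAdditionalFields("mac", "Client Mac", "strict", mac)
    TRX.returnOutput()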
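def main():
    """Emit a maltego.URL entity for every full URL logged in web traffic from ``ip``.

    ``ip``, ``weblogs``, ``db``, ``select``, ``and_``, ``logging``, ``re`` and
    ``MaltegoTransform`` come from transformCommon / module scope.  The
    ``cookies`` column the original also selected was never used.
    """
    query = select([weblogs.c.full_url], and_(weblogs.c.client_ip == ip))
    logging.debug(query)
    rows = db.execute(query).fetchall()

    # URLs are reconstructed from captured traffic -- untrusted bytes.  The
    # original compiled this regex but never applied it, so a single control
    # character in one URL broke the XML response for the whole result set.
    illegal_xml_re = re.compile(u'[\x00-\x08\x0b-\x1f\x7f-\x84\x86-\x9f\ud800-\udfff\ufdd0-\ufddf\ufffe-\uffff]')
    TRX = MaltegoTransform()
    for (url,) in rows:
        logging.debug(url)
        if not url:
            continue
        url = illegal_xml_re.sub('', url)
        ent = TRX.addEntity("maltego.URL", url)
        ent.addAdditionalFields("url", "URL", "strict", url)
    TRX.returnOutput()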
def main():
    """Emit a snoopy.SSID entity for every SSID probed by client ``mac``.

    ``filters`` (the shared list from transformCommon), ``ssids``, ``mac``,
    ``db``, ``select``, ``and_``, ``escape``, ``re`` and ``MaltegoTransform``
    are module-level names.
    """
    filters.append(ssids.c.mac == mac)
    query = select([ssids.c.ssid], and_(*filters))
    rows = db.execute(query).fetchall()

    # SSIDs are attacker-chosen bytes: escape XML metacharacters and drop the
    # code points XML 1.0 does not allow before they go into the response.
    illegal_xml_re = re.compile(u'[\x00-\x08\x0b-\x1f\x7f-\x84\x86-\x9f\ud800-\udfff\ufdd0-\ufddf\ufffe-\uffff]')
    TRX = MaltegoTransform()
    for (raw_ssid,) in rows:
        cleaned = illegal_xml_re.sub('', escape(raw_ssid))
        # Nothing to show for values that are empty or whitespace-only once cleaned.
        if cleaned and not cleaned.isspace():
            ent = TRX.addEntity("snoopy.SSID", cleaned)
            ent.addAdditionalFields("properties.ssid", "ssid", "strict", cleaned)
    TRX.returnOutput()
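def main():
    """Emit snoopy.Cookie entities for cookies set on ``domain`` for client ``mac``.

    Cookie values here are session credentials captured off the wire; they are
    placed verbatim into the graph, so the resulting Maltego file should be
    handled like a credential dump.  ``mac``, ``domain``, ``cookies``, ``db``,
    ``select``, ``and_``, ``logging``, ``re`` and ``MaltegoTransform`` come
    from transformCommon / module scope.
    """
    query = select([cookies.c.name, cookies.c.value],
                   and_(cookies.c.client_mac == mac, cookies.c.baseDomain == domain))
    logging.debug(query)
    rows = db.execute(query).fetchall()
    # Log the count, not the rows: the original wrote every cookie value to the
    # debug log.
    logging.debug("%d cookie rows for %s / %s", len(rows), mac, domain)

    # Both name and value are attacker-influenced.  The original compiled this
    # regex but never applied it, so an XML-illegal code point in either field
    # broke the whole response.
    illegal_xml_re = re.compile(u'[\x00-\x08\x0b-\x1f\x7f-\x84\x86-\x9f\ud800-\udfff\ufdd0-\ufddf\ufffe-\uffff]')
    TRX = MaltegoTransform()
    for name, value in rows:
        name = illegal_xml_re.sub('', name or '')
        value = illegal_xml_re.sub('', value or '')
        ent = TRX.addEntity("snoopy.Cookie", name)
        ent.addAdditionalFields("value", "Value", "strict", value)
        ent.addAdditionalFields("fqdn", "Domain", "strict", domain)
        ent.addAdditionalFields("mac", "Client Mac", "strict", mac)
    TRX.returnOutput()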
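def main():
    """Emit one snoopy.useragent entity per User-Agent logged for client ``ip``.

    ``ip``, ``weblogs``, ``db``, ``select``, ``and_``, ``logging``, ``re`` and
    ``MaltegoTransform`` come from transformCommon / module scope.
    """
    query = select([weblogs.c.useragent], and_(weblogs.c.client_ip == ip))
    logging.debug(query)
    rows = db.execute(query).fetchall()
    logging.debug(rows)

    # User agents are client-supplied bytes.  The regex was compiled but never
    # applied in the original, so an XML-illegal code point broke the response.
    illegal_xml_re = re.compile(u'[\x00-\x08\x0b-\x1f\x7f-\x84\x86-\x9f\ud800-\udfff\ufdd0-\ufddf\ufffe-\uffff]')
    TRX = MaltegoTransform()
    for (ua,) in rows:
        logging.debug(ua)
        # The original skipped NULLs via str(row).find('None') < 1, which also
        # dropped any real UA containing the word "None" and passed str(row)
        # -- the row tuple's repr -- as the entity value.
        if not ua:
            continue
        ua = illegal_xml_re.sub('', ua)
        ent = TRX.addEntity("snoopy.useragent", ua)
        ent.addAdditionalFields("ip", "Client IP", "strict", ip)
    TRX.returnOutput()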
def main(argv):
    """Emit a maltego.Alias entity for each URL ``LinkedIn`` returns for the input.

    The lookup key is read from ``sys.argv[1]`` directly rather than from
    ``argv``; the two coincide when called as ``main(sys.argv)``.
    """
    transform = MaltegoTransform()
    for profile_url in LinkedIn(sys.argv[1]):
        transform.addEntity("maltego.Alias", profile_url)
    transform.returnOutput()
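def selectEvent(eventID):
    """Record ``eventID`` as the current MISP event selection and confirm it in Maltego.

    The id and a selection timestamp are stored in the ``eventDB`` shelf; the
    timestamp is what the age check reads back to expire stale selections.
    """
    s = shelve.open(eventDB)
    try:
        s['id'] = eventID
        s['age'] = datetime.today()
    finally:
        # Close unconditionally so the shelf is flushed and unlocked even if a
        # write raises.
        s.close()
    mt = MaltegoTransform()
    mt.addUIMessage("[Info] Event with ID %s selected for insert" % eventID)
    mt.returnOutput()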
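def main():
    """Emit up to 20 snoopy.ssidLocation entities for Wigle hits on ``ssid``.

    ``filters``, ``wigle``, ``ssid``, ``limit``, ``db``, ``select``, ``and_``,
    ``logging`` and ``MaltegoTransform`` are module-level names from
    transformCommon.
    """
    filters.append(wigle.c.ssid == ssid)
    # overflow == 0 mirrors the original filter; the flag's meaning is not visible here.
    filters.append(wigle.c.overflow == 0)
    query = select([wigle], and_(*filters)).distinct().limit(limit)
    rows = db.execute(query).fetchall()
    logging.debug(rows)

    def utf8(value):
        """Encode a text column as the original did, but tolerate NULLs."""
        return '' if value is None else value.encode('utf-8')

    TRX = MaltegoTransform()
    # Cap the output at 20 locations.  The original tested len(results) > 20
    # *inside* the loop and broke on the first pass, so any SSID with more
    # than 20 hits produced no entities at all.
    for address in rows[:20]:
        lat, lng = str(address['lat']), str(address['long'])
        # https throughout: the icon is fetched by the Maltego client and the
        # links are opened by the analyst; neither should travel in clear text.
        street_view_img = ("https://maps.googleapis.com/maps/api/streetview"
                           "?size=800x800&sensor=false&location=%s,%s" % (lat, lng))
        street_view_url = ("https://maps.google.com/maps?q=&layer=c&cbp=11,0,0,0,0"
                           "&cbll=%s,%s" % (lat, lng))
        map_url = "https://maps.google.com/maps?t=h&q=%s,%s" % (lat, lng)

        short_addr = utf8(address['shortaddress'])
        ent = TRX.addEntity("snoopy.ssidLocation", short_addr)
        ent.addAdditionalFields("city", "city", "strict", utf8(address['city']))
        ent.addAdditionalFields("countrycode", "countrycode", "strict", utf8(address['code']))
        ent.addAdditionalFields("country", "country", "strict", utf8(address['country']))
        ent.addAdditionalFields("lat", "lat", "strict", lat)
        ent.addAdditionalFields("long", "long", "strict", lng)
        ent.addAdditionalFields("longaddress", "longaddress", "strict", utf8(address['longaddress']))
        ent.addAdditionalFields("location.areacode", "Area Code", "strict", address['postcode'])
        ent.addAdditionalFields("road", "Road", "strict", utf8(address['road']))
        ent.addAdditionalFields("streetaddress", "streetaddress", "strict", short_addr)
        ent.addAdditionalFields("ssid", "SSID", "strict", address['ssid'])
        ent.addAdditionalFields("state", "State", "strict", utf8(address['state']))
        ent.addAdditionalFields("area", "Area", "strict", utf8(address['suburb']))
        ent.addAdditionalFields("googleMap", "Google map", "nostrict", map_url)
        ent.addAdditionalFields("streetView", "Street View", "nostrict", street_view_url)
        logging.debug(street_view_img)
        ent.setIconURL(street_view_img)
        ent.addDisplayInformation("<a href='%s'>Click for map </a>" % street_view_url, "Street view")
        # The original also added a placeholder "one"/"two" display row and
        # built an unused flag image URL -- debugging leftovers, dropped here.
    TRX.returnOutput()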
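def parsereport(page):
    """Add a maltego.IPv4Address entity for every text node that is exactly a dotted quad.

    ``page`` is a parsed report (BeautifulSoup-style object with ``findAll``).
    Exits with a message if the page cannot be searched at all.
    """
    import re
    import sys

    xform = MaltegoTransform()
    # Same pattern as the original, assembled from one octet sub-pattern:
    # each octet is 0-255 with no leading zeros, whole node anchored.
    octet = r"([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])"
    ipv4_re = re.compile(r"^(%s\.){3}%s$" % (octet, octet))
    try:
        matches = page.findAll(text=ipv4_re)
    except AttributeError:
        # page is not a parsed document (None, or the upstream fetch failed).
        # The original's bare except hid every other error behind this message.
        sys.exit("Report contains no IPs.")
    for element in matches:
        xform.addEntity("maltego.IPv4Address", element)
    xform.returnOutput()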
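def parsereport(page):
    """Add a maltego.IPv4Address entity for each cell in the report's network_hosts table.

    Exits with a message when the section or its table is missing instead of
    dying with AttributeError, matching the sibling report parsers.
    """
    import sys

    xform = MaltegoTransform()
    section = page.find("div", {"id": "network_hosts"})
    table = section.findNext('table') if section is not None else None
    if table is None:
        sys.exit("Report contains no network hosts.")
    for cell in table.findAll('td', {"class": "row"}):
        text = cell.find(text=True)
        # Skip empty cells rather than emitting an entity whose value is None.
        # NOTE(review): the cell text is not validated as an IP here -- the
        # dotted-quad regex used by the other parser could be applied.
        if text:
            xform.addEntity("maltego.IPv4Address", text)
    xform.returnOutput()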
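def main():
    """List every sample in the local sqlite database as a ran2.Sample entity.

    ``DBNAME`` and ``MaltegoTransform`` are module-level names; ``os`` and
    ``sqlite3`` must be imported by the module.
    """
    me = MaltegoTransform()
    if not os.path.isfile(DBNAME):
        # Stop here.  The original fell through: sqlite3.connect() then
        # created an empty database and the SELECT failed on the missing table.
        me.addEntity("maltego.Phrase", "Database file not found " + DBNAME)
        me.returnOutput()
        return

    conn = sqlite3.connect(DBNAME)
    conn.text_factory = str
    try:
        cur = conn.cursor()
        # Column 2 is the sample name (schema not visible here -- TODO confirm).
        for row in cur.execute("SELECT * FROM samples"):
            me.addEntity("ran2.Sample", row[2])
        cur.close()
    finally:
        # Read-only access: nothing to commit, but the handle must be released.
        conn.close()
    me.returnOutput()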
def main():
    """Emit snoopy.sslstripResult entities (captured form fields) for a client/domain.

    Reads ``properties.client_ip`` / ``client_ip`` and ``domain`` from the
    incoming entity via the module-level ``TRX`` and filters the ``sslstrip``
    table on whichever are present.

    NOTE(review): key/value rows are credentials harvested by sslstrip.  With
    neither ip nor domain set, ``and_()`` receives no clauses, so the select
    is presumably unfiltered and returns every captured field -- confirm that
    is intended.

    NOTE(review): after the first ``TRX.returnOutput()`` the function keeps
    going, runs a second query (keyed on ``mac``, which this block never
    defines) and calls ``returnOutput()`` again on a fresh transform, so two
    XML documents are written to stdout.  One half looks like a leftover from
    a different transform; which one to keep needs deciding.
    """
    global TRX
    ip = TRX.getVar("properties.client_ip")
    if TRX.getVar("client_ip"):
        ip = TRX.getVar("client_ip")
    domain = TRX.getVar("domain")
    filters = []
    if ip:
        filters.append(sslstrip.c.client == ip)
    if domain:
        filters.append(sslstrip.c.domain == domain)
    s = select([sslstrip.c.key, sslstrip.c.value], and_(*filters)).distinct()
    results = db.execute(s).fetchall()
    for res in results:
        key, value = res
        NewEnt = TRX.addEntity("snoopy.sslstripResult", key)
        # NOTE(review): the "key" field is populated with `value`, not `key`
        # -- looks like a copy/paste slip.
        NewEnt.addAdditionalFields("key", "key", "strict", value)
        NewEnt.addAdditionalFields("value", "Value", "strict", value)
    TRX.returnOutput()
    # Second query: sites seen through sslstrip for the lease holding `mac`.
    filters = []
    filters.extend((leases.c.mac == mac, sslstrip.c.client == leases.c.ip))
    if domain:
        filters.append(sslstrip.c.domain == domain)
    s = select([sslstrip.c.domain, leases.c.mac, leases.c.ip], and_(*filters))
    r = db.execute(s)
    results = r.fetchall()
    TRX = MaltegoTransform()
    # Compiled but never applied below: a domain from captured traffic that
    # contains an XML-illegal code point will break the response.
    illegal_xml_re = re.compile(u"[\x00-\x08\x0b-\x1f\x7f-\x84\x86-\x9f\ud800-\udfff\ufdd0-\ufddf\ufffe-\uffff]")
    for res in results:
        domain, client_mac, client_ip = res
        NewEnt = TRX.addEntity("snoopy.Site", domain)
        NewEnt.addAdditionalFields("domain", "domain", "strict", domain)
        NewEnt.addAdditionalFields("mac", "Client Mac", "strict", client_mac)
        NewEnt.addAdditionalFields("client_ip", "Client IP", "strict", client_ip)
    TRX.returnOutput()
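def createEvent(eventName):
    """Create a MISP event named ``eventName`` and return it to Maltego as a maltego.MISPEvent.

    Distribution, threat level, analysis state and publish flag come from the
    module-level ``MISP_*`` constants; ``misp``, ``BASE_URL``,
    ``MaltegoEntity`` and ``returnSuccess`` are module names too.
    """
    mt = MaltegoTransform()
    mt.addUIMessage("[Info] Creating event with the name %s" % eventName)
    event = misp.new_event(MISP_DISTRIBUTION, MISP_THREAT, MISP_ANALYSIS, eventName, None, MISP_EVENT_PUBLISH)
    details = event['Event']
    # The API may return ids as integers; coerce so the concatenations below
    # cannot raise TypeError.
    eid = str(details['id'])
    einfo = details['info']
    eorgc = str(details['orgc_id'])
    me = MaltegoEntity('maltego.MISPEvent', eid)
    me.addAdditionalFields('EventLink', 'EventLink', False, BASE_URL + '/events/view/' + eid)
    me.addAdditionalFields('Org', 'Org', False, eorgc)
    me.addAdditionalFields('notes', 'notes', False, eorgc + ": " + einfo)
    mt.addEntityToMessage(me)
    returnSuccess("event", eid, None, mt)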
def main():
    """Emit one snoopy.Client entity per client MAC, labelled with vendor and hostname.

    Client MACs come from the ``cookies`` table outer-joined to ``vends`` (the
    OUI vendor lookup), filtered by the shared ``filters`` list from
    transformCommon.  When ``ssid`` is set the query is replaced by one keyed
    on the ``ssids`` table instead.  The hostname from ``leases`` is used as
    the label when present, else the tail of the MAC.
    """
    #Outer join
    sl = select([leases.c.mac, leases.c.hostname]).distinct()
    # mac -> hostname; if a MAC has several lease rows the last one wins.
    lease_list = dict ( db.execute(sl).fetchall() )
    # Replaced with JOIN
    j = cookies.outerjoin(vends, cookies.c.client_mac == vends.c.mac)
    s = select([cookies.c.client_mac,vends.c.vendor, vends.c.vendorLong], and_(*filters)).select_from(j).distinct()
    logging.debug(s)
    if ssid:
        nfilters=[]
        nfilters.append(ssids.c.ssid == ssid)
        nfilters.append(ssids.c.mac == vends.c.mac)
        # NOTE(review): this replaces the outer-join query with a plain
        # equality join, so for an SSID lookup clients with no OUI match are
        # dropped, unlike the default path.
        s = select([ssids.c.mac,vends.c.vendor, vends.c.vendorLong], and_(*nfilters))
    # NOTE(review): `cw` is built and logged but never executed or used.
    cwdF = [cookies.c.run_id == sess.c.run_id]
    cw = select([cookies.c.client_mac], and_(*cwdF))
    logging.debug(cw)
    r = db.execute(s)
    results = r.fetchall()
    TRX = MaltegoTransform()
    for mac,vendor,vendorLong in results:
        hostname = lease_list.get(mac)
        # The lease hostname is supplied by the client device (a DHCP lease
        # name, presumably), i.e. by an untrusted party, and goes into the
        # entity value as-is.  The SSID transform escapes its value; confirm
        # MaltegoTransform escapes XML metacharacters before relying on it here.
        if hostname:
            NewEnt=TRX.addEntity("snoopy.Client", "%s\n(%s)" %(vendor,hostname))
        else:
            NewEnt=TRX.addEntity("snoopy.Client", "%s\n(%s)" %(vendor,mac[6:]))
        NewEnt.addAdditionalFields("mac","mac address", "strict",mac)
        NewEnt.addAdditionalFields("vendor","vendor", "nostrict", vendor)
        NewEnt.addAdditionalFields("vendorLong","vendorLong", "nostrict", vendorLong)
    TRX.returnOutput()
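def new_transform(arg):
    """Emit a maltego.AS entity for each ASN the workspace API reports for the IP.

    ``arg`` is the raw Maltego argument vector; the IPv4 address and workspace
    id are read from it.  Failures are reported to the client as a UI message
    rather than a traceback.  ``requests`` and ``MaltegoTransform`` come from
    module scope.
    """
    m = MaltegoTransform()
    m.parseArguments(arg)
    ip = m.getVar('ipv4-address')
    wrkspc = m.getVar('workspace')
    # Both values originate in the graph, so percent-encode them: an
    # unescaped "../" or "?" would otherwise rewrite the request path sent to
    # the internal API.
    url = 'http://10.1.99.250:8125/api/v1.0/%s/%s/asn' % (
        requests.utils.quote(str(wrkspc), safe=''),
        requests.utils.quote(str(ip), safe=''))
    try:
        # NOTE(review): plain HTTP to the API host -- acceptable only on a
        # trusted network.  The timeout stops a hung API from hanging Maltego.
        r = requests.get(url, timeout=30)
        r.raise_for_status()
        for item in r.json()['items']:
            ent = m.addEntity('maltego.AS', item['asn'])
            ent.addAdditionalFields('workspace', 'Workspace ID', True, wrkspc)
    except Exception as e:
        m.addUIMessage(str(e))
    m.returnOutput()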
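def checkAge():
    """Return the selected MISP event id, or raise a Maltego exception if it is stale.

    The selection is read from the ``eventDB`` shelf.  With no selection
    present it is treated as already expired.  Selections older than one hour
    produce a Maltego exception and ``None``; otherwise the id is returned.
    """
    s = shelve.open(eventDB)
    try:
        age = s['age']
        eid = s['id']
    except Exception:
        # Missing keys or an unreadable shelf: fabricate a selection that is
        # already past the limit so the caller is told to reselect.
        age = datetime.today() - timedelta(seconds=6000)
        eid = "none"
    finally:
        s.close()

    if age < datetime.today() - timedelta(seconds=3600):
        mt = MaltegoTransform()
        mt.addException("[Warning] Selection of Event is over 1 hour old. Please reselect. Current selection: %s" % eid)
        mt.throwExceptions()
        return None
    return eid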
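def main(argv):
    """Fetch the page at ``sys.argv[1]`` and emit a maltego.EmailAddress per address found.

    ``collectAllEmail``, ``urllib`` and ``MaltegoTransform`` are module names.
    """
    url = sys.argv[1]
    # Only web schemes: urllib.urlopen also serves file:// (and ftp://), and
    # the URL is whatever the graph node happens to hold.
    if not url.lower().startswith(("http://", "https://")):
        sys.exit("Expected an http(s) URL, got: %s" % url)
    response = urllib.urlopen(url)
    try:
        html = response.read()
    finally:
        response.close()
    mt = MaltegoTransform()
    for email in collectAllEmail(html):
        mt.addEntity("maltego.EmailAddress", email)
    mt.returnOutput()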
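def main():
    """Entry point: build a Maltego graph of C2 infrastructure from a domain or IP.

    Two modes.  With ``-t`` the script runs as a Maltego transform: date
    bounds arrive from the client as a single ``#``-separated extra argument
    and the result is written as a transform response via the module-level
    ``maltrans``.  Otherwise it runs from the shell, queries the chosen API
    and writes an .mtgx file.  ``transform``, ``date_convert``, ``api_query``,
    ``build_maltego``, ``build_graph``, ``zip_file`` and ``MaltegoTransform``
    are module names.
    """
    global verbose, maltrans

    parser = argparse.ArgumentParser(description="Jumpstart Maltego graph of C2 infrastructure off domain or IP.", epilog="spidermal.py -l paloaltonetworks.com -s 2014-09-12 -e 2015-12-1 -r 2 -o pan.mgtx -a PT")
    parser.add_argument("-s", "--start", help="Start date for range; \"YYYY-MM-DD\".", metavar="YYYY-MM-DD")
    parser.add_argument("-e", "--end", help="End date for range; \"YYYY-MM-DD\".", metavar="YYYY-MM-DD")
    parser.add_argument("-l", "--lookup", help="Value you start search with.", required=True, metavar="IP|DOMAIN")
    parser.add_argument("-o", "--out", help="Output file name (will append \"mtgx\" if not present.", default="malgraph.mtgx", metavar="filename.mtgx")
    parser.add_argument("-r", "--recurse", help="Number of levels to recurse. Default is 1; be careful with hosting sites.", default=1, metavar="LEVEL")
    parser.add_argument("-a", "--api", help="Choose API to use. Default is PassiveTotal.", default="PT", choices=["PT"])
    parser.add_argument("-t", "--transform", help="Run in Maltego Transform mode (run from inside Maltego client).", action="store_true")
    parser.add_argument("-v", "--verbose", help="Print additional data (tags/class/dynamic fields).", action="store_true")
    # Keep the unknown arguments: Maltego passes entity fields in "#" format.
    args, unknown = parser.parse_known_args()
    verbose = args.verbose

    target_start = datetime.date(1970, 1, 1)  # default lower bound
    target_end = datetime.date.today()        # default upper bound

    if args.transform:
        if transform == 0:
            # MaltegoTransform.py failed to import; tell the client in its own format.
            print("""<MaltegoMessage><MaltegoTransformResponseMessage><Entities></Entities><UIMessages><UIMessage MessageType="FatalError">MaltegoTransform.py Module Not Found!</UIMessage></UIMessages></MaltegoTransformResponseMessage></MaltegoMessage>""")
            sys.exit()
        # Maltego appends its entity fields as one "#"-separated argument.  It
        # may be absent altogether, which used to raise IndexError on unknown[0].
        extra = unknown[0].split("#") if unknown else []
        for argument in extra:
            key, sep, value = argument.partition("=")
            if not sep:
                continue  # no "=": nothing to parse (the original raised here)
            if key.startswith("After"):
                target_start = date_convert(value, "user")
            elif key.startswith("Before"):
                target_end = date_convert(value, "user")
        maltrans = MaltegoTransform()
        final_list, entity_type = api_query(args.lookup, target_start, target_end, "1", "PT", args.transform)
        build_maltego(final_list, entity_type, str(target_start), str(target_end))
        maltrans.returnOutput()
        return

    if args.start:
        target_start = date_convert(args.start, "user")
    if args.end:
        target_end = date_convert(args.end, "user")
    print("[+] Begining search for %s using %s API between %s and %s." % (args.lookup, args.api, target_start, target_end))
    final_list, entity_type = api_query(args.lookup, target_start, target_end, args.recurse, args.api, args.transform)
    print("[+] Finished API queries.")
    print("[+] Building graph (nodes/edges).")
    build_graph(final_list, args.out)
    print("[+] Building Maltego file named %s." % args.out)
    zip_file(args.out)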
def returnSuccess(etype, value, event=None, mt=None):
    """Report a successful MISP insert to Maltego and flush the response.

    ``mt`` lets the caller hand in a transform that already carries entities;
    otherwise a fresh one is created.  With ``event`` the message names the
    event the item went into, without it just the item's id.
    """
    transform = mt
    if not transform:
        transform = MaltegoTransform()
    if event:
        detail = "[Info] Successful entry of %s with value %s into event %s" % (etype, value, event)
    else:
        detail = "[Info] Successful entry of %s with ID %s" % (etype, value)
    transform.addUIMessage(detail)
    transform.returnOutput()
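def main():
    """Emit a snoopy.Cookie entity for each cookie logged in web traffic from ``ip``.

    ``ip``, ``weblogs``, ``db``, ``select``, ``and_``, ``logging``, ``re`` and
    ``MaltegoTransform`` come from transformCommon / module scope.
    """
    query = select([weblogs.c.host, weblogs.c.path, weblogs.c.cookies],
                   and_(weblogs.c.client_ip == ip))
    logging.debug(query)
    rows = db.execute(query).fetchall()
    # Log a count rather than the rows: the original wrote every cookie value
    # (session credentials) to the debug log.
    logging.debug("%d weblog rows for %s", len(rows), ip)

    # Names and values come from captured traffic.  The regex existed in the
    # original but was never applied, so an XML-illegal code point in one
    # cookie broke the whole response.
    illegal_xml_re = re.compile(u'[\x00-\x08\x0b-\x1f\x7f-\x84\x86-\x9f\ud800-\udfff\ufdd0-\ufddf\ufffe-\uffff]')
    TRX = MaltegoTransform()
    for host, path, cookie_blob in rows:
        logging.debug(host)
        for name, value in _parse_cookie_blob(cookie_blob):
            name = illegal_xml_re.sub('', name)
            value = illegal_xml_re.sub('', value)
            ent = TRX.addEntity("snoopy.Cookie", name)
            ent.addAdditionalFields("value", "Value", "strict", value)
            ent.addAdditionalFields("fqdn", "Domain", "strict", host)
            ent.addAdditionalFields("ip", "Client IP", "strict", ip)
    TRX.returnOutput()


def _parse_cookie_blob(blob):
    """Yield (name, value) pairs from a weblogs ``cookies`` column.

    The column holds entries of the shape ``"name": "value"`` separated by
    ``", "`` (the original split on exactly those strings and took the first
    quoted token of each side).  NOTE(review): this looks like JSON; if the
    writer really emits JSON, ``json.loads`` is the robust parser -- confirm
    the format first.  Entries that do not fit the shape are logged and
    skipped instead of aborting the transform: the blob is reconstructed
    from captured traffic, so one odd cookie must not take the whole run down.
    """
    if not blob or len(blob) <= 2:
        return
    for entry in blob.split(", "):
        try:
            raw_name, raw_value = entry.split(": ", 1)
            name = raw_name.split('"')[1]
            value = raw_value.split('"')[1]
        except (ValueError, IndexError):
            logging.debug("skipping unparseable cookie entry: %r", entry)
            continue
        yield name, value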
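def main(argv):
    """Fetch the page at ``sys.argv[1]`` and emit a maltego.Alias for each e-mail local part.

    ``collectAllEmail``, ``urllib`` and ``MaltegoTransform`` are module names.
    """
    url = sys.argv[1]
    # Only web schemes: urllib.urlopen also serves file:// (and ftp://), and
    # the URL is whatever the graph node happens to hold.
    if not url.lower().startswith(("http://", "https://")):
        sys.exit("Expected an http(s) URL, got: %s" % url)
    response = urllib.urlopen(url)
    try:
        html = response.read()
    finally:
        response.close()
    mt = MaltegoTransform()
    for email in collectAllEmail(html):
        # Local part before the "@".  The original used email[:email.find('@')],
        # which silently dropped the last character when no "@" was present.
        alias = email.partition('@')[0]
        mt.addEntity("maltego.Alias", alias)
    mt.returnOutput()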
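def parsereport(page):
    """Add a maltego.Phrase entity for every mutex the sandbox report lists.

    The report uses one sentence for a single mutex and another for several;
    both are checked.  Exits with a message when neither is present or the
    page cannot be parsed.
    """
    import sys

    xform = MaltegoTransform()
    single_marker = 'To mark the presence in the system, the following Mutex object was created:'
    multi_marker = 'To mark the presence in the system, the following Mutex objects were created:'
    try:
        try:
            single = page.find(text=single_marker).findNext('ul').li.text
        except AttributeError:
            single = None
        try:
            multiple = page.find(text=multi_marker).findNext('ul')
        except AttributeError:
            multiple = None

        if single is None and multiple is None:
            # The original's bare outer except swallowed this SystemExit and
            # reported "Error finding Mutexes." instead.
            sys.exit("No Mutexes Reported")
        if single is not None:
            # The original filed the single mutex as maltego.IPv4Address -- a
            # copy/paste slip from the IP parser; a mutex name is a Phrase,
            # like every entry of the multi-mutex list.
            xform.addEntity("maltego.Phrase", single)
        if multiple is not None:
            for mutex in multiple.findAll('li'):
                xform.addEntity("maltego.Phrase", mutex.text)
    except AttributeError:
        sys.exit("Error finding Mutexes.")
    xform.returnOutput()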
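def new_transform(arg):
    """Emit a maltego.IPv4Address entity for every IP in workspace ``arg``.

    Failures are reported to the client as a UI message rather than a
    traceback.  ``requests`` and ``MaltegoTransform`` come from module scope.
    """
    m = MaltegoTransform()
    # arg is the workspace id straight from the graph; percent-encode it so it
    # cannot alter the request path (e.g. "../") sent to the internal API.
    url = 'http://10.1.99.250:8125/api/v1.0/%s/ip' % requests.utils.quote(str(arg), safe='')
    try:
        # NOTE(review): plain HTTP to the API host -- acceptable only on a
        # trusted network.  The timeout stops a hung API from hanging Maltego.
        r = requests.get(url, timeout=30)
        r.raise_for_status()
        for item in r.json()['items']:
            ent = m.addEntity('maltego.IPv4Address', item['ipaddr'])
            ent.addAdditionalFields('workspace', 'Workspace ID', True, arg)
    except Exception as e:
        m.addUIMessage(str(e))
    m.returnOutput()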
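def main():
    """Read the location fields from Maltego and the Wigle credentials from disk.

    NOTE(review): the listing ends after the credential read; whatever uses
    ``lat``/``lng``/``address`` and the credentials is not visible here.
    ``sys``, ``logging`` and ``MaltegoTransform`` are module names.
    """
    TRX = MaltegoTransform()
    TRX.parseArguments(sys.argv)
    lat = float(TRX.getVar("latitude"))
    lng = float(TRX.getVar("longitude"))
    address = TRX.getVar("longaddress")
    logging.debug(lat)
    logging.debug(address)
    try:
        # One line: user:pass:email[:proxy].  The file holds a live Wigle
        # password -- keep it out of the repository and world-readable paths.
        # Splitting at most three times keeps a "host:port" proxy intact and
        # makes the proxy genuinely optional (the original's 4-way unpack
        # failed on a 3-field line despite the message saying "optional").
        with open("wigle_creds.txt", "r") as f:
            fields = f.readline().strip().split(":", 3)
        if len(fields) == 3:
            fields.append("")
        user, passw, email, proxy = fields
    except Exception as e:
        print("ERROR: Unable to read Wigle user & pass, email (and optional proxy) from wigle_creds.txt")
        print(e)
        sys.exit(-1)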
#!/usr/bin/env python # Maltego transform for getting the robots.txt file from websites from MaltegoTransform import * import requests m = MaltegoTransform() m.parseArguments(sys.argv) website = m.getVar('fqdn') port = m.getVar('ports') port = port.split(',') ssl = m.getVar('website.ssl-enabled') robots = [] try: for c in port: if ssl == 'true': url = 'https://' + website + ':' + str(c) + '/robots.txt' r = requests.get(url) if r.status_code == 200: robots = str(r.text).split('\n') for i in robots: ent = m.addEntity('maltego.Phrase', i) ent.addAdditionalFields("url","Original URL",True,url) else: m.addUIMessage("No Robots.txt found..") else: url = 'http://' + website + ':' + str(c) + '/robots.txt' r = requests.get(url)
return os.path.normpath(pathname) configFile = getLocalConfPath() config = ConfigParser.SafeConfigParser() config.read(configFile) username = config.get('credentials', 'username') password = config.get('credentials', 'password') auth = config.get('splunk','auth') searchhead = config.get('splunk','searchhead') timeframe = config.get('splunk', 'timeframe') management = config.get('splunk', 'management') # Setting up Maltego entities and getting initial variables. me = MaltegoTransform() sourcetype = sys.argv[1] # Determine which REST call to make based on authentication setting. if auth == "1": output = subprocess.check_output('curl -u ' + username + ':' + password + ' -s -k --data-urlencode search="search index=' + sourcetype + ' earliest=' + timeframe + ' | table sourcetype | dedup sourcetype" -d "output_mode=csv" https://' + searchhead + ':' + management + '/servicesNS/admin/search/search/jobs/export', shell=True) else: output = subprocess.check_output('curl -s -k --data-urlencode search="search index=' + sourcetype + ' earliest=' + timeframe + ' | table sourcetype | dedup sourcetype" -d "output_mode=csv" https://' + searchhead + ':' + management + '/servicesNS/admin/search/search/jobs/export', shell=True) # Regex to find Sourcetype sourcetype = re.findall(r'.+', output) sourcetypes = [] for i in sourcetype: if i[0] == '"':
from MaltegoTransform import *
from mcrits_utils import *

# Walk the CRITs relationships of the selected object and emit every related
# Sample as an entity of the type the helper reports.
crits = mcrits()
transform = MaltegoTransform()
transform.parseArguments(sys.argv)
object_id = transform.getVar('id')
object_type = transform.getVar('crits_type')
for related in crits.get_related(object_type, object_id, 'Sample'):
    transform.addEntity(related[0], related[1])
transform.returnOutput()
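#!/usr/bin/env python
import sys
import urllib
import urllib2
from MaltegoTransform import *

# Resolve the input value through the predator.wtf resolver and emit the
# answer as a maltego.IPv4Address.
mt = MaltegoTransform()
mt.parseArguments(sys.argv)
SearchString = mt.getValue()

# Fresh transform for the response, as in the original.
mt = MaltegoTransform()
# The lookup value comes straight from the graph: percent-encode it so it
# cannot append or override query parameters.
url = 'http://api.predator.wtf/resolver/?arguments=' + urllib.quote(SearchString, safe='')
# NOTE(review): plain HTTP to a third-party resolver -- the answer can be
# altered in transit, and the body is emitted as an entity without checking
# that it is actually an IPv4 address.  The timeout keeps Maltego from hanging.
ipaddress = urllib2.urlopen(url, timeout=30).read().strip()
mt.addEntity("maltego.IPv4Address", ipaddress)
mt.returnOutput()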
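import sys
import emailprotectionslib.spf as spf
from MaltegoTransform import *

# Look up the SPF record for the input domain and emit it as a maltego.Phrase.
mt = MaltegoTransform()
mt.parseArguments(sys.argv)
domain = mt.getValue()

# Fresh transform for the response, as in the original.
mt = MaltegoTransform()
try:
    # Presumably a live DNS lookup (library internals not visible here).
    spf_record = spf.SpfRecord.from_domain(domain)
    mt.addEntity("maltego.Phrase", "SPF Record: " + str(spf_record))
except Exception as e:
    # Surface the cause (DNS failure, malformed record) instead of the bare
    # "Exception Occured" the original showed, which gave nothing to act on.
    mt.addUIMessage("Exception Occured: %s" % e, messageType="PartialError")
mt.returnOutput()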
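#!/usr/bin/python
#DESC: Transform Meetup group URL into Meetup leader profile URLs
import httplib2, urllib2, lxml, sys, re
from bs4 import BeautifulSoup
from MaltegoTransform import *

baseurl = sys.argv[1]
# The leaders page hangs off the group URL; make sure exactly one slash joins
# them (the original broke when the group URL had no trailing slash).
url = baseurl.rstrip('/') + "/members/?op=leaders"
# Only fetch web URLs: urllib2 also honours file:// and ftp://, and the value
# is whatever the graph node holds.
if not url.lower().startswith(("http://", "https://")):
    sys.exit("Expected an http(s) Meetup group URL, got: %s" % baseurl)

opener = urllib2.build_opener()
opener.addheaders = [('User-agent', 'Mozilla/5.0')]
soup = BeautifulSoup(opener.open(url, timeout=30), "lxml")

me = MaltegoTransform()
for link in soup.find_all("a", "memName"):
    ent = me.addEntity("maltego.URL", link.text + " Meetup")
    ent.addAdditionalFields("url", "URL", "", link['href'])
me.returnOutput()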
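config.read(configFile)
username = config.get('credentials', 'username')
password = config.get('credentials', 'password')
auth = config.get('splunk', 'auth')
searchhead = config.get('splunk', 'searchhead')
timeframe = config.get('splunk', 'timeframe')
status = config.get('splunk', 'status')
management = config.get('splunk', 'management')
proxy = config.get('splunk', 'proxy')
proxy_ip = config.get('splunk', 'proxy_ip')
proxy_port = config.get('splunk', 'proxy_port')

# Setting up Maltego entities and getting initial variables.
me = MaltegoTransform()
me.parseArguments(sys.argv)
sourcetype = sys.argv[1]
hostip = me.getVar("host")


def _spl_string(value):
    """Quote a graph-supplied value as an SPL double-quoted string literal."""
    return '"' + value.replace('\\', '\\\\').replace('"', '\\"') + '"'


# sourcetype arrives from the Maltego graph.  The original spliced it into a
# shell=True command line -- so a value like  x"; rm -rf ~; "  ran as a shell
# command -- and into the SPL unquoted, so  x | delete  ran as the configured
# Splunk user.  Build an argv list (no shell) and quote the SPL value instead.
search = ('search index=* earliest=' + timeframe
          + ' sourcetype=' + _spl_string(sourcetype)
          + ' | table host | dedup host')
export_url = ('https://' + searchhead + ':' + management
              + '/servicesNS/admin/search/search/jobs/export')
# -k skips TLS verification exactly as the original did; replace it with
# --cacert <search head CA> once that certificate is available.
curl_cmd = ['curl', '-s', '-k']
if auth == "1":
    # NOTE(review): -u still exposes the password in the process list; a
    # --netrc-file or a `-K -` config fed on stdin would keep it out of argv.
    curl_cmd += ['-u', username + ':' + password]
if proxy == "1":
    curl_cmd += ['--socks5', proxy_ip + ':' + proxy_port]
curl_cmd += ['--data-urlencode', 'search=' + search, '-d', 'output_mode=csv', export_url]
# The original left `output` unassigned when auth != "1" and proxy != "1".
output = subprocess.check_output(curl_cmd)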
#!/usr/bin/python # -*- coding: utf-8 -*- from MaltegoTransform import * from ttp import ttp from urlparse import urlparse import sys, httplib # Description: Locally extract URLs from Tweets # Installation: http://dev.paterva.com/developer/getting_started/building_your_own_local_transform.php # Author: Michael Henriksen (@michenriksen) transform = MaltegoTransform() transform.parseArguments(sys.argv) tweet = transform.getVar("content").decode('utf-8') parser = ttp.Parser() parsed_tweet = parser.parse(tweet) for url in parsed_tweet.urls: parsed_url = urlparse(url) # Expand Twitter shortened URLs if parsed_url.hostname == "t.co": transform.addUIMessage("Expanding t.co URL: " + url, "Inform") # Perform a HEAD request on t.co via secure connection connection = httplib.HTTPSConnection(parsed_url.hostname) connection.request("HEAD", parsed_url.path) response = connection.getresponse() # Loop through each header until we find the Location header