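def checkAge():
    """Return the currently selected MISP event id, or abort if the selection is stale.

    The selection lives in the ``eventDB`` shelve under the keys ``'age'``
    (a ``datetime`` recorded at selection time) and ``'id'``. When either key
    is missing, the selection is treated as already expired (a synthetic age
    6000 seconds in the past and id ``"none"``) so the user is told to reselect.

    Returns:
        The selected event id when the selection is under one hour old.
        Otherwise a Maltego exception is thrown (``throwExceptions`` is expected
        to terminate the transform) and ``None`` falls out.
    """
    # NOTE(security): shelve is pickle-backed, so anyone able to write event.db
    # can execute code inside this transform; treat it as trusted local state only.
    s = shelve.open(eventDB)
    try:
        age = s['age']
        eid = s['id']
    except KeyError:
        # Nothing selected yet: fabricate an already-expired selection.
        age = datetime.today() - timedelta(seconds=6000)
        eid = "none"
    finally:
        # Close on every path; the original only closed after a swallowed error.
        s.close()
    curDate = datetime.today()
    if age < curDate - timedelta(seconds=3600):
        mt = MaltegoTransform()
        mt.addException("[Warning] Selection of Event is over 1 hour old. Please reselect. Current selection: %s" % eid)
        mt.throwExceptions()
    else:
        return eid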
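def checkAge():
    """Return the selected MISP event id if it was chosen less than an hour ago.

    Reads ``'age'`` and ``'id'`` from the ``eventDB`` shelve. A missing key is
    handled as "no selection": the age is set 6000 seconds in the past and the
    id to ``"none"``, which guarantees the staleness check below fires.

    Returns:
        The event id for a fresh selection. For a stale one a ``[Warning]``
        Maltego exception is thrown instead and the function yields ``None``.
    """
    # NOTE(security): shelve deserialises with pickle; event.db must only ever be
    # written by this tool, never populated from untrusted input.
    store = shelve.open(eventDB)
    try:
        selected_at = store['age']
        eid = store['id']
    except KeyError:
        # No stored selection: synthesise one that is already too old.
        selected_at = datetime.today() - timedelta(seconds=6000)
        eid = "none"
    finally:
        # Release the shelve even if the lookup raised something unexpected.
        store.close()
    cutoff = datetime.today() - timedelta(seconds=3600)
    if selected_at < cutoff:
        mt = MaltegoTransform()
        mt.addException(
            "[Warning] Selection of Event is over 1 hour old. Please reselect. Current selection: %s" % eid)
        mt.throwExceptions()
    else:
        return eid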
def returnFailure(etype, value, reason):
    """Report a failed attribute add to Maltego and abort the transform.

    Args:
        etype: The attribute type that could not be added (e.g. ``"domain"``).
        value: The attribute value that was being added.
        reason: Free-text explanation included in the ``[Error]`` message.
    """
    message = "[Error] Failed to add %s with value %s due to %s" % (etype, value, reason)
    transform = MaltegoTransform()
    transform.addException(message)
    transform.throwExceptions()
def dataError(request):
    """Tell Maltego that no function named *request* could be loaded, then abort.

    Args:
        request: The function name that failed to resolve; echoed in the message.
    """
    transform = MaltegoTransform()
    transform.addException("[Error] Failure to load function with name %s" % request)
    transform.throwExceptions()
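import argparse
import re
import shelve
from datetime import datetime, timedelta

from pymisp import PyMISP, MISPEvent, MISPAttribute
from MaltegoTransform import *
from mispego_util import *

# Connect once at import time; every transform in this module shares `misp`.
# MISP_VERIFYCERT comes from mispego_util — if it is False, TLS verification is
# off and the API key travels to whatever answers at BASE_URL; keep it True
# outside lab setups.
try:
    misp = PyMISP(BASE_URL, API_KEY, MISP_VERIFYCERT, 'json', MISP_DEBUG)
except Exception as e:
    mt = MaltegoTransform()
    # The API key is deliberately NOT interpolated: this text is rendered in the
    # Maltego UI and tends to end up in screenshots, logs and bug reports.
    mt.addException(
        "[Error] Cannot connect to MISP instance using %s. Please check the URL and API key and try again" % BASE_URL)
    mt.addException("[Error] %s" % e)
    mt.throwExceptions()

# Local shelve holding the selected event ('id') and when it was selected ('age').
eventDB = "event.db"


def addDomain(domainValue):
    """Add *domainValue* as a ``domain`` attribute to the currently selected MISP event.

    Args:
        domainValue: The domain name, used verbatim as the attribute value.

    The event id comes from ``checkAge()``, which aborts the transform when the
    selection is stale; ``returnSuccess`` reports the result back to Maltego.
    """
    eid = checkAge()
    mispAttribute = MISPAttribute()
    mispAttribute.type = 'domain'
    mispAttribute.value = domainValue
    misp.add_attribute(eid, mispAttribute)
    returnSuccess("domain", domainValue, eid)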
ent = me.addEntity("nullJaX.GooglePlusActivity", value) ent.setType("nullJaX.GooglePlusActivity") ent.setValue(value) if 'published' in activity: ent.addAdditionalFields("published", "Published", True, activity['published']) if 'updated' in activity: ent.addAdditionalFields("updated", "Updated", True, activity['updated']) ent.addAdditionalFields("AID", "Activity ID", True, activity['id']) ent.addAdditionalFields("url", "Activity URL", True, activity['url']) ent.addAdditionalFields("uid", "Publisher UID", True, activity['actor']['id']) if 'geocode' in activity: ent.addAdditionalFields("geocode", "Geocode", True, activity['geocode']) if 'address' in activity: ent.addAdditionalFields("address", "Address", True, activity['address']) if 'radius' in activity: ent.addAdditionalFields("radius", "Radius", True, activity['radius']) if 'placeName' in activity: ent.addAdditionalFields("placeName", "Name of Place", True, activity['namePlace']) me.heartbeat() me.returnOutput() except: me.addException("Something went wrong :(") me.throwExceptions()
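def _censys_error_text(request, cn):
    """Return a human-readable description of a non-200 Censys response.

    Censys sends a JSON body with an ``error`` field for 400 and 429; the other
    codes get a fixed message so callers never parse the body themselves.
    """
    code = request.status_code
    if code in (400, 429):
        try:
            return str(request.json()['error'])
        except (ValueError, KeyError, TypeError):
            # Body was not the expected JSON envelope; report the status only.
            return "Censys returned HTTP %d" % code
    if code == 404:
        return "No data was found for this issuer cn {cn}".format(cn=cn)
    if code == 500:
        return "There has been a server error!!!"
    # Any other status previously produced an empty exception list, which
    # Maltego shows as an unexplained failure.
    return "Unexpected HTTP status %d from Censys" % code


def _censys_search(query, page, auth, timeout=30):
    """POST *query* for *page* to the Censys IPv4 search endpoint and return the response.

    ``timeout`` bounds connect and read; without one a stalled connection would
    hang the transform (and the Maltego client waiting on it) indefinitely.
    """
    query['page'] = page
    return requests.post('https://www.censys.io/api/v1/search/ipv4',
                         data=json.dumps(query), auth=auth, timeout=timeout)


def main():
    """Maltego transform: list IPv4 hosts whose TLS certificate was issued by *cn*.

    Expects ``sys.argv`` as ``[script, censys_uid, censys_secret, cn, <unused>]``.
    Results are handed to ``parse_results`` page by page; paging is capped at
    four pages. A non-200 response on the first page aborts with a Maltego
    exception; on later pages it is reported as a UI message and the partial
    results already collected are still returned.
    """
    mt = MaltegoTransform()
    if len(sys.argv) != 5:
        # Report only the count: argv carries the Censys UID and API secret,
        # which must not be echoed into the Maltego UI or its logs.
        mt.addException(
            "You appear to be missing your uid and secret. Expected 4 arguments, got {n}"
            .format(n=len(sys.argv) - 1))
        mt.throwExceptions()
        return  # throwExceptions() exits; guard against an implementation that does not
    censys_uid = sys.argv[1]
    censys_secret = sys.argv[2]
    cn = sys.argv[3]
    auth = (censys_uid, censys_secret)
    # The entity value is untrusted text spliced into Censys' query syntax.
    # Quoting it (and escaping quotes/backslashes) keeps a cn containing spaces
    # or operators from being parsed as additional query terms.
    cn_term = '"%s"' % cn.replace('\\', '\\\\').replace('"', '\\"')
    query = {
        'query': '443.https.tls.certificate.parsed.issuer.common_name: {cn}'.format(cn=cn_term),
        'fields': [
            '443.https.tls.certificate.parsed.fingerprint_sha1',
            '443.https.tls.certificate.parsed.issuer_dn',
            '443.https.tls.certificate.parsed.subject_dn',
            'updated_at',
        ],
        'page': 1,
    }
    max_pages = 4  # pages 1..4: the window the original's range(2, 5) aimed for
    try:
        request = _censys_search(query, 1, auth)
        if request.status_code != 200:
            mt.addException(_censys_error_text(request, cn))
            mt.throwExceptions()
            return
        results = request.json()
        pages = results['metadata']['pages']
        if results['metadata']['count'] > 0:
            parse_results(results['results'], mt)
            # The original tests `pages > 1 > 4` (always False) and `pages < 5 > 1`
            # (just `pages < 5`), and its range(2, pages) dropped the last page.
            if pages > 1:
                mt.addUIMessage("Found more than one page. Getting up to the first 100 results")
                for page in range(2, min(pages, max_pages) + 1):
                    request = _censys_search(query, page, auth)
                    if request.status_code != 200:
                        # Keep what was already collected instead of losing it
                        # to, e.g., a 429 rate limit on a later page.
                        mt.addUIMessage("Stopped at page %d: %s" % (page, _censys_error_text(request, cn)))
                        break
                    parse_results(request.json()['results'], mt)
        else:
            mt.addUIMessage(
                "No additional cert data was found with this ssl cert subject cn: {cn}".format(cn=cn))
        mt.returnOutput()
    except requests.exceptions.RequestException as e:
        mt.addException(str(e))
        mt.throwExceptions()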
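def _censys_error_text(request):
    """Return a human-readable description of a non-200 Censys response.

    400 and 429 carry a JSON body with an ``error`` field; other codes map to
    fixed messages so the caller never parses the body itself.
    """
    code = request.status_code
    if code in (400, 429):
        try:
            return str(request.json()['error'])
        except (ValueError, KeyError, TypeError):
            # Body was not the expected JSON envelope; report the status only.
            return "Censys returned HTTP %d" % code
    if code == 404:
        return "No info found"
    if code == 500:
        return "There has been a server error!!!"
    # Previously an unlisted status threw an empty exception list, which Maltego
    # shows as an unexplained failure.
    return "Unexpected HTTP status %d from Censys" % code


def _censys_search(query, page, auth, timeout=30):
    """POST *query* for *page* to the Censys IPv4 search endpoint and return the response.

    ``timeout`` bounds connect and read so a stalled connection cannot hang the
    transform (and the Maltego client waiting on it) forever.
    """
    query['page'] = page
    return requests.post('https://www.censys.io/api/v1/search/ipv4',
                         data=json.dumps(query), auth=auth, timeout=timeout)


def main():
    """Maltego transform: list IPv4 hosts presenting the TLS certificate with SHA-1 *sha1*.

    Expects ``sys.argv`` as ``[script, censys_uid, censys_secret, sha1, <unused>]``.
    Results are handed to ``process_results`` page by page; paging is capped at
    four pages. A non-200 response on the first page aborts with a Maltego
    exception; on later pages it is reported as a UI message and the partial
    results already collected are still returned.
    """
    mt = MaltegoTransform()
    if len(sys.argv) != 5:
        # Report only the count: argv carries the Censys UID and API secret,
        # which must not be echoed into the Maltego UI or its logs.
        mt.addException(
            "You appear to be missing your uid and secret. Expected 4 arguments, got {n}".format(
                n=len(sys.argv) - 1))
        mt.throwExceptions()
        return  # throwExceptions() exits; guard against an implementation that does not
    censys_uid = sys.argv[1]
    censys_secret = sys.argv[2]
    sha1 = sys.argv[3]
    auth = (censys_uid, censys_secret)
    # The fingerprint is untrusted entity text placed inside a quoted query
    # term; escape quotes/backslashes so it cannot break out of the quotes.
    sha1_term = sha1.replace('\\', '\\\\').replace('"', '\\"')
    query = {
        'query': '443.https.tls.certificate.parsed.fingerprint_sha1: \"{s}\"'.format(s=sha1_term),
        'fields': [
            'ip',
            '443.https.tls.certificate.parsed.subject.common_name',
            '443.https.tls.certificate.parsed.issuer.common_name',
            'updated_at',
        ],
        'page': 1,
    }
    max_pages = 4  # pages 1..4: the window the original's range(2, 5) aimed for
    try:
        request = _censys_search(query, 1, auth)
        if request.status_code != 200:
            mt.addException(_censys_error_text(request))
            mt.throwExceptions()
            return
        results = request.json()
        pages = results['metadata']['pages']
        if results['metadata']['count'] > 0:
            process_results(results['results'], mt)
            # The original tests `pages > 1 > 4` (always False) and `pages < 5 > 1`
            # (just `pages < 5`), and its range(2, pages) dropped the last page.
            if pages > 1:
                mt.addUIMessage("Found more than one page. Getting up to the first 100 results")
                for page in range(2, min(pages, max_pages) + 1):
                    request = _censys_search(query, page, auth)
                    if request.status_code != 200:
                        # Keep what was already collected rather than losing it
                        # to, e.g., a 429 rate limit on a later page.
                        mt.addUIMessage("Stopped at page %d: %s" % (page, _censys_error_text(request)))
                        break
                    process_results(request.json()['results'], mt)
        else:
            mt.addUIMessage("No IP addresses found with this ssl cert")
        mt.returnOutput()
    except requests.exceptions.RequestException as e:
        mt.addException(str(e))
        mt.throwExceptions()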
if ssid is None: ssid = m.AdditionalFields.get('ssid') if domain is None: domain = m.AdditionalFields.get('fqdn') if observation is None: observation = m.AdditionalFields.get('observation') #If no start and end times specified fetch all. #It might make more sense to just remove the time filter. if start_time is None: start_time = "2000-01-01 00:00:00.0" if end_time is None: end_time = "2037-01-01 00:00:00.0" if not shadowKey or shadowKey == ' ': TRX.addException("Bad shadow key entered! Please obtain it via your www.ShadowLightly.com account.") TRX.throwExceptions() exit(0) ss = select([mtk.c.mtkey]).where(mtk.c.mtkey == shadowKey) r = db.execute(ss).fetchall() logging.debug("Key is %s" %shadowKey) logging.debug("Query is %s" %str(ss)) logging.debug("Results of R: %s" %str(r)) logging.debug( "Length of R: %d" %len(r)) if len(r) < 1: TRX.addException("Bad shadow key entered! Please obtain it via your www.ShadowLightly.com account.") TRX.throwExceptions() exit(0) #loging.error(len(r)) # The dirtiest hack of dirty hacks.
ssid = m.AdditionalFields.get('ssid') if domain is None: domain = m.AdditionalFields.get('fqdn') if observation is None: observation = m.AdditionalFields.get('observation') #If no start and end times specified fetch all. #It might make more sense to just remove the time filter. if start_time is None: start_time = "2000-01-01 00:00:00.0" if end_time is None: end_time = "2037-01-01 00:00:00.0" if not shadowKey or shadowKey == ' ': TRX.addException( "Bad shadow key entered! Please obtain it via your www.ShadowLightly.com account." ) TRX.throwExceptions() exit(0) ss = select([mtk.c.mtkey]).where(mtk.c.mtkey == shadowKey) r = db.execute(ss).fetchall() logging.debug("Key is %s" % shadowKey) logging.debug("Query is %s" % str(ss)) logging.debug("Results of R: %s" % str(r)) logging.debug("Length of R: %d" % len(r)) if len(r) < 1: TRX.addException( "Bad shadow key entered! Please obtain it via your www.ShadowLightly.com account." ) TRX.throwExceptions() exit(0)
def dataError(request):
    """Report to Maltego that no function named *request* could be loaded, then abort.

    Args:
        request: The requested function name, echoed verbatim in the message.
    """
    message = "[Error] Failure to load function with name %s" % request
    mt = MaltegoTransform()
    mt.addException(message)
    mt.throwExceptions()
def returnFailure(etype, value, reason):
    """Abort the transform with an ``[Error]`` message about a failed attribute add.

    Args:
        etype: Attribute type that could not be added.
        value: The attribute value involved.
        reason: Explanation appended to the message.
    """
    failure = MaltegoTransform()
    failure.addException(
        "[Error] Failed to add %s with value %s due to %s" % (etype, value, reason))
    failure.throwExceptions()
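# MISP_Maltego)
# Date: 09/03/2016
######################################################
import re
import shelve
from datetime import datetime, timedelta

from pymisp import PyMISP
from MaltegoTransform import *
from mispego_util import *

# Connect once at import time; every transform in this module shares `misp`.
# MISP_VERIFYCERT is defined in mispego_util — if it is False, TLS verification
# is off and the API key goes to whatever answers at BASE_URL; keep it True
# outside lab setups.
try:
    misp = PyMISP(BASE_URL, API_KEY, MISP_VERIFYCERT, 'json', MISP_DEBUG)
except Exception as e:
    mt = MaltegoTransform()
    # The API key is deliberately NOT interpolated: this text is shown in the
    # Maltego UI and tends to end up in screenshots, logs and bug reports.
    mt.addException(
        "[Error] Cannot connect to MISP instance using %s. Please check the URL and API key and try again" % BASE_URL)
    mt.addException("[Error] %s" % e)
    mt.throwExceptions()

# Local shelve holding the selected event ('id') and when it was selected ('age').
eventDB = "event.db"


def addDomain(domainValue):
    """Add *domainValue* as a ``domain`` attribute to the currently selected MISP event.

    Args:
        domainValue: The domain name to add.

    ``checkAge()`` supplies the event id and aborts when the selection is stale;
    the IDS flag comes from ``MISP_TO_IDS`` in mispego_util.
    """
    eid = checkAge()
    event = misp.get(eid)
    misp.add_domain(event, domainValue, to_ids=MISP_TO_IDS)
    returnSuccess("domain", domainValue, eid)


def addIP(ipValue):
    """Add *ipValue* as an ``ip-dst`` attribute to the currently selected MISP event.

    Args:
        ipValue: The destination IP address to add.
    """
    eid = checkAge()
    event = misp.get(eid)
    misp.add_ipdst(event, ipValue, to_ids=MISP_TO_IDS)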