def dotransform(request, response):
# Report transform progress
progress(50)
ip = request.value
url = 'https://www.virustotal.com/vtapi/v2/ip-address/report'
parameters = {'ip': ip, 'apikey': config['virustotal/apikey']}
resp = urllib2.urlopen('%s?%s' %
(url, urllib.urlencode(parameters))).read()
response_dict = json.loads(resp)
#Latest detected URLs"
try:
for i in range(0, len(response_dict['resolutions'])):
host = response_dict['resolutions'][i]['hostname']
host = Domain(host)
response += host
except IOError:
response = 'IO Error'
except KeyError:
response = 'Not Found'
# Update progress
progress(100)
# Return response for visualization
return response
def dotransform(request, response):
# Report transform progress
progress(50)
hash = request.value
total = ""
try:
e = Hash(hash)
text = ''
resp = urllib2.urlopen(
'https://innocuous.shadowserver.org/api/?query=' + hash).read()
start_results = resp.find("{")
end_results = resp.find("}")
av_results = resp[start_results + 1:end_results].replace('"', '')
text += av_results + ','
e += Field('AV Name', text, displayname='AV Name')
response += e
except IOError:
print 'IO Error'
# Update progress
progress(100)
# Return response for visualization
return response
def dotransform(request, response):
# Report transform progress
progress(50)
ip = request.value
url = 'https://www.virustotal.com/vtapi/v2/ip-address/report'
parameters = {'ip': ip, 'apikey': config['virustotal/apikey']}
resp = urllib2.urlopen('%s?%s' % (url, urllib.urlencode(parameters))).read()
response_dict = json.loads(resp)
#Latest detected URLs"
try:
for i in range(0,len(response_dict['resolutions'])):
host = response_dict['resolutions'][i]['hostname']
host = Domain(host)
response += host
except IOError:
response = 'IO Error'
except KeyError:
response = 'Not Found'
# Update progress
progress(100)
# Return response for visualization
return response
def dotransform(request, response, config):
"""
The dotransform function is our transform's entry point. The request object has the following properties:
- value: a string containing the value of the input entity.
- fields: a dictionary of entity field names and their respective values of the input entity.
- params: any additional command-line arguments to be passed to the transform.
- entity: the information above is serialized into an Entity object. The entity type is determined
by the inputs field in @configure for local transforms. For remote transforms, the entity
type is determined by the information in the body of the request. Local transforms suffer
from one limitation: if more than one entity type is listed in the inputs field of @configure,
the entity type might not be resolvable. Therefore, this should not be referenced in local
transforms if there is more than one input entity type defined in @configure.
The response object is a container for output entities, UI messages, and exception messages. The config object
contains a key-value store of the configuration file.
TODO: write your data mining logic below.
"""
progress(10)
debug('Extracting DNSName')
val = fix_dom(request.entities[0].fields['malriq.hostname'].value)
dnse = DNSName(val)
dnse.fqdn = val
response += [dnse]
progress(100)
return response
def dotransform(request, response):
# Report transform progress
progress(50)
ip = request.value
total = ""
urldom = 'https://www.virustotal.com/en/ip-address/' + ip + '/information/'
soup = BeautifulSoup(urllib2.urlopen(urldom).read())
try:
links = soup.findAll('div', attrs={'class': 'enum'})
for link in links:
total += str(link)
total = BeautifulSoup(total)
for totals in total.findAll('a', href=True):
totals = totals['href']
theIP = totals.replace("/en/domain/", "")
e = theIP.replace("/information/", "")
e = Domain(e)
response += e
except IOError:
print 'IO Error'
# Update progress
progress(100)
# Return response for visualization
return response
def dotransform(request, response):
# Report transform progress
progress(50)
ip = request.value
total=""
urldom = 'https://www.virustotal.com/en/ip-address/'+ip+'/information/'
soup = BeautifulSoup(urllib2.urlopen(urldom).read())
try:
links = soup.findAll('div', attrs={'class':'enum'})
for link in links:
total += str(link)
total = BeautifulSoup(total)
for totals in total.findAll('a',href=True):
totals=totals['href']
theIP = totals.replace("/en/domain/", "")
e = theIP.replace("/information/", "")
e = Domain(e)
response += e
except IOError:
print 'IO Error'
# Update progress
progress(100)
# Return response for visualization
return response
def dotransform(request, response):
# Report transform progress
progress(50)
domain = request.value
url = 'https://www.virustotal.com/vtapi/v2/domain/report'
parameters = {'domain': domain, 'apikey': config['virustotal/apikey']}
resp = urllib2.urlopen('%s?%s' % (url, urllib.urlencode(parameters))).read()
response_dict = json.loads(resp)
#Latest detected IPs"
try:
for i in range(0,len(response_dict['resolutions'])):
ip = response_dict['resolutions'][i]['ip_address']
ip = IPv4Address(ip)
response += ip
except IOError:
response = 'IO Error'
except KeyError:
response = 'Not Found'
# Update progress
progress(100)
# Return response for visualization
return response
def dotransform(request, response):
# Report transform progress
progress(50)
# Send a debugging message to the Maltego UI console
debug('Maltego Input Entity Value: %s' % request.value)
name = request.value
debug('name: %s' % name)
root = Tkinter.Tk()
root.lift()
root.withdraw()
# TODO Raise exception if no CSV file is selected
csvfilename = tkFileDialog.askopenfilename()
data = csv.DictReader(
open(csvfilename),
delimiter=',',
fieldnames=('Event Id', 'Event Type', 'Event Title', 'Start Time',
'End Time', 'Precision', 'Count', 'First Published Time',
'Last Published Time', 'Sample Fragment', 'Entities',
'Locations', 'Source Count', 'Positive Sentiment',
'Negative Sentiment'))
next(data)
for row in data:
event = row['Event Type'] + "-" + row['Event Id']
e = RFEvent('%s' % event)
e.eid = row['Event Id']
e.etype = row['Event Type']
e.title = row['Event Title']
e.starttime = row['Start Time']
e.stoptime = row['End Time']
e.fragment = row['Sample Fragment']
e.precision = row['Precision']
e.count = row['Count']
e.firstpublished = row['First Published Time']
e.lastpublished = row['Last Published Time']
e.sourcecount = row['Source Count']
e.possentiment = row['Positive Sentiment']
e.negsentiment = row['Negative Sentiment']
# Add entity to response object
response += e
# Update progress
progress(100)
# Return response for visualization
return response
def dotransform(request, response):
# Nespose API session login
session = nexlogin()
# Nexpose site creation
sitename = datetime.today().strftime("%Y%m%d-%H%M%S") + '-MaltegoSite'
newsite = host_site(sitename, request.value)
nexsite = sitesave(session, newsite)
resxml = ET.fromstring(nexsite)
siteid = resxml.attrib.get('site-id')
progress(10)
if resxml.attrib.get('success') == '1':
# Nexpose Scan Site
launchscan = sitescan(session, siteid)
launchres = ET.fromstring(launchscan)
progress(25)
if launchres.attrib.get('success') == '1':
for child in launchres:
scanid = child.attrib.get('scan-id')
status = scanstatus(session, scanid)
statusxml = ET.fromstring(status)
progress(50)
while statusxml.attrib.get('status') == 'running':
sleep(5)
status = scanstatus(session, scanid)
statusxml = ET.fromstring(status)
continue
progress(100)
response += NexposeSite(
sitename,
siteid=siteid,
scanid=scanid,
targetip=request.value)
return response
nexlogout(session)
def dotransform(request, response, config):
"""
The dotransform function is our transform's entry point. The request object has the following properties:
- value: a string containing the value of the input entity.
- fields: a dictionary of entity field names and their respective values of the input entity.
- params: any additional command-line arguments to be passed to the transform.
- entity: the information above is serialized into an Entity object. The entity type is determined
by the inputs field in @configure for local transforms. For remote transforms, the entity
type is determined by the information in the body of the request. Local transforms suffer
from one limitation: if more than one entity type is listed in the inputs field of @configure,
the entity type might not be resolvable. Therefore, this should not be referenced in local
transforms if there is more than one input entity type defined in @configure.
The response object is a container for output entities, UI messages, and exception messages. The config object
contains a key-value store of the configuration file.
TODO: write your data mining logic below.
"""
client = get_client(config)
prog = 10
progress(prog)
debug('Starting RiskIQ blacklist lookup...')
url = request.entities[0].value
inc = client.get_blacklist_lookup(url)
prog += 10
progress(prog)
if not inc:
progress(100)
return response
for ent in incident_children(inc):
response += ent
progress(100)
return response
def dotransform(request, response):
# Nespose API session login
session = nexlogin()
# Nexpose site creation
sitename = datetime.today().strftime("%Y%m%d-%H%M%S") + '-MaltegoSite'
newsite = host_site(sitename, request.value)
nexsite = sitesave(session, newsite)
resxml = ET.fromstring(nexsite)
siteid = resxml.attrib.get('site-id')
progress(10)
if resxml.attrib.get('success') == '1':
# Nexpose Scan Site
launchscan = sitescan(session, siteid)
launchres = ET.fromstring(launchscan)
progress(25)
if launchres.attrib.get('success') == '1':
for child in launchres:
scanid = child.attrib.get('scan-id')
status = scanstatus(session, scanid)
statusxml = ET.fromstring(status)
progress(50)
while statusxml.attrib.get('status') == 'running':
sleep(5)
status = scanstatus(session, scanid)
statusxml = ET.fromstring(status)
continue
progress(100)
response += NexposeSite(sitename,
siteid=siteid,
scanid=scanid,
targetip=request.value)
return response
nexlogout(session)
def dotransform(request, response, config):
"""
The dotransform function is our transform's entry point. The request object has the following properties:
- value: a string containing the value of the input entity.
- fields: a dictionary of entity field names and their respective values of the input entity.
- params: any additional command-line arguments to be passed to the transform.
- entity: the information above is serialized into an Entity object. The entity type is determined
by the inputs field in @configure for local transforms. For remote transforms, the entity
type is determined by the information in the body of the request. Local transforms suffer
from one limitation: if more than one entity type is listed in the inputs field of @configure,
the entity type might not be resolvable. Therefore, this should not be referenced in local
transforms if there is more than one input entity type defined in @configure.
The response object is a container for output entities, UI messages, and exception messages. The config object
contains a key-value store of the configuration file.
TODO: write your data mining logic below.
"""
client = get_client(config)
prog = 10
progress(prog)
debug('Starting RiskIQ blacklist lookup...')
url = request.entities[0].value
inc = client.get_blacklist_lookup(url)
prog += 10
progress(prog)
if not inc:
progress(100)
return response
for ent in incident_children(inc):
response += ent
progress(100)
return response
def dotransform(request, response):
# Report transform progress
progress(50)
# Send a debugging message to the Maltego UI console
debug('Maltego Input Entity Value: %s' % request.value)
name = request.value
debug('name: %s' % name)
root = Tkinter.Tk()
root.lift()
root.withdraw()
# TODO Raise exception if no CSV file is selected
csvfilename = tkFileDialog.askopenfilename()
data = csv.DictReader(open(csvfilename), delimiter=',',fieldnames=('Event Id','Event Type','Event Title','Start Time','End Time','Precision','Count','First Published Time','Last Published Time','Sample Fragment','Entities','Locations','Source Count','Positive Sentiment','Negative Sentiment'))
next(data)
for row in data:
event = row['Event Type']+"-"+row['Event Id']
e = RFEvent('%s' % event)
e.eid = row['Event Id']
e.etype = row['Event Type']
e.title = row['Event Title']
e.starttime = row['Start Time']
e.stoptime = row['End Time']
e.fragment = row['Sample Fragment']
e.precision = row['Precision']
e.count = row['Count']
e.firstpublished = row['First Published Time']
e.lastpublished = row['Last Published Time']
e.sourcecount = row['Source Count']
e.possentiment = row['Positive Sentiment']
e.negsentiment = row['Negative Sentiment']
# Add entity to response object
response += e
# Update progress
progress(100)
# Return response for visualization
return response
def dotransform(request, response):
# Report transform progress
progress(50)
# Send a debugging message to the Maltego UI console
debug('Maltego Input Entity Value: %s' % request.value)
eid = request.fields['eid']
debug('Maltego Input Entity eid Field: %s' % eid)
rfapi = APIUtil()
# Limit to the past 6 months.
min_pub = date.today() + relativedelta(months=-6)
cluster_query = {
"cluster": {
"document": {
"published": {
"min": str(min_pub)
}
},
"attributes": [
{
"entity": { "id" : eid },
}
],
"limit": 100
}
}
for eve in rfapi.query(cluster_query).get("events", []):
e = RFEvent(eve['type'] + " [id: {0}]".format(eve['id']));
e.eid = eve['id'];
e.etype = eve['type'];
e.starttime = eve['attributes'].get('start','');
e.stoptime = eve['attributes'].get('stop','');
e.fragment = eve['stats']['top_sources'][0]['fragment'].encode('utf-8');
e.document_link = eve['stats']['top_sources'][0]['document_link'].encode('utf-8');
# Add entity to response object
response += e
# Update progress
progress(100)
# Return response for visualization
return response
def dotransform(request, response):
# Report transform progress
progress(50)
# Send a debugging message to the Maltego UI console
debug('Maltego Input Entity Value: %s' % request.value)
eid = request.fields['eid']
debug('Maltego Input Entity eid Field: %s' % eid)
rfapi = APIUtil()
# Limit to the past 6 months.
min_pub = date.today() + relativedelta(months=-6)
cluster_query = {
"cluster": {
"document": {
"published": {
"min": str(min_pub)
}
},
"attributes": [{
"entity": {
"id": eid
},
}],
"limit": 100
}
}
for eve in rfapi.query(cluster_query).get("events", []):
e = RFEvent(eve['type'] + " [id: {0}]".format(eve['id']))
e.eid = eve['id']
e.etype = eve['type']
e.starttime = eve['attributes'].get('start', '')
e.stoptime = eve['attributes'].get('stop', '')
e.fragment = eve['stats']['top_sources'][0]['fragment'].encode('utf-8')
e.document_link = eve['stats']['top_sources'][0][
'document_link'].encode('utf-8')
# Add entity to response object
response += e
# Update progress
progress(100)
# Return response for visualization
return response
def dotransform(request, response):
# Report transform progress
progress(50)
# Send a debugging message to the Maltego UI console
debug('Maltego Input Entity Value: %s' % request.value)
name = request.value
debug('name: %s' % name)
rfapi = APIUtil()
entity_query = {
"entity": {
"name": name,
"type": ["Company", "Organization"],
"limit": 1
}
}
query_response = rfapi.query(entity_query)
eid = None
for q_eid, q_ent in query_response.get('entity_details', {}).items():
debug("Found eid: {0}".format(q_eid))
name = q_ent['name']
eid = q_eid
etype = q_ent['type']
ent = q_ent
if not eid:
debug("Could not resolve any company/organization named '{0}'".format(
name.encode('utf-8')))
exit(1)
# Create MyRecordedfutureEntity entity with value set to 'Hello <request.value>!'
e = Company('%s' % request.value)
e.eid = eid
# Update progress
progress(100)
# Add entity to response object
response += e
# Return response for visualization
return response
def dotransform(request, response, config):
HIBP = "https://haveibeenpwned.com/api/breachedaccount/" # http://legacy.python.org/dev/peps/pep-0008/#constants
email = request.value
getrequrl = HIBP + email
progress(50)
try:
urllib2_response = urllib2.urlopen(getrequrl) # Renamed "response" due conflict within canari namespace
for rep in urllib2_response:
e = Phrase("Pwned at %s" % rep)
response += e
except:
print ""
progress(100)
return response
def dotransform(request, response, config):
"""
TODO: write your data mining logic below.
"""
# Report transform progress
progress(50)
pattern = re.compile("(.+)@(.+)")
m = pattern.search(request.value)
username = m.group(1).encode("base64").strip()
domain = m.group(2)
url = "http://www.whoismind.com/email/" + username + "-" + domain + ".html"
useragent = 'Mozilla/5.0'
# src = urllib.urlopen(url).read()
req = urllib2.Request(url)
req.add_header("User-Agent", useragent)
# src = BeautifulSoup(urllib2.urlopen(req))
src = urllib2.urlopen(req).read()
for fqdn in re.findall(r"Whois data\">(.*?)</a><br/>",src,re.M):
e = Domain(fqdn)
# Add entity to response object
response += e
# Update progress
progress(100)
# Return response for visualization
return response
def dotransform(request, response):
# Report transform progress
progress(50)
# Send a debugging message to the Maltego UI console
debug('Maltego Input Entity Value: %s' % request.value)
name = request.value
debug('name: %s' % name)
rfapi = APIUtil()
entity_query = {
"entity":{"name":name, "type":["Company", "Organization"], "limit":1}
}
query_response = rfapi.query(entity_query)
eid = None
for q_eid, q_ent in query_response.get('entity_details', {}).items():
debug("Found eid: {0}".format(q_eid))
name = q_ent['name']
eid = q_eid
etype = q_ent['type']
ent = q_ent
if not eid:
debug("Could not resolve any company/organization named '{0}'".format(name.encode('utf-8')))
exit(1)
# Create MyRecordedfutureEntity entity with value set to 'Hello <request.value>!'
e = Company('%s' % request.value)
e.eid = eid
# Update progress
progress(100)
# Add entity to response object
response += e
# Return response for visualization
return response
def dotransform(request, response, config):
HIBP = "https://haveibeenpwned.com/api/breachedaccount/" # http://legacy.python.org/dev/peps/pep-0008/#constants
email = request.value
getrequrl = HIBP + email
progress(50)
try:
urllib2_response = urllib2.urlopen(
getrequrl
) # Renamed "response" due conflict within canari namespace
for rep in urllib2_response:
e = Phrase("Pwned at %s" % rep)
response += e
except:
print ""
progress(100)
return response
def dotransform(request, response, config):
"""
TODO: write your data mining logic below.
"""
# Report transform progress
progress(50)
url = "http://passivedns.mnemonic.no/search/?query=" + request.value + "&method=exact"
src = urllib.urlopen(url).read()
for url in re.findall(r"\.&method=exact\">(.*?)\.</a>",src,re.M):
e = Domain(url)
# Add entity to response object
response += e
# Update progress
progress(100)
# Return response for visualization
return response
def dotransform(request, response, config):
"""
The dotransform function is our transform's entry point. The request object has the following properties:
- value: a string containing the value of the input entity.
- fields: a dictionary of entity field names and their respective values of the input entity.
- params: any additional command-line arguments to be passed to the transform.
- entity: the information above is serialized into an Entity object. The entity type is determined
by the inputs field in @configure for local transforms. For remote transforms, the entity
type is determined by the information in the body of the request. Local transforms suffer
from one limitation: if more than one entity type is listed in the inputs field of @configure,
the entity type might not be resolvable. Therefore, this should not be referenced in local
transforms if there is more than one input entity type defined in @configure.
The response object is a container for output entities, UI messages, and exception messages. The config object
contains a key-value store of the configuration file.
TODO: write your data mining logic below.
"""
# Report transform progress
progress(50)
# Send a debugging message to the Maltego UI console
debug("This was pointless!")
# Create MyMaltego_whoismindEntity entity with value set to 'Hello <request.value>!'
e = MyMaltego_whoismindEntity("Hello %s!" % request.value)
# Setting field values on the entity
e.field1 = 2
e.fieldN = "test"
# Update progress
progress(100)
# Add entity to response object
response += e
# Return response for visualization
return response
def dotransform(request, response):
# Report transform progress
progress(50)
hash = request.value
total=""
try:
e = Hash(hash)
text = ''
resp = urllib2.urlopen('https://innocuous.shadowserver.org/api/?query=' + hash).read()
start_results = resp.find("{")
end_results = resp.find("}")
av_results = resp[start_results+1:end_results].replace('"','')
text += av_results + ','
e += Field('AV Name', text, displayname='AV Name')
response += e
except IOError:
print 'IO Error'
# Update progress
progress(100)
# Return response for visualization
return response
def dotransform(request, response, config):
# Send a debugging message to the Maltego UI console
debug('Fuzing Domains...')
progress(10)
# Create MyPhishwatcherEntity entity with value set to 'Hello <request.value>!'
domains = fuzz_domain(request.value)
progress(50)
#Create simple domain entity for each generated domain
for d in domains:
de = Domain(d)
response += de
progress(100)
# Return response for visualization
return response
#complete_url = "%s/events/restSearch/%s/%s" % (url, apikey, request.value)
debug("Accessing %s" % complete_url)
try:
tree = xml.parse(urllib2.urlopen(complete_url))
except IOError,e:
if hasattr(e, 'code'):
if e.code == 404:
# normal condition
return response
raise
rootElement = tree.getroot()
progress(50)
for a in rootElement.findall('Event'):
# Add entity to response object
e = MISPEvent(a.find('id').text)
e.fieldN = a.find('info').text
response += e
# Setting field values on the entity
#e.field1 = 2
#e.fieldN = 'test'
# Update progress
progress(100)
# Return response for visualization
return response
def dotransform(request, response):
# Report transform progress
progress(50)
# Send a debugging message to the Maltego UI console
debug('Maltego Input Entity Value: %s' % request.value)
eid = request.fields['eid']
debug('Maltego Input Entity eid Field: %s' % eid)
rfapi = APIUtil()
reference_query = {"reference": {"cluster_id": eid, "limit": 100}}
ents = []
seen_ids = set()
seen_ids.add(eid)
for ceid, ent in rfapi.query(reference_query).get("entities", {}).items():
if ceid not in seen_ids:
ent["id"] = ceid
ents.append(ent)
seen_ids.add(ceid)
e = request.value
types = {
'maltego.Person':
'Person',
'recfut.Company': ['Company', 'OrgEntity'],
'recfut.Organization':
'Organization',
'recfut.Product':
'Product',
'recfut.Technology':
'Technology',
'recfut.Position':
'Position',
'maltego.IPv4Address':
'IpAddress',
'maltego.Domain':
"URL",
'maltego.Location': [
'Continent', 'Country', 'City', 'ProvinceOrState', 'Region',
'NaturalFeature', 'GeoEntity'
],
'maltego.File':
'WinExeFile',
'maltego.Twit':
'Username'
}
for ent in ents:
c_type = "maltego.Phrase"
for k, v in types.items():
if type(v) == type([]) and ent['type'] in v:
c_type = k
elif v == ent['type']:
c_type = k
debug('c_type: %s' % c_type)
if c_type == 'maltego.Person':
e = Person('%s' % ent['name'].encode('utf-8'))
debug('ent[\'name\']: %s' % ent['name'].encode('utf-8'))
# Add entity to response object
response += e
if c_type == 'maltego.Phrase':
e = Phrase('%s' % ent['name'].encode('utf-8'))
debug('ent[\'name\']: %s' % ent['name'].encode('utf-8'))
# Add entity to response object
response += e
# TODO Unit Test for Recorded Future API IPv4Address
if c_type == 'maltego.IPv4Address':
e = IPv4Address('%s' % ent['name'].encode('utf-8'))
debug('ent[\'name\']: %s' % ent['name'].encode('utf-8'))
# Add entity to response object
response += e
# TODO Unit Test for Recorded Future API Domain
if c_type == 'maltego.Domain':
e = Domain('%s' % ent['name'].encode('utf-8'))
debug('ent[\'name\']: %s' % ent['name'].encode('utf-8'))
# Add entity to response object
response += e
# TODO Unit Test for Recorded Future API Location
if c_type == 'maltego.Location':
e = Location('%s' % ent['name'].encode('utf-8'))
debug('ent[\'name\']: %s' % ent['name'].encode('utf-8'))
# Add entity to response object
response += e
# TODO Unit Test for Recorded Future API File
if c_type == 'maltego.File':
e = File('%s' % ent['name'].encode('utf-8'))
debug('ent[\'name\']: %s' % ent['name'].encode('utf-8'))
# Add entity to response object
response += e
# TODO Unit Test for Recorded Future API Twit
if c_type == 'maltego.Twit':
e = Twit('%s' % ent['name'].encode('utf-8'))
debug('ent[\'name\']: %s' % ent['name'].encode('utf-8'))
# Add entity to response object
response += e
# Update progress
progress(100)
# Return response for visualization
return response
def dotransform(request, response, config):
"""
The dotransform function is our transform's entry point. The request object has the following properties:
- value: a string containing the value of the input entity.
- fields: a dictionary of entity field names and their respective values of the input entity.
- params: any additional command-line arguments to be passed to the transform.
- entity: the information above is serialized into an Entity object. The entity type is determined
by the inputs field in @configure for local transforms. For remote transforms, the entity
type is determined by the information in the body of the request. Local transforms suffer
from one limitation: if more than one entity type is listed in the inputs field of @configure,
the entity type might not be resolvable. Therefore, this should not be referenced in local
transforms if there is more than one input entity type defined in @configure.
The response object is a container for output entities, UI messages, and exception messages. The config object
contains a key-value store of the configuration file.
TODO: write your data mining logic below.
"""
client = get_client(config)
prog = 10
progress(prog)
debug('Starting RiskIQ passive dns lookup...')
value = request.entities[0].value
if IP_REGEX.match(value):
api_response = client.get_dns_ptr_by_ip(value, rrtype=None)
else:
api_response = client.get_dns_data_by_name(value, rrtype=None)
if not api_response:
progress(100)
return response
dns_data = api_response['records']
a_responses = set()
ns_responses = set()
mx_responses = set()
aaaa_responses = set()
cname_responses = set()
responses = set()
for dns_datum in dns_data:
data = dns_datum['data']
if dns_datum.get('rrtype') == 'A':
a_responses |= set(data)
elif dns_datum.get('rrtype') == 'CNAME':
cname_responses |= set(data)
elif dns_datum.get('rrtype') == 'NS':
ns_responses |= set(data)
elif dns_datum.get('rrtype') == 'MX':
mx_responses |= set(data)
elif dns_datum.get('rrtype') == 'AAAA':
aaaa_responses |= set(data)
elif dns_datum.get('rrtype') == 'TXT':
pass
else:
responses |= set(data)
prog += 40
progress(prog)
for rec in a_responses:
e = IPv4Address(rec)
e.ip = rec
response += e
prog += 10
progress(prog)
"""
for rec in aaaa_responses:
e = IPv6Address(rec)
e.ip = rec
response += e
prog += 10
progress(prog)
"""
for _rec in ns_responses:
rec = fix_dom(_rec)
e = NSRecord(rec)
e.fqdn = rec
response += e
prog += 10
progress(prog)
for _rec in mx_responses:
rec = fix_dom(_rec)
e = MXRecord(rec)
e.fqdn = rec
response += e
prog += 10
progress(prog)
for _rec in cname_responses:
rec = fix_dom(_rec)
e = DNSName(rec)
e.fqdn = rec
response += e
prog += 10
progress(prog)
for _rec in responses:
rec = fix_dom(_rec)
if IP_REGEX.match(rec):
e = IPv4Address(rec)
e.ip = rec
else:
e = DNSName(rec)
e.fqdn = rec
response += e
progress(100)
return response