def getfromip(ip):
print("AS info for IP : " + ip)
from cymruwhois import Client
c = Client()
r = c.lookup(ip)
print(r.asn)
print(r.owner)
def check_ns(domain="gouv.bj"):
result = dns.resolver.resolve(domain, 'NS')
ns_len = len(result)
ns = []
for ipval in result:
ns.append(ipval.to_text())
infos['INFO_NS'] = {
'list': ns,
'number': ns_len,
}
#Get localisation
infos['INFO_NS']['ns_location'] = {}
for name in ns:
ip = socket.gethostbyname(name)
response = requests.get('http://ip-api.com/json/'+ip)
res = response.json()
infos['INFO_NS']['ns_location'][name] = res['country']+", "+res['city']
# Check ASN
if ns_len >= 2:
asn = 0
for name in ns:
ip = socket.gethostbyname(name)
c = Client()
r = c.lookup(ip)
if asn == 0:
asn = r.asn
elif asn != r.asn:
infos['INFO_NS']['same_asn'] = False
else:
asn = r.asn
infos['INFO_NS']['same_asn'] = True
def main():
parser = optparse.OptionParser('%prog ' + \
'-r <ip_file> || -i <ip>')
parser.add_option('-r', dest='ipfile', type='string',\
help='specify target file with ips')
parser.add_option('-i', dest='ip', type='string',\
help='specify target with ip')
(options, args) = parser.parse_args()
ip = options.ip
ipfile = options.ipfile
if ip == None and ipfile == None:
print parser.print_help()
exit(1)
if ip and ipfile :
print parser.usage
exit(1)
if ipfile != None:
ip_list = get_ips(ipfile)
look(ip_list)
else:
c = Client()
try:
try:
r = c.lookup(ip)
except Exception as e:print e
pt = r[ip].prefix + " ------> " + r[ip].ip + "\n" + \
r[ip].cc + "\t" + r[ip].owner
print pt + "\n" + "-"*60
except Exception as e:
print e
def main():
parser = optparse.OptionParser('%prog ' + \
'-r <file_with IPs> || -i <IP>')
parser.add_option('-r', dest='ips', type='string', \
help='specify target file with IPs')
parser.add_option('-i', dest='ip', type='string', \
help='specify a target IP address')
(options, args) = parser.parse_args()
ip = options.ip # Assigns a -i <IP> to variable 'ip'
global ips;
ips = options.ips # Assigns a -r <fileName> to variable 'ips'
if (ips == None) and (ip == None): # If proper arguments aren't given print the script usage
print parser.usage
sys.exit(0)
if ips != None: # Execute if ips has a value
checkFile(ips) # Execute the function to check if the file can be read
iplist = [] # create the ipslist list object
for line in open(ips, 'r'): # Parse File to create a list
iplist.append(line.strip('\n')) # Appends that line in the file to list and removes the new line char
look(iplist) # pass the iplist list object to the look() function
else: # Executes lookup() function for a single IP stored in variable 'ip'
try:
c = Client()
r = c.lookup(ip)
net = r.prefix;
owner = r.owner;
cc = r.cc
line = '%-20s # - %15s (%s) - %s' % (net, ip, cc, owner)
print line
except:pass
def look(iplist):
time.sleep(2) # delays for 2 seconds
c = Client() # creates an instance of the Client class
try:
# print 'here before != None'
# print iplist
# if ips != None:
if iplist != None:
print 'here after !=None'
print iplist
time.sleep(2)
# r = c.lookupmany_dict('8.8.8.8')
r = c.lookupmany_dict(
iplist
) # leverages the lookupmany_dict() function to pass in a list of IPs
for ip in iplist: # Iterates over the ips in the list to use a key value in the dictionary from lookupman_dict()
time.sleep(2) # delays for 2 seconds
print " ip here " + ip
net = r[ip].prefix
owner = r[ip].owner
cc = r[
ip].cc # gets the networking information from the dictionary
# print net
line = '%-20s # - %15s (%s) - %s' % (
net, ip, cc, owner) # formats the line to print cleanly
print line
except:
pass
def getfromhostname(hostname):
print("AS info for hostname :" + hostname)
ip = socket.gethostbyname(hostname)
from cymruwhois import Client
c = Client()
r = c.lookup(ip)
print(r.asn)
print(r.owner)
def look(iplist):
c=Client() # creates an instance of the Client class
try:
r = c.lookupmany_dict(iplist) # leverages the lookupmany_dict() function to pass in a list of IPs
for ip in iplist: # Iterates over the ips in the list to use a key value in the returned dictionary from lookupman_dict()
net = r[ip].prefix; owner = r[ip].owner; cc = r[ip].cc # gets the networking information from the dictionary
line = '%-20s # - %15s (%s) - %s' % (ip,net,cc,owner) # formats the line to print cleanly
print line
except:pass
def getTraceRoute(jsonFile):
import json
import sys
import pygeoip
from AtlasUtils import *
from cymruwhois import Client
c=Client()
inFile = jsonFile
outFile = "tmpASPath.txt"
my_file = open(outFile, "w")
asnDict = open("asnDict.txt","w")
with open(inFile) as data_file:
data = json.load(data_file)
### use GeoIPASNum.dat if system is not connected to Internet. This is a offline database of ip-to-AS mapping
gi = pygeoip.GeoIP('GeoIPASNum.dat')
#
if is_valid_ipv4(data[0]["from"]):
gi = pygeoip.GeoIP('GeoIPASNum.dat')
else :
gi = pygeoip.GeoIP('GeoIPASNumv6.dat')
for index in range(len(data)):
tmpASPath = ""
for cnt in range(len(data[index]["result"])):
if data[index]["result"][cnt].has_key("error"):
print data[index]["result"][cnt]["error"]
else:
for resultrttindex in range(len(data[index]["result"][cnt]["result"])):
#print data[index]["result"][cnt]["result"][resultrttindex]
from_val = "*"
asn_val = False
if data[index]["result"][cnt]["result"][resultrttindex].has_key("from"):
from_val = data[index]["result"][cnt]["result"][resultrttindex]["from"]
tmp = "None"
r=c.lookup(from_val)
asn_val = r.asn+"$"+r.owner
print "%s :--> %s" % (from_val, asn_val)
if isinstance(asn_val, str) and not 'NA' in asn_val:
asnDict.write(asn_val+"\n")
if isinstance(asn_val, str) and not 'NA' in asn_val:
s = tmpASPath.split(" ")
if not s[len(s)-2] == r.asn:
tmpASPath = tmpASPath + r.asn + " "
my_file.write(tmpASPath + "\n")
my_file.close()
asnDict.close()
def api(ip):
c = Client()
r = c.lookup(ip)
print(r.asn)
print(r.owner)
asno = r.asn #as number
asname = r.owner #as name
res = jsonify(ASN=asno, AS=asname)
return res
def use_ip_to_get_isp(ip):
''' This might be redundant on the previous ip lookup, but the owner output
seems to have a might better consistenciy
'''
c = Client() # should probably pull this out of here so not to create it each time
r = c.lookup(ip)
# print r.asn
# print r.owner
return {'isp_name': r.owner}
def tryWhoIs(ip_addr):
try:
c = Client()
r = c.lookup(ip_addr)
name = r.owner
except:
name = "unknown"
return name
def get_isp(ip):
''' Gets the isp name for the ip
Much faster than the ipwhois lookup, but there is no "organization" field.
ip: an ip address parsed out of the log file.
Returns: dict containing isp name for the ip
'''
c = Client() # should probably pull this out of here so not to create it each time
r = c.lookup(ip)
return {'isp_name': r.owner}
def look(iplost): c=Client() # create instance of client class try: if ips != None: r = c.lookupmany_dict(iplist) # uses lookupmany_dict() function to pass in a list of IPs for ip in iplist: net = r[ip].prefix; owner = r[ip].owner; cc = r[ip].cc # gets network info from dict line = '%-20s # - %15s (%s) - %s' % (net,ip,cc,owner) # formats the line to print print line except:pass
def get_asn(ip):
"""use cymruwhois by default instead of pyasn
input ip address as string, return ASN and AS owner"""
if ip:
c = Client()
try:
r = c.lookup(ip)
return r.asn, r.owner
except Exception as e:
print("Error finding ASN for " + ip)
return False, False
def look(iplist):
c = Client() # creates an instance of the Client class
try:
if ips != None:
r = c.lookupmany_dict(iplist) # leverages the lookupmany_dict() function to pass in a list of IPs
for ip in iplist: # Iterates over the ips in the list to use a key value in the dictionary from lookupman_dict()
net = r[ip].prefix;
owner = r[ip].owner;
cc = r[ip].cc # gets the networking information from the dictionary
line = '%-20s # - %15s (%s) - %s' % (net, ip, cc, owner) # formats the line to print cleanly
print line
except:pass
def net_lookup(ips):
try:
c=Client()
ips = list(set(ips)) # uniq IPs
r = c.lookupmany_dict(ips)
for ip in ips:
net = r[ip].prefix; owner = r[ip].owner; cc = r[ip].cc
line = '%-20s # - %15s (%s) - %s' % (ip,net,cc,owner)
print line
except Exception as e:
print e
def look(ip_list):
c = Client()
try:
r = c.lookupmany_dict(ip_list)
for ip in ip_list:
pt = r[ip].prefix + " ------> " + r[ip].ip + "\n" + \
r[ip].cc + "\t" + r[ip].owner
print pt + "\n" + "-"*60
except Exception as e:
print e
pass
def whoisrecord(ip):
currenttime = time.time()
ts = currenttime
if ip in whois:
ASN,ts = whois[ip]
else:
ts = 0
if ((currenttime - ts) > 36000):
C = Client()
ASN = C.lookup(ip)
whois[ip] = (ASN,currenttime)
return ASN
def whoisrecord(ip):
currenttime = time.time()
ts = currenttime
if ip in whois:
ASN, ts = whois[ip]
else:
ts = 0
if ((currenttime - ts) > 36000):
C = Client()
ASN = C.lookup(ip)
whois[ip] = (ASN, currenttime)
return ASN
def get_asn(ip):
"""
Gets asnum for ip using Cymru's API
(https://pythonhosted.org/cymruwhois/api.html)
Stores in cache for future use using the lru_cache decorator
:param ip:
:return: asnum info
"""
client = Client()
result = client.lookup(ip)
return result.asn
def net_lookup(ips):
try:
c = Client()
ips = list(set(ips)) # uniq IPs
r = c.lookupmany_dict(ips)
for ip in ips:
net = r[ip].prefix
owner = r[ip].owner
cc = r[ip].cc
line = '%-20s # - %15s (%s) - %s' % (ip, net, cc, owner)
print line
except Exception as e:
print e
def whoisrecord(ip):
try:
currenttime = time.time()
ts = currenttime
if ip in whois:
ASN,ts = whois[ip]
else:
ts = 0
if ((currenttime - ts) > 36000):
c = Client()
ASN = c.lookup(ip)
whois[ip] = (ASN,currenttime)
return ASN
except Exception as e:
return e
def whoisrecord(ip):
try:
currenttime = time.time()
ts = currenttime
if ip in whois:
ASN,ts = whois[ip]
else:
ts = 0
if ((currenttime - ts) > 36000):
c = Client()
ASN = c.lookup(ip)
whois[ip] = (ASN,currenttime)
return ASN
except Exception as e:
return e
def domain(fqdn, rid):
# mongodb connect
intel_db = MongoClient('127.0.0.1', 27017).intel
collection = intel_db.collection
print '####### cymru.ipv4 #######'
if collection.find_one({
'$and': [{
"rid": str(rid)
}, {
"fqdn": str(fqdn)
}, {
"cc": {
"$exists": True
}
}]
}) != None:
print '\t####### [cymru.domain] already registed [%s] #######' % str(
fqdn)
else:
print '\t####### for new registration [%s] #######' % str(fqdn)
# cymru whois lookup
ip = socket.gethostbyname(fqdn)
c = Client()
r = c.lookup(ip)
ele = collection.find_one(
{'$and': [{
"fqdn": str(fqdn)
}, {
"rid": str(rid)
}]})
if ele == None:
# regist db
result = {
"fqdn": str(fqdn),
"ip": str(ip),
"owner": str(r.owner),
"cc": str(r.cc),
"rid": str(rid)
}
collection.insert_one(result)
else:
# add db
ele["owner"] = str(r.owner)
ele["cc"] = str(r.cc)
collection.save(ele)
class Traceroute:
def __init__(self):
self.client = Client()
def run(self) -> NoReturn:
server = self.parse_args()
ips = self.get_ip_list(server)
print(tabulate([[ip, *self.get_ip_info(ip)] for ip in ips],
headers=['IP', 'ASN', 'Owner', 'Country'],
tablefmt='grid'))
def get_ip_list(self, server: str) -> List[str]:
ips = []
sub = subprocess.run(['traceroute', server], stdout=subprocess.PIPE)
for line in sub.stdout.decode().split('\n')[1:]:
ip = self.extract_ip(line)
if ip:
ips.append(ip)
return ips
def get_ip_info(self, ip: str) -> Tuple[int, str, str]:
r = self.client.lookup(ip)
return r.asn, r.owner, r.cc
@staticmethod
def extract_ip(line: str) -> Optional[str]:
s = re.search(IP_PATTERN, line)
return s.group(0) if s else None
@staticmethod
def parse_args() -> str:
parser = argparse.ArgumentParser()
parser.add_argument('server', type=str, help='Destination URL/IP')
args = parser.parse_args()
return args.server
def net_lookup(ips, results_file):
try:
c = Client()
ips = list(set(ips)) # uniq IPs
r = c.lookupmany_dict(ips)
cidrs = []
for ip in ips:
cidrs.append(r[ip].prefix)
cidrs = list(set(cidrs)) # uniq CIDRs
cidr_results = ", ".join(cidrs)
print "[+] Found Results in CIDRs: " + cidr_results
if results_file:
results_file.write("[+] Found Results in CIDRs: " + cidr_results + "\n")
except Exception as e:
print e
def main():
parser = optparse.OptionParser('%prog ' + '-r <file_with IPs> || -i <IP>')
parser.add_option('-r',
dest='ips',
type='string',
help='specify target file with IPs')
parser.add_option('-i',
dest='ip',
type='string',
help='specify a target IP address')
(options, args) = parser.parse_args()
ip = options.ip # Assigns a -i <IP> to variable 'ip'
global ips
ips = options.ips # Assigns a -r <fileName> to variable 'ips'
if (ips == None) and (
ip == None
): # If proper arguments aren't given print the script usage
print parser.usage
sys.exit(0)
if ips != None: # Execute if ips has a value
# print "ips is not empty here " + ips
checkFile(ips) # Execute the function to check if the file can be read
iplist = [] # create the ipslist list object
for line in open(ips, 'r'): # Parse File to create a list
# iplist.append(line.strip("'" + "\r\n" + "'"))
iplist.append(
line.strip("\r\n")
) # Appends that line in the file to list and removes the new line char
# iplist.append(line.strip('n'))
print "line not empty " + line
print iplist
look(iplist) # pass the iplist list object to the look() function
elif ip != None:
try:
print "here ip not empty " + ip
c = Client()
r = c.lookup(ip)
net = r.prefix
owner = r.owner
cc = r.cc
print net
line = '%-20s # - %15s (%s) - %s' % (net, ip, cc, owner)
print line
except:
pass
def build_ip_db(unique_ips):
''' Builds up a db of ip addresses that were in the server logs.
unique_ips: set of ip's that were seen in the server logs
Returns: the ip db with 'isp_name', 'latitude and 'longitude'
'''
c = Client()
ip_db = shelve.open(opj(data_dir, 'ip.db')) # NOTE again, this might get too big and blow everything up
unique_ips = [ip for ip in unique_ips if ip not in ip_db] # if we have stuff in ip.db already from a previous run
ips_fetching = 'Fetching info for this many IPs: {}'.format(len(unique_ips))
print ips_fetching
logging.info(ips_fetching)
for subset_of_unique_ips in split_list_into_chunks(unique_ips, 10000): # only do 10,000 ip's at a time
for ip_addr, ip_info_dict in c.lookupmany_dict(subset_of_unique_ips).iteritems():
lat, lon = get_lat_and_long(ip_addr) # NOTE maybe take this out so the shelve doesn't ballon too big
ip_db[ip_addr] = {'isp_name': ip_info_dict.owner,
# 'organization': ??? -- would probably need to pull out from whois, but slow and messy
'latitude': lat,
'longitude': lon}
return ip_db
def __init__(self, host, port, db=False, logging="_"):
self._log = utility.logger("jetplane", logging)
self._host = host
self._port = port
self._proxy_ip = None
self._whois_handle = Client()
self._criteria = None
self._max_tours = 0
self._tours = 1
self._takeoff_time = None
self._errors = 0
self._success = False
self._trip_details = []
self._db = db
self._kill_bit = False
if self._db:
self._mongodb_handle = mongodb("127.0.0.1", "27017", "jetplane",
"hanger", "INFO")
self._mdb = self._mongodb_handle.get_con()
def get_asn_mapping(ip_list):
'''
Calls the cymru api service to get ASN from a given IP and checks if its from Bell
:param ip_list: A list of ips to get asn information from
:type ip_list: list of str
:return mapping: Returns a dictionary with key value pairs of (ip:asn_info)
:rtype mapping: dict
'''
mapping = {}
client = Client()
try:
# If the length of the list is 1, do a solo api call
if len(ip_list) == 1:
# Incase the api call returns special characters, catch error and set none
try:
result = client.lookup(ip_list[0])
is_bell = result.asn in CONFIG['bell_asn'].keys()
mapping.update(
{ip_list[0]: {
'asn': result.asn,
'is_bell': is_bell
}})
return mapping
except UnicodeDecodeError:
mapping.update({ip_list[0]: {'asn': None, 'is_bell': None}})
return mapping
for idx, result in enumerate(client.lookupmany(ip_list)):
is_bell = result.asn in CONFIG['bell_asn'].keys()
mapping.update(
{ip_list[idx]: {
'asn': result.asn,
'is_bell': is_bell
}})
return mapping
except UnicodeDecodeError:
# Split list and recall function to find invalid api call and rejoin
mapping_a = get_asn_mapping(ip_list[:len(ip_list) // 2])
mapping_b = get_asn_mapping(ip_list[len(ip_list) // 2:])
mapping_c = mapping_a.copy()
mapping_c.update(mapping_b)
return mapping_c
def main():
global numcnt
numcnt = 0
numcnt = int(numcnt)
parser = optparse.OptionParser('%prog ' + '-r <file_with IPs> || -i <IP>')
parser.add_option('-r',
dest='ips',
type='string',
help='specify target file with IPs')
parser.add_option('-i',
dest='ip',
type='string',
help='specify a target IP address')
(options, args) = parser.parse_args()
ip = options.ip # Assigns a -i <IP> to variable 'ip'
global ips
ips = options.ips # Assigns a -r <fileName> to variable 'ips'
# checkFile(ips)
if ip != None:
try:
c = Client()
r = c.lookup(ip)
net = r.prefix
owner = r.owner
cc = r.cc
line = '%-20s # - %15s (%s) - %s' % (net, ip, cc, owner)
print line
return
except:
pass
if ips != None:
try:
checkFile(ips)
iplist = []
for line in open(ips, 'r'):
cnt += 1
iplist.append(line.strip("\r\n"))
look(iplist, cnt)
except:
pass
def add():
print(request.form['textareaInput'])
fstring=request.form['textareaInput']
originalstring=request.form['textareaInput']
ip = re.findall( r'[0-9]+(?:\.[0-9]+){3}', fstring ) # extracting the IP addresses
lst=[]
c = Client()
for index,item in enumerate(ip):
r = c.lookup(ip[index])
#print(r.asn)
if r.asn != 'NA':
print(r.asn, index, ip[index], r.owner)
lst.append([index,ip[index],r.asn,r.owner,r.cc])
#1 -index, 2-ip, 3-Asnumber, 4-Asname, 5-Location
#print(lst)
for i in lst:
#print(i[1])#printing ips
fstring = fstring.replace(i[1],'<a class="toolTipInfo" data-toggle="tooltip" title="AS number: '+i[2]+'
AS name: '+i[3]+'
Location: '+i[4]+'">'+i[1]+'</a>')
fstring = fstring.replace('\n','<br>') #format to html
uuid.uuid4()
struuid = str(uuid.uuid4())
uniqueid = uuid.uuid4().hex
con = sqlite3.connect(DATABASE)
cur = con.cursor()
cur.execute("INSERT INTO pastes (paste, pasteparsed, routeid) VALUES (?,?,?)",(originalstring,fstring,uniqueid) )
con.commit()
cur.execute("select * from pastes")
users = cur.fetchall();
print(users)
con.close()
return redirect("/paste/"+uniqueid)
def getAsForDomains(domain):
ips = []
# get all ips
for ip in domain['ipaddr']:
theip = ip['ipaddr']
ips.append(theip)
# lookup all ips
c=Client()
resp = c.lookupmany(ips)
# find original ip again
for r in resp:
for ip in domain['ipaddr']:
if ip['ipaddr'] == r.ip:
ip['ipaddr'] = r.ip
ip['cc'] = r.cc
ip['asn'] = r.asn
ip['asnowner'] = r.owner
print " AS: " + r.asn + " / " + r.owner
class Lookup(object):
asndb = None
def __init__(self, pyasn_file=None):
if pyasn_file:
self.asndb = pyasn(pyasn_file)
self.whois = Client()
def lookup(self, ip):
if self.asndb:
asn = self.asndb.lookup(ip)[0]
if asn:
return str(asn)
else:
return self.whois.lookup(ip).asn
def __init__(self, host, port, db=False, logging="_"):
self._log = utility.logger("jetplane", logging)
self._host = host
self._port = port
self._proxy_ip = None
self._whois_handle = Client()
self._criteria = None
self._max_tours = 0
self._tours = 1
self._takeoff_time = None
self._errors = 0
self._success = False
self._trip_details = []
self._db = db
self._kill_bit = False
if self._db:
self._mongodb_handle = mongodb("127.0.0.1", "27017", "jetplane", "hanger", "INFO")
self._mdb = self._mongodb_handle.get_con()
def get_aspath(sagan_results, pyasn_file=None):
'''sort throught traceroute results. it converts
the ip address of each hop in the traceroute to create
and as hop path.
if pyasn_file is passed us that as the ipasn DB file.
otherwise use tc whois'''
if pyasn_file:
asndb = pyasn(pyasn_file)
def _lookup(ip):
asn = asndb.lookup(ip)[0]
if asn:
return str(asn)
else:
whois = Client()
def _lookup(ip):
return whois.lookup(ip).asn
asn_paths = []
for result in sagan_results:
if result.is_error:
logging.error('{}: {}'.format(result, result.error_message))
continue
asn_path = []
logging.debug('Checking: {}'.format(result.source_address))
msm_asn = _lookup(result.source_address)
if msm_asn:
logging.debug('Adding: {}'.format(msm_asn))
asn_path.append(msm_asn)
for hop in result.hops:
for packet in hop.packets:
if packet.origin:
logging.debug('Checking: {}'.format(packet.origin))
asn = _lookup(packet.origin)
if asn and asn != asn[-1]:
logging.debug('Adding: {}'.format(asn))
asn_path.append(asn)
break
logging.info('Found path: {}'.format(asn_path))
asn_paths.append(asn_path)
return asn_paths
#!/usr/bin/python
from cymruwhois import Client
import sys
#log file location hard coded, change to suit environment
logfile = open('/var/log/honeypot/honeyd.log','r')
source = []
for line in logfile:
source.append(line.split(' ')[3])
src_country = []
src_count = []
c = Client()
results = c.lookupmany_dict( set(source) )
for res in results:
country = results[res].cc
try:
pos = src_country.index( country )
src_count[pos] += 1
except:
src_country.append( country )
src_count.append( 1 )
for i in range( 0, ( len( src_country ) - 1 ) ):
sys.stdout.write( "%s:\t%i\n" %( src_country[i], src_count[i] ) )
web_user = None
web_pass = None
proxy_user = None
proxy_pass = None
delay = 0
name_lookup = False
salt = False
backup_salt = False
urlencode = False
shut_up = False
web_lookup = False
email_lookup = False
google_dict_search = False
google_query_dict = False
whois = False
whois_client = WhoisClient()
web_client = httplib2.Http()
###[ Subroutines
def usage():
"""
Guess what ;)
"""
print "Chaosmap " + version
print "Coded by Bastian Ballmann"
print "http://www.datenterrorist.de\n"
print "Usage: " + sys.argv[0] + """
-b <base_url>
-B(ackup salt)
# SOFTWARE.
# Tip jars!
# Bitcoin Cash (BCH) qpz32c4lg7x7lnk9jg6qg7s4uavdce89myax5v5nuk
# Ether (ETH) - 0x843d3DEC2A4705BD4f45F674F641cE2D0022c9FB
# Litecoin (LTC) - Lfk5y4F7KZa9oRxpazETwjQnHszEPvqPvu
# Bitcoin (BTC) - 34L8qWiQyKr8k4TnHDacfjbaSqQASbBtTd
#Created by https://github.com/tg12
import requests
import re
import tabulate
from fake_useragent import UserAgent
from cymruwhois import Client
c = Client()
ua = UserAgent()
headers = {
'User-Agent': ua.random,
}
ips_to_check = []
ip_data = []
lists_to_agg = [
"https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/091/590/original/ip_filter.blf?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIXACIED2SPMSC7GA%2F20200503%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200503T173407Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=10feb0d139742092e98186a296d30ada45ee9081777ab8197d0c5daf0308384b",
"http://talosintel.com/feeds/ip-filter.blf",
"https://reputation.alienvault.com/reputation.generic",
"https://www.matthewroberts.io/api/threatlist/latest",
"https://threatintel.stdominics.sa.edu.au/",
"https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt",
def __init__(self):
self.client = Client()
web_user = None
web_pass = None
proxy_user = None
proxy_pass = None
delay = 0
name_lookup = False
salt = False
backup_salt = False
urlencode = False
shut_up = False
web_lookup = False
email_lookup = False
google_dict_search = False
google_query_dict = False
whois = False
whois_client = WhoisClient()
web_client = httplib2.Http()
###[ Subroutines
def usage():
"""
Guess what ;)
"""
print "Chaosmap " + version
print "Coded by Bastian Ballmann"
print "http://www.datenterrorist.de\n"
print "Usage: " + sys.argv[0] + """
-b <base_url>
-B(ackup salt)
def asn_lookup(asn):
cymru_client = Client()
req = cymru_client.lookup("AS" + asn)
cc_data = req.cc
return cc_data
class jetplane:
def __init__(self, host, port, db=False, logging="_"):
self._log = utility.logger("jetplane", logging)
self._host = host
self._port = port
self._proxy_ip = None
self._whois_handle = Client()
self._criteria = None
self._max_tours = 0
self._tours = 1
self._takeoff_time = None
self._errors = 0
self._success = False
self._trip_details = []
self._db = db
self._kill_bit = False
if self._db:
self._mongodb_handle = mongodb("127.0.0.1", "27017", "jetplane", "hanger", "INFO")
self._mdb = self._mongodb_handle.get_con()
def take_off(self, criteria, tours):
self._takeoff_time = time.time()
self._max_tours = tours + 1
self._criteria = criteria.lower()
self._log.info("Trip details: max tours - %d, local - %s" % (self._max_tours, self._criteria))
r = self._world_tour()
return r
def _world_tour(self):
self._log.info("Baggage check number %d" % self._tours)
time.sleep(3) # naptime
self._log.info("Tickets purchased to %s" % self._criteria)
self._flush_addr() # kill off any address we had before
self._log.info("Safety and pre-flight checks")
time.sleep(7)
# accept 3 errors before ditching
for i in range(0, 2):
prox_run = self._proxy_check() # see what TOR gave us
if prox_run:
break
else:
if i == 1:
return False
for i in range(0, 2):
who_run = self._whoami() # pull out the decision
if who_run:
break
else:
if i == 1:
return False
self._decide() # did we land in the right area
return True
def _flush_addr(self):
self._log.info("Boarding the plane")
sout = Popen(["/etc/init.d/tor", "restart"], stdout=PIPE, stderr=STDOUT).communicate()[0]
def _proxy_check(self):
self._headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0",
"Connection": "Keep-Alive",
}
self._proxies = {"http": self._host + ":" + self._port}
self._urls = [
"http://whatismyipaddress.com/",
"http://www.whatsmyip.us/",
"http://www.ipchicken.com/",
"http://www.whatsmyip.info/",
"http://www.whatsmyip.in/",
"http://www.whatsmyip.cc/",
"http://ipswift.com",
]
self._url = self._urls[random.randint(0, len(self._urls) - 1)]
self._log.info("Fetching address data from %s" % self._url)
response = requests.get(self._url, proxies=self._proxies)
if response.status_code == 200:
try:
self._proxy_ip = re.search(
r"((2[0-5]|1[0-9]|[0-9])?[0-9]\.){3}((2[0-5]|1[0-9]|[0-9])?[0-9])", response.content
).group()
self._log.info("Query returned %s" % self._proxy_ip)
return True
except:
self._log.error("Failed to find IP address using %s" % self._url)
self._errors += 1
return False
else:
self._proxy_ip = "127.0.0.1"
self._log.error("Query failed, flushing again")
self._errors += 1
return False
def _whoami(self):
try:
self._whois_data = self._whois_handle.lookup(self._proxy_ip)
self._addr_owner = self._whois_data.owner
self._addr_asn = self._whois_data.asn
self._addr_prefix = self._whois_data.prefix
self._addr_cc = self._whois_data.cc
return True
except Exception, e:
self._log.error("Failed to gather WHOIS for %s" % self._proxy_ip)
self._log.info(str(e))
self._errors += 1
return False
def __init__(self, pyasn_file=None):
if pyasn_file:
self.asndb = pyasn(pyasn_file)
self.whois = Client()
def process_pcaps(pcap_file):
aggr_dict = {}
ROWS = 256
COLUMNS = 256
sport_grid = []
for row in range(ROWS):
sport_grid.append([])
for column in range(COLUMNS):
sport_grid[row].append(0)
dport_grid = []
for row in range(ROWS):
dport_grid.append([])
for column in range(COLUMNS):
dport_grid[row].append(0)
print("Reading pcap file " + pcap_file + "...")
sys.stdout.flush()
proto_dict = {17: 'UDP', 6: 'TCP'}
ip_dports = {}
packet_count = 0
start_time = None
end_time = None
with PcapReader(pcap_file) as packets:
for packet in packets:
try:
if (IP in packet) and (packet.proto in proto_dict.keys()):
if packet_count == 0:
start_time = packet.time
else:
end_time = packet.time
packet_count += 1
proto_name = proto_dict[packet.proto]
l3 = packet['IP']
l4 = packet[proto_name]
if (l3.src != '0.0.0.0' and l3.src != '255.255.255.255'
and l3.dst != '0.0.0.0'
and l3.dst != '255.255.255.255'):
if l3.src not in aggr_dict:
aggr_dict[l3.src] = {}
if l3.dst not in aggr_dict[l3.src]:
aggr_dict[l3.src][l3.dst] = 0
aggr_dict[l3.src][l3.dst] += len(packet.payload)
# get ports
if l3.src not in ip_dports:
ip_dports[l3.src] = []
ip_dports[l3.src].append(l4.dport)
except:
# packet failed to parse, skipping
pass
print("done")
ROWS = 289
COLUMNS = 289
private_grid = []
for row in range(ROWS):
private_grid.append([])
for column in range(COLUMNS):
private_grid[row].append([0, 0])
private_map = populate_1918_space()
ROWS = 256
COLUMNS = 256
asn_dict = {}
c = Client()
for host in aggr_dict:
if len(aggr_dict[host]) > 1:
# get sent bytes
print("host: {0}".format(host))
with open('www/static/img/maps/manifest.txt', 'a+') as f:
f.write(pcap_file.split("/")[-1] + ": " + host + "\n")
for port in ip_dports[host]:
dport_grid[int(port / ROWS)][port % ROWS] = 1
for peer in aggr_dict[host]:
try:
r = c.lookup(peer)
if not r.asn:
if not r.cc:
# RFC 1918, etc.
#print "peer:", peer, "bytes out :", aggr_dict[host][peer]
priv_arr = private_map[".".join(
peer.split(".")[:-1])]
private_grid[priv_arr[0]][
priv_arr[1]][1] += aggr_dict[host][peer]
else:
print(
"found public IP without an ASN: {0} bytes out: {1}"
.format(peer, aggr_dict[host][peer]))
else:
# public ip space
if r.asn in asn_dict:
asn_dict[
r.asn]['bytes_out'] += aggr_dict[host][peer]
else:
asn_dict[r.asn] = {
'owner': r.owner,
'bytes_out': aggr_dict[host][peer],
'bytes_in': 0
}
except Exception as e:
print("{0} FAILED TO LOOKUP ASN".format(peer))
print(str(sys.exc_info()[0]) + str(e))
else:
if host in ip_dports:
for port in ip_dports[host]:
sport_grid[int(port / ROWS)][port % ROWS] = 2
# get received bytes
dst = None
# there is only one to loop through
for d in aggr_dict[host]:
dst = d
try:
r = c.lookup(host)
if not r.asn:
if not r.cc:
# RFC 1918, etc.
#print "peer:", host, "bytes in:", aggr_dict[host][dst]
priv_arr = private_map[".".join(host.split(".")[:-1])]
private_grid[priv_arr[0]][
priv_arr[1]][0] += aggr_dict[host][dst]
else:
print(
"found public IP without an ASN: {0} bytes out: {1}"
.format(host, aggr_dict[host][dst]))
else:
# public ip space
if r.asn in asn_dict:
asn_dict[r.asn]['bytes_in'] += aggr_dict[host][dst]
else:
asn_dict[r.asn] = {
'owner': r.owner,
'bytes_in': aggr_dict[host][dst],
'bytes_out': 0
}
except Exception as e:
print("{0} FAILED TO LOOKUP ASN".format(host))
print(str(sys.exc_info()[0]) + str(e))
asn_grid = []
for row in range(ROWS):
asn_grid.append([])
for column in range(COLUMNS):
asn_grid[row].append([0, 0])
for asn in asn_dict:
try:
asn_num = int(asn)
if asn_num < 65536:
asn_grid[int(asn_num / ROWS)][asn_num % ROWS] = [
asn_dict[asn]['bytes_in'], asn_dict[asn]['bytes_out']
]
else:
print(
"ALERT!!!! high external asn: {0} asn owner: {1} total bytes sent: {2} total bytes received: {3}"
.format(asn, asn_dict[asn]['owner'],
asn_dict[asn]['bytes_out'],
asn_dict[asn]['bytes_in']))
except Exception as e:
print(str(e))
return asn_grid, private_grid, sport_grid, dport_grid, packet_count, humanize.naturaldelta(
datetime.utcfromtimestamp(end_time) -
datetime.utcfromtimestamp(start_time))
ip_file.close()
ip_cnt = int(len(ip_lines))
## Running
print("\n[ API Server - whois.cymru.com / whois.kisa.or.kr ]")
print(
"-----------------------------------------------------------------------------------"
)
print("[*]\t[Search IP]\t[Cymru/KISA]\t[AS Name]")
print(
"-----------------------------------------------------------------------------------"
)
for line in ip_lines:
ip = socket.gethostbyname(line)
c = Client()
r = c.lookup(ip)
a = r.owner
f = re.findall("[A-Z]{2}", a)
c = len(f)
url = "http://whois.kisa.or.kr/openapi/whois.jsp?query=" + line + "&key=2018052409355407130895&answer=json"
res = requests.get(url, verify=False)
dict = json.loads(res.text)
if f[c - 1] == "KR":
kr_chk = "Korea"
'''
whois = open(save_file, "a",encoding="utf-8")
whois.writelines("[Korea]\n")
whois.close()
## Doesn't work
from cymruwhois import Client
c=Client()
print 'enter filename'
filename = raw_input()
txt = open(filename)
print
f = open("output/list2asn.txt",'w')
for ip in txt:
s = str((c.lookup(ip))) + '\n'
f.write(s)
ip = raw_input() from cymruwhois import Client c=Client() r=c.lookup(ip) print r
class jetplane:
def __init__(self, host, port, db=False, logging="_"):
self._log = utility.logger("jetplane", logging)
self._host = host
self._port = port
self._proxy_ip = None
self._whois_handle = Client()
self._criteria = None
self._max_tours = 0
self._tours = 1
self._takeoff_time = None
self._errors = 0
self._success = False
self._trip_details = []
self._db = db
self._kill_bit = False
if self._db:
self._mongodb_handle = mongodb("127.0.0.1", "27017", "jetplane",
"hanger", "INFO")
self._mdb = self._mongodb_handle.get_con()
def take_off(self, criteria, tours):
self._takeoff_time = time.time()
self._max_tours = tours + 1
self._criteria = criteria.lower()
self._log.info("Trip details: max tours - %d, local - %s" %
(self._max_tours, self._criteria))
r = self._world_tour()
return r
def _world_tour(self):
self._log.info("Baggage check number %d" % self._tours)
time.sleep(3) #naptime
self._log.info("Tickets purchased to %s" % self._criteria)
self._flush_addr() #kill off any address we had before
self._log.info("Safety and pre-flight checks")
time.sleep(7)
#accept 3 errors before ditching
for i in range(0, 2):
prox_run = self._proxy_check() #see what TOR gave us
if prox_run:
break
else:
if i == 1:
return False
for i in range(0, 2):
who_run = self._whoami() #pull out the decision
if who_run:
break
else:
if i == 1:
return False
self._decide() #did we land in the right area
return True
def _flush_addr(self):
self._log.info("Boarding the plane")
sout = Popen(['/etc/init.d/tor', 'restart'],
stdout=PIPE,
stderr=STDOUT).communicate()[0]
def _proxy_check(self):
self._headers = {
'User-Agent':
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0',
'Connection': 'Keep-Alive'
}
self._proxies = {"http": self._host + ":" + self._port}
self._urls = [
'http://whatismyipaddress.com/', 'http://www.whatsmyip.us/',
'http://www.ipchicken.com/', 'http://www.whatsmyip.info/',
'http://www.whatsmyip.in/', 'http://www.whatsmyip.cc/',
'http://ipswift.com'
]
self._url = self._urls[random.randint(0, len(self._urls) - 1)]
self._log.info("Fetching address data from %s" % self._url)
response = requests.get(self._url, proxies=self._proxies)
if response.status_code == 200:
try:
self._proxy_ip = re.search(
r'((2[0-5]|1[0-9]|[0-9])?[0-9]\.){3}((2[0-5]|1[0-9]|[0-9])?[0-9])',
response.content).group()
self._log.info("Query returned %s" % self._proxy_ip)
return True
except:
self._log.error("Failed to find IP address using %s" %
self._url)
self._errors += 1
return False
else:
self._proxy_ip = "127.0.0.1"
self._log.error("Query failed, flushing again")
self._errors += 1
return False
def _whoami(self):
try:
self._whois_data = self._whois_handle.lookup(self._proxy_ip)
self._addr_owner = self._whois_data.owner
self._addr_asn = self._whois_data.asn
self._addr_prefix = self._whois_data.prefix
self._addr_cc = self._whois_data.cc
return True
except Exception, e:
self._log.error("Failed to gather WHOIS for %s" % self._proxy_ip)
self._log.info(str(e))
self._errors += 1
return False
import socket
from cymruwhois import Client
ip = '100.10.1.63'
ip_2 = '102.164.120.10'
ip_3 = '102.80.10.106'
ip_4 = '102.80.101.132'
c = Client()
#instead of puting lookup(ip) in the loop and get weird results, instead use lookupmany(ips) to return the results
for r in c.lookupmany([ip, ip_2, ip_3, ip_4]):
print r.owner
#using cymruwhois to convert ips to asn and country code on the commandline
#cymruwhois /home/Marting/Videos/work/ips.txt -f asn,cc > /home/Marting/Videos/work/cyrmu_output.txt
kmlheader = '<?xml version="1.0" encoding="UTF-8"?>\
\n<kml xmlns="http://www.opengis.net/kml/2.2">\n<Document>\n'
kmlfooter = '</Document>\n</kml>\n'
kmldoc=kmlheader+plotIPs(iplistwithnullsremoved)+kmlfooter
f = open('plot.kml', 'w')
f.write(kmldoc)
f.close()
if __name__ == "__main__":
c=Client()
gi = pygeoip.GeoIP('GeoIP.dat/GeoLiteCity.dat')
#check for file and age, download if appropriate
if os.path.isfile(csvfilename):
filetimestamp = datetime.datetime.fromtimestamp(os.stat(csvfilename).st_mtime)
delta = datetime.datetime.now() - filetimestamp
if delta.days > 2:
getupdatedlist()
else:
getupdatedlist()
if os.path.isfile(csvfilename):
malwarelist = readcsv(csvfilename)