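def run(self, conf, args, plugins):
    """Print local intelligence about one IP address (``args.IP``).

    Sources used, in order: MaxMind (city/country/ASN/CAIDA type via
    ``self.ipinfo``), the pyasn prefix database (``self.asncidr``) with the
    ASN name looked up in the ``self.asnname`` file, reverse-DNS details
    returned by ``ipinfo``, and finally a list of pivot URLs for IPv4.

    Exits with status 1 when the address is invalid or when the pyasn data
    files are missing (``harpoon update`` has not been run).
    """
    ip = unbracket(args.IP)
    if not is_ip(ip):
        print("Invalid IP address")
        sys.exit(1)
    # FIXME: move code here in a library
    ipinfo = self.ipinfo(ip)
    print("MaxMind: Located in %s, %s" % (ipinfo["city"], ipinfo["country"]))
    if ipinfo["asn"] == 0:
        print("MaxMind: IP not found in the ASN database")
    else:
        print("MaxMind: ASN%i, %s" % (ipinfo["asn"], ipinfo["asn_name"]))
        # CAIDA type only makes sense once an ASN was found.
        print("CAIDA Type: %s" % ipinfo["asn_type"])
    try:
        asndb2 = pyasn.pyasn(self.asncidr)
        res = asndb2.lookup(ip)
    except OSError:
        print("Configuration files are not available")
        print("Please run harpoon update before using harpoon")
        sys.exit(1)
    if res[1] is None:
        print("IP not found in ASN database")
    else:
        # Search for name: lines of the form "ASN|name|..."; stop at the
        # first match.  The context manager closes the handle the original
        # code leaked.
        name = ""
        with open(self.asnname, "r") as f:
            for line in f:
                s = line.split("|")
                if s[0] == str(res[0]):
                    name = s[1].strip()
                    break
        print("ASN %i - %s (range %s)" % (res[0], name, res[1]))
    if ipinfo["hostname"] != "":
        print("Hostname: %s" % ipinfo["hostname"])
    if ipinfo["specific"] != "":
        print("Specific: %s" % ipinfo["specific"])
    ipy = IP(ip)
    if ipy.iptype() == "PRIVATE":
        # The original had a bare string expression here, which is a no-op.
        print("Private IP")
    print("")
    if ipy.version() == 4:
        # `ip` passed is_ip() above, so it is safe to splice into these URLs.
        print("Censys:\t\thttps://censys.io/ipv4/%s" % ip)
        print("Shodan:\t\thttps://www.shodan.io/host/%s" % ip)
        print("IP Info:\thttp://ipinfo.io/%s" % ip)
        print("BGP HE:\t\thttps://bgp.he.net/ip/%s" % ip)
        print("IP Location:\thttps://www.iplocation.net/?query=%s" % ip)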
def run(self, conf, args, plugins):
    """Report whether ``args.IP`` appears in the public Tor exit-node list.

    The list comes from ``self.get_list()``; an empty or missing list is
    reported as unreachable.  Exits with status -1 on an invalid address.
    Membership is an exact string comparison, so an address written in a
    non-canonical form may not match — presumably the list is canonical.
    """
    address = unbracket(args.IP)
    if not is_ip(address):
        print("Invalid IP address")
        sys.exit(-1)
    exit_nodes = self.get_list()
    if not exit_nodes:
        print("Impossible to reach the Tor Exit node list")
        return
    if address in exit_nodes:
        print("{} is a Tor Exit node".format(address))
    else:
        print(
            "{} is not listed in the Tor Exit node public list".format(
                address))
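def asncount():
    """
    Take a list of IP addresses as an IP and count them by ASN

    IPs are read from the positional arguments or, when none are given,
    from whitespace-separated tokens on stdin.  Invalid tokens are reported
    and skipped; ASN 0 is printed as "Unknown".  Output is one line per ASN,
    most frequent first.
    """
    import sys
    from collections import Counter

    parser = argparse.ArgumentParser(description='Count IP addresses by ASN')
    parser.add_argument('IP', type=str, nargs='*', default=[], help="IP addresses")
    args = parser.parse_args()
    # sys.stdin is portable; "/dev/stdin" only exists on Unix-like systems.
    ips = args.IP if args.IP else sys.stdin.read().split()
    ipc = CommandIp()
    asnc = CommandAsn()
    asns = Counter()
    error = False
    for ip in ips:
        clean = unbracket(ip)
        if is_ip(clean):
            asns[ipc.ip_get_asn(clean)['asn']] += 1
        else:
            # The rejected token is echoed verbatim; if the input file is
            # untrusted this could carry terminal control characters.
            print('%s is not a valid IP address' % ip)
            error = True
    if error:
        print('')
    # most_common() sorts by count descending and keeps first-seen order
    # for ties, exactly like the original sorted(..., reverse=True).
    for asnn, nb in asns.most_common():
        name = "Unknown" if asnn == 0 else asnc.asnname(asnn)
        print("%i\tASN%-6i\t%s" % (nb, asnn, name))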
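def countrycount():
    """
    Count country from which IPs are

    IPs are read from the positional arguments or, when none are given,
    from whitespace-separated tokens on stdin.  Invalid tokens are reported
    and skipped.  Output is one line per country, most frequent first.
    """
    import sys
    from collections import Counter

    parser = argparse.ArgumentParser(
        description='Count IP addresses by Country')
    parser.add_argument('IP', type=str, nargs='*', default=[], help="IP addresses")
    args = parser.parse_args()
    # sys.stdin is portable; "/dev/stdin" only exists on Unix-like systems.
    ips = args.IP if args.IP else sys.stdin.read().split()
    ipc = CommandIp()
    countries = Counter()
    error = False
    for ip in ips:
        clean = unbracket(ip)
        if is_ip(clean):
            # Reverse DNS is skipped: only the country field is needed.
            countries[ipc.ipinfo(clean, dns=False)['country']] += 1
        else:
            print('%s is not a valid IP address' % ip)
            error = True
    if error:
        print('')
    # most_common() sorts by count descending, first-seen order for ties.
    for cnn, nb in countries.most_common():
        print("%i\t%s" % (nb, cnn))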
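def run(self, conf, args, plugins):
    """Resolve ``args.TARGET`` and print the results.

    For an IP address only the PTR record is printed.  For a hostname,
    ``--extended`` dumps every record type in ``self.all_types``
    (best-effort, failures are skipped); otherwise A, AAAA, NS, MX, SOA and
    TXT are queried and A/NS/MX targets are enriched with ASN and location
    data from the ``ip`` plugin.

    NOTE(review): PTR/TXT payloads and NS/MX names are attacker-controlled
    strings printed verbatim; sanitising control characters before writing
    to a terminal would be prudent.
    """
    # Both "no such name" and "name exists but no record of that type" mean
    # the same thing for this report.
    no_record = (resolver.NoAnswer, resolver.NXDOMAIN)
    target = unbracket(args.TARGET)
    if is_ip(target):
        # That's an IP address
        ptr_n = str(reversename.from_address(target))
        try:
            answer = list(resolver.query(ptr_n, "PTR"))[0]
            print("%s - %s" % (ptr_n, str(answer)))
        except no_record:
            print("%s - %s" % (ptr_n, "NXDOMAIN"))
        return

    cip = plugins['ip']
    if args.extended:
        for a in self.all_types:
            try:
                answers = resolver.query(target, a)
                for rdata in answers:
                    print(a, ':', rdata.to_text())
            except Exception:
                # Deliberate best-effort: unsupported or failing record
                # types are silently skipped.
                pass
        return

    # A
    print("# A")
    try:
        answers = resolver.query(target, 'A')
    except no_record:
        print("No A entry")
    else:
        for rdata in answers:
            info = cip.ipinfo(rdata.address)
            print("%s: ASN%i %s - %s %s" % (
                rdata.address, info['asn'], info['asn_name'],
                info['city'], info['country']))
    # AAAA
    print("")
    print("# AAAA")
    try:
        answers = resolver.query(target, 'AAAA')
        for rdata in answers:
            print(rdata.address)
    except no_record:
        print("No AAAA entry configured")
    # DNS Servers
    print("\n# NS")
    try:
        answers = resolver.query(target, 'NS')
    except (resolver.NoAnswer, resolver.NXDOMAIN, resolver.NoNameservers):
        # That's pretty unlikely
        print("No NS entry configured")
    else:
        for entry in answers:
            ttarget = str(entry.target)
            if is_ip(ttarget):
                # Pretty unlikely
                info = cip.ipinfo(ttarget)
                print("%s - ASN%i %s - %s %s" % (
                    ttarget, info['asn'], info['asn_name'],
                    info['city'], info['country']))
            else:
                try:
                    ip = [b.address for b in resolver.query(ttarget, 'A')][0]
                except no_record:
                    # Hostname without IPv4 (the original only caught
                    # NXDOMAIN here and crashed on NoAnswer).
                    print(ttarget)
                else:
                    # Hostname
                    info = cip.ipinfo(ip)
                    print("%s - %s - ASN%i %s - %s %s" % (
                        ttarget, ip, info['asn'], info['asn_name'],
                        info['city'], info['country']))
    # MX
    print("\n# MX:")
    try:
        answers = resolver.query(target, 'MX')
    except no_record:
        print("No MX entry configured")
    else:
        for rdata in answers:
            # NOTE(review): rdata.exchange is a dns.name.Name object;
            # is_ip() is assumed to accept it — confirm, or wrap in str().
            if is_ip(rdata.exchange):
                # IP directly
                info = cip.ipinfo(rdata.exchange)
                print("%i %s - ASN%i %s - %s %s" % (
                    rdata.preference, rdata.exchange, info['asn'],
                    info['asn_name'], info['city'], info['country']))
            else:
                try:
                    ip = [b.address for b in resolver.query(rdata.exchange, 'A')][0]
                except no_record:
                    # Hostname without IPv4 (the original only caught
                    # NoAnswer here and crashed on NXDOMAIN).
                    print(rdata.exchange)
                else:
                    # Hostname
                    info = cip.ipinfo(ip)
                    print("%i %s - %s - ASN%i %s - %s %s" % (
                        rdata.preference, rdata.exchange, ip, info['asn'],
                        info['asn_name'], info['city'], info['country']))
    # SOA
    print("\n# SOA")
    try:
        answers = resolver.query(target, 'SOA')
    except no_record:
        print("No SOA entry configured")
    else:
        entry = list(answers)[0]
        print("NS: %s" % str(entry.mname))
        print("Owner: %s" % self.owner_to_email(str(entry.rname)))
    # TXT
    print("\n# TXT:")
    try:
        answers = resolver.query(target, 'TXT')
    except no_record:
        print("No TXT entry configured")
    else:
        for a in answers:
            print(a.to_text())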
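def run(self, conf, args, plugins):
    """Handle the ``ip`` command: ``info`` and ``intel`` subcommands.

    ``info`` prints MaxMind geolocation/ASN data, the pyasn ASN and prefix,
    reverse-DNS details and a few pivot URLs for ``args.IP``.

    ``intel`` queries OTX, Robtex, PassiveTotal, VirusTotal (private API
    only), GreyNoise and Threat Grid — each third-party source only when its
    plugin configuration passes ``test_config`` — and prints an aggregated
    report: intelligence pulses/OSINT, malware, files and passive DNS.

    Exits with status 1 on an invalid IP or missing pyasn data files; falls
    back to the parser help when no recognised subcommand is given.
    """
    import datetime

    if 'subcommand' not in args:
        self.parser.print_help()
        return

    if args.subcommand == 'info':
        if not is_ip(unbracket(args.IP)):
            print("Invalid IP address")
            sys.exit(1)
        # FIXME: move code here in a library
        ip = unbracket(args.IP)
        try:
            ipy = IP(ip)
        except ValueError:
            print('Invalid IP format, quitting...')
            return
        ipinfo = self.ipinfo(ip)
        print('MaxMind: Located in %s, %s' % (ipinfo['city'], ipinfo['country']))
        if ipinfo['asn'] == 0:
            print("MaxMind: IP not found in the ASN database")
        else:
            print('MaxMind: ASN%i, %s' % (ipinfo['asn'], ipinfo['asn_name']))
        try:
            asndb2 = pyasn.pyasn(self.asncidr)
            res = asndb2.lookup(ip)
        except OSError:
            # Same handling as the other lookup paths in this file: the data
            # files come from "harpoon update" and may be absent.
            print("Configuration files are not available")
            print("Please run harpoon update before using harpoon")
            sys.exit(1)
        if res[1] is None:
            print("IP not found in ASN database")
        else:
            # Search for name: lines of the form "ASN|name|..."; stop at the
            # first match.  The original never closed the file handle.
            name = ''
            with open(self.asnname, 'r') as f:
                for line in f:
                    s = line.split('|')
                    if s[0] == str(res[0]):
                        name = s[1].strip()
                        break
            print('ASN %i - %s (range %s)' % (res[0], name, res[1]))
        if ipinfo['hostname'] != '':
            print('Hostname: %s' % ipinfo['hostname'])
        if ipinfo['specific'] != '':
            print("Specific: %s" % ipinfo['specific'])
        if ipy.iptype() == "PRIVATE":
            # The original had a bare string expression here (a no-op).
            print("Private IP")
        print("")
        if ipy.version() == 4:
            # `ip` passed is_ip() above, so it is safe to splice into URLs.
            print("Censys:\t\thttps://censys.io/ipv4/%s" % ip)
            print("Shodan:\t\thttps://www.shodan.io/host/%s" % ip)
            print("IP Info:\thttp://ipinfo.io/%s" % ip)
            print("BGP HE:\t\thttps://bgp.he.net/ip/%s" % ip)
            print("IP Location:\thttps://www.iplocation.net/?query=%s" % ip)

    elif args.subcommand == "intel":
        ip = unbracket(args.IP)
        if not is_ip(ip):
            print("Invalid IP address")
            sys.exit(1)
        # Start with MISP and OTX to get Intelligence Reports
        print('###################### %s ###################' % ip)
        passive_dns = []
        urls = []
        malware = []
        files = []

        # OTX
        otx_e = plugins['otx'].test_config(conf)
        if otx_e:
            print('[+] Downloading OTX information....')
            otx = OTXv2(conf["AlienVaultOtx"]["key"])
            res = otx.get_indicator_details_full(IndicatorTypes.IPv4, ip)
            otx_pulses = res["general"]["pulse_info"]["pulses"]
            # Get Passive DNS
            if "passive_dns" in res:
                for r in res["passive_dns"]["passive_dns"]:
                    passive_dns.append({
                        "domain": r['hostname'],
                        "first": parse(r["first"]),
                        "last": parse(r["last"]),
                        "source": "OTX"
                    })
            if "url_list" in res:
                for r in res["url_list"]["url_list"]:
                    urls.append(r)

        # RobTex
        print('[+] Downloading Robtex information....')
        rob = Robtex()
        res = rob.get_ip_info(ip)
        for d in ["pas", "pash", "act", "acth"]:
            if d in res:
                for a in res[d]:
                    passive_dns.append({
                        'first': a['date'],
                        'last': a['date'],
                        'domain': a['o'],
                        'source': 'Robtex'
                    })

        # PT
        pt_e = plugins['pt'].test_config(conf)
        if pt_e:
            out_pt = False
            # Always defined so the report section below cannot hit an
            # unbound name, whatever the quota/enrichment path does.
            pt_osint = {}
            print('[+] Downloading Passive Total information....')
            client = DnsRequest(conf['PassiveTotal']['username'],
                                conf['PassiveTotal']['key'])
            raw_results = client.get_passive_dns(query=ip)
            if "results" in raw_results:
                for res in raw_results["results"]:
                    passive_dns.append({
                        "first": parse(res["firstSeen"]),
                        "last": parse(res["lastSeen"]),
                        "domain": res["resolve"],
                        "source": "PT"
                    })
            if "message" in raw_results and "quota_exceeded" in raw_results["message"]:
                print("Quota exceeded for Passive Total")
                out_pt = True
            if not out_pt:
                client2 = EnrichmentRequest(conf["PassiveTotal"]["username"],
                                            conf["PassiveTotal"]['key'])
                # Get OSINT
                # TODO: add PT projects here
                pt_osint = client2.get_osint(query=ip)
                # Get malware
                raw_results = client2.get_malware(query=ip)
                if "results" in raw_results:
                    for r in raw_results["results"]:
                        malware.append({
                            'hash': r["sample"],
                            'date': parse(r['collectionDate']),
                            'source': 'PT (%s)' % r["source"]
                        })

        # VT (private API only: the public API has no IP report endpoint here)
        vt_e = plugins['vt'].test_config(conf)
        if vt_e:
            if conf["VirusTotal"]["type"] != "public":
                print('[+] Downloading VT information....')
                vt = PrivateApi(conf["VirusTotal"]["key"])
                res = vt.get_ip_report(ip)
                if "results" in res:
                    vtr = res['results']
                    if "resolutions" in vtr:
                        for r in vtr["resolutions"]:
                            passive_dns.append({
                                "first": parse(r["last_resolved"]),
                                "last": parse(r["last_resolved"]),
                                "domain": r["hostname"],
                                "source": "VT"
                            })
                    if "undetected_downloaded_samples" in vtr:
                        for r in vtr['undetected_downloaded_samples']:
                            files.append({
                                'hash': r['sha256'],
                                'date': parse(r['date']),
                                'source': 'VT'
                            })
                    if "undetected_referrer_samples" in vtr:
                        for r in vtr['undetected_referrer_samples']:
                            # Referrer samples may lack a date (the newer
                            # version of this command handles that the same
                            # way); an epoch placeholder keeps sorted() working.
                            files.append({
                                'hash': r['sha256'],
                                'date': parse(r['date']) if 'date' in r else datetime.datetime(1970, 1, 1),
                                'source': 'VT'
                            })
                    if "detected_downloaded_samples" in vtr:
                        for r in vtr['detected_downloaded_samples']:
                            malware.append({
                                'hash': r['sha256'],
                                'date': parse(r['date']),
                                'source': 'VT'
                            })
                    if "detected_referrer_samples" in vtr:
                        for r in vtr['detected_referrer_samples']:
                            if "date" in r:
                                malware.append({
                                    'hash': r['sha256'],
                                    'date': parse(r['date']),
                                    'source': 'VT'
                                })
            else:
                vt_e = False

        print('[+] Downloading GreyNoise information....')
        gn = GreyNoise()
        try:
            greynoise = gn.query_ip(ip)
        except GreyNoiseError:
            greynoise = []

        tg_e = plugins['threatgrid'].test_config(conf)
        if tg_e:
            print('[+] Downloading Threat Grid....')
            tg = ThreatGrid(conf['ThreatGrid']['key'])
            res = tg.search_samples(ip, type='ip')
            already = set()
            if 'items' in res:
                for r in res['items']:
                    if r['sample_sha256'] not in already:
                        # TG timestamps are made naive; NOTE(review): the
                        # malware list is sorted by date below, so mixing
                        # aware (PT) and naive (TG/VT) datetimes would raise
                        # TypeError — confirm what parse() returns for PT.
                        d = parse(r['ts'])
                        d = d.replace(tzinfo=None)
                        malware.append({
                            'hash': r["sample_sha256"],
                            'date': d,
                            'source': 'TG'
                        })
                        already.add(r['sample_sha256'])

        # TODO: Add MISP
        print('----------------- Intelligence Report')
        if otx_e:
            if len(otx_pulses):
                print('OTX:')
                for p in otx_pulses:
                    print(' -%s (%s - %s)' % (
                        p['name'], p['created'][:10],
                        "https://otx.alienvault.com/pulse/" + p['id']))
            else:
                print('OTX: Not found in any pulse')
        if len(greynoise) > 0:
            print("GreyNoise: IP identified as")
            for r in greynoise:
                print("\t%s (%s -> %s)" % (r["name"], r["first_seen"], r["last_updated"]))
        else:
            print("GreyNoise: Not found")
        if pt_e:
            pt_results = pt_osint.get("results", [])
            if len(pt_results) == 1:
                first = pt_results[0]
                if "name" in first:
                    print("PT: %s %s" % (first["name"], first["sourceUrl"]))
                else:
                    print("PT: %s" % first["sourceUrl"])
            elif len(pt_results) > 1:
                print("PT:")
                for r in pt_results:
                    if "name" in r:
                        print("-%s %s" % (r["name"], r["sourceUrl"]))
                    else:
                        print("-%s" % r["sourceUrl"])
            else:
                print("PT: Nothing found!")
        if len(malware) > 0:
            print('----------------- Malware')
            for r in sorted(malware, key=lambda x: x["date"]):
                print("[%s] %s %s" % (r["source"], r["hash"], r["date"].strftime("%Y-%m-%d")))
        if len(files) > 0:
            print('----------------- Files')
            for r in sorted(files, key=lambda x: x["date"]):
                print("[%s] %s %s" % (r["source"], r["hash"], r["date"].strftime("%Y-%m-%d")))
        if len(passive_dns) > 0:
            print('----------------- Passive DNS')
            for r in sorted(passive_dns, key=lambda x: x["first"], reverse=True):
                print("[+] %-40s (%s -> %s)(%s)" % (
                    r["domain"], r["first"].strftime("%Y-%m-%d"),
                    r["last"].strftime("%Y-%m-%d"), r["source"]))

    else:
        self.parser.print_help()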
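def ipinfo():
    """Command-line entry point: print ASN / geolocation data for IP addresses.

    IPs come from the positional arguments or, when none are given, from
    whitespace-separated tokens on stdin.  A single IP is reported in the
    ``--format`` chosen (``txt`` default, ``csv`` or ``json``); several IPs
    are printed one per line, ``;``-separated for txt/csv or as one JSON
    object per IP.  ``--no-dns`` skips the reverse-DNS lookup and drops the
    hostname column.
    """
    import sys

    parser = argparse.ArgumentParser(description='Give information on an IP')
    parser.add_argument('IP', type=str, nargs='*', default=[], help="IP addresses")
    parser.add_argument('--format', '-f', help='Output format',
                        choices=["json", "csv", "txt"], default="txt")
    parser.add_argument('--no-dns', '-n', help='No reverse DNS query',
                        action='store_true')
    args = parser.parse_args()
    # sys.stdin is portable; "/dev/stdin" only exists on Unix-like systems.
    ips = args.IP if args.IP else sys.stdin.read().split()
    command = CommandIp()
    # NOTE(review): "not found" is detected here by comparing asn to "",
    # while other callers in this file compare it to 0 — confirm which
    # sentinel CommandIp.ipinfo() actually returns.
    if len(ips) == 1:
        ip = unbracket(ips[0])
        if not is_ip(ip):
            print("Invalid IP address")
            return
        r = command.ipinfo(ip, dns=not args.no_dns)
        if args.format == "txt":
            if r['asn'] == "":
                print("IP not found")
            else:
                print("Information on IP %s" % ip)
                print("ASN: AS%i - %s - %s" % (r['asn'], r['asn_name'], r['asn_type']))
                print("Location: %s - %s" % (r['city'], r['country']))
                if not args.no_dns:
                    if r['hostname'] != '':
                        print('Hostname: %s' % r['hostname'])
                    if r['specific'] != '':
                        print("Specific: %s" % r['specific'])
        elif args.format == "csv":
            if r['asn'] == "":
                print('%s;;;;;' % ip)
            elif args.no_dns:
                print('%s;AS%i;%s;%s;%s;%s;%s' % (
                    ip, r['asn'], r['asn_name'], r['asn_type'],
                    r['city'], r['country'], r['specific']))
            else:
                # Eight placeholders for eight values: the original had only
                # seven and raised TypeError on every DNS-enabled CSV run.
                print('%s;AS%i;%s;%s;%s;%s;%s;%s' % (
                    ip, r['asn'], r['asn_name'], r['asn_type'],
                    r['city'], r['country'], r['hostname'], r['specific']))
        else:
            print(json.dumps(r, sort_keys=True, indent=4))
    else:
        for raw in ips:
            ip = unbracket(raw)
            if not is_ip(ip):
                print("%s ; ; ; ; ; ; Invalid IP" % ip)
                continue
            r = command.ipinfo(ip, dns=not args.no_dns)
            if args.format in ["txt", "csv"]:
                if r['asn'] == "":
                    print('%s ; ; ; ; ; ;' % ip)
                elif args.no_dns:
                    print('%s ; AS%i ; %s ; %s ; %s ; %s ; %s ' % (
                        ip, r['asn'], r['asn_name'], r['asn_type'],
                        r['city'], r['country'], r['specific']))
                else:
                    print('%s ; AS%i ; %s ; %s ; %s ; %s ; %s ; %s' % (
                        ip, r['asn'], r['asn_name'], r['asn_type'],
                        r['city'], r['country'], r['hostname'], r['specific']))
            else:
                # JSON
                print(json.dumps({ip: r}, sort_keys=True, indent=4))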
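def run(self, conf, args, plugins):
    """Handle the ``ip`` command: ``info`` and ``intel`` subcommands.

    ``info`` prints MaxMind geolocation/ASN/CAIDA data, the pyasn ASN and
    prefix, reverse-DNS details and a few pivot URLs for ``args.IP``.

    ``intel`` queries MISP, BinaryEdge, OTX, Robtex, PassiveTotal, URLhaus,
    VirusTotal (private API only), GreyNoise, Threat Grid, ThreatMiner and
    the Tor exit-node list — the configurable sources only when their plugin
    configuration passes ``test_config`` — and prints an aggregated report:
    intelligence pulses/events/OSINT, malware, files, passive DNS and URLs.
    Passive-DNS timestamps are normalised to UTC so they can be sorted.

    Exits with status 1 on an invalid IP or missing pyasn data files; falls
    back to the parser help when no recognised subcommand is given.
    """
    if 'subcommand' not in args:
        self.parser.print_help()
        return

    if args.subcommand == 'info':
        if not is_ip(unbracket(args.IP)):
            print("Invalid IP address")
            sys.exit(1)
        # FIXME: move code here in a library
        ip = unbracket(args.IP)
        try:
            ipy = IP(ip)
        except ValueError:
            print('Invalid IP format, quitting...')
            return
        ipinfo = self.ipinfo(ip)
        print('MaxMind: Located in %s, %s' % (ipinfo['city'], ipinfo['country']))
        if ipinfo['asn'] == 0:
            print("MaxMind: IP not found in the ASN database")
        else:
            print('MaxMind: ASN%i, %s' % (ipinfo['asn'], ipinfo['asn_name']))
            # CAIDA type only makes sense once an ASN was found.
            print('CAIDA Type: %s' % ipinfo['asn_type'])
        try:
            asndb2 = pyasn.pyasn(self.asncidr)
            res = asndb2.lookup(ip)
        except OSError:
            print("Configuration files are not available")
            print("Please run harpoon update before using harpoon")
            sys.exit(1)
        if res[1] is None:
            print("IP not found in ASN database")
        else:
            # Search for name: lines of the form "ASN|name|..."; stop at the
            # first match.  The original never closed the file handle.
            name = ''
            with open(self.asnname, 'r') as f:
                for line in f:
                    s = line.split('|')
                    if s[0] == str(res[0]):
                        name = s[1].strip()
                        break
            print('ASN %i - %s (range %s)' % (res[0], name, res[1]))
        if ipinfo['hostname'] != '':
            print('Hostname: %s' % ipinfo['hostname'])
        if ipinfo['specific'] != '':
            print("Specific: %s" % ipinfo['specific'])
        if ipy.iptype() == "PRIVATE":
            # The original had a bare string expression here (a no-op).
            print("Private IP")
        print("")
        if ipy.version() == 4:
            # `ip` passed is_ip() above, so it is safe to splice into URLs.
            print("Censys:\t\thttps://censys.io/ipv4/%s" % ip)
            print("Shodan:\t\thttps://www.shodan.io/host/%s" % ip)
            print("IP Info:\thttp://ipinfo.io/%s" % ip)
            print("BGP HE:\t\thttps://bgp.he.net/ip/%s" % ip)
            print("IP Location:\thttps://www.iplocation.net/?query=%s" % ip)

    elif args.subcommand == "intel":
        ip = unbracket(args.IP)
        if not is_ip(ip):
            print("Invalid IP address")
            sys.exit(1)
        # Start with MISP and OTX to get Intelligence Reports
        print('###################### %s ###################' % ip)
        passive_dns = []
        urls = []
        malware = []
        files = []

        # MISP
        misp_e = plugins['misp'].test_config(conf)
        if misp_e:
            print('[+] Downloading MISP information...')
            server = ExpandedPyMISP(conf['Misp']['url'], conf['Misp']['key'])
            misp_results = server.search('attributes', value=ip)

        # Binary Edge
        be_e = plugins['binaryedge'].test_config(conf)
        if be_e:
            try:
                print('[+] Downloading BinaryEdge information...')
                be = BinaryEdge(conf['BinaryEdge']['key'])
                # FIXME: this only get the first page
                res = be.domain_ip(ip)
                for d in res["events"]:
                    seen = parse(d['updated_at']).astimezone(pytz.utc)
                    passive_dns.append({
                        "domain": d['domain'],
                        "first": seen,
                        "last": seen,
                        "source": "BinaryEdge"
                    })
            except BinaryEdgeException:
                print('BinaryEdge request failed, you need a paid subscription')

        # OTX
        otx_e = plugins['otx'].test_config(conf)
        if otx_e:
            print('[+] Downloading OTX information....')
            otx = OTXv2(conf["AlienVaultOtx"]["key"])
            res = otx.get_indicator_details_full(IndicatorTypes.IPv4, ip)
            otx_pulses = res["general"]["pulse_info"]["pulses"]
            # Get Passive DNS
            if "passive_dns" in res:
                for r in res["passive_dns"]["passive_dns"]:
                    passive_dns.append({
                        "domain": r['hostname'],
                        "first": parse(r["first"]).astimezone(pytz.utc),
                        "last": parse(r["last"]).astimezone(pytz.utc),
                        "source": "OTX"
                    })
            if "url_list" in res:
                for r in res["url_list"]["url_list"]:
                    # The resolved IP is only present when OTX's urlworker
                    # produced a result for the URL.
                    worker_ip = ""
                    if "result" in r and "ip" in r["result"]["urlworker"]:
                        worker_ip = r["result"]["urlworker"]["ip"]
                    urls.append({
                        "date": parse(r["date"]).astimezone(pytz.utc),
                        "url": r["url"],
                        "ip": worker_ip,
                        "source": "OTX"
                    })

        # RobTex
        print('[+] Downloading Robtex information....')
        rob = Robtex()
        try:
            res = rob.get_ip_info(ip)
        except RobtexError:
            print("Error with Robtex")
        else:
            for d in ["pas", "pash", "act", "acth"]:
                if d in res:
                    for a in res[d]:
                        seen = a['date'].astimezone(pytz.utc)
                        passive_dns.append({
                            'first': seen,
                            'last': seen,
                            'domain': a['o'],
                            'source': 'Robtex'
                        })

        # PT
        pt_e = plugins['pt'].test_config(conf)
        if pt_e:
            out_pt = False
            # Defined up front: in the original it was only assigned on the
            # quota-exceeded or enrichment paths, so two ReadTimeouts left
            # `pt_osint` unbound and the report section raised NameError.
            pt_osint = {}
            print('[+] Downloading Passive Total information....')
            client = DnsRequest(conf['PassiveTotal']['username'],
                                conf['PassiveTotal']['key'])
            try:
                raw_results = client.get_passive_dns(query=ip)
                if "results" in raw_results:
                    for res in raw_results["results"]:
                        passive_dns.append({
                            "first": parse(res["firstSeen"]).astimezone(pytz.utc),
                            "last": parse(res["lastSeen"]).astimezone(pytz.utc),
                            "domain": res["resolve"],
                            "source": "PT"
                        })
                if "message" in raw_results and "quota_exceeded" in raw_results["message"]:
                    print("Quota exceeded for Passive Total")
                    out_pt = True
            except requests.exceptions.ReadTimeout:
                print("Timeout on Passive Total requests")
            if not out_pt:
                try:
                    client2 = EnrichmentRequest(conf["PassiveTotal"]["username"],
                                                conf["PassiveTotal"]['key'])
                    # Get OSINT
                    # TODO: add PT projects here
                    pt_osint = client2.get_osint(query=ip)
                    # Get malware
                    raw_results = client2.get_malware(query=ip)
                    if "results" in raw_results:
                        for r in raw_results["results"]:
                            malware.append({
                                'hash': r["sample"],
                                'date': parse(r['collectionDate']),
                                'source': 'PT (%s)' % r["source"]
                            })
                except requests.exceptions.ReadTimeout:
                    print("Timeout on Passive Total requests")

        # Urlhaus
        uh_e = plugins['urlhaus'].test_config(conf)
        if uh_e:
            print("[+] Checking urlhaus data...")
            try:
                urlhaus = UrlHaus(conf["UrlHaus"]["key"])
                res = urlhaus.get_host(ip)
            except UrlHausError:
                print("Error with the query")
            else:
                if "urls" in res:
                    for r in res['urls']:
                        urls.append({
                            "date": parse(r["date_added"]).astimezone(pytz.utc),
                            "url": r["url"],
                            "source": "UrlHaus"
                        })

        # VT (private API only)
        vt_e = plugins['vt'].test_config(conf)
        if vt_e:
            if conf["VirusTotal"]["type"] != "public":
                print('[+] Downloading VT information....')
                vt = PrivateApi(conf["VirusTotal"]["key"])
                res = vt.get_ip_report(ip)
                if "results" in res:
                    vtr = res['results']
                    if "resolutions" in vtr:
                        for r in vtr["resolutions"]:
                            seen = parse(r["last_resolved"]).astimezone(pytz.utc)
                            passive_dns.append({
                                "first": seen,
                                "last": seen,
                                "domain": r["hostname"],
                                "source": "VT"
                            })
                    if "undetected_downloaded_samples" in vtr:
                        for r in vtr['undetected_downloaded_samples']:
                            files.append({
                                'hash': r['sha256'],
                                'date': parse(r['date']),
                                'source': 'VT'
                            })
                    if "undetected_referrer_samples" in vtr:
                        for r in vtr['undetected_referrer_samples']:
                            # FIXME : should consider data without dates.
                            # The epoch placeholder keeps sorted() working.
                            files.append({
                                'hash': r['sha256'],
                                'date': parse(r['date']) if 'date' in r else datetime.datetime(1970, 1, 1),
                                'source': 'VT'
                            })
                    if "detected_downloaded_samples" in vtr:
                        for r in vtr['detected_downloaded_samples']:
                            malware.append({
                                'hash': r['sha256'],
                                'date': parse(r['date']),
                                'source': 'VT'
                            })
                    if "detected_referrer_samples" in vtr:
                        for r in vtr['detected_referrer_samples']:
                            if "date" in r:
                                malware.append({
                                    'hash': r['sha256'],
                                    'date': parse(r['date']),
                                    'source': 'VT'
                                })
            else:
                vt_e = False

        print('[+] Downloading GreyNoise information....')
        gn = GreyNoise()
        try:
            greynoise = gn.query_ip(ip)
        except GreyNoiseError:
            greynoise = []

        tg_e = plugins['threatgrid'].test_config(conf)
        if tg_e:
            print('[+] Downloading Threat Grid....')
            try:
                tg = ThreatGrid(conf['ThreatGrid']['key'])
                res = tg.search_samples(ip, type='ip')
                already = set()
                if 'items' in res:
                    for r in res['items']:
                        if r['sample_sha256'] not in already:
                            # TG timestamps are made naive; the malware
                            # list is not sorted, so mixing with aware
                            # datetimes from other sources is harmless here.
                            d = parse(r['ts'])
                            d = d.replace(tzinfo=None)
                            malware.append({
                                'hash': r["sample_sha256"],
                                'date': d,
                                'source': 'TG'
                            })
                            already.add(r['sample_sha256'])
            except ThreatGridError as e:
                # NOTE(review): relies on ThreatGridError exposing
                # `.message`; str(e) would be the portable choice — confirm.
                print("Error with threat grid: {}".format(e.message))

        # ThreatMiner
        print('[+] Downloading ThreatMiner....')
        tm = ThreatMiner()
        response = tm.get_report(ip)
        if response['status_code'] == '200':
            tmm = response['results']
        else:
            tmm = []
            # 404 simply means "nothing known"; anything else is an error.
            if response['status_code'] != '404':
                print("Request to ThreatMiner failed: {}".format(
                    response['status_message']))
        response = tm.get_related_samples(ip)
        if response['status_code'] == '200':
            for r in response['results']:
                # ThreatMiner gives no timestamp for related samples.
                malware.append({
                    'hash': r,
                    'date': None,
                    'source': 'ThreatMiner'
                })

        print('----------------- Intelligence Report')
        ctor = CommandTor()
        tor_list = ctor.get_list()
        if tor_list:
            if ip in tor_list:
                print("{} is a Tor Exit node".format(ip))
        else:
            print("Impossible to reach the Tor Exit Node list")
        if otx_e:
            if len(otx_pulses):
                print('OTX:')
                for p in otx_pulses:
                    print('- %s (%s - %s)' % (
                        p['name'], p['created'][:10],
                        "https://otx.alienvault.com/pulse/" + p['id']))
            else:
                print('OTX: Not found in any pulse')
        if misp_e:
            if len(misp_results['Attribute']) > 0:
                print('MISP:')
                for event in misp_results['Attribute']:
                    print("- {} - {}".format(event['Event']['id'], event['Event']['info']))
        if len(greynoise) > 0:
            print("GreyNoise: IP identified as")
            for r in greynoise:
                print("\t%s (%s -> %s)" % (r["name"], r["first_seen"], r["last_updated"]))
        else:
            print("GreyNoise: Not found")
        if pt_e:
            pt_results = pt_osint.get("results", [])
            if len(pt_results) == 1:
                first = pt_results[0]
                if "name" in first:
                    print("PT: %s %s" % (first["name"], first["sourceUrl"]))
                else:
                    print("PT: %s" % first["sourceUrl"])
            elif len(pt_results) > 1:
                print("PT:")
                for r in pt_results:
                    if "name" in r:
                        print("-%s %s" % (r["name"], r["sourceUrl"]))
                    else:
                        print("-%s" % r["sourceUrl"])
            else:
                print("PT: Nothing found!")
        # ThreatMiner
        if len(tmm) > 0:
            print("ThreatMiner:")
            for r in tmm:
                print("- {} {} - {}".format(r['year'], r['filename'], r['URL']))
        if len(malware) > 0:
            print('----------------- Malware')
            for r in malware:
                print("[%s] %s %s" % (
                    r["source"], r["hash"],
                    r["date"].strftime("%Y-%m-%d") if r["date"] else ""))
        if len(files) > 0:
            print('----------------- Files')
            for r in sorted(files, key=lambda x: x["date"]):
                print("[%s] %s %s" % (r["source"], r["hash"], r["date"].strftime("%Y-%m-%d")))
        if len(passive_dns) > 0:
            print('----------------- Passive DNS')
            for r in sorted(passive_dns, key=lambda x: x["first"], reverse=True):
                print("[+] %-40s (%s -> %s)(%s)" % (
                    r["domain"], r["first"].strftime("%Y-%m-%d"),
                    r["last"].strftime("%Y-%m-%d"), r["source"]))
        if len(urls) > 0:
            print('----------------- Urls')
            for r in sorted(urls, key=lambda x: x["date"], reverse=True):
                print("[%s] %s - %s" % (r["source"], r["url"], r["date"].strftime("%Y-%m-%d")))

    else:
        self.parser.print_help()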
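def run(self, conf, args, plugins):
    """Dispatch the ``intel`` subcommands: ``domain``, ``ip`` and ``hash``.

    Every plugin in ``plugins`` whose configuration passes ``test_config``
    is asked for intelligence on the indicator (with ``--all``), or only
    those that also opt in through ``check_intel`` (without it).  Results
    are collected into one ``data`` dict and printed section by section.

    Exits with status 1 when the ``ip`` subcommand receives something that
    is not an IP address; prints the parser help when no (known) subcommand
    is given.
    """
    if "subcommand" not in args:
        self.parser.print_help()
        return

    if args.subcommand == "domain":
        data = {
            "passive_dns": [],
            "urls": [],
            "malware": [],
            "files": [],
            "reports": [],
        }
        print("###################### %s ###################" % args.DOMAIN)
        # NOTE(review): unlike the ip branch, the domain is not validated
        # before being handed to every plugin — confirm the plugins (or
        # unbracket) reject non-hostname input.
        self._query_plugins(plugins, conf, "domain", unbracket(args.DOMAIN), data, args.all)
        self._print_indicator_sections(data, "ip")

    # ------------------------------ IP -------------------------------
    elif args.subcommand == "ip":
        if not is_ip(unbracket(args.IP)):
            print("Invalid IP address")
            sys.exit(1)
        data = {
            "passive_dns": [],
            "urls": [],
            "malware": [],
            "files": [],
            "reports": [],
            "ports": []
        }
        print("###################### %s ###################" % args.IP)
        self._query_plugins(plugins, conf, "ip", unbracket(args.IP), data, args.all)
        self._print_indicator_sections(data, "domain")

    elif args.subcommand == "hash":
        data = {
            "samples": [],
            "urls": [],
            "network": [],
            "reports": []
        }
        print("############### {}".format(args.HASH))
        # NOTE(review): the hash is passed to plugins unvalidated; a hex
        # check (MD5/SHA-1/SHA-256 lengths) would stop garbage reaching the
        # third-party APIs — confirm no plugin accepts other hash types.
        self._query_plugins(plugins, conf, "hash", args.HASH, data, args.all)
        self._print_hash_sections(data)

    else:
        self.parser.print_help()

def _query_plugins(self, plugins, conf, kind, value, data, query_all):
    """Ask each configured plugin for ``kind`` intelligence on ``value``.

    Plugins append into ``data`` in place.  ``check_intel`` is consulted
    only when ``query_all`` is false.  A blank line is printed afterwards
    to separate the download chatter from the report.
    """
    for p in plugins:
        plugin = plugins[p]
        if not plugin.test_config(conf):
            continue
        if query_all or plugin.check_intel(conf):
            plugin.intel(kind, value, data, conf)
    print("")

def _print_reports(self, reports):
    """Print the "Intelligence Report" section (no-op when empty)."""
    if len(reports) > 0:
        print("----------------- Intelligence Report")
        for report in reports:
            print("{} - {} - {} - {}".format(
                report["date"].strftime("%Y-%m-%d") if report["date"] else "",
                report["title"],
                report["url"],
                report["source"]
            ))
        print("")

def _print_indicator_sections(self, data, pdns_key):
    """Print the report for a domain or IP indicator.

    ``pdns_key`` is the passive-DNS field to show on the left: ``"ip"`` for
    a domain query, ``"domain"`` for an IP query.  The "Open Ports" section
    is printed only when ``data`` carries a non-empty ``ports`` list (the
    domain query never has one).
    """
    self._print_reports(data["reports"])
    if len(data["malware"]) > 0:
        print("----------------- Malware")
        for r in data["malware"]:
            print(
                "[%s] %s %s"
                % (
                    r["source"],
                    r["hash"],
                    r["date"].strftime("%Y-%m-%d") if r["date"] else "",
                )
            )
        print("")
    if len(data["files"]) > 0:
        print("----------------- Files")
        for r in data["files"]:
            # Truthiness check: covers both the "" the original tested for
            # and a None date, which would otherwise crash in strftime.
            if r["date"]:
                print(
                    "[%s] %s (%s)"
                    % (
                        r["source"],
                        r["hash"],
                        r["date"].strftime("%Y-%m-%d"),
                    )
                )
            else:
                print(
                    "[%s] %s"
                    % (
                        r["source"],
                        r["hash"],
                    )
                )
        print("")
    if len(data["urls"]) > 0:
        print("----------------- Urls")
        # NOTE(review): unlike the other sections, a missing/None URL date
        # is not tolerated here (sorted() and strftime would both raise) —
        # confirm every plugin always sets it.
        for r in sorted(data["urls"], key=lambda x: x["date"], reverse=True):
            print("{:9} {} - {} {}".format(
                "[" + r["source"] + "]",
                r["url"],
                r["ip"],
                r["date"].strftime("%Y-%m-%d"),
            ))
        print("")
    if data.get("ports"):
        print("--------------------- Open Ports")
        for p in data["ports"]:
            print("{:6} - {} ({})".format(
                p["port"],
                p["info"],
                p["source"]
            ))
        print("")
    if len(data["passive_dns"]) > 0:
        print("----------------- Passive DNS")
        for r in sorted(
            data["passive_dns"], key=lambda x: x["first"], reverse=True
        ):
            print(
                "[+] %-40s (%s -> %s)(%s)"
                % (
                    r[pdns_key],
                    r["first"].strftime("%Y-%m-%d"),
                    r["last"].strftime("%Y-%m-%d") if r["last"] else "",
                    r["source"],
                )
            )
        print("")
    if sum(len(data[b]) for b in data) == 0:
        print("Nothing found")

def _print_hash_sections(self, data):
    """Print the report for a hash indicator: reports, samples, network, urls."""
    self._print_reports(data["reports"])
    if len(data["samples"]) > 0:
        print("----------------- Samples")
        for sample in data["samples"]:
            print("{} - {} {}".format(
                sample["date"].strftime("%Y-%m-%d") if sample["date"] else "",
                sample["source"],
                sample["url"],
            ))
            if "infos" in sample:
                for info in sample["infos"]:
                    print("- {} - {}".format(
                        info,
                        sample["infos"][info]
                    ))
        print("")
    if len(data["network"]) > 0:
        print("------------------ Network")
        for host in data["network"]:
            if "host2" in host:
                print("{:30} {} - {}".format(
                    "{} ({})".format(host["host"], host["host2"]),
                    host["source"],
                    host["url"]
                ))
            else:
                print("{:30} {} - {}".format(
                    host["host"],
                    host["source"],
                    host["url"]
                ))
        print("")
    if len(data["urls"]) > 0:
        print("----------------- Urls")
        for report in data["urls"]:
            print("{} - {} - {}".format(
                report["url"],
                report["link"],
                report["source"]
            ))
        print("")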