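def get_host_attribute_trackers(trx, context):
    """Add one tracker entity per result of the host-attribute trackers lookup.

    Each entity is typed "pt.tracker<attributeType>" and carries first/last
    seen, tracker type and hostname as loose properties. Returns the
    error/blank/normal Maltego response produced by the module helpers.
    """
    query_value = context.Value
    client = load_client(context)
    response = client.get_host_attribute_trackers(query=query_value)
    if 'error' in response:
        return error_response(trx, response)
    results = response.get('results', [])
    if not results:
        return blank_response(trx, response)
    for item in results:
        # NOTE(review): attributeType is API-supplied and goes into the entity
        # type name without passing through safe_symbols — confirm the API
        # constrains it to a fixed vocabulary before trusting it here.
        entity_name = "pt.tracker%s" % item.get('attributeType')
        ent = trx.addEntity(entity_name, safe_symbols(item.get('attributeValue')))
        ent.addProperty(LABEL_FIRST_SEEN, LABEL_FIRST_SEEN, 'loose',
                        safe_symbols(item.get('firstSeen', 'N/A')))
        ent.addProperty(LABEL_LAST_SEEN, LABEL_LAST_SEEN, 'loose',
                        safe_symbols(item.get('lastSeen', 'N/A')))
        # The display name was LABEL_LAST_SEEN (copy-paste slip); show the
        # tracker type under its own label.
        ent.addProperty(LABEL_TRACKER_TYPE, LABEL_TRACKER_TYPE, 'loose',
                        safe_symbols(item.get('attributeType')))
        ent.addProperty(LABEL_HOSTNAME, LABEL_HOSTNAME, 'loose',
                        safe_symbols(item.get('hostname')))
    return maltego_response(trx)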
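def get_host_attribute_components(trx, context):
    """Add one component entity per result of the host-attribute components lookup.

    The entity value is "<label> (<category>)"; first/last seen, component
    type (the category) and hostname are attached as loose properties.
    """
    query_value = context.Value
    client = load_client(context)
    response = client.get_host_attribute_components(query=query_value)
    if 'error' in response:
        return error_response(trx, response)
    results = response.get('results', [])
    if not results:
        return blank_response(trx, response)
    for item in results:
        entity_value = "%s (%s)" % (item.get('label'), item.get('category'))
        ent = trx.addEntity(MALTEGO_PT_COMPONENT, safe_symbols(entity_value))
        ent.addProperty(LABEL_FIRST_SEEN, LABEL_FIRST_SEEN, 'loose',
                        safe_symbols(item.get('firstSeen', 'N/A')))
        ent.addProperty(LABEL_LAST_SEEN, LABEL_LAST_SEEN, 'loose',
                        safe_symbols(item.get('lastSeen', 'N/A')))
        # The display name was LABEL_LAST_SEEN (copy-paste slip); show the
        # component type under its own label.
        ent.addProperty(LABEL_COMPONENT_TYPE, LABEL_COMPONENT_TYPE, 'loose',
                        safe_symbols(item.get('category')))
        ent.addProperty(LABEL_HOSTNAME, LABEL_HOSTNAME, 'loose',
                        safe_symbols(item.get('hostname')))
    return maltego_response(trx)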
def get_whois_details(trx, context):
    """Expand the query into its WHOIS record.

    Emits nameserver entities, one "pt.whois<Field>" entity per scalar field
    (registrar, registered, registryUpdatedAt, expiresAt), the registered
    domain, and one entity per raw value of each non-empty compact section.
    """
    client = load_client(context)
    response = client.get_whois_details(query=context.Value, compact_record=True)
    if 'error' in response:
        return error_response(trx, response)
    for server in response.get('nameServers', []):
        trx.addEntity(MALTEGO_PT_NAMESERVER, safe_symbols(server))
    # Missing scalar fields still yield an entity (value None), as before.
    for field in ('registrar', 'registered', 'registryUpdatedAt', 'expiresAt'):
        trx.addEntity("pt.whois%s" % upper_first(field),
                      safe_symbols(response.get(field)))
    trx.addEntity(MALTEGO_DOMAIN, safe_symbols(response.get('domain', '')))
    compact = response.get('compact', {})
    for section, details in compact.iteritems():
        raw_values = details.get('raw', [])
        if len(raw_values) == 0:
            continue
        section_entity = "pt.whois%s" % upper_first(section)
        for raw in raw_values:
            trx.addEntity(section_entity, safe_symbols(raw))
    return maltego_response(trx)
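def get_host_attribute_trackers(trx, context):
    """Add one tracker entity per result of the host-attribute trackers lookup.

    Each entity is typed "pt.tracker<attributeType>" and carries first/last
    seen, tracker type and hostname as loose properties.
    """
    query_value = context.Value
    client = load_client(context)
    response = client.get_host_attribute_trackers(query=query_value)
    if 'error' in response:
        return error_response(trx, response)
    results = response.get('results', [])
    if not results:
        # Pass trx like the other blank_response() calls in this module; the
        # one-argument form here was out of step with them.
        return blank_response(trx, response)
    for item in results:
        # NOTE(review): attributeType is API-supplied and goes into the entity
        # type name without safe_symbols — confirm the API constrains it.
        entity_name = "pt.tracker%s" % item.get('attributeType')
        ent = trx.addEntity(entity_name, safe_symbols(item.get('attributeValue')))
        ent.addProperty(LABEL_FIRST_SEEN, LABEL_FIRST_SEEN, 'loose',
                        safe_symbols(item.get('firstSeen', 'N/A')))
        ent.addProperty(LABEL_LAST_SEEN, LABEL_LAST_SEEN, 'loose',
                        safe_symbols(item.get('lastSeen', 'N/A')))
        # The display name was LABEL_LAST_SEEN (copy-paste slip).
        ent.addProperty(LABEL_TRACKER_TYPE, LABEL_TRACKER_TYPE, 'loose',
                        safe_symbols(item.get('attributeType')))
        ent.addProperty(LABEL_HOSTNAME, LABEL_HOSTNAME, 'loose',
                        safe_symbols(item.get('hostname')))
    return maltego_response(trx)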
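def get_host_attribute_components(trx, context):
    """Add one component entity per result of the host-attribute components lookup.

    The entity value is "<label> (<category>)"; first/last seen, component
    type (the category) and hostname are attached as loose properties.
    """
    query_value = context.Value
    client = load_client(context)
    response = client.get_host_attribute_components(query=query_value)
    if 'error' in response:
        return error_response(trx, response)
    results = response.get('results', [])
    if not results:
        # Pass trx like the other blank_response() calls in this module; the
        # one-argument form here was out of step with them.
        return blank_response(trx, response)
    for item in results:
        entity_value = "%s (%s)" % (item.get('label'), item.get('category'))
        ent = trx.addEntity(MALTEGO_PT_COMPONENT, safe_symbols(entity_value))
        ent.addProperty(LABEL_FIRST_SEEN, LABEL_FIRST_SEEN, 'loose',
                        safe_symbols(item.get('firstSeen', 'N/A')))
        ent.addProperty(LABEL_LAST_SEEN, LABEL_LAST_SEEN, 'loose',
                        safe_symbols(item.get('lastSeen', 'N/A')))
        # The display name was LABEL_LAST_SEEN (copy-paste slip).
        ent.addProperty(LABEL_COMPONENT_TYPE, LABEL_COMPONENT_TYPE, 'loose',
                        safe_symbols(item.get('category')))
        ent.addProperty(LABEL_HOSTNAME, LABEL_HOSTNAME, 'loose',
                        safe_symbols(item.get('hostname')))
    return maltego_response(trx)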
def get_malware(trx, context):
    """Emit source, source URL and sample-hash entities for each malware record."""
    client = load_client(context)
    response = client.get_malware(query=context.Value)
    if 'error' in response:
        return error_response(trx, response)
    for record in response.get('results', []):
        trx.addEntity(MALTEGO_PHRASE, safe_symbols(record.get('source')))
        trx.addEntity(MALTEGO_URL, safe_symbols(record.get('sourceUrl')))
        # NOTE(review): this variant types the sample as MALFORMITY_HASH while
        # the sibling get_malware uses MALTEGO_HASH — confirm which constant
        # the deployed entity set defines.
        trx.addEntity(MALFORMITY_HASH, safe_symbols(record.get('sample')))
    return maltego_response(trx)
def get_malware(trx, context):
    """Emit source, source URL and sample-hash entities for each malware record."""
    client = load_client(context)
    response = client.get_malware(query=context.Value)
    if 'error' in response:
        return error_response(trx, response)
    # (entity type, response key) pairs, emitted in this order per record.
    mapping = (
        (MALTEGO_PHRASE, 'source'),
        (MALTEGO_URL, 'sourceUrl'),
        (MALTEGO_HASH, 'sample'),
    )
    for record in response.get('results', []):
        for entity_type, key in mapping:
            trx.addEntity(entity_type, safe_symbols(record.get(key)))
    return maltego_response(trx)
def get_osint(trx, context):
    """Emit source, source URL and tag entities for each OSINT record of the query."""
    client = load_client(context)
    response = client.get_osint(query=context.Value)
    if 'error' in response:
        return error_response(trx, response)
    for record in response.get('results', []):
        trx.addEntity(MALTEGO_PHRASE, safe_symbols(record.get('source')))
        trx.addEntity(MALTEGO_URL, safe_symbols(record.get('sourceUrl')))
        # One tag entity per tag attached to the record.
        for label in record.get('tags', []):
            trx.addEntity(MALTEGO_PT_TAG, safe_symbols(label))
    return maltego_response(trx)
def get_osint_details(trx, context):
    """Emit every indicator mentioned in the query's OSINT reports.

    Values classified as IPs by value_type() become IP entities; anything
    else becomes a domain entity.
    """
    client = load_client(context)
    response = client.get_osint(query=context.Value)
    if 'error' in response:
        return error_response(trx, response)
    for record in response.get('results', []):
        for indicator in record.get('inReport', []):
            entity_type = MALTEGO_IP if value_type(indicator) == 'ip' else MALTEGO_DOMAIN
            trx.addEntity(entity_type, safe_symbols(indicator))
    return maltego_response(trx)
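def get_ssl_certificate_history_by_ip(trx, context):
    """Add one SSL certificate entity (keyed by SHA-1) per certificate observed for the query.

    First/last seen are attached as loose properties. Returns the
    error/normal Maltego response produced by the module helpers.
    """
    query_value = context.Value
    client = load_client(context)
    response = client.get_ssl_certificate_history(query=query_value)
    if 'error' in response:
        return error_response(trx, response)
    for item in response.get('results', []):
        ent = trx.addEntity(MALTEGO_PT_SSL_CERT, safe_symbols(item.get('sha1')))
        ent.addProperty(LABEL_FIRST_SEEN, LABEL_FIRST_SEEN, 'loose',
                        safe_symbols(item.get('firstSeen', 'N/A')))
        ent.addProperty(LABEL_LAST_SEEN, LABEL_LAST_SEEN, 'loose',
                        safe_symbols(item.get('lastSeen', 'N/A')))
    return maltego_response(trx)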
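def run_tracker_search(trx, context, field):
    """Shared runner for the tracker-search transforms.

    Searches trackers of type ``field`` for the query value and adds one
    domain entity per hit, carrying the everBlacklisted flag as a loose
    property.
    """
    query_value = context.Value
    client = load_client(context)
    response = client.search_trackers(query=query_value, type=field)
    if 'error' in response:
        return error_response(trx, response)
    results = response.get('results', [])
    if not results:
        # Pass trx like the other blank_response() calls in this module; the
        # one-argument form here was out of step with them.
        return blank_response(trx, response)
    for item in results:
        ent = trx.addEntity(MALTEGO_DOMAIN, safe_symbols(item.get('hostname')))
        ent.addProperty(LABEL_BLACKLISTED, LABEL_BLACKLISTED, 'loose',
                        safe_symbols(item.get('everBlacklisted')))
    return maltego_response(trx)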
def get_passive_dns(trx, context):
    """Emit one entity per passive DNS resolution of the query.

    The entity type is looked up in type_map by the response's queryType;
    first/last seen and the comma-joined source list are loose properties.
    """
    client = load_client(context)
    response = client.get_passive_dns(query=context.Value, timeout=10)
    if 'error' in response:
        return error_response(trx, response)
    # NOTE(review): an unexpected queryType raises KeyError here — confirm
    # the API only returns types present in type_map.
    entity_type = type_map[response.get('queryType')]
    for record in response.get('results', []):
        ent = trx.addEntity(entity_type, safe_symbols(record.get('resolve', 'N/A')))
        ent.addProperty(LABEL_FIRST_SEEN, LABEL_FIRST_SEEN, 'loose',
                        safe_symbols(record.get('firstSeen', 'N/A')))
        ent.addProperty(LABEL_LAST_SEEN, LABEL_LAST_SEEN, 'loose',
                        safe_symbols(record.get('lastSeen', 'N/A')))
        sources = ', '.join(record.get('source', []))
        ent.addProperty(LABEL_SOURCES, LABEL_SOURCES, 'loose', safe_symbols(sources))
    return maltego_response(trx)
def get_tags(trx, context):
    """Emit one tag entity per tag attached to the query value."""
    client = load_client(context)
    response = client.get_tags(query=context.Value)
    if 'error' in response:
        return error_response(trx, response)
    for label in response.get('tags', []):
        trx.addEntity(MALTEGO_PT_TAG, safe_symbols(label))
    return maltego_response(trx)
def get_classification(trx, context):
    """Emit the query's classification as a phrase entity ('N/A' when absent)."""
    client = load_client(context)
    response = client.get_classification_status(query=context.Value)
    if 'error' in response:
        return error_response(trx, response)
    classification = response.get('classification', 'N/A')
    trx.addEntity(MALTEGO_PHRASE, safe_symbols(classification))
    return maltego_response(trx)
def run_tracker_search(trx, context, field):
    """Shared runner for the tracker-search transforms.

    Searches trackers of type ``field`` for the query value and adds one
    domain entity per hit with first/last seen as loose properties.
    """
    client = load_client(context)
    response = client.search_trackers(query=context.Value, type=field)
    if 'error' in response:
        return error_response(trx, response)
    hits = response.get('results', [])
    if len(hits) == 0:
        return blank_response(trx, response)
    for hit in hits:
        domain = trx.addEntity(MALTEGO_DOMAIN, safe_symbols(hit.get('hostname')))
        for label, key in ((LABEL_FIRST_SEEN, 'firstSeen'), (LABEL_LAST_SEEN, 'lastSeen')):
            domain.addProperty(label, label, 'loose', safe_symbols(hit.get(key, 'N/A')))
    return maltego_response(trx)
def get_subdomains(trx, context):
    """Emit one domain entity per subdomain, as "<label>.<query>"."""
    parent = context.Value
    client = load_client(context)
    response = client.get_subdomains(query=parent)
    if 'error' in response:
        return error_response(trx, response)
    for label in response.get('subdomains', []):
        fqdn = "%s.%s" % (label, parent)
        trx.addEntity(MALTEGO_DOMAIN, safe_symbols(fqdn))
    return maltego_response(trx)
def get_unique_passive_dns(trx, context):
    """Emit one entity per unique passive DNS resolution of the query.

    The entity type is looked up in type_map by the response's queryType.
    """
    client = load_client(context)
    response = client.get_unique_resolutions(query=context.Value, timeout=10)
    if 'error' in response:
        return error_response(trx, response)
    entity_type = type_map[response.get('queryType')]
    for resolution in response.get('results', []):
        trx.addEntity(entity_type, safe_symbols(resolution))
    return maltego_response(trx)
def get_ever_compromised(trx, context):
    """Emit "Been Compromised" or "Unknown" as a phrase, from the everCompromised flag."""
    client = load_client(context)
    response = client.get_ever_compromised_status(query=context.Value)
    if 'error' in response:
        return error_response(trx, response)
    phrase = "Been Compromised" if response.get('everCompromised', False) else "Unknown"
    trx.addEntity(MALTEGO_PHRASE, safe_symbols(phrase))
    return maltego_response(trx)
def get_dynamic_dns(trx, context):
    """Emit "Dynamic DNS" or "Unknown" as a phrase, from the dynamicDns flag."""
    client = load_client(context)
    response = client.get_dynamic_dns_status(query=context.Value)
    if 'error' in response:
        return error_response(trx, response)
    phrase = "Dynamic DNS" if response.get('dynamicDns', False) else "Unknown"
    trx.addEntity(MALTEGO_PHRASE, safe_symbols(phrase))
    return maltego_response(trx)
def get_monitor(trx, context):
    """Emit "Monitoring" or "Unknown" as a phrase, from the monitor flag."""
    client = load_client(context)
    response = client.get_monitor_status(query=context.Value)
    if 'error' in response:
        return error_response(trx, response)
    phrase = "Monitoring" if response.get('monitor', False) else "Unknown"
    trx.addEntity(MALTEGO_PHRASE, safe_symbols(phrase))
    return maltego_response(trx)
def get_sinkhole(trx, context):
    """Emit "Sinkholed" or "Unknown" as a phrase, from the sinkhole flag."""
    client = load_client(context)
    response = client.get_sinkhole_status(query=context.Value)
    if 'error' in response:
        return error_response(trx, response)
    phrase = "Sinkholed" if response.get('sinkhole', False) else "Unknown"
    trx.addEntity(MALTEGO_PHRASE, safe_symbols(phrase))
    return maltego_response(trx)
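def get_host_attribute_child_pairs(trx, context):
    """Add one domain entity per child host pair of the query.

    Each child carries first/last seen and the pairing cause as loose
    properties; the cause is also used as the link label.
    """
    query_value = context.Value
    client = load_client(context)
    response = client.get_host_attribute_pairs(query=query_value, direction="children")
    if 'error' in response:
        return error_response(trx, response)
    results = response.get('results', [])
    if not results:
        return blank_response(trx, response)
    for item in results:
        cause = safe_symbols(item.get('cause'))
        ent = trx.addEntity(MALTEGO_DOMAIN, safe_symbols(item.get('child')))
        ent.addProperty(LABEL_FIRST_SEEN, LABEL_FIRST_SEEN, 'loose',
                        safe_symbols(item.get('firstSeen', 'N/A')))
        ent.addProperty(LABEL_LAST_SEEN, LABEL_LAST_SEEN, 'loose',
                        safe_symbols(item.get('lastSeen', 'N/A')))
        # The display name was LABEL_LAST_SEEN (copy-paste slip). The field
        # name LABEL_COMPONENT_TYPE is kept so existing graphs still match.
        ent.addProperty(LABEL_COMPONENT_TYPE, LABEL_COMPONENT_TYPE, 'loose', cause)
        ent.setLinkLabel(cause)
    return maltego_response(trx)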
def run_whois_search(trx, context, field):
    """Shared runner for the WHOIS-search transforms.

    Searches WHOIS records by ``field`` for the query value and emits one
    domain entity per matching record.
    """
    client = load_client(context)
    response = client.search_whois_by_field(query=context.Value, field=field)
    if 'error' in response:
        return error_response(trx, response)
    matches = response.get('results', [])
    if len(matches) == 0:
        return blank_response(trx, response)
    for match in matches:
        trx.addEntity(MALTEGO_DOMAIN, safe_symbols(match.get('domain')))
    return maltego_response(trx)
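def get_osint_passive_dns(trx, context):
    """Emit only those unique resolutions of the query that have OSINT attached.

    Runs a unique-resolutions lookup, then a bulk OSINT check through the
    enrichment client, and adds one entity (typed via type_map by the
    lookup's queryType) per resolution flagged hasOsint.
    """
    query_value = context.Value
    client = load_client(context)
    response = client.get_unique_resolutions(query=query_value, timeout=10)
    if 'error' in response:
        return error_response(trx, response)
    unique_items = response.get('results', [])
    eclient = load_enrichment(context)
    osint = eclient.get_bulk_osint(query=unique_items)
    # The bulk call is a second API round-trip; surface its failure the same
    # way as the first instead of reading 'results' out of an error payload.
    if 'error' in osint:
        return error_response(trx, osint)
    query_type = response.get('queryType')
    for resolution, details in osint.get('results', {}).iteritems():
        # A record without hasOsint is treated as "no OSINT" rather than KeyError.
        if details.get('hasOsint', False):
            trx.addEntity(type_map[query_type], safe_symbols(resolution))
    return maltego_response(trx)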
def get_ssl_certificate_details(trx, context):
    """Emit one "pt.ssl<Field>" entity per non-empty field of the certificate record.

    Each entity carries the capitalised field name as a loose property.
    """
    client = load_client(context)
    response = client.get_ssl_certificate_details(query=context.Value)
    if 'error' in response:
        return error_response(trx, response)
    for field, value in response.iteritems():
        # Empty strings and other falsy values are not worth an entity.
        if not value:
            continue
        label = upper_first(field)
        ent = trx.addEntity("pt.ssl%s" % label, safe_symbols(value))
        ent.addProperty(LABEL_PROPERTY, LABEL_PROPERTY, 'loose', label)
    return maltego_response(trx)
def run_ssl_certificate_search(trx, context, field):
    """Shared runner for the certificate-search transforms.

    Searches certificates by ``field`` for the query value and emits one
    SSL certificate entity (keyed by SHA-1) per hit.
    """
    client = load_client(context)
    response = client.search_ssl_certificate_by_field(query=context.Value, field=field)
    if 'error' in response:
        return error_response(trx, response)
    hits = response.get('results', [])
    if len(hits) == 0:
        return blank_response(trx, response)
    for hit in hits:
        trx.addEntity(MALTEGO_PT_SSL_CERT, safe_symbols(hit.get('sha1')))
    return maltego_response(trx)
def run_ssl_certificate_search(trx, context, field):
    """Shared runner for the certificate-search transforms.

    Searches certificates by ``field`` for the query value and emits one
    SSL certificate entity (keyed by SHA-1) per hit.
    """
    query_value = context.Value
    client = load_client(context)
    response = client.search_ssl_certificate_by_field(query=query_value, field=field)
    if 'error' in response:
        return error_response(trx, response)
    sha1s = [hit.get('sha1') for hit in response.get('results', [])]
    if len(sha1s) == 0:
        return blank_response(trx, response)
    for sha1 in sha1s:
        trx.addEntity(MALTEGO_PT_SSL_CERT, safe_symbols(sha1))
    return maltego_response(trx)
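def get_enrichment(trx, context):
    """Expand the query with its enrichment record.

    IP queries yield AS number, netblock, AS name, a location entity with
    latitude/longitude properties, and a "Sinkholed" phrase when flagged.
    Other queries yield the TLD, a "Dynamic DNS" phrase when flagged, and
    the primary domain when it differs from the queried value. In both
    cases a "Been compromised" phrase is added when flagged, plus one tag
    entity per tag.
    """
    query_value = context.Value
    client = load_client(context)
    response = client.get_enrichment(query=query_value)
    if 'error' in response:
        return error_response(trx, response)
    query_type = response.get('queryType')
    if query_type == 'ip':
        trx.addEntity(MALTEGO_AS_NUMBER, safe_symbols(response.get('autonomousSystemNumber')))
        trx.addEntity(MALTEGO_NETBLOCK, safe_symbols(response.get('network')))
        trx.addEntity(MALTEGO_PHRASE, safe_symbols(response.get('autonomousSystemName')))
        location = trx.addEntity(MALTEGO_LOCATION, safe_symbols(response.get('country')))
        location.addProperty(LABEL_LATITUDE, LABEL_LATITUDE, 'loose',
                             safe_symbols(response.get('latitude')))
        location.addProperty(LABEL_LONGITUDE, LABEL_LONGITUDE, 'loose',
                             safe_symbols(response.get('longitude')))
        if response.get('sinkhole', False):
            trx.addEntity(MALTEGO_PHRASE, safe_symbols('Sinkholed'))
    else:
        trx.addEntity(MALTEGO_DOMAIN, safe_symbols(response.get('tld')))
        if response.get('dynamicDns', False):
            trx.addEntity(MALTEGO_PHRASE, safe_symbols('Dynamic DNS'))
        # Bug fix: this used to compare primaryDomain with query_type (the
        # literal queryType string), so the primary domain was re-added even
        # when it is the queried value itself. Compare with the query instead.
        if response.get('primaryDomain', '') != query_value:
            trx.addEntity(MALTEGO_DOMAIN, safe_symbols(response.get('primaryDomain')))
    if response.get('everCompromised', False):
        trx.addEntity(MALTEGO_PHRASE, safe_symbols('Been compromised'))
    for tag in response.get('tags', []):
        trx.addEntity(MALTEGO_PT_TAG, safe_symbols(tag))
    return maltego_response(trx)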