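def threatcrowd(self, elastic_output):
    """Look up ``self.domain`` in ThreatCrowd's domain report.

    Prints the community reputation (derived from ``votes``) and the first
    three IP resolutions, writes the raw report with ``tools.json_output``
    and, when ``elastic_output`` is truthy, indexes it with
    ``tools.elast('threatcrowd', 'domain', ...)``.

    Args:
        elastic_output: when truthy, also ship the raw report to Elasticsearch.

    Returns:
        ``{ip_address: last_resolved}`` for the resolutions that carry a real
        address (ThreatCrowd uses ``"-"`` when it has none), or ``False`` when
        the request fails or ThreatCrowd answers ``response_code`` ``"0"``.
    """
    output = {}
    # params= percent-encodes the domain.  Splicing it into the URL, as the
    # old code did, let any '&' or '#' in the value rewrite the query string.
    try:
        req_threatcrowd = requests.get(
            "https://www.threatcrowd.org/searchApi/v2/domain/report/",
            params={"domain": self.domain},
            timeout=30,
        )
        json_threatcrowd = req_threatcrowd.json()
    except (requests.RequestException, ValueError) as exc:
        # Only the exception class is printed: requests' messages embed the
        # full request URL, which for keyed APIs would put the key in logs.
        print(bcolors.FAIL + "ThreatCrowd request failed (" + type(exc).__name__ + ")" + bcolors.ENDC)
        return False
    # ThreatCrowd reports "nothing known" as response_code "0"; compare via
    # str() because the sibling IP module compares the same field against 0.
    if str(json_threatcrowd.get('response_code')) == "0":
        return False
    print("--------------------Threatcrowd module------------------------")
    votes = json_threatcrowd.get('votes', 0)
    if votes < 0:
        trust = "non-trusted"
    elif votes > 0:
        trust = "trusted"
    else:
        trust = "no opinion"
    print("Reputation of " + self.domain + ": " + trust)
    print("[*] Domain was resolved to following IPs: ")
    # Only the first three resolutions are shown and collected.
    for resolution in json_threatcrowd.get('resolutions', [])[:3]:
        ip_address = resolution.get('ip_address', '')
        if len(ip_address) > 1:
            print(bcolors.HEADER + ip_address + bcolors.ENDC)
            output[ip_address] = resolution.get('last_resolved')
        else:
            # ThreatCrowd gives "-" when there is no IP address; drop the
            # placeholder so it is not indexed as if it were an address.
            resolution.pop('ip_address', None)
    # output = {ip: last_resolved}
    if elastic_output:
        tools.elast('threatcrowd', 'domain', json_threatcrowd)
    tools.json_output(self.domain, "/threatcrowd", json_threatcrowd)
    return output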
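def geolocation(self, elastic_output):
    """Geolocate ``self.ip_address`` through extreme-ip-lookup.com.

    Prints the owning business (when reported) and country/city/region,
    writes the raw answer with ``tools.json_output`` and, when
    ``elastic_output`` is truthy, indexes the coordinate slice with
    ``tools.elast('coordinates', 'ip', ...)``.

    Args:
        elastic_output: when truthy, ship the coordinates to Elasticsearch.

    Returns:
        A dict holding the 10th and 11th key/value pairs of the JSON answer
        (the "coordinates" of the original positional slice), or ``{}`` when
        the request fails.
    """
    from urllib.parse import quote

    print("-------------Geolocation module---------------------")
    # The address is part of the URL path; percent-encode it so a value
    # containing '/', '?' or '#' cannot change which endpoint is requested.
    try:
        req_geolocation = requests.get(
            "https://extreme-ip-lookup.com/json/" + quote(self.ip_address, safe=''),
            timeout=30,
        )
        json_geolocation = req_geolocation.json()
    except (requests.RequestException, ValueError) as exc:
        print(bcolors.FAIL + "Geolocation request failed (" + type(exc).__name__ + ")" + bcolors.ENDC)
        return {}
    try:
        business_name = json_geolocation['businessName']
        if len(business_name) > 0:
            # Close the colour span; the old line left OKGREEN open.
            print(bcolors.HEADER + self.ip_address + bcolors.ENDC + " belongs to " + bcolors.OKGREEN + business_name + bcolors.ENDC)
        else:
            print("No business name for that IP")
        print("It is from " + bcolors.OKGREEN + json_geolocation['country'] + ", " + json_geolocation['city'] + ", " + json_geolocation['region'] + bcolors.ENDC)
    except KeyError:
        print(bcolors.FAIL + "Error" + bcolors.ENDC)
    # NOTE(review): the coordinates are picked by *position* (items 9 and 10)
    # in the JSON object, so this depends on the API keeping its field order;
    # selecting them by key name would be sturdier -- confirm the key names.
    coordinates = dict(islice(json_geolocation.items(), 9, 11))
    if elastic_output:
        tools.elast('coordinates', 'ip', coordinates)
    tools.json_output(self.ip_address, "/geolocation", json_geolocation)
    return coordinates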
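def whois_history(self, key, elastic_output):
    """Fetch the Whoxy WHOIS history of ``self.domain``.

    Prints every historical record (registration date, registrar, registrant
    contact, name servers), writes the raw answer with ``tools.json_output``
    and, when ``elastic_output`` is truthy, indexes it with
    ``tools.elast('history', 'domain', ...)``.

    Args:
        key: Whoxy API key (sent as the ``key`` query parameter).
        elastic_output: when truthy, also index the raw answer.

    Returns:
        ``{index: {'create_date', 'contact', 'dns', 'domain_name'}}`` for each
        complete record, or ``False`` when the request fails, Whoxy reports
        ``status == 0``, or no records were found.
    """
    print("-------------------WhoIs history module---------------------")
    # The old code called Whoxy over plain http://, sending the API key in
    # clear text; the other Whoxy calls in this tool already use https.
    # params= also percent-encodes the domain instead of splicing it in.
    try:
        req_whois_history = requests.get(
            "https://api.whoxy.com/",
            params={"key": key, "history": self.domain},
            timeout=30,
        )
        json_whois_history = req_whois_history.json()
    except (requests.RequestException, ValueError) as exc:
        # Exception class only: requests' messages embed the URL, key included.
        print(bcolors.FAIL + "Whois history request failed (" + type(exc).__name__ + ")" + bcolors.ENDC)
        return False
    output = {}
    if json_whois_history.get('status') == 0:
        print("Whois Retrieval Failed")
        return False
    total = json_whois_history.get('total_records_found', 0)
    print("[*] Found " + bcolors.OKGREEN + str(total) + bcolors.ENDC + " result(s)")
    if total <= 0:
        # The old branch was a bare string expression, so nothing was printed.
        print("No records found")
        return False
    for index, record in enumerate(json_whois_history.get('whois_records', [])):
        try:
            print("[*] Domain " + bcolors.HEADER + self.domain + bcolors.ENDC + " was registered on " + record['create_date'] + " in " + record['domain_registrar']['registrar_name'])
            output[index] = {
                'create_date': record['create_date'],
                'contact': record['registrant_contact'],
                'dns': record['name_servers'],
                'domain_name': record['domain_name'],
            }
            print("[*] Contact: ")
            for field in record['registrant_contact']:
                print(bcolors.OKBLUE + record['registrant_contact'][field] + bcolors.ENDC)
            print("[*] Name servers:")
            for name_server in record["name_servers"]:
                print(bcolors.OKBLUE + name_server + bcolors.ENDC)
        except KeyError as e:
            # A record lacking one of the fields above is reported and
            # skipped; make sure no half-filled entry lingers in the result.
            output.pop(index, None)
            print(bcolors.FAIL + "No information found about " + str(e.args[0]) + bcolors.ENDC)
        print("---")
    # output = {index: {create_date: xxx, contact: {xxx: xxx}, dns: [xxx], domain_name: xxx}}
    tools.json_output(self.domain, "/whois_history", json_whois_history)
    if elastic_output:
        tools.elast('history', 'domain', json_whois_history)
    return output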
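def virustotal(self, key, elastic_output):
    """Query the VirusTotal v2 IP-address report for ``self.ip_address``.

    Prints up to three detected URLs hosted on the address and its three
    most recent hostname resolutions, writes the sorted resolutions with
    ``tools.json_output`` and, when ``elastic_output`` is truthy, indexes the
    raw report with ``tools.elast('virustotal_ip', 'ip', ...)``.

    Args:
        key: VirusTotal API key (sent as the ``apikey`` query parameter).
        elastic_output: when truthy, also index the raw report.

    Returns:
        ``{ip: {'detected': {url: scan_date}, 'hostname': {hostname:
        last_resolved}}}``, or ``False`` when the request fails, the API
        stays rate-limited, or VirusTotal has no data for the address.
        Exits the process on HTTP 403 (rejected API key), as before.
    """
    output = {self.ip_address: {'detected': {}, 'hostname': {}}}
    print("----------------VirusTotal module---------------------------")
    url = "https://www.virustotal.com/vtapi/v2/ip-address/report"
    # params= keeps the key and address properly encoded in the query string.
    params = {"apikey": key, "ip": self.ip_address}
    req_virustotal = None
    # One retry after a 204 (public-API rate limit).  The old code slept and
    # re-requested but never examined the second response's status code.
    for attempt in range(2):
        try:
            req_virustotal = requests.get(url, params=params, timeout=30)
        except requests.RequestException as exc:
            # Exception class only: the message would carry the keyed URL.
            print(bcolors.FAIL + "VirusTotal request failed (" + type(exc).__name__ + ")" + bcolors.ENDC)
            return False
        if req_virustotal.status_code == 403:
            print("Wrong API key, no more info can be gathered")
            sys.exit()
        if req_virustotal.status_code != 204:
            break
        if attempt == 0:
            print("API limit, putting into sleep for 70 sec")
            time.sleep(70)
    if req_virustotal.status_code != 200:
        print(bcolors.FAIL + "VirusTotal returned HTTP " + str(req_virustotal.status_code) + bcolors.ENDC)
        return False
    try:
        json_virustotal = req_virustotal.json()
    except ValueError:
        print(bcolors.FAIL + "VirusTotal returned a non-JSON body" + bcolors.ENDC)
        return False
    # VT v2 answers response_code 0 when it has never seen the address (the
    # domain module checks the same field).
    if json_virustotal.get('response_code') == 0:
        print("Nothing found")
        return False
    print("[*] Following url(s) was/were hosted on ip " + bcolors.HEADER + self.ip_address + bcolors.ENDC + ' and consider as dangerous: ')
    # A report may carry resolutions without any detected_urls; the old code
    # treated the missing key as "nothing found" and discarded the resolutions.
    for detection in json_virustotal.get('detected_urls', [])[:3]:
        output[self.ip_address]['detected'][detection['url']] = detection['scan_date']
        print(detection['url'] + " on " + bcolors.OKGREEN + detection['scan_date'] + bcolors.ENDC)
    sorted_json_virustotal = sorted(
        json_virustotal.get('resolutions', []),
        key=lambda k: k.get('last_resolved') or '',
        reverse=True,
    )
    print("[*] Newest resolution from VirusTotal")
    for resolution in sorted_json_virustotal[:3]:
        print(bcolors.HEADER + self.ip_address + bcolors.ENDC + " was resolved to " + bcolors.OKGREEN + resolution['hostname'] + bcolors.ENDC + " on " + bcolors.OKGREEN + resolution['last_resolved'] + bcolors.ENDC)
        output[self.ip_address]['hostname'][resolution['hostname']] = resolution['last_resolved']
    # output = {self.ip: {detected: {url: scan_date}, hostname: {name: yyyy-mm-dd}}}
    if elastic_output:
        tools.elast('virustotal_ip', 'ip', json_virustotal)
    tools.json_output(self.ip_address, "/virustotal", sorted_json_virustotal)
    return output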
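def whois(self, key, elastic_output):
    """Fetch the current Whoxy WHOIS record for ``self.domain``.

    Prints registration date, registrar, name servers and registrant contact,
    writes the raw answer with ``tools.json_output`` and, when
    ``elastic_output`` is truthy, indexes it with
    ``tools.elast('whois', 'domain', ...)``.

    Args:
        key: Whoxy API key (sent as the ``key`` query parameter).
        elastic_output: when truthy, also index the raw answer.

    Returns:
        ``{self.domain: {'create_date', 'contact', 'dns', 'domain_name'}}``;
        the inner dict stays empty (or partial) when the lookup failed, the
        domain is not registered, or a field is missing from the answer.
    """
    print("-------------------WhoIs module---------------------")
    # The old code had this initialisation commented out, so every successful
    # lookup died with NameError on the first ``output[...]`` assignment.
    output = {self.domain: {}}
    # params= percent-encodes the domain instead of splicing it into the URL.
    try:
        req_whois = requests.get(
            "https://api.whoxy.com/",
            params={"key": key, "whois": self.domain},
            timeout=30,
        )
        json_whois = req_whois.json()
    except (requests.RequestException, ValueError) as exc:
        # Exception class only: requests' messages embed the URL, key included.
        print(bcolors.FAIL + "Whois request failed (" + type(exc).__name__ + ")" + bcolors.ENDC)
        return output
    if json_whois.get('status') == 0:
        print(bcolors.FAIL + "Whois Retrieval Failed" + bcolors.ENDC)
    else:
        try:
            if json_whois['domain_registered'] != 'no':
                print("[*] Domain " + bcolors.HEADER + json_whois['domain_name'] + bcolors.ENDC + " was registered on " + bcolors.OKGREEN + json_whois['create_date'] + bcolors.ENDC + " in " + json_whois['domain_registrar']['registrar_name'])
                print("[*] Name servers")
                record = output[self.domain]
                record['create_date'] = json_whois['create_date']
                for name_server in json_whois['name_servers']:
                    print(bcolors.OKBLUE + name_server + bcolors.ENDC)
                record['contact'] = json_whois['registrant_contact']
                record['dns'] = json_whois['name_servers']
                record['domain_name'] = json_whois['domain_name']
                print("[*] Contact: ")
                for field in json_whois['registrant_contact']:
                    print(bcolors.OKBLUE + json_whois['registrant_contact'][field] + bcolors.ENDC)
            else:
                # The old message ran the words together ("domainexample.com").
                print(bcolors.FAIL + "No match for domain " + self.domain + bcolors.ENDC)
        except KeyError as e:
            print(bcolors.FAIL + "No information found about " + str(e.args[0]) + bcolors.ENDC)
    # output = {self.domain: {create_date: xxx, dns: [xxx], contact: {x: x}, domain_name: xxx}}
    if elastic_output:
        tools.elast('whois', 'domain', json_whois)
    tools.json_output(self.domain, "/whois", json_whois)
    return output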
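def threatcrowd_ip(self, elastic_output):
    """Look up ``self.ip_address`` in ThreatCrowd's IP report.

    Prints the three most recent domain resolutions and the community
    reputation, writes the raw report with ``tools.json_output`` and, when
    ``elastic_output`` is truthy, indexes it with
    ``tools.elast('threatcrowd_ip', 'domain', ...)``.

    Args:
        elastic_output: when truthy, also index the raw report.

    Returns:
        The raw ThreatCrowd report dict (kept for existing callers; the
        ``{ip: {domain, last_resolved, trust}}`` summary built here is not
        returned), or ``False`` when the request fails or ThreatCrowd has no
        data for the address.
    """
    print("----------------ThreatCrowd module---------------------------")
    # params= percent-encodes the address instead of splicing it into the URL.
    try:
        req_threatcrowd = requests.get(
            "https://www.threatcrowd.org/searchApi/v2/ip/report/",
            params={"ip": self.ip_address},
            timeout=30,
        )
        json_threatcrowd = req_threatcrowd.json()
    except (requests.RequestException, ValueError) as exc:
        print(bcolors.FAIL + "ThreatCrowd request failed (" + type(exc).__name__ + ")" + bcolors.ENDC)
        return False
    votes = json_threatcrowd.get('votes', 0)
    output = {self.ip_address: {}}
    # The domain module compares response_code against the string "0", this
    # one compared against the int 0; go through str() to accept either.
    if str(json_threatcrowd.get('response_code')) == "0":
        print("[*] " + bcolors.FAIL + "No information about " + bcolors.HEADER + self.ip_address + bcolors.ENDC)
        return False
    try:
        oldest_first = sorted(json_threatcrowd['resolutions'], key=lambda k: k.get('last_resolved') or '')
    except KeyError:
        oldest_first = []
        print("Error")
    print("[*] Newest resolution from ThreatCrowd")
    newest_first = list(reversed(oldest_first))
    for resolution in newest_first[:3]:
        print(bcolors.HEADER + self.ip_address + bcolors.ENDC + " was resolved to " + bcolors.OKGREEN + resolution['domain'] + bcolors.ENDC + " on " + bcolors.OKGREEN + resolution['last_resolved'] + bcolors.ENDC)
        # Keep all three (the old code overwrote the same key each pass).
        output[self.ip_address].setdefault('domain', []).append(resolution['domain'])
        output[self.ip_address].setdefault('last_resolved', []).append(resolution['last_resolved'])
    if votes < 0:
        trust = "non-trusted"
        coloured_trust = bcolors.WARNING + trust + bcolors.ENDC
    elif votes > 0:
        trust = "trusted"
        coloured_trust = bcolors.OKGREEN + trust + bcolors.ENDC
    else:
        trust = "no opinion"
        coloured_trust = trust
    print("Reputation of " + bcolors.HEADER + self.ip_address + bcolors.ENDC + ": " + coloured_trust)
    # Store the plain label; ANSI escape codes do not belong in data.
    output[self.ip_address]['trust'] = trust
    # output = {self.ip: {domain: [xxx, xxx], last_resolved: [xxx, xxx], trust: trust}}
    if elastic_output:
        tools.elast('threatcrowd_ip', 'domain', json_threatcrowd)
    tools.json_output(self.ip_address, "/threatcrowd", json_threatcrowd)
    return json_threatcrowd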
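def threatcrowd_ip(self, elastic_output):
    """Look up ``self.ip_address`` in ThreatCrowd's IP report.

    Prints the three most recent domain resolutions and the community
    reputation, writes the raw report with ``tools.json_output`` and, when
    ``elastic_output`` is truthy, indexes it with
    ``tools.elast('threatcrowd_ip', 'domain', ...)``.

    Args:
        elastic_output: when truthy, also index the raw report.

    Returns:
        The raw ThreatCrowd report dict (kept for existing callers; the
        ``{ip: {domain, last_resolved, trust}}`` summary built here is not
        returned), or ``False`` when the request fails or ThreatCrowd has no
        data for the address.
    """
    print("----------------ThreatCrowd module---------------------------")
    # params= percent-encodes the address instead of splicing it into the URL.
    try:
        req_threatcrowd = requests.get(
            "https://www.threatcrowd.org/searchApi/v2/ip/report/",
            params={"ip": self.ip_address},
            timeout=30,
        )
        json_threatcrowd = req_threatcrowd.json()
    except (requests.RequestException, ValueError) as exc:
        print(bcolors.FAIL + "ThreatCrowd request failed (" + type(exc).__name__ + ")" + bcolors.ENDC)
        return False
    votes = json_threatcrowd.get('votes', 0)
    output = {self.ip_address: {}}
    # The domain module compares response_code against the string "0", this
    # one compared against the int 0; go through str() to accept either.
    if str(json_threatcrowd.get('response_code')) == "0":
        print("[*] " + bcolors.FAIL + "No information about " + bcolors.HEADER + self.ip_address + bcolors.ENDC)
        return False
    try:
        oldest_first = sorted(json_threatcrowd['resolutions'], key=lambda k: k.get('last_resolved') or '')
    except KeyError:
        oldest_first = []
        print("Error")
    print("[*] Newest resolution from ThreatCrowd")
    newest_first = list(reversed(oldest_first))
    for resolution in newest_first[:3]:
        print(bcolors.HEADER + self.ip_address + bcolors.ENDC + " was resolved to " + bcolors.OKGREEN + resolution['domain'] + bcolors.ENDC + " on " + bcolors.OKGREEN + resolution['last_resolved'] + bcolors.ENDC)
        # Keep all three (the old code overwrote the same key each pass).
        output[self.ip_address].setdefault('domain', []).append(resolution['domain'])
        output[self.ip_address].setdefault('last_resolved', []).append(resolution['last_resolved'])
    if votes < 0:
        trust = "non-trusted"
        coloured_trust = bcolors.WARNING + trust + bcolors.ENDC
    elif votes > 0:
        trust = "trusted"
        coloured_trust = bcolors.OKGREEN + trust + bcolors.ENDC
    else:
        trust = "no opinion"
        coloured_trust = trust
    print("Reputation of " + bcolors.HEADER + self.ip_address + bcolors.ENDC + ": " + coloured_trust)
    # Store the plain label; ANSI escape codes do not belong in data.
    output[self.ip_address]['trust'] = trust
    # output = {self.ip: {domain: [xxx, xxx], last_resolved: [xxx, xxx], trust: trust}}
    if elastic_output:
        tools.elast('threatcrowd_ip', 'domain', json_threatcrowd)
    tools.json_output(self.ip_address, "/threatcrowd", json_threatcrowd)
    return json_threatcrowd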
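def virustotal(self, key, elastic_output):
    """Query the VirusTotal v2 domain report for ``self.domain``.

    Prints the first three IP resolutions, writes the raw report with
    ``tools.json_output`` and, when ``elastic_output`` is truthy, indexes it
    with ``tools.elast('virustotal', 'domain', ...)``.

    Args:
        key: VirusTotal API key (sent as the ``apikey`` query parameter).
        elastic_output: when truthy, also index the raw report.

    Returns:
        ``{self.domain: [ip, ...]}`` with at most three addresses; the list
        is empty when VirusTotal has no data, the request fails, or the API
        stays rate-limited. Exits the process on HTTP 403 (rejected API
        key), as before.
    """
    output = {self.domain: []}
    print("----------------VirusTotal module---------------------------")
    url = "https://www.virustotal.com/vtapi/v2/domain/report"
    # params= keeps the key and domain properly encoded in the query string.
    params = {"apikey": key, "domain": self.domain}
    req_virustotal = None
    # One retry after a 204 (public-API rate limit).  The old code slept and
    # re-requested but never examined the second response's status code.
    for attempt in range(2):
        try:
            req_virustotal = requests.get(url, params=params, timeout=30)
        except requests.RequestException as exc:
            # Exception class only: the message would carry the keyed URL.
            print(bcolors.FAIL + "VirusTotal request failed (" + type(exc).__name__ + ")" + bcolors.ENDC)
            return output
        if req_virustotal.status_code == 403:
            print("Wrong API key, no more info can be gathered")
            sys.exit()
        if req_virustotal.status_code != 204:
            break
        if attempt == 0:
            print("API limitation, putting into sleep for 70 sec")
            time.sleep(70)
    if req_virustotal.status_code != 200:
        print(bcolors.FAIL + "VirusTotal returned HTTP " + str(req_virustotal.status_code) + bcolors.ENDC)
        return output
    try:
        json_virustotal = req_virustotal.json()
    except ValueError:
        print(bcolors.FAIL + "VirusTotal returned a non-JSON body" + bcolors.ENDC)
        return output
    if json_virustotal.get('response_code') != 0:
        print("[*] Domain was resolved to following IPs: ")
        # Only the first three resolutions are shown and collected.
        for resolution in json_virustotal.get('resolutions', [])[:3]:
            print(bcolors.HEADER + resolution['ip_address'] + bcolors.ENDC + " on " + bcolors.OKBLUE + resolution['last_resolved'] + bcolors.ENDC)
            output[self.domain].append(resolution['ip_address'])
    else:
        print(bcolors.FAIL + "Nothing found" + bcolors.ENDC)
    # output = {self.domain: [xxx.xxx, zzz.zzz, yyy.yyy]}
    if elastic_output:
        tools.elast('virustotal', 'domain', json_virustotal)
    tools.json_output(self.domain, "/virustotal", json_virustotal)
    return output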
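def geolocation(self, elastic_output):
    """Geolocate ``self.ip_address`` through extreme-ip-lookup.com.

    Prints the owning business (when reported) and country/city/region,
    writes the raw answer with ``tools.json_output`` and, when
    ``elastic_output`` is truthy, indexes the coordinate slice with
    ``tools.elast('coordinates', 'ip', ...)``.

    Args:
        elastic_output: when truthy, ship the coordinates to Elasticsearch.

    Returns:
        A dict holding the 9th to 11th key/value pairs of the JSON answer
        (the "coordinates" of the original positional slice), or ``{}`` when
        the request fails.
    """
    from urllib.parse import quote

    print("-------------Geolocation module---------------------")
    # The address is part of the URL path; percent-encode it so a value
    # containing '/', '?' or '#' cannot change which endpoint is requested.
    try:
        req_geolocation = requests.get(
            "https://extreme-ip-lookup.com/json/" + quote(self.ip_address, safe=''),
            timeout=30,
        )
        json_geolocation = req_geolocation.json()
    except (requests.RequestException, ValueError) as exc:
        print(bcolors.FAIL + "Geolocation request failed (" + type(exc).__name__ + ")" + bcolors.ENDC)
        return {}
    try:
        business_name = json_geolocation['businessName']
        if len(business_name) > 0:
            # Close the colour span; the old line left OKGREEN open.
            print(bcolors.HEADER + self.ip_address + bcolors.ENDC + " belongs to " + bcolors.OKGREEN + business_name + bcolors.ENDC)
        else:
            print("No business name for that IP")
        print("It is from " + bcolors.OKGREEN + json_geolocation['country'] + ", " + json_geolocation['city'] + ", " + json_geolocation['region'] + bcolors.ENDC)
    except KeyError:
        print(bcolors.FAIL + "Error" + bcolors.ENDC)
    # NOTE(review): the coordinates are picked by *position* (items 8-10) in
    # the JSON object.  ``dict.items()`` is not sliceable on Python 3 and had
    # no defined order on Python 2, so this relies on the API keeping its
    # field order; selecting them by key name would be sturdier -- confirm
    # the key names.
    coordinates = dict(list(json_geolocation.items())[8:11])
    if elastic_output:
        tools.elast('coordinates', 'ip', coordinates)
    tools.json_output(self.ip_address, "/geolocation", json_geolocation)
    return coordinates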
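def whoxy(self, key, elastic_output):
    """Reverse-WHOIS ``self.email_address`` through Whoxy.

    Prints up to three domains whose registrant contact uses the address
    (registration date, name servers, contact), writes the raw answer with
    ``tools.json_output`` and, when ``elastic_output`` is truthy, indexes it
    with ``tools.elast('reverse_whois', 'email', ...)``.

    Args:
        key: Whoxy API key (sent as the ``key`` query parameter).
        elastic_output: when truthy, also index the raw answer.

    Returns:
        ``{self.email_address: {index: {'domain_name', 'create_date', 'dns',
        'contact'}}}`` holding at most three complete records (records
        missing a field are printed as far as possible but not kept). Exits
        the process when Whoxy answers ``status == 0``, after printing its
        ``status_reason``, as before; returns the empty structure on
        transport errors.
    """
    print(bcolors.UNDERLINE + "------------Reverse whoxy module-----------------------" + bcolors.ENDC)
    output = {self.email_address: {}}
    # params= percent-encodes the address: a '+' in the local part spliced
    # straight into the query string reached Whoxy as a space.
    try:
        req_whoxy = requests.get(
            "https://api.whoxy.com/",
            params={"key": key, "reverse": "whois", "email": self.email_address},
            timeout=30,
        )
        json_whoxy = req_whoxy.json()
    except (requests.RequestException, ValueError) as exc:
        # Exception class only: requests' messages embed the URL, key included.
        print(bcolors.FAIL + "Reverse whois request failed (" + type(exc).__name__ + ")" + bcolors.ENDC)
        return output
    if json_whoxy.get('status') == 0:
        print(json_whoxy.get('status_reason'))
        sys.exit()
    total = json_whoxy.get('total_results', 0)
    print("Found " + bcolors.OKGREEN + str(total) + bcolors.ENDC + " results for email: " + bcolors.HEADER + self.email_address + bcolors.ENDC)
    if total > 0:
        kept = 0  # complete records stored so far; stop at three
        for record in json_whoxy.get('search_result', []):
            try:
                print("[*] Domain " + bcolors.HEADER + record['domain_name'] + bcolors.ENDC + " was registered on " + bcolors.OKGREEN + record['create_date'] + bcolors.ENDC)
                entry = {
                    'domain_name': record['domain_name'],
                    'create_date': record['create_date'],
                    'dns': record['name_servers'],
                    'contact': record['registrant_contact'],
                }
                print("[*] Name servers:")
                for name_server in record['name_servers']:
                    print(bcolors.OKBLUE + name_server + bcolors.ENDC)
                print("[*] Contact: ")
                for field in record['registrant_contact']:
                    print(bcolors.OKBLUE + record['registrant_contact'][field] + bcolors.ENDC)
            except KeyError as e:
                # Incomplete record: reported, not counted, not stored.
                print(e)
                print("No more info")
                continue
            output[self.email_address][kept] = entry
            kept += 1
            if kept == 3:  # first three even if there are 4000
                break
    else:
        print("No records found")
    # output = {self.email: {index: {domain_name: xxx, create_date: xxx, contact: {xxx: xxx}, dns: [xxx]}}}
    if elastic_output:
        tools.elast('reverse_whois', 'email', json_whoxy)
    tools.json_output(self.email_address, "/reverse_whois", json_whoxy)
    return output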
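def virustotal(self, key, elastic_output):
    """Query the VirusTotal v2 IP-address report for ``self.ip_address``.

    Prints up to three detected URLs hosted on the address and its three
    most recent hostname resolutions, writes the sorted resolutions with
    ``tools.json_output`` and, when ``elastic_output`` is truthy, indexes the
    raw report with ``tools.elast('virustotal_ip', 'ip', ...)``.

    Args:
        key: VirusTotal API key (sent as the ``apikey`` query parameter).
        elastic_output: when truthy, also index the raw report.

    Returns:
        ``{ip: {'detected': {url: scan_date}, 'hostname': {hostname:
        last_resolved}}}``, or ``False`` when the request fails, the API
        stays rate-limited, or VirusTotal has no data for the address.
        Exits the process on HTTP 403 (rejected API key), as before.
    """
    output = {self.ip_address: {'detected': {}, 'hostname': {}}}
    print("----------------VirusTotal module---------------------------")
    url = "https://www.virustotal.com/vtapi/v2/ip-address/report"
    # params= keeps the key and address properly encoded in the query string.
    params = {"apikey": key, "ip": self.ip_address}
    req_virustotal = None
    # One retry after a 204 (public-API rate limit).  The old code slept and
    # re-requested but never examined the second response's status code.
    for attempt in range(2):
        try:
            req_virustotal = requests.get(url, params=params, timeout=30)
        except requests.RequestException as exc:
            # Exception class only: the message would carry the keyed URL.
            print(bcolors.FAIL + "VirusTotal request failed (" + type(exc).__name__ + ")" + bcolors.ENDC)
            return False
        if req_virustotal.status_code == 403:
            print("Wrong API key, no more info can be gathered")
            sys.exit()
        if req_virustotal.status_code != 204:
            break
        if attempt == 0:
            print("API limit, putting into sleep for 70 sec")
            time.sleep(70)
    if req_virustotal.status_code != 200:
        print(bcolors.FAIL + "VirusTotal returned HTTP " + str(req_virustotal.status_code) + bcolors.ENDC)
        return False
    try:
        json_virustotal = req_virustotal.json()
    except ValueError:
        print(bcolors.FAIL + "VirusTotal returned a non-JSON body" + bcolors.ENDC)
        return False
    # VT v2 answers response_code 0 when it has never seen the address (the
    # domain module checks the same field).
    if json_virustotal.get('response_code') == 0:
        print("Nothing found")
        return False
    print("[*] Following url(s) was/were hosted on ip " + bcolors.HEADER + self.ip_address + bcolors.ENDC + ' and consider as dangerous: ')
    # A report may carry resolutions without any detected_urls; the old code
    # treated the missing key as "nothing found" and discarded the resolutions.
    for detection in json_virustotal.get('detected_urls', [])[:3]:
        output[self.ip_address]['detected'][detection['url']] = detection['scan_date']
        print(detection['url'] + " on " + bcolors.OKGREEN + detection['scan_date'] + bcolors.ENDC)
    sorted_json_virustotal = sorted(
        json_virustotal.get('resolutions', []),
        key=lambda k: k.get('last_resolved') or '',
        reverse=True,
    )
    print("[*] Newest resolution from VirusTotal")
    for resolution in sorted_json_virustotal[:3]:
        print(bcolors.HEADER + self.ip_address + bcolors.ENDC + " was resolved to " + bcolors.OKGREEN + resolution['hostname'] + bcolors.ENDC + " on " + bcolors.OKGREEN + resolution['last_resolved'] + bcolors.ENDC)
        output[self.ip_address]['hostname'][resolution['hostname']] = resolution['last_resolved']
    # output = {self.ip: {detected: {url: scan_date}, hostname: {name: yyyy-mm-dd}}}
    if elastic_output:
        tools.elast('virustotal_ip', 'ip', json_virustotal)
    tools.json_output(self.ip_address, "/virustotal", sorted_json_virustotal)
    return output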
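def whoxy(self, key, elastic_output):
    """Reverse-WHOIS ``self.email_address`` through Whoxy.

    Prints up to three domains whose registrant contact uses the address
    (registration date, name servers, contact), writes the raw answer with
    ``tools.json_output`` and, when ``elastic_output`` is truthy, indexes it
    with ``tools.elast('reverse_whois', 'email', ...)``.

    Args:
        key: Whoxy API key (sent as the ``key`` query parameter).
        elastic_output: when truthy, also index the raw answer.

    Returns:
        ``{self.email_address: {index: {'domain_name', 'create_date', 'dns',
        'contact'}}}`` holding at most three complete records (records
        missing a field are printed as far as possible but not kept). Exits
        the process when Whoxy answers ``status == 0``, after printing its
        ``status_reason``, as before; returns the empty structure on
        transport errors.
    """
    print(bcolors.UNDERLINE + "------------Reverse whoxy module-----------------------" + bcolors.ENDC)
    output = {self.email_address: {}}
    # params= percent-encodes the address: a '+' in the local part spliced
    # straight into the query string reached Whoxy as a space.
    try:
        req_whoxy = requests.get(
            "https://api.whoxy.com/",
            params={"key": key, "reverse": "whois", "email": self.email_address},
            timeout=30,
        )
        json_whoxy = req_whoxy.json()
    except (requests.RequestException, ValueError) as exc:
        # Exception class only: requests' messages embed the URL, key included.
        print(bcolors.FAIL + "Reverse whois request failed (" + type(exc).__name__ + ")" + bcolors.ENDC)
        return output
    if json_whoxy.get('status') == 0:
        print(json_whoxy.get('status_reason'))
        sys.exit()
    total = json_whoxy.get('total_results', 0)
    print("Found " + bcolors.OKGREEN + str(total) + bcolors.ENDC + " results for email: " + bcolors.HEADER + self.email_address + bcolors.ENDC)
    if total > 0:
        kept = 0  # complete records stored so far; stop at three
        for record in json_whoxy.get('search_result', []):
            try:
                print("[*] Domain " + bcolors.HEADER + record['domain_name'] + bcolors.ENDC + " was registered on " + bcolors.OKGREEN + record['create_date'] + bcolors.ENDC)
                entry = {
                    'domain_name': record['domain_name'],
                    'create_date': record['create_date'],
                    'dns': record['name_servers'],
                    'contact': record['registrant_contact'],
                }
                print("[*] Name servers:")
                for name_server in record['name_servers']:
                    print(bcolors.OKBLUE + name_server + bcolors.ENDC)
                print("[*] Contact: ")
                for field in record['registrant_contact']:
                    print(bcolors.OKBLUE + record['registrant_contact'][field] + bcolors.ENDC)
            except KeyError as e:
                # Incomplete record: reported, not counted, not stored.
                print(e)
                print("No more info")
                continue
            output[self.email_address][kept] = entry
            kept += 1
            if kept == 3:  # first three even if there are 4000
                break
    else:
        print("No records found")
    # output = {self.email: {index: {domain_name: xxx, create_date: xxx, contact: {xxx: xxx}, dns: [xxx]}}}
    if elastic_output:
        tools.elast('reverse_whois', 'email', json_whoxy)
    tools.json_output(self.email_address, "/reverse_whois", json_whoxy)
    return output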