import ipaddress
import httpx
import asyncio
import json
from time import time
from typing import List
from . import ioc
from . import secrets
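class ipv4ioc(ioc.ioc):
    """ipv4ioc
    Inheriting from the IOC class, we have a specific class for IPv4 indicators.
    Each API endpoint has its own ``query_*`` coroutine that returns a request
    description dict (name, type, data, header, url). ``gather_urls`` collects
    those dicts and hands the list to the IOC superclass ``querysources``, which
    performs the actual HTTP calls.
    To add an endpoint, add a ``query_*`` method and list its name in
    ``_QUERY_METHODS``.
    """

    # Names of the query_* coroutines that gather_urls runs, in call order.
    # query_googlesafebrowsing and query_threatminer_sslcerthash are defined
    # below but deliberately not listed, so they are never queried.
    _QUERY_METHODS = (
        "query_shodan",
        "query_vt",
        "query_greynoise",
        "query_alientvaultotx",
        "query_robtex",
        "query_threatminer_passivedns",
        "query_threatminer_uris",
        "query_threatminer_samples",
    )

    def __init__(self, indicator: str):
        """Validate *indicator* as an IPv4 address.
        Parameters
        ----------
        indicator (str)
            The IPv4 address to look up.
        Notes
        -----
        An invalid address does not raise. Instead ``api_results`` is pre-filled
        with an error record, which ``get_result`` then returns unchanged, and
        ``ipv4`` is left as ``None``.
        """
        # Neither assignment can fail, so they stay outside the try.
        self.api_details = []
        self.api_results = {}
        # None until the indicator has been validated.
        self.ipv4 = None
        try:
            # IPv4Address rather than ip_address: ip_address() also accepts
            # IPv6 literals, which would then be sent to the IPv4-only
            # endpoints below. AddressValueError is a ValueError subclass.
            self.ipv4 = ipaddress.IPv4Address(indicator)
        except ValueError:
            self.api_results = {
                "indicator": "ipv4",
                "count": 0,
                "time": "00:00",
                "results": "Error - An invalid IPv4 Address Provided",
            }

    def set_url_list(self, url_details: list) -> None:
        """set_url_list
        Updates the list of endpoints to query.
        Parameters
        ----------
        url_details (list)
            A list of dictionary items for each API endpoint.
        Returns
        -------
        None
        """
        self.api_details = url_details

    def get_result(self) -> dict:
        """get_result
        Collects the request description for every listed endpoint (via
        ``gather_urls``) and passes them to the IOC superclass ``querysources``
        to retrieve the data. The result is cached in ``api_results``, so a
        second call returns the same dict without re-querying.
        Parameters
        ----------
        None
        Returns
        -------
        api_results (dict)
            A dictionary of the details from the API endpoints, or the error.
        """
        if self.api_results:
            # Already computed, or an error record from __init__.
            return self.api_results
        if not self.ipv4.is_global:
            # Non-global addresses (private, loopback, link-local, reserved)
            # are never sent to the third-party services.
            self.api_results = {
                "indicator": "ipv4",
                "count": 0,
                # NOTE(review): the invalid-address record in __init__ uses the
                # string "00:00" for this key while this one is the int 0
                # (written 00 originally); kept as-is for compatibility —
                # confirm which form querysources produces.
                "time": 0,
                "results": "Error - A Local IPv4 Address Provided",
            }
            return self.api_results
        self._loop = asyncio.new_event_loop()
        asyncio.set_event_loop(self._loop)
        try:
            self._loop.run_until_complete(self.gather_urls())
            # The superclass is initialised lazily, right before it is used.
            super().__init__()
            self.api_results = super().querysources(
                indicator_type="ipv4", api_endpoint_details=self.api_details
            )
        finally:
            # The loop was previously left open and current, leaking its
            # selector (ResourceWarning on interpreter exit). Close it once
            # querysources is done, in case the superclass used it.
            asyncio.set_event_loop(None)
            self._loop.close()
        return self.api_results

    async def gather_urls(self) -> None:
        """gather_urls
        Runs every coroutine named in ``_QUERY_METHODS`` concurrently and stores
        the resulting request descriptions with ``set_url_list``.
        Parameters
        ----------
        None
        Returns
        -------
        None
        """
        pending = [getattr(self, method_name)() for method_name in self._QUERY_METHODS]
        # gather preserves _QUERY_METHODS order in its result list.
        self.set_url_list(await asyncio.gather(*pending))

    @staticmethod
    def _source(name: str, url: str, *, request_type: str = "GET", data=None, header=None) -> dict:
        """Build the request description dict consumed by ``querysources``.
        Parameters
        ----------
        name (str)
            Source name reported alongside the results.
        url (str)
            Fully-formed endpoint URL.
        request_type (str)
            HTTP method, "GET" or "POST".
        data
            Request body for a POST, else None.
        header
            Dict of request headers, or None.
        Returns
        -------
        dict
            Keys name, type, data, header and url, in that order.
        """
        return {
            "name": name,
            "type": request_type,
            "data": data,
            "header": header,
            "url": url,
        }

    # In every query_* method below, self.ipv4 is a validated IPv4Address, so
    # its str() form is a plain dotted quad and is safe to interpolate into
    # URLs and request bodies.

    async def query_shodan(self) -> dict:
        """query_shodan
        Returns a dictionary for querying the Shodan API.
        Refer to documentation for details: https://developer.shodan.io/api
        Parameters
        ----------
        None
        Returns
        -------
        source_dict (dict)
            Request description: name, HTTP request type, data, header and URL.
        """
        # Shodan takes the API key as a URL query parameter, so this URL
        # must not be logged or echoed verbatim.
        return self._source(
            "Shodan",
            f"https://api.shodan.io/shodan/host/{self.ipv4}?key={secrets.SHODAN_API_KEY}",
        )

    async def query_vt(self) -> dict:
        """query_vt
        Returns a dictionary for querying the VirusTotal API.
        Refer to documentation for details: https://developers.virustotal.com/reference/ip-info
        Parameters
        ----------
        None
        Returns
        -------
        source_dict (dict)
            Request description: name, HTTP request type, data, header and URL.
        """
        return self._source(
            "VirusTotal",
            f"https://www.virustotal.com/api/v3/ip_addresses/{self.ipv4}",
            header={
                "x-apikey": str(secrets.VIRUSTOTAL_API_KEY),
                "Accept": "application/json",
            },
        )

    async def query_greynoise(self) -> dict:
        """query_greynoise
        Returns a dictionary for querying the GreyNoise API.
        Refer to documentation for details: https://docs.greynoise.io/docs/using-the-greynoise-community-api
        Parameters
        ----------
        None
        Returns
        -------
        source_dict (dict)
            Request description: name, HTTP request type, data, header and URL.
        """
        return self._source(
            "GreyNoise",
            f"https://api.greynoise.io/v3/community/{self.ipv4}",
            header={
                "key": str(secrets.GREYNOISE_API_KEY),
                "Accept": "application/json",
                "User-Agent": "inspectorgadget/1.0.0",
            },
        )

    async def query_alientvaultotx(self) -> dict:
        """query_alientvaultotx
        Returns a dictionary for querying the OTX AlienVault API.
        Refer to documentation for details: https://otx.alienvault.com/api
        Parameters
        ----------
        None
        Returns
        -------
        source_dict (dict)
            Request description: name, HTTP request type, data, header and URL.
        """
        return self._source(
            "AlienVaultOTX",
            f"https://otx.alienvault.com/api/v1/indicators/IPv4/{self.ipv4}/geo",
            header={"x-otx-api-key": str(secrets.ALIENVAULTOTX_API_KEY)},
        )

    async def query_robtex(self) -> dict:
        """query_robtex
        Returns a dictionary for querying the Robtex API.
        Refer to documentation for details: https://www.robtex.com/api/
        Parameters
        ----------
        None
        Returns
        -------
        source_dict (dict)
            Request description: name, HTTP request type, data, header and URL.
        """
        # No API key: the free endpoint is unauthenticated.
        return self._source(
            "Robtex",
            f"https://freeapi.robtex.com/ipquery/{self.ipv4}",
        )

    async def query_googlesafebrowsing(self) -> dict:
        """query_googlesafebrowsing
        Returns a dictionary for querying the Google Safe Browsing API.
        Refer to documentation for details: https://developers.google.com/safe-browsing/v4/lookup-api
        Not listed in ``_QUERY_METHODS``, so it is currently never called.
        Parameters
        ----------
        None
        Returns
        -------
        source_dict (dict)
            Request description: name, HTTP request type, data, header and URL.
        """
        # Safe Browsing is URL-oriented, so the address is looked up as both
        # an http and an https URL. The key is a URL query parameter here
        # too, so this URL must not be logged verbatim.
        body = {
            "client": {"clientId": "InspectorGadget", "clientVersion": "1.0.0"},
            "threatInfo": {
                "threatTypes": ["MALWARE", "SOCIAL_ENGINEERING"],
                "platformTypes": ["PLATFORM_TYPE_UNSPECIFIED"],
                "threatEntryTypes": ["URL"],
                "threatEntries": [
                    {"url": f"http://{self.ipv4}"},
                    {"url": f"https://{self.ipv4}"},
                ],
            },
        }
        return self._source(
            "GoogleSafeBrowsing",
            f"https://safebrowsing.googleapis.com/v4/threatMatches:find?key={secrets.GOOGLESAFEBROWSING_API_KEY}",
            request_type="POST",
            data=body,
            header={"Content-Type": "application/json"},
        )

    # These functions were a test to gather information about the TOR exit
    # nodes, but unfortunately their method doesn't work in this class, so
    # they're currently being ignored. Kept here as a record of the attempt:
    #
    #   async def generate_torexitips(self):
    #       r = requests.get("https://check.torproject.org/exit-addresses")
    #       tor_exit_ip_list = []
    #       for line in r.text.split("\n"):
    #           values = line.split(" ")
    #           if values[0] == "ExitAddress":
    #               tor_exit_ip_list.append(values[1])
    #       return tor_exit_ip_list
    #
    #   async def query_torexitips(self):
    #       source_dict = {}
    #       source_dict["source"] = "TorExitIPs"
    #       tor_ip_list = self.generate_torexitips()
    #       if self.ipv4 in tor_ip_list:
    #           source_dict["results"] = {"TorExitIP": True}
    #           return source_dict
    #       else:
    #           source_dict["results"] = {"TorExitIP": False}
    #           return source_dict

    def _threatminer(self, name: str, rt: int) -> dict:
        """Build the request description for one ThreatMiner host.php query.
        Parameters
        ----------
        name (str)
            Source name reported alongside the results.
        rt (int)
            ThreatMiner "rt" selector for the query type.
        Returns
        -------
        dict
            Request description for the ThreatMiner endpoint.
        """
        return self._source(
            name,
            f"https://api.threatminer.org/v2/host.php?q={self.ipv4}&rt={rt}",
            header={"Content-Type": "application/json"},
        )

    async def query_threatminer_passivedns(self) -> dict:
        """query_threatminer_passivedns
        Returns a dictionary for querying the Threat Miner (Passive DNS) API.
        Refer to documentation for details: https://www.threatminer.org/api.php
        Parameters
        ----------
        None
        Returns
        -------
        source_dict (dict)
            Request description: name, HTTP request type, data, header and URL.
        """
        return self._threatminer("ThreatMiner_PassiveDNS", 2)

    async def query_threatminer_uris(self) -> dict:
        """query_threatminer_uris
        Returns a dictionary for querying the Threat Miner (URIs) API.
        Refer to documentation for details: https://www.threatminer.org/api.php
        Parameters
        ----------
        None
        Returns
        -------
        source_dict (dict)
            Request description: name, HTTP request type, data, header and URL.
        """
        return self._threatminer("ThreatMiner_URIs", 3)

    async def query_threatminer_samples(self) -> dict:
        """query_threatminer_samples
        Returns a dictionary for querying the Threat Miner (Samples) API.
        Refer to documentation for details: https://www.threatminer.org/api.php
        Parameters
        ----------
        None
        Returns
        -------
        source_dict (dict)
            Request description: name, HTTP request type, data, header and URL.
        """
        return self._threatminer("ThreatMiner_Samples", 4)

    async def query_threatminer_sslcerthash(self) -> dict:
        """query_threatminer_sslcerthash
        Returns a dictionary for querying the Threat Miner (SSL Cert hash) API.
        Refer to documentation for details: https://www.threatminer.org/api.php
        Not listed in ``_QUERY_METHODS``, so it is currently never called.
        Parameters
        ----------
        None
        Returns
        -------
        source_dict (dict)
            Request description: name, HTTP request type, data, header and URL.
        """
        return self._threatminer("ThreatMiner_SSLCertHash", 5)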