|
4 | 4 | import dns.resolver
|
5 | 5 | import os
|
6 | 6 | import re
|
| 7 | +import requests |
7 | 8 | import socket as sock
|
8 | 9 | import shodan
|
9 | 10 | import sqlite3
|
@@ -121,10 +122,13 @@ def __init__(self):
|
121 | 122 | "shodan: isp": self.ip_to_shodan_isp,
|
122 | 123 | "shodan: city": self.ip_to_shodan_city,
|
123 | 124 | "shodan: asn": self.ip_to_shodan_asn})
|
124 |
| - virustotal_api_key = self.api_db.get_api_key("virustotal") |
125 |
| - if virustotal_api_key: |
| 125 | + self.virustotal_api_key = self.api_db.get_api_key("virustotal") |
| 126 | + if self.virustotal_api_key: |
126 | 127 | self.osint_options.update({
|
127 |
| - "virustotal: report": self.ip_to_vt_report |
| 128 | + "virustotal: network report": self.ip_to_vt_network_report, |
| 129 | + "virustotal: communicating samples": self.ip_to_vt_communicating_samples, |
| 130 | + "virustotal: downloaded samples": self.ip_to_vt_downloaded_samples, |
| 131 | + "virustotal: detected urls": self.ip_to_vt_detected_urls |
128 | 132 | })
|
129 | 133 |
|
130 | 134 | def is_ip_address(self, _input: str):
|
@@ -223,8 +227,68 @@ def ip_to_shodan_asn(self, ip:str):
|
223 | 227 | except Exception as e:
|
224 | 228 | return ["shodan api error: ", e]
|
225 | 229 |
|
226 |
| - def ip_to_vt_report(self, ip:str): |
227 |
| - """Searches virustotal to return an ip report""" |
| 230 | + def ip_to_vt_network_report(self, ip:str): |
| 231 | + """Searches virustotal to return an ip network report""" |
| 232 | + try: |
| 233 | + data = make_vt_api_request( |
| 234 | + "https://www.virustotal.com/vtapi/v2/ip-address/report", |
| 235 | + self.virustotal_api_key, |
| 236 | + {"ip":ip} |
| 237 | + ) |
| 238 | + if data: |
| 239 | + return ["asn owner: {}".format(data.json().get("as_owner")), |
| 240 | + "asn: {}".format(data.json().get("asn")), |
| 241 | + "continent: {}".format(data.json().get("continent")), |
| 242 | + "country: {}".format(data.json().get("country")), |
| 243 | + "network: {}".format(data.json().get("network")), |
| 244 | + "whois: {}".format(data.json().get("whois")) |
| 245 | + ] |
| 246 | + else: |
| 247 | + return ["no data available"] |
| 248 | + except Exception as e: |
| 249 | + return ["virustotal api error: ", e] |
| 250 | + |
| 251 | + def ip_to_vt_communicating_samples(self, ip:str): |
| 252 | + """Searches virustotal to search for detected communicating samples""" |
| 253 | + try: |
| 254 | + data = make_vt_api_request( |
| 255 | + "https://www.virustotal.com/vtapi/v2/ip-address/report", |
| 256 | + self.virustotal_api_key, |
| 257 | + {"ip":ip}) |
| 258 | + if data: |
| 259 | + return [record.get("sha256") for record in data.json()["detected_communicating_samples"]] |
| 260 | + else: |
| 261 | + return ["no data available"] |
| 262 | + except Exception as e: |
| 263 | + return ["virustotal api error: ", e] |
| 264 | + |
| 265 | + def ip_to_vt_downloaded_samples(self, ip:str): |
| 266 | + """Searches virustotal to search for detected communicating samples""" |
| 267 | + try: |
| 268 | + data = make_vt_api_request( |
| 269 | + "https://www.virustotal.com/vtapi/v2/ip-address/report", |
| 270 | + self.virustotal_api_key, |
| 271 | + {"ip":ip}) |
| 272 | + if data: |
| 273 | + return [record.get("sha256") for record in data.json()["detected_downloaded_samples"]] |
| 274 | + else: |
| 275 | + return ["no data available"] |
| 276 | + except Exception as e: |
| 277 | + return ["virustotal api error: ", e] |
| 278 | + |
| 279 | + def ip_to_vt_detected_urls(self, ip:str): |
| 280 | + """Searches virustotal to search for detected communicating samples""" |
| 281 | + try: |
| 282 | + data = make_vt_api_request( |
| 283 | + "https://www.virustotal.com/vtapi/v2/ip-address/report", |
| 284 | + self.virustotal_api_key, |
| 285 | + {"ip":ip}) |
| 286 | + if data: |
| 287 | + return [record.get("url") for record in data.json()["detected_urls"]] |
| 288 | + else: |
| 289 | + return ["no data available"] |
| 290 | + except Exception as e: |
| 291 | + return ["virustotal api error: ", e] |
228 | 292 |
|
229 | 293 | class EmailAddress(object):
|
230 | 294 | """Email address handler class"""
|
@@ -361,6 +425,16 @@ def load_icon():
|
361 | 425 | iconfile.close()
|
362 | 426 | return tempFile
|
363 | 427 |
|
| 428 | +def make_vt_api_request(url: str, api_key: str, search_params: dict): |
| 429 | + """Helper function to interrogate virustotal public api""" |
| 430 | + try: |
| 431 | + params = {"apikey": api_key} |
| 432 | + params.update(search_params) |
| 433 | + headers = {'User-Agent': 'Pockint v.1.0.0-beta'} |
| 434 | + return requests.get(url, params=params, headers=headers) |
| 435 | + except Exception as e: |
| 436 | + return e |
| 437 | + |
364 | 438 | icon = \
|
365 | 439 | """
|
366 | 440 | AAABAAEAgIAAAAEAIAAoCAEAFgAAACgAAACAAAAAAAEAAAEAIAAAAAAAAAABABILAAASCwAAAAAA
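Review bot: In make_vt_api_request the `except Exception as e: return e` hands the exception object back to the callers, whose `if data:` test is true for any Exception instance, so a connection failure ends up in `data.json()` raising AttributeError and is only reported through the callers' catch-all; return None from the helper instead (`except requests.RequestException: return None`) and give the call a timeout, e.g. `return requests.get(url, params=params, headers=headers, timeout=10)`, since it currently blocks indefinitely on an unresponsive endpoint. In the preceding hunk the docstrings of ip_to_vt_downloaded_samples and ip_to_vt_detected_urls are copied from the communicating-samples method and should name downloaded samples and detected URLs respectively. ip_to_vt_network_report parses the body six times through repeated `data.json()` calls where a single `body = data.json()` would do, and the three list methods index `data.json()["detected_..."]` directly, so if the v2 report omits those keys for an address VirusTotal has no record of (it appears to return `response_code` 0 with no sample lists in that case) the KeyError is reported as an api error rather than "no data available"; `body.get("detected_urls", [])` is the safer access. The API key is sent as a query parameter, which the v2 endpoint requires, but it will then appear in any proxy or access log that records request URLs, which is worth a comment on the helper.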
|
|