AIL-framework/bin/Bitcoin.py

109 lines
3.5 KiB
Python
Raw Normal View History

2018-05-04 13:53:29 +02:00
#!/usr/bin/env python3
2018-04-23 14:51:53 +02:00
# -*-coding:UTF-8 -*
"""
The Bitcoin Module
============================
It trying to extract Bitcoin address and secret key from paste
..seealso:: Paste method (get_regex)
Requirements
------------
*Need running Redis instances. (Redis).
"""
from packages import Paste
from Helper import Process
from pubsublogger import publisher
import re
import time
from hashlib import sha256
2018-04-23 16:22:23 +02:00
#### thank http://rosettacode.org/wiki/Bitcoin/address_validation#Python for this 2 functions
2018-04-23 14:51:53 +02:00
def decode_base58(bc, length):
n = 0
for char in bc:
n = n * 58 + digits58.index(char)
return n.to_bytes(length, 'big')
def check_bc(bc):
try:
bcbytes = decode_base58(bc, 25)
return bcbytes[-4:] == sha256(sha256(bcbytes[:-4]).digest()).digest()[:4]
except Exception:
return False
2018-04-23 16:22:23 +02:00
########################################################
2018-04-23 14:51:53 +02:00
2018-04-24 17:03:10 +02:00
def search_key(content, message, paste):
2018-04-23 14:51:53 +02:00
bitcoin_address = re.findall(regex_bitcoin_public_address, content)
bitcoin_private_key = re.findall(regex_bitcoin_private_key, content)
validate_address = False
2018-04-24 17:03:10 +02:00
key = False
2018-04-23 14:51:53 +02:00
if(len(bitcoin_address) >0):
#print(message)
for address in bitcoin_address:
if(check_bc(address)):
validate_address = True
print('Bitcoin address found : {}'.format(address))
if(len(bitcoin_private_key) > 0):
for private_key in bitcoin_private_key:
print('Bitcoin private key found : {}'.format(private_key))
2018-04-24 17:03:10 +02:00
key = True
2018-04-23 14:51:53 +02:00
if(validate_address):
p.populate_set_out(message, 'Duplicate')
2018-04-24 17:03:10 +02:00
to_print = 'Bitcoin found: {} address and {} private Keys'.format(len(bitcoin_address), len(bitcoin_private_key))
2018-04-23 14:51:53 +02:00
print(to_print)
publisher.warning(to_print)
msg = ('bitcoin;{}'.format(message))
p.populate_set_out( msg, 'alertHandler')
2018-05-16 14:39:01 +02:00
msg = 'infoleak:automatic-detection="bitcoin-address";{}'.format(message)
p.populate_set_out(msg, 'Tags')
2018-04-24 17:03:10 +02:00
if(key):
2018-05-16 14:39:01 +02:00
msg = 'infoleak:automatic-detection="bitcoin-private-key";{}'.format(message)
p.populate_set_out(msg, 'Tags')
2018-04-24 17:03:10 +02:00
to_print = 'Bitcoin;{};{};{};'.format(paste.p_source, paste.p_date,
paste.p_name)
publisher.warning('{}Detected {} Bitcoin private key;{}'.format(
to_print, len(bitcoin_private_key),paste.p_path))
2018-04-23 14:51:53 +02:00
if __name__ == "__main__":
publisher.port = 6380
publisher.channel = "Script"
config_section = 'Bitcoin'
# Setup the I/O queues
p = Process(config_section)
# Sent to the logging a description of the module
publisher.info("Run Keys module ")
digits58 = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz'
regex_bitcoin_public_address = re.compile(r'(?<![a-km-zA-HJ-NP-Z0-9])[13][a-km-zA-HJ-NP-Z0-9]{26,33}(?![a-km-zA-HJ-NP-Z0-9])')
regex_bitcoin_private_key = re.compile(r'[5KL][1-9A-HJ-NP-Za-km-z]{50,51}')
# Endless loop getting messages from the input queue
while True:
# Get one message from the input queue
message = p.get_from_set()
if message is None:
publisher.debug("{} queue is empty, waiting".format(config_section))
time.sleep(1)
continue
# Do something with the message from the queue
paste = Paste.Paste(message)
content = paste.get_p_content()
2018-04-24 17:03:10 +02:00
search_key(content, message, paste)