From 30fd361e1c20f8c76d671cb7b28daaf423a1ad87 Mon Sep 17 00:00:00 2001
From: Terrtia
Date: Sun, 22 Sep 2019 14:44:37 +0200
Subject: [PATCH] chg: [Cryptocurrency] add private_key entry + fix dash regex

---
 bin/Cryptocurrencies.py        | 55 ++++++++++++++++++++++------------
 bin/packages/Cryptocurrency.py |  5 ++--
 bin/packages/Item.py           |  6 ++++
 3 files changed, 45 insertions(+), 21 deletions(-)

diff --git a/bin/Cryptocurrencies.py b/bin/Cryptocurrencies.py
index 8571e5d1..ba006062 100755
--- a/bin/Cryptocurrencies.py
+++ b/bin/Cryptocurrencies.py
@@ -41,7 +41,6 @@ signal.signal(signal.SIGALRM, timeout_handler)
 
 def search_crytocurrency(item_id, item_content):
 
-    # bitcoin_private_key = re.findall(regex_bitcoin_private_key, content)
 
     is_cryptocurrency_found = False
 
@@ -69,20 +68,7 @@ def search_crytocurrency(item_id, item_content):
                     # build bitcoin correlation
                     Cryptocurrency.save_cryptocurrency_data(crypto_name, Item.get_item_date(item_id), item_id, address)
 
-        # # TODO: add private key validation
-        #if(len(bitcoin_private_key) > 0):
-        #    for private_key in bitcoin_private_key:
-        #        print('Bitcoin private key found : {}'.format(private_key))
-        #    to_print = 'Bitcoin found: {} address and {} private Keys'.format(len(bitcoin_address), len(bitcoin_private_key))
-        #    print(to_print)
-        #    publisher.warning(to_print)
-        #    msg = 'infoleak:automatic-detection="bitcoin-private-key";{}'.format(message)
-        #    p.populate_set_out(msg, 'Tags')
-        #    to_print = 'Bitcoin;{};{};{};'.format(paste.p_source, paste.p_date,
-        #                                          paste.p_name)
-        #    publisher.warning('{}Detected {} Bitcoin private key;{}'.format(
-        #        to_print, len(bitcoin_private_key),paste.p_rel_path))
-
+            # At least one valid cryptocurrency address was found
             if(is_valid_crypto_addr):
                 # valid cryptocurrency found in this item
                 is_cryptocurrency_found = True
@@ -91,6 +77,35 @@ def search_crytocurrency(item_id, item_content):
                 msg = '{};{}'.format(crypto_dict['tag'], item_id)
                 p.populate_set_out(msg, 'Tags')
 
+        # search cryptocurrency private key
+        if crypto_dict.get('private_key'):
+            signal.alarm(crypto_dict['private_key']['max_execution_time'])
+            try:
+                addr_private_key = re.findall(crypto_dict['private_key']['regex'], item_content)
+            except TimeoutException:
+                addr_private_key = []
+                p.incr_module_timeout_statistic() # add encoder type
+                print ("{0} processing timeout".format(item_id))
+                continue
+            else:
+                signal.alarm(0)
+
+            if addr_private_key:
+                # Tag Item
+                msg = '{};{}'.format(crypto_dict['private_key']['tag'], item_id)
+                p.populate_set_out(msg, 'Tags')
+
+                # debug
+                print(addr_private_key)
+                to_print = '{} found: {} address and {} private Keys'.format(crypto_name, len(crypto_addr), len(addr_private_key))
+                print(to_print)
+                publisher.warning(to_print)
+
+                to_print = 'Cryptocurrency;{};{};{};'.format(Item.get_source(item_id), Item.get_item_date(item_id), Item.get_item_basename(item_id))
+                publisher.warning('{}Detected {} {} private key;{}'.format(
+                    to_print, len(addr_private_key), crypto_name, item_id))
+
+
     if is_cryptocurrency_found:
         # send to duplicate module
         p.populate_set_out(item_id, 'Duplicate')
@@ -106,6 +121,11 @@ cryptocurrency_dict = {
         'regex': r'\b[13][A-Za-z0-9]{26,33}\b',
         'max_execution_time': default_max_execution_time,
         'tag': 'infoleak:automatic-detection="bitcoin-address"',
+        'private_key': {
+            'regex': r'[5KL][1-9A-HJ-NP-Za-km-z]{50,51}',
+            'max_execution_time': default_max_execution_time,
+            'tag': 'infoleak:automatic-detection="bitcoin-private-key"',
+        },
     },
     'ethereum': {
         'name': 'ethereum', # e.g. 0x8466b50B53c521d0B4B163d186596F94fB8466f1
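Review bot: `print(addr_private_key)` under `# debug` writes every matched private-key candidate verbatim to the module's stdout, so the secret itself lands in whatever captures process output, whereas the surrounding `publisher.warning` calls only report counts; drop that line or replace it with `print(len(addr_private_key))`. In the `except TimeoutException:` branch the assignment `addr_private_key = []` is dead because `continue` follows it, and that `continue` targets a loop whose header lies outside the hunk, as does the rest of `search_crytocurrency`. A private-key-only hit does not set `is_cryptocurrency_found`, so such an item is tagged but never reaches the `p.populate_set_out(item_id, 'Duplicate')` branch at the end of the hunk; if that is intended, a comment like `# private keys only tag the item; Duplicate is driven by valid addresses` would make it explicit.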
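Review bot: The new bitcoin `private_key` regex `r'[5KL][1-9A-HJ-NP-Za-km-z]{50,51}'` carries no `\b` anchors, unlike the address patterns in this dict such as `r'\b[13][A-Za-z0-9]{26,33}\b'`, so it also fires on a window inside a longer base58-looking run; `r'\b[5KL][1-9A-HJ-NP-Za-km-z]{50,51}\b'` would bring it in line with the address entries. The pattern itself is carried over from the `regex_bitcoin_private_key` removed further down, so that behaviour is pre-existing, but the `# TODO: add private key validation` note removed in the earlier hunk goes with it and no checksum check takes its place, so every regex hit is tagged as a key.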
@@ -139,7 +159,7 @@ cryptocurrency_dict = {
     },
     'dash': {
         'name': 'dash', # e.g. XmNfXq2kDmrNBTiDTofohRemwGur1WmgTT
-        'regex': r'\bX[a-za0-9]{33}\b',
+        'regex': r'\bX[A-Za-z0-9]{33}\b',
         'max_execution_time': default_max_execution_time,
         'tag': 'infoleak:automatic-detection="dash-address"',
     }
@@ -158,9 +178,6 @@ if __name__ == "__main__":
     # Sent to the logging a description of the module
     publisher.info("Run Cryptocurrency module ")
 
-
-    regex_bitcoin_private_key = re.compile(r'[5KL][1-9A-HJ-NP-Za-km-z]{50,51}')
-
     # Endless loop getting messages from the input queue
     while True:
         # Get one message from the input queue
diff --git a/bin/packages/Cryptocurrency.py b/bin/packages/Cryptocurrency.py
index 46ba7f96..fe7b385f 100755
--- a/bin/packages/Cryptocurrency.py
+++ b/bin/packages/Cryptocurrency.py
@@ -14,6 +14,7 @@ from Correlation import Correlation
 r_serv_metadata = Flask_config.r_serv_metadata
 
 digits58 = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz'
+#address_validation = {'bitcoin': 'base58', 'dash': 'base58'}
 
 cryptocurrency = Correlation('cryptocurrency')
 
@@ -25,7 +26,7 @@ def decode_base58(bc, length):
     return n.to_bytes(length, 'big')
 
 # http://rosettacode.org/wiki/Bitcoin/address_validation#Python
-def check_bitcoin_address(bc):
+def check_base58_address(bc):
     try:
         bcbytes = decode_base58(bc, 25)
         return bcbytes[-4:] == sha256(sha256(bcbytes[:-4]).digest()).digest()[:4]
@@ -34,7 +35,7 @@ def check_bitcoin_address(bc):
 
 def verify_cryptocurrency_address(cryptocurrency_type, cryptocurrency_address):
     if cryptocurrency_type == 'bitcoin':
-        return check_bitcoin_address(cryptocurrency_address)
+        return check_base58_address(cryptocurrency_address)
     else:
         return True
 
diff --git a/bin/packages/Item.py b/bin/packages/Item.py
index 264ef300..4f7aa851 100755
--- a/bin/packages/Item.py
+++ b/bin/packages/Item.py
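Review bot: `verify_cryptocurrency_address` still returns `True` for every type other than `'bitcoin'`, so renaming the helper to `check_base58_address` changes nothing for dash, even though the commented-out `#address_validation = {'bitcoin': 'base58', 'dash': 'base58'}` added in the same file marks dash as base58 too; until that map is wired in, every regex hit for the other currencies is presumably treated as a valid address by the caller. If dash shares the 25-byte base58check layout that `check_base58_address` decodes, `if cryptocurrency_type in ('bitcoin', 'dash'):` closes the gap with no other change; otherwise a comment on the `else:` branch such as `# non-bitcoin addresses are accepted without checksum validation` would at least make the current behaviour explicit. The `except` clause of `check_base58_address` lies outside the hunk.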
@@ -29,6 +29,12 @@ def get_item_date(item_id):
     l_directory = item_id.split('/')
     return '{}{}{}'.format(l_directory[-4], l_directory[-3], l_directory[-2])
 
+def get_source(item_id):
+    return item_id.split('/')[-5]
+
+def get_item_basename(item_id):
+    return os.path.basename(item_id)
+
 def get_item_size(item_id):
     return round(os.path.getsize(os.path.join(PASTES_FOLDER, item_id))/1024.0, 2)
 
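Review bot: `get_source` indexes `item_id.split('/')[-5]` with no docstring, so the path layout it relies on (at least five `/`-separated components, the source being the fifth from the end, matching the `[-4]`..`[-2]` convention in `get_item_date` just above) stays implicit, and a shorter id raises `IndexError` from inside whichever caller hits it first. A one-line docstring such as `"""Return the source component of item_id; presumably <source>/<y>/<m>/<d>/<name> — confirm against get_item_date."""` would make the assumption visible. `get_item_basename` goes through `os.path.basename` while its siblings split on `'/'`; on POSIX the two agree, but a short comment stating that item ids are `/`-separated keys rather than native paths would explain why both forms are acceptable here.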