CIRCL
/
AIL-framework
mirror of https://github.com/CIRCL/AIL-framework
2
1
Fork 0
Code Issues Releases Wiki Activity

chg: [Cryptocurrency] add private_key entry + fix dash regex

pull/401/head
Terrtia 2019-09-22 14:44:37 +02:00
parent 7dbb27055e
commit 30fd361e1c
No known key found for this signature in database
GPG Key ID: 1E1B1F50D84613D0
3 changed files with 45 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
bin/Cryptocurrencies.py
View File

@ -41,7 +41,6 @@ signal.signal(signal.SIGALRM, timeout_handler)
def search_crytocurrency(item_id, item_content): def search_crytocurrency(item_id, item_content):
# bitcoin_private_key = re.findall(regex_bitcoin_private_key, content)
is_cryptocurrency_found = False is_cryptocurrency_found = False
@ -69,20 +68,7 @@ def search_crytocurrency(item_id, item_content):
# build bitcoin correlation # build bitcoin correlation
Cryptocurrency.save_cryptocurrency_data(crypto_name, Item.get_item_date(item_id), item_id, address) Cryptocurrency.save_cryptocurrency_data(crypto_name, Item.get_item_date(item_id), item_id, address)
# # TODO: add private key validation # At least one valid cryptocurrency address was found
#if(len(bitcoin_private_key) > 0):
# for private_key in bitcoin_private_key:
# print('Bitcoin private key found : {}'.format(private_key))
# to_print = 'Bitcoin found: {} address and {} private Keys'.format(len(bitcoin_address), len(bitcoin_private_key))
# print(to_print)
# publisher.warning(to_print)
# msg = 'infoleak:automatic-detection="bitcoin-private-key";{}'.format(message)
# p.populate_set_out(msg, 'Tags')
# to_print = 'Bitcoin;{};{};{};'.format(paste.p_source, paste.p_date,
# paste.p_name)
# publisher.warning('{}Detected {} Bitcoin private key;{}'.format(
# to_print, len(bitcoin_private_key),paste.p_rel_path))
if(is_valid_crypto_addr): if(is_valid_crypto_addr):
# valid cryptocurrency found in this item # valid cryptocurrency found in this item
is_cryptocurrency_found = True is_cryptocurrency_found = True
@ -91,6 +77,35 @@ def search_crytocurrency(item_id, item_content):
msg = '{};{}'.format(crypto_dict['tag'], item_id) msg = '{};{}'.format(crypto_dict['tag'], item_id)
p.populate_set_out(msg, 'Tags') p.populate_set_out(msg, 'Tags')
# search cryptocurrency private key
if crypto_dict.get('private_key'):
signal.alarm(crypto_dict['private_key']['max_execution_time'])
try:
addr_private_key = re.findall(crypto_dict['private_key']['regex'], item_content)
except TimeoutException:
addr_private_key = []
p.incr_module_timeout_statistic() # add encoder type
print ("{0} processing timeout".format(item_id))
continue
else:
signal.alarm(0)
if addr_private_key:
# Tag Item
msg = '{};{}'.format(crypto_dict['private_key']['tag'], item_id)
p.populate_set_out(msg, 'Tags')
# debug
print(addr_private_key)
to_print = '{} found: {} address and {} private Keys'.format(crypto_name, len(crypto_addr), len(addr_private_key))
print(to_print)
publisher.warning(to_print)
to_print = 'Cryptocurrency;{};{};{};'.format(Item.get_source(item_id), Item.get_item_date(item_id), Item.get_item_basename(item_id))
publisher.warning('{}Detected {} {} private key;{}'.format(
to_print, len(addr_private_key), crypto_name, item_id))
if is_cryptocurrency_found: if is_cryptocurrency_found:
# send to duplicate module # send to duplicate module
p.populate_set_out(item_id, 'Duplicate') p.populate_set_out(item_id, 'Duplicate')
@ -106,6 +121,11 @@ cryptocurrency_dict = {
'regex': r'\b[13][A-Za-z0-9]{26,33}\b', 'regex': r'\b[13][A-Za-z0-9]{26,33}\b',
'max_execution_time': default_max_execution_time, 'max_execution_time': default_max_execution_time,
'tag': 'infoleak:automatic-detection="bitcoin-address"', 'tag': 'infoleak:automatic-detection="bitcoin-address"',
'private_key': {
'regex': r'[5KL][1-9A-HJ-NP-Za-km-z]{50,51}',
'max_execution_time': default_max_execution_time,
'tag': 'infoleak:automatic-detection="bitcoin-private-key"',
},
}, },
'ethereum': { 'ethereum': {
'name': 'ethereum', # e.g. 0x8466b50B53c521d0B4B163d186596F94fB8466f1 'name': 'ethereum', # e.g. 0x8466b50B53c521d0B4B163d186596F94fB8466f1
@ -139,7 +159,7 @@ cryptocurrency_dict = {
}, },
'dash': { 'dash': {
'name': 'dash', # e.g. XmNfXq2kDmrNBTiDTofohRemwGur1WmgTT 'name': 'dash', # e.g. XmNfXq2kDmrNBTiDTofohRemwGur1WmgTT
'regex': r'\bX[a-za0-9]{33}\b', 'regex': r'\bX[A-Za-z0-9]{33}\b',
'max_execution_time': default_max_execution_time, 'max_execution_time': default_max_execution_time,
'tag': 'infoleak:automatic-detection="dash-address"', 'tag': 'infoleak:automatic-detection="dash-address"',
} }
@ -158,9 +178,6 @@ if __name__ == "__main__":
# Sent to the logging a description of the module # Sent to the logging a description of the module
publisher.info("Run Cryptocurrency module ") publisher.info("Run Cryptocurrency module ")
regex_bitcoin_private_key = re.compile(r'[5KL][1-9A-HJ-NP-Za-km-z]{50,51}')
# Endless loop getting messages from the input queue # Endless loop getting messages from the input queue
while True: while True:
# Get one message from the input queue # Get one message from the input queue

5
bin/packages/Cryptocurrency.py
View File

@ -14,6 +14,7 @@ from Correlation import Correlation
r_serv_metadata = Flask_config.r_serv_metadata r_serv_metadata = Flask_config.r_serv_metadata
digits58 = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz' digits58 = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz'
#address_validation = {'bitcoin': 'base58', 'dash': 'base58'}
cryptocurrency = Correlation('cryptocurrency') cryptocurrency = Correlation('cryptocurrency')
@ -25,7 +26,7 @@ def decode_base58(bc, length):
return n.to_bytes(length, 'big') return n.to_bytes(length, 'big')
# http://rosettacode.org/wiki/Bitcoin/address_validation#Python # http://rosettacode.org/wiki/Bitcoin/address_validation#Python
def check_bitcoin_address(bc): def check_base58_address(bc):
try: try:
bcbytes = decode_base58(bc, 25) bcbytes = decode_base58(bc, 25)
return bcbytes[-4:] == sha256(sha256(bcbytes[:-4]).digest()).digest()[:4] return bcbytes[-4:] == sha256(sha256(bcbytes[:-4]).digest()).digest()[:4]
@ -34,7 +35,7 @@ def check_bitcoin_address(bc):
def verify_cryptocurrency_address(cryptocurrency_type, cryptocurrency_address): def verify_cryptocurrency_address(cryptocurrency_type, cryptocurrency_address):
if cryptocurrency_type == 'bitcoin': if cryptocurrency_type == 'bitcoin':
return check_bitcoin_address(cryptocurrency_address) return check_base58_address(cryptocurrency_address)
else: else:
return True return True

6
bin/packages/Item.py
View File

@ -29,6 +29,12 @@ def get_item_date(item_id):
l_directory = item_id.split('/') l_directory = item_id.split('/')
return '{}{}{}'.format(l_directory[-4], l_directory[-3], l_directory[-2]) return '{}{}{}'.format(l_directory[-4], l_directory[-3], l_directory[-2])
def get_source(item_id):
return item_id.split('/')[-5]
def get_item_basename(item_id):
return os.path.basename(item_id)
def get_item_size(item_id): def get_item_size(item_id):
return round(os.path.getsize(os.path.join(PASTES_FOLDER, item_id))/1024.0, 2) return round(os.path.getsize(os.path.join(PASTES_FOLDER, item_id))/1024.0, 2)