mirror of https://github.com/CIRCL/AIL-framework
Merge branch 'master' into domain_object
commit
71718fb69f
|
@ -42,8 +42,8 @@ Features
|
||||||
* Multiple feed support
|
* Multiple feed support
|
||||||
* Each module can process and reprocess the information already processed by AIL
|
* Each module can process and reprocess the information already processed by AIL
|
||||||
* Detecting and extracting URLs including their geographical location (e.g. IP address location)
|
* Detecting and extracting URLs including their geographical location (e.g. IP address location)
|
||||||
* Extracting and validating potential leak of credit cards numbers, credentials, ...
|
* Extracting and validating potential leaks of credit card numbers, credentials, ...
|
||||||
* Extracting and validating email addresses leaked including DNS MX validation
|
* Extracting and validating leaked email addresses, including DNS MX validation
|
||||||
* Module for extracting Tor .onion addresses (to be further processed for analysis)
|
* Module for extracting Tor .onion addresses (to be further processed for analysis)
|
||||||
* Keep tracks of duplicates (and diffing between each duplicate found)
|
* Keep tracks of duplicates (and diffing between each duplicate found)
|
||||||
* Extracting and validating potential hostnames (e.g. to feed Passive DNS systems)
|
* Extracting and validating potential hostnames (e.g. to feed Passive DNS systems)
|
||||||
|
|
142
bin/Bitcoin.py
142
bin/Bitcoin.py
|
@ -1,142 +0,0 @@
|
||||||
#!/usr/bin/env python3
|
|
||||||
# -*-coding:UTF-8 -*
|
|
||||||
"""
|
|
||||||
The Bitcoin Module
|
|
||||||
============================
|
|
||||||
|
|
||||||
It trying to extract Bitcoin address and secret key from paste
|
|
||||||
|
|
||||||
..seealso:: Paste method (get_regex)
|
|
||||||
|
|
||||||
Requirements
|
|
||||||
------------
|
|
||||||
|
|
||||||
*Need running Redis instances. (Redis).
|
|
||||||
|
|
||||||
"""
|
|
||||||
|
|
||||||
from packages import Paste
|
|
||||||
from Helper import Process
|
|
||||||
from pubsublogger import publisher
|
|
||||||
|
|
||||||
import re
|
|
||||||
import time
|
|
||||||
import redis
|
|
||||||
|
|
||||||
from hashlib import sha256
|
|
||||||
|
|
||||||
|
|
||||||
#### thank http://rosettacode.org/wiki/Bitcoin/address_validation#Python for this 2 functions
|
|
||||||
|
|
||||||
def decode_base58(bc, length):
|
|
||||||
n = 0
|
|
||||||
for char in bc:
|
|
||||||
n = n * 58 + digits58.index(char)
|
|
||||||
return n.to_bytes(length, 'big')
|
|
||||||
|
|
||||||
def check_bc(bc):
|
|
||||||
try:
|
|
||||||
bcbytes = decode_base58(bc, 25)
|
|
||||||
return bcbytes[-4:] == sha256(sha256(bcbytes[:-4]).digest()).digest()[:4]
|
|
||||||
except Exception:
|
|
||||||
return False
|
|
||||||
########################################################
|
|
||||||
|
|
||||||
def search_key(content, message, paste):
|
|
||||||
bitcoin_address = re.findall(regex_bitcoin_public_address, content)
|
|
||||||
bitcoin_private_key = re.findall(regex_bitcoin_private_key, content)
|
|
||||||
date = str(paste._get_p_date())
|
|
||||||
validate_address = False
|
|
||||||
key = False
|
|
||||||
if(len(bitcoin_address) >0):
|
|
||||||
#print(message)
|
|
||||||
for address in bitcoin_address:
|
|
||||||
if(check_bc(address)):
|
|
||||||
validate_address = True
|
|
||||||
print('Bitcoin address found : {}'.format(address))
|
|
||||||
if(len(bitcoin_private_key) > 0):
|
|
||||||
for private_key in bitcoin_private_key:
|
|
||||||
print('Bitcoin private key found : {}'.format(private_key))
|
|
||||||
key = True
|
|
||||||
# build bitcoin correlation
|
|
||||||
save_cryptocurrency_data('bitcoin', date, message, address)
|
|
||||||
|
|
||||||
if(validate_address):
|
|
||||||
p.populate_set_out(message, 'Duplicate')
|
|
||||||
to_print = 'Bitcoin found: {} address and {} private Keys'.format(len(bitcoin_address), len(bitcoin_private_key))
|
|
||||||
print(to_print)
|
|
||||||
publisher.warning(to_print)
|
|
||||||
|
|
||||||
msg = 'infoleak:automatic-detection="bitcoin-address";{}'.format(message)
|
|
||||||
p.populate_set_out(msg, 'Tags')
|
|
||||||
|
|
||||||
if(key):
|
|
||||||
msg = 'infoleak:automatic-detection="bitcoin-private-key";{}'.format(message)
|
|
||||||
p.populate_set_out(msg, 'Tags')
|
|
||||||
|
|
||||||
to_print = 'Bitcoin;{};{};{};'.format(paste.p_source, paste.p_date,
|
|
||||||
paste.p_name)
|
|
||||||
publisher.warning('{}Detected {} Bitcoin private key;{}'.format(
|
|
||||||
to_print, len(bitcoin_private_key),paste.p_rel_path))
|
|
||||||
|
|
||||||
def save_cryptocurrency_data(cryptocurrency_name, date, item_path, cryptocurrency_address):
|
|
||||||
# create basic medata
|
|
||||||
if not serv_metadata.exists('cryptocurrency_metadata_{}:{}'.format(cryptocurrency_name, cryptocurrency_address)):
|
|
||||||
serv_metadata.hset('cryptocurrency_metadata_{}:{}'.format(cryptocurrency_name, cryptocurrency_address), 'first_seen', date)
|
|
||||||
serv_metadata.hset('cryptocurrency_metadata_{}:{}'.format(cryptocurrency_name, cryptocurrency_address), 'last_seen', date)
|
|
||||||
else:
|
|
||||||
last_seen = serv_metadata.hget('cryptocurrency_metadata_{}:{}'.format(cryptocurrency_name, cryptocurrency_address), 'last_seen')
|
|
||||||
if not last_seen:
|
|
||||||
serv_metadata.hset('cryptocurrency_metadata_{}:{}'.format(cryptocurrency_name, cryptocurrency_address), 'last_seen', date)
|
|
||||||
else:
|
|
||||||
if int(last_seen) < int(date):
|
|
||||||
serv_metadata.hset('cryptocurrency_metadata_{}:{}'.format(cryptocurrency_name, cryptocurrency_address), 'last_seen', date)
|
|
||||||
|
|
||||||
# global set
|
|
||||||
serv_metadata.sadd('set_cryptocurrency_{}:{}'.format(cryptocurrency_name, cryptocurrency_address), item_path)
|
|
||||||
|
|
||||||
# daily
|
|
||||||
serv_metadata.hincrby('cryptocurrency:{}:{}'.format(cryptocurrency_name, date), cryptocurrency_address, 1)
|
|
||||||
|
|
||||||
# all type
|
|
||||||
serv_metadata.zincrby('cryptocurrency_all:{}'.format(cryptocurrency_name), cryptocurrency_address, 1)
|
|
||||||
|
|
||||||
# item_metadata
|
|
||||||
serv_metadata.sadd('item_cryptocurrency_{}:{}'.format(cryptocurrency_name, item_path), cryptocurrency_address)
|
|
||||||
|
|
||||||
if __name__ == "__main__":
|
|
||||||
publisher.port = 6380
|
|
||||||
publisher.channel = "Script"
|
|
||||||
|
|
||||||
config_section = 'Bitcoin'
|
|
||||||
|
|
||||||
# Setup the I/O queues
|
|
||||||
p = Process(config_section)
|
|
||||||
|
|
||||||
serv_metadata = redis.StrictRedis(
|
|
||||||
host=p.config.get("ARDB_Metadata", "host"),
|
|
||||||
port=p.config.getint("ARDB_Metadata", "port"),
|
|
||||||
db=p.config.getint("ARDB_Metadata", "db"),
|
|
||||||
decode_responses=True)
|
|
||||||
|
|
||||||
# Sent to the logging a description of the module
|
|
||||||
publisher.info("Run Keys module ")
|
|
||||||
|
|
||||||
digits58 = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz'
|
|
||||||
|
|
||||||
regex_bitcoin_public_address = re.compile(r'(?<![a-km-zA-HJ-NP-Z0-9])[13][a-km-zA-HJ-NP-Z0-9]{26,33}(?![a-km-zA-HJ-NP-Z0-9])')
|
|
||||||
regex_bitcoin_private_key = re.compile(r'[5KL][1-9A-HJ-NP-Za-km-z]{50,51}')
|
|
||||||
|
|
||||||
# Endless loop getting messages from the input queue
|
|
||||||
while True:
|
|
||||||
# Get one message from the input queue
|
|
||||||
message = p.get_from_set()
|
|
||||||
if message is None:
|
|
||||||
publisher.debug("{} queue is empty, waiting".format(config_section))
|
|
||||||
time.sleep(1)
|
|
||||||
continue
|
|
||||||
|
|
||||||
# Do something with the message from the queue
|
|
||||||
paste = Paste.Paste(message)
|
|
||||||
content = paste.get_p_content()
|
|
||||||
search_key(content, message, paste)
|
|
|
@ -0,0 +1,81 @@
|
||||||
|
#!/usr/bin/env python3
|
||||||
|
# -*-coding:UTF-8 -*
|
||||||
|
"""
|
||||||
|
The IP Module
|
||||||
|
======================
|
||||||
|
|
||||||
|
This module is consuming the global channel.
|
||||||
|
|
||||||
|
It first performs a regex to find IP addresses and then matches those IPs to
|
||||||
|
some configured ip ranges.
|
||||||
|
|
||||||
|
The list of IP ranges are expected to be in CIDR format (e.g. 192.168.0.0/16)
|
||||||
|
and should be defined in the config.cfg file, under the [IP] section
|
||||||
|
|
||||||
|
"""
|
||||||
|
|
||||||
|
import time
|
||||||
|
import re
|
||||||
|
from pubsublogger import publisher
|
||||||
|
from packages import Paste
|
||||||
|
from Helper import Process
|
||||||
|
from ipaddress import IPv4Network, IPv4Address
|
||||||
|
|
||||||
|
|
||||||
|
def search_ip(message):
|
||||||
|
paste = Paste.Paste(message)
|
||||||
|
content = paste.get_p_content()
|
||||||
|
# regex to find IPs
|
||||||
|
reg_ip = re.compile(r'^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)', flags=re.MULTILINE)
|
||||||
|
# list of the regex results in the Paste, may be null
|
||||||
|
results = reg_ip.findall(content)
|
||||||
|
matching_ips = []
|
||||||
|
|
||||||
|
for res in results:
|
||||||
|
address = IPv4Address(res)
|
||||||
|
for network in ip_networks:
|
||||||
|
if address in network:
|
||||||
|
matching_ips.append(address)
|
||||||
|
|
||||||
|
if len(matching_ips) > 0:
|
||||||
|
print('{} contains {} IPs'.format(paste.p_name, len(matching_ips)))
|
||||||
|
publisher.warning('{} contains {} IPs'.format(paste.p_name, len(matching_ips)))
|
||||||
|
|
||||||
|
#Tag message with IP
|
||||||
|
msg = 'infoleak:automatic-detection="ip";{}'.format(message)
|
||||||
|
p.populate_set_out(msg, 'Tags')
|
||||||
|
#Send to duplicate
|
||||||
|
p.populate_set_out(message, 'Duplicate')
|
||||||
|
|
||||||
|
if __name__ == '__main__':
|
||||||
|
# If you wish to use an other port of channel, do not forget to run a subscriber accordingly (see launch_logs.sh)
|
||||||
|
# Port of the redis instance used by pubsublogger
|
||||||
|
publisher.port = 6380
|
||||||
|
# Script is the default channel used for the modules.
|
||||||
|
publisher.channel = 'Script'
|
||||||
|
|
||||||
|
# Section name in bin/packages/modules.cfg
|
||||||
|
config_section = 'IP'
|
||||||
|
# Setup the I/O queues
|
||||||
|
p = Process(config_section)
|
||||||
|
|
||||||
|
ip_networks = []
|
||||||
|
for network in p.config.get("IP", "networks").split(","):
|
||||||
|
ip_networks.append(IPv4Network(network))
|
||||||
|
|
||||||
|
|
||||||
|
# Sent to the logging a description of the module
|
||||||
|
publisher.info("Run IP module")
|
||||||
|
|
||||||
|
# Endless loop getting messages from the input queue
|
||||||
|
while True:
|
||||||
|
# Get one message from the input queue
|
||||||
|
message = p.get_from_set()
|
||||||
|
if message is None:
|
||||||
|
publisher.debug("{} queue is empty, waiting".format(config_section))
|
||||||
|
time.sleep(1)
|
||||||
|
continue
|
||||||
|
|
||||||
|
# Do something with the message from the queue
|
||||||
|
search_ip(message)
|
||||||
|
|
|
@ -121,6 +121,13 @@ def search_key(paste):
|
||||||
p.populate_set_out(msg, 'Tags')
|
p.populate_set_out(msg, 'Tags')
|
||||||
find = True
|
find = True
|
||||||
|
|
||||||
|
if '-----BEGIN PUBLIC KEY-----' in content:
|
||||||
|
publisher.warning('{} has a public key message'.format(paste.p_name))
|
||||||
|
|
||||||
|
msg = 'infoleak:automatic-detection="public-key";{}'.format(message)
|
||||||
|
p.populate_set_out(msg, 'Tags')
|
||||||
|
find = True
|
||||||
|
|
||||||
# pgp content
|
# pgp content
|
||||||
if get_pgp_content:
|
if get_pgp_content:
|
||||||
p.populate_set_out(message, 'PgpDump')
|
p.populate_set_out(message, 'PgpDump')
|
||||||
|
|
|
@ -186,7 +186,9 @@ function launching_scripts {
|
||||||
sleep 0.1
|
sleep 0.1
|
||||||
screen -S "Script_AIL" -X screen -t "Decoder" bash -c "cd ${AIL_BIN}; ${ENV_PY} ./Decoder.py; read x"
|
screen -S "Script_AIL" -X screen -t "Decoder" bash -c "cd ${AIL_BIN}; ${ENV_PY} ./Decoder.py; read x"
|
||||||
sleep 0.1
|
sleep 0.1
|
||||||
screen -S "Script_AIL" -X screen -t "Bitcoin" bash -c "cd ${AIL_BIN}; ${ENV_PY} ./Bitcoin.py; read x"
|
screen -S "Script_AIL" -X screen -t "Cryptocurrency" bash -c "cd ${AIL_BIN}; ${ENV_PY} ./Cryptocurrencies.py; read x"
|
||||||
|
sleep 0.1
|
||||||
|
screen -S "Script_AIL" -X screen -t "Tools" bash -c "cd ${AIL_BIN}; ${ENV_PY} ./Tools.py; read x"
|
||||||
sleep 0.1
|
sleep 0.1
|
||||||
screen -S "Script_AIL" -X screen -t "Phone" bash -c "cd ${AIL_BIN}; ${ENV_PY} ./Phone.py; read x"
|
screen -S "Script_AIL" -X screen -t "Phone" bash -c "cd ${AIL_BIN}; ${ENV_PY} ./Phone.py; read x"
|
||||||
sleep 0.1
|
sleep 0.1
|
||||||
|
@ -213,6 +215,8 @@ function launching_scripts {
|
||||||
screen -S "Script_AIL" -X screen -t "UpdateBackground" bash -c "cd ${AIL_BIN}; ${ENV_PY} ./update-background.py; read x"
|
screen -S "Script_AIL" -X screen -t "UpdateBackground" bash -c "cd ${AIL_BIN}; ${ENV_PY} ./update-background.py; read x"
|
||||||
sleep 0.1
|
sleep 0.1
|
||||||
screen -S "Script_AIL" -X screen -t "SubmitPaste" bash -c "cd ${AIL_BIN}; ${ENV_PY} ./submit_paste.py; read x"
|
screen -S "Script_AIL" -X screen -t "SubmitPaste" bash -c "cd ${AIL_BIN}; ${ENV_PY} ./submit_paste.py; read x"
|
||||||
|
sleep 0.1
|
||||||
|
screen -S "Script_AIL" -X screen -t "IPAddress" bash -c "cd ${AIL_BIN}; ${ENV_PY} ./IPAddress.py; read x"
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -132,3 +132,7 @@ publish = Redis_Mixer
|
||||||
[Crawler]
|
[Crawler]
|
||||||
subscribe = Redis_Crawler
|
subscribe = Redis_Crawler
|
||||||
publish = Redis_Mixer,Redis_Tags
|
publish = Redis_Mixer,Redis_Tags
|
||||||
|
|
||||||
|
[IP]
|
||||||
|
subscribe = Redis_Global
|
||||||
|
publish = Redis_Duplicate,Redis_Tags
|
||||||
|
|
|
@ -266,3 +266,8 @@ default_crawler_closespider_pagecount = 50
|
||||||
default_crawler_user_agent = Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0
|
default_crawler_user_agent = Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0
|
||||||
splash_url = http://127.0.0.1
|
splash_url = http://127.0.0.1
|
||||||
splash_port = 8050-8052
|
splash_port = 8050-8052
|
||||||
|
|
||||||
|
[IP]
|
||||||
|
# list of comma-separated CIDR that you wish to be alerted for. e.g:
|
||||||
|
#networks = 192.168.34.0/24,10.0.0.0/8,192.168.33.0/24
|
||||||
|
networks =
|
||||||
|
|
|
@ -50,6 +50,7 @@ flask-login
|
||||||
bcrypt
|
bcrypt
|
||||||
|
|
||||||
#DomainClassifier
|
#DomainClassifier
|
||||||
|
git+https://github.com/D4-project/BGP-Ranking.git/#egg=pybgpranking&subdirectory=client
|
||||||
DomainClassifier
|
DomainClassifier
|
||||||
#Indexer requirements
|
#Indexer requirements
|
||||||
whoosh
|
whoosh
|
||||||
|
|
Loading…
Reference in New Issue