Now searches within observable_compositions

pull/47/head
Hannah Ward 2016-08-19 17:21:12 +01:00
parent 9db9247e55
commit a492d975c4
2 changed files with 90 additions and 9 deletions


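--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,62 @@
+import json
+import os
+import subprocess
+import requests
+import tempfile
+misperrors = {'error': 'Error'}
+mispattributes = {'input': ['domain'], 'output': ['domain']}
+# possible module-types: 'expansion', 'hover' or both
+moduleinfo = {'version': '1', 'author': 'Hannah Ward',
+'description': 'Attempt to brute force subdomains',
+'module-type': ['expansion']}
+# config fields that your code expects from the site admin
+moduleconfig = ["use_top_n_subdomains"]
+domains = requests.get("http://hannah-ward.uk/Subdomain_List.txt").text.split("\n")[:-1]
+def handler(q=False):
+global domains
+if q is False:
+return False
+request = json.loads(q)
+r = {"results": []}
+f = tempfile.NamedTemporaryFile(delete=False, prefix="domains", mode="w")
+print("Saving domains to {}".format(f.name))
+f.write("\n".join(domains[:int(request["config"]["use_top_n_subdomains"])]))
+f.close()
+print("Searching for subdomains of {}".format(request["domain"]))
+print("Using {} domains".format(request["config"]["use_top_n_subdomains"]))
+print("Turning on tor...")
+#subprocess.call([".","torsocks","on"])
+proc = subprocess.Popen(["knockpy", "-w", f.name, request["domain"]],
+stdout=subprocess.PIPE
+)
+os.remove(f.name)
+print("Turning off tor...")
+#subprocess.call([".","torsocks","off"])
+out,err = proc.communicate()
+r["results"] = {'values':out.split("\n"), "types":'domain'}
+return r
+def introspection():
+return mispattributes
+def version():
+moduleinfo['config'] = moduleconfig
+return moduleinfo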
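Review bot: The `domains` wordlist is downloaded at module import over plain HTTP from a third-party host with no timeout and no error handling, so a failed or tampered fetch either breaks module loading or silently feeds externally chosen input to knockpy; move the fetch into `handler` (or a cached loader) as `requests.get(url, timeout=10)` followed by `raise_for_status()`, and prefer an HTTPS source or a wordlist shipped with the module. `request["domain"]` goes straight into the knockpy argv; the list form of `Popen` keeps it away from a shell, but a value beginning with `-` would be parsed as an option, so validate it first, e.g. `if not re.fullmatch(r"[A-Za-z0-9.-]+", request["domain"]): return misperrors` (with `import re`), which also gives `misperrors` a use. `os.remove(f.name)` runs as soon as `Popen` returns, before `communicate()`, so knockpy may find the wordlist already gone; delete it after `communicate()` in a `finally`. If this targets Python 3, `out` is bytes and `out.split("\n")` raises TypeError — decode it first.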


@ -4,6 +4,7 @@ import re
import base64 import base64
import hashlib import hashlib
import tempfile import tempfile
import pickle
misperrors = {'error': 'Error'} misperrors = {'error': 'Error'}
userConfig = {} userConfig = {}
@ -49,6 +50,9 @@ def handler(q=False):
# Load up the package into STIX # Load up the package into STIX
package = loadPackage(package, memsize) package = loadPackage(package, memsize)
# Hash it
with open("/home/hward/tmp.dat", "wb") as f:
pickle.dump( package, f)
# Build all the observables # Build all the observables
if package.observables: if package.observables:
for obs in package.observables: for obs in package.observables:
@ -62,7 +66,7 @@ def handler(q=False):
# Aaaand the indicators # Aaaand the indicators
if package.indicators: if package.indicators:
for ind in package.indicators: for ind in package.indicators:
r["results"].append(buildIndicator(ind)) r["results"] += buildIndicator(ind)
# Are you seeing a pattern? # Are you seeing a pattern?
if package.exploit_targets: if package.exploit_targets:
@ -76,7 +80,7 @@ def handler(q=False):
# Clean up results # Clean up results
# Don't send on anything that didn't have a value # Don't send on anything that didn't have a value
r["results"] = [x for x in r["results"] if len(x["values"]) != 0] r["results"] = [x for x in r["results"] if isinstance(x, dict) and len(x["values"]) != 0]
return r return r
# Quick and dirty regex for IP addresses # Quick and dirty regex for IP addresses
@ -126,11 +130,14 @@ def buildIndicator(ind):
and other fun things and other fun things
like that like that
""" """
r = {"values": [], "types": []} r = []
# Try to get hashes. I hate stix # Try to get hashes. I hate stix
if ind.observable: if ind.observables:
return buildObservable(ind.observable) for i in ind.observables:
if i.observable_composition:
for j in i.observable_composition.observables:
r.append(buildObservable(j))
r.append(buildObservable(i))
return r return r
@ -152,7 +159,6 @@ def buildObservable(o):
and extract the value and extract the value
and category and category
""" """
# Life is easier with json # Life is easier with json
if not isinstance(o, dict): if not isinstance(o, dict):
o = json.loads(o.to_json()) o = json.loads(o.to_json())
@ -168,7 +174,6 @@ def buildObservable(o):
props = o["object"]["properties"] props = o["object"]["properties"]
# If it has an address_value field, it's gonna be an address # If it has an address_value field, it's gonna be an address
# print(props)
# Kinda obvious really # Kinda obvious really
if "address_value" in props: if "address_value" in props:
@ -193,7 +198,21 @@ def buildObservable(o):
for hsh in props["hashes"]: for hsh in props["hashes"]:
r["values"].append(hsh["simple_hash_value"]["value"]) r["values"].append(hsh["simple_hash_value"]["value"])
r["types"] = identifyHash(hsh["simple_hash_value"]["value"]) r["types"] = identifyHash(hsh["simple_hash_value"]["value"])
return r
elif "xsi:type" in props:
# Cybox. Ew.
try:
type_ = props["xsi:type"]
val = props["value"]
if type_ == "LinkObjectType":
r["types"] = ["link"]
r["values"].append(val)
else:
print("Ignoring {}".format(type_))
except:
pass
return r
def loadPackage(data, memsize=1024): def loadPackage(data, memsize=1024):
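Review bot: The `pickle.dump( package, f)` to the hard-coded path `/home/hward/tmp.dat` in the first handler hunk looks like leftover debugging: it writes every incoming STIX package to a developer-specific location on each request, raises on any host where that directory does not exist, and sits under a `# Hash it` comment that does not describe it; drop the three lines and the new `import pickle`, or if persistence is really wanted use the already-imported `tempfile` with a config-driven path. In the last hunk the bare `except: pass` around the CybOX branch swallows every exception, including a `KeyError` from a malformed object and unrelated programming errors; narrow it to `except KeyError:` and log which object was skipped instead of passing silently. In the buildIndicator hunk the new list return (and the `r["results"] += buildIndicator(ind)` change that depends on it) is what forced the later `isinstance(x, dict)` filter, so the docstring there should state that it returns a list of observable dicts and that buildObservable is called on both the composition members and the enclosing observable.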