Regex for more crypto wallets, IPv6 and improved coordinates #26
Conversation
amadejpapez
commented
May 21, 2021
amadejpapez
commented
- pyWhat can now detect Ripple, Bitcoin Cash, Litecoin and Monero!
- added detection for IPv6
- if there is a port number alongside of the IP address, it will now grab that too
- improved detection for coordinates, added formats (N 32° 53.733 W 096° 48.358") and made it less restrictive (20,80 is no longer a coordinate :D)
pywhat/Data/regex.json
Outdated
| }, | ||
| { | ||
| "Name": "Bitcoin Cash (BCH) Wallet Address", | ||
| "Regex": "^bitcoincash:[a-zA-Z0-9]{42}$", |
There was a problem hiding this comment.
This is much higher as it says bitcoincash at the front, i'd give it a rarity of 1.0
pywhat/Data/regex.json
Outdated
| @@ -251,15 +291,25 @@ | |||
| ] | |||
| }, | |||
| { | |||
| "Name": "Internet Protocol (IP) Address", | |||
| "Regex": "(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)", | |||
| "Name": "Internet Protocol (IP) Address version 4", | |||
pywhat/Data/regex.json
Outdated
| "Description": "Universal address pointing to an entity on the web.", | ||
| "Rarity": 0.4, | ||
| "Tags": [ | ||
| "Identifiers", | ||
| "Networking" | ||
| ] | ||
| }, | ||
| { | ||
| "Name": "Internet Protocol (IP) Address version 6", |
pywhat/Data/regex.json
Outdated
| "Name": "Internet Protocol (IP) Address version 6", | ||
| "Regex": "\\[?(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\\]?(:[0-9]{1,5})?", | ||
| "Description": "Universal address pointing to an entity on the web.", | ||
| "Rarity": 1.0, |
There was a problem hiding this comment.
Please manually sort them in the file, so the ones with the highest rarity (1.0) go at the top and the lower the rarity the lower down in the file they are.
this is so when we import via JSON it's already sorted most likely (least false positives) to least likely (most false positives) :D
| def test_monero(): | ||
| r = regex_identifier.RegexIdentifier() | ||
| res = r.check(["47DF8D9NwtmefhFUghynYRMqrexiZTsm48T1hhi2jZcbfcwoPbkhMrrED6zqJRfeYpXFfdaqAT3jnBEwoMwCx6BYDJ1W3ub"]) | ||
| assert "Monero (XMR) Wallet Address" in res[0]["Regex Pattern"]["Name"] | ||
|
|
||
|
|
||
| def test_litecoin(): | ||
| r = regex_identifier.RegexIdentifier() | ||
| res = r.check(["LRX8rSPVjifTxoLeoJtLf2JYdJFTQFcE7m"]) | ||
| assert "Litecoin (LTC) Wallet Address" in res[0]["Regex Pattern"]["Name"] | ||
|
|
||
|
|
||
| def test_bitcoincash(): | ||
| r = regex_identifier.RegexIdentifier() | ||
| res = r.check(["bitcoincash:qzlg6uvceehgzgtz6phmvy8gtdqyt6vf359at4n3lq"]) | ||
| assert "Bitcoin Cash (BCH) Wallet Address" in res[0]["Regex Pattern"]["Name"] | ||
|
|
||
|
|
||
| def test_ripple(): | ||
| r = regex_identifier.RegexIdentifier() | ||
| res = r.check(["rBPAQmwMrt7FDDPNyjwFgwSqbWZPf6SLkk"]) | ||
| assert "Ripple (XRP) Wallet Address" in res[0]["Regex Pattern"]["Name"] |
There was a problem hiding this comment.
This is annoying, but can you also add all the tests to:
https://github.com/bee-san/pyWhat/blob/main/fixtures/file
And copy / paste into:
https://github.com/bee-san/pyWhat/blob/main/tests/test_click.py
Because of how many regexes this has, we need to be on the ball with testing. We need to have a lot of tests to make sure we don't slip up :-)
pywhat/printer.py
Outdated
| "YouTube Video ID": "https://www.youtube.com/watch?v=", | ||
| "YouTube Channel ID": "https://www.youtube.com/channel/", | ||
| "Latitude & Longitude Coordinates": "https://www.google.com/maps/place/", |
There was a problem hiding this comment.
Can we include the Shodan link here for IP addresses, please?
https://www.shodan.io/search?query=6.6.6.6
for 6.6.6.6 :-)
There was a problem hiding this comment.
Actually, the URL is this:
pywhat/printer.py
Outdated
| "Ethereum (ETH) Wallet Address": "https://etherscan.io/address/", | ||
| "Dogecoin (DOGE) Wallet Address": "https://dogechain.info/address/", | ||
| "Bitcoin (BTC) Wallet Address": "https://www.blockchain.com/btc/address/", |
There was a problem hiding this comment.
Also this is annoying -- but can we test that these links show up? You can do so by:
This is annoying, but can you also add all the tests to:
https://github.com/bee-san/pyWhat/blob/main/fixtures/file
And copy / paste into:
https://github.com/bee-san/pyWhat/blob/main/tests/test_click.py
and then in that Click file trying to match the dogechain / etherscan URL etc :-) (I'd just do re.searchall("dogechain") to find it 😄
pywhat/printer.py
Outdated
| "YouTube Video ID": "https://www.youtube.com/watch?v=", | ||
| "YouTube Channel ID": "https://www.youtube.com/channel/", | ||
| "Latitude & Longitude Coordinates": "https://www.google.com/maps/place/", |
There was a problem hiding this comment.
Actually, the URL is this:
pywhat/Data/regex.json
Outdated
| @@ -10,7 +10,7 @@ | |||
| ] | |||
| }, | |||
| { | |||
| "Name": "Bitcoin Wallet", | |||
| "Name": "Bitcoin (BTC) Wallet Address", | |||
There was a problem hiding this comment.
Perhaps include the bitcoin char here? ₿
