In [2]:
import warnings
warnings.filterwarnings("ignore")

#### Before opening the notebook:
- Explore the data on a text file a little - check for instance that the number and type of fields in each line varies, which is a complication if, for instance, you which to analyse the data with bash

#### Jupyter Notebook
- The notebook allows us to run blocks of code and get an output immediately, much like a REPL
- At the end, its possible to export the results as a report, which is an advantage to use a notebook instead of the REPL

#### Pandas
- Pandas allows us to work with the data on a table - a dataframe - and apply countless useful functions for data manipulation and analysis
- When loading the data to a dataframe, all data is put in memory, so if the data if large enough, its impractical do use pandas. In those cases, you might need to perform some cleaning of sharding before importing, use a raw Python script, or a distributed framework such as Apache Spark

In [3]:
#Import pandas as pd, to shorten the name each time we need it
import pandas as pd

Our data is comprised by several individual nested json objects instead of a single json array, which pandas does not handle well. Because of that, you might need to do a slight manipulation before loading the data to a dataframe.

In [4]:
def convert_json_file_to_dataframe(file):
    with open(file, 'rb') as f:
        data = f.readlines()

    data = map(lambda x: x.rstrip(), data)
    data_json_str = "[" + ','.join(data) + "]"
    df = pd.read_json(data_json_str)

    return df

Our json's main fields are setup as columns in the dataframe
- "origin", "target", "status" and "result"

In [5]:
file_name = 'ssh_test'

In [6]:
df = convert_json_file_to_dataframe(file_name)

In [7]:
df

Unnamed: 0,origin,result,target
0,{u'job_id': u'demo-19d87145-c351-42ea-b766-9fe...,{u'response': u'synack'},"{u'ip': u'131.176.108.11', u'protocol': u'tcp'..."
1,{u'job_id': u'demo-19d87145-c351-42ea-b766-9fe...,{u'response': u'synack'},"{u'ip': u'131.176.149.82', u'protocol': u'tcp'..."
2,{u'job_id': u'demo-19d87145-c351-42ea-b766-9fe...,{u'response': u'synack'},"{u'ip': u'131.176.60.114', u'protocol': u'tcp'..."
3,{u'job_id': u'demo-19d87145-c351-42ea-b766-9fe...,{u'response': u'synack'},"{u'ip': u'131.176.60.127', u'protocol': u'tcp'..."
4,{u'job_id': u'demo-19d87145-c351-42ea-b766-9fe...,{u'response': u'synack'},"{u'ip': u'212.126.210.36', u'protocol': u'tcp'..."
5,{u'job_id': u'demo-19d87145-c351-42ea-b766-9fe...,{u'response': u'synack'},"{u'ip': u'213.218.23.16', u'protocol': u'tcp',..."
6,{u'job_id': u'demo-19d87145-c351-42ea-b766-9fe...,{u'response': u'synack'},"{u'ip': u'131.176.230.198', u'protocol': u'tcp..."
7,{u'job_id': u'demo-19d87145-c351-42ea-b766-9fe...,{u'response': u'synack'},"{u'ip': u'131.176.60.196', u'protocol': u'tcp'..."
8,{u'job_id': u'demo-19d87145-c351-42ea-b766-9fe...,{u'response': u'synack'},"{u'ip': u'213.218.5.34', u'protocol': u'tcp', ..."
9,{u'job_id': u'demo-19d87145-c351-42ea-b766-9fe...,{u'response': u'synack'},"{u'ip': u'195.2.174.25', u'protocol': u'tcp', ..."


We can access each entry on a column to explore in detail:

df[column name][row number]

In [8]:
df['origin'][0]

{u'client_id': u'demo',
 u'country': u'us',
 u'job_id': u'demo-19d87145-c351-42ea-b766-9febd955abde',
 u'module': u'portscan',
 u'ts': 1477587129563L,
 u'type': u'port'}

We can also access a particular field of the nested object:

df[column name][row number][field name]

In [9]:
df['origin'][0]['client_id']

u'demo'

In [10]:
df['target'][3]['ip']

u'131.176.60.127'

For analysing SSH data, the columns that we are most interested in are "target", since it contains IP Address and Port information, and "result", since it contains the effective data that was extracted by the SSH module.
By creating a new dataframe with only the data that we are interested in, we diminish the quantity of data that we have to manipulate, which accelerates the process and eases reading and interpretation.

In [11]:
df2 = df[['target', 'result']]

To show only the first 5 rows of the dataframe: df[:5]

To show only the last 5 rows of the dataframe: df[-5:]

In [12]:
df2[:5]

Unnamed: 0,target,result
0,"{u'ip': u'131.176.108.11', u'protocol': u'tcp'...",{u'response': u'synack'}
1,"{u'ip': u'131.176.149.82', u'protocol': u'tcp'...",{u'response': u'synack'}
2,"{u'ip': u'131.176.60.114', u'protocol': u'tcp'...",{u'response': u'synack'}
3,"{u'ip': u'131.176.60.127', u'protocol': u'tcp'...",{u'response': u'synack'}
4,"{u'ip': u'212.126.210.36', u'protocol': u'tcp'...",{u'response': u'synack'}


All the rows that do not contain any values - NaN - can and should be discarded
In order to do that, we can use the df.dropna() method:
- DataFrame.dropna(axis=0, how='any', thresh=None, subset=None, inplace=False)
- Return object with labels on given axis omitted where alternately any or all of the data are missing

In [13]:
df2 = df2.dropna()

In [14]:
df2[:5]

Unnamed: 0,target,result
0,"{u'ip': u'131.176.108.11', u'protocol': u'tcp'...",{u'response': u'synack'}
1,"{u'ip': u'131.176.149.82', u'protocol': u'tcp'...",{u'response': u'synack'}
2,"{u'ip': u'131.176.60.114', u'protocol': u'tcp'...",{u'response': u'synack'}
3,"{u'ip': u'131.176.60.127', u'protocol': u'tcp'...",{u'response': u'synack'}
4,"{u'ip': u'212.126.210.36', u'protocol': u'tcp'...",{u'response': u'synack'}


On the "result" column, we are only interested on the values which actually have information - by looking at the raw data we know that only the rows with "data" have information.

To apply a function to all the rows of a specific column, you can use the .map() method.

In [15]:
#Maintain only "result" rows with the "data" string in it
df2['result'] =  df2['result'].map(lambda x: x if 'data' in x else None )

In [16]:
df2[:5]

Unnamed: 0,target,result
0,"{u'ip': u'131.176.108.11', u'protocol': u'tcp'...",
1,"{u'ip': u'131.176.149.82', u'protocol': u'tcp'...",
2,"{u'ip': u'131.176.60.114', u'protocol': u'tcp'...",
3,"{u'ip': u'131.176.60.127', u'protocol': u'tcp'...",
4,"{u'ip': u'212.126.210.36', u'protocol': u'tcp'...",


In [17]:
#Remove null results
df3 = df2.dropna()

In [18]:
df3[:5]

Unnamed: 0,target,result
34,"{u'ip': u'131.176.230.221', u'port': 22}",{u'data': {u'banner': u'SSH-2.0-OpenSSH_6.7p1'...
35,"{u'ip': u'131.176.230.224', u'port': 22}",{u'data': {u'banner': u'SSH-2.0-OpenSSH_6.7p1'...
36,"{u'ip': u'131.176.230.226', u'port': 22}",{u'data': {u'banner': u'SSH-2.0-OpenSSH_6.7p1'...
37,"{u'ip': u'213.218.0.170', u'port': 22}","{u'data': {u'banner': u'SSH-2.0-OpenSSH_5.3', ..."
38,"{u'ip': u'131.176.145.137', u'port': 22}",{u'data': {u'banner': u'SSH-2.0-OpenSSH_4.2-ch...


We can compute the quantity of entries with no data, by computing the size of the dataframe before and after dropping the null values.

To get the size of a dataframe you can use the len() method.

In [19]:
print 'Total results: %s' % len(df2)

Total results: 177


In [20]:
print 'Total results with data: %s' % len(df3)

Total results with data: 101


In order to facilitate the analysis, we can take the json fields and put then into columns.

First we check which fields are exist on the json:

In [21]:
df3['target'].map(lambda x: x.keys())[:3]

34    [ip, port]
35    [ip, port]
36    [ip, port]
Name: target, dtype: object

In [22]:
df3['result'].map(lambda x: x.keys())[:3]

34    [data]
35    [data]
36    [data]
Name: result, dtype: object

The "target" column can then be divided into "ip" and "port".

In [23]:
df3['ip'] = df3['target'].map(lambda x: x['ip'])

In [24]:
df3[:10]

Unnamed: 0,target,result,ip
34,"{u'ip': u'131.176.230.221', u'port': 22}",{u'data': {u'banner': u'SSH-2.0-OpenSSH_6.7p1'...,131.176.230.221
35,"{u'ip': u'131.176.230.224', u'port': 22}",{u'data': {u'banner': u'SSH-2.0-OpenSSH_6.7p1'...,131.176.230.224
36,"{u'ip': u'131.176.230.226', u'port': 22}",{u'data': {u'banner': u'SSH-2.0-OpenSSH_6.7p1'...,131.176.230.226
37,"{u'ip': u'213.218.0.170', u'port': 22}","{u'data': {u'banner': u'SSH-2.0-OpenSSH_5.3', ...",213.218.0.170
38,"{u'ip': u'131.176.145.137', u'port': 22}",{u'data': {u'banner': u'SSH-2.0-OpenSSH_4.2-ch...,131.176.145.137
39,"{u'ip': u'212.126.215.124', u'port': 22}",{u'data': {u'banner': u'SSH-2.0-OpenSSH_6.6.1p...,212.126.215.124
40,"{u'ip': u'213.218.5.99', u'port': 22}","{u'data': {u'banner': u'SSH-2.0-OpenSSH_7.2', ...",213.218.5.99
41,"{u'ip': u'213.218.23.16', u'port': 22}",{u'data': {u'banner': u'SSH-2.0-OpenSSH_5.2p1'...,213.218.23.16
42,"{u'ip': u'212.126.220.243', u'port': 22}","{u'data': {u'banner': u'SSH-2.0-OpenSSH_5.3', ...",212.126.220.243
43,"{u'ip': u'213.218.23.18', u'port': 22}",{u'data': {u'banner': u'SSH-2.0-OpenSSH_6.6p1'...,213.218.23.18


Inside the "data" field, we know there are more fields, which we want to explore.

In [25]:
df3['result'].map(lambda x: x['data'].keys())[:20]

34    [banner, cyphers, algorithms]
35    [banner, cyphers, algorithms]
36    [banner, cyphers, algorithms]
37    [banner, cyphers, algorithms]
38    [banner, cyphers, algorithms]
39    [banner, cyphers, algorithms]
40    [banner, cyphers, algorithms]
41    [banner, cyphers, algorithms]
42    [banner, cyphers, algorithms]
43    [banner, cyphers, algorithms]
44                 [state, service]
45    [banner, cyphers, algorithms]
46    [banner, cyphers, algorithms]
47    [banner, cyphers, algorithms]
48                 [state, service]
49                 [state, service]
50                 [state, service]
51                 [state, service]
52                 [state, service]
53                 [state, service]
Name: result, dtype: object

The "data" fields might not always have the same fields inside, hence, you need to ensure that the field you want to explore actually exists, before trying to access it.

In [26]:
df3['banner'] = df3['result'].map(lambda x: x['data']['banner'] if 'banner' in x['data'] else None)

In [27]:
df3['cyphers'] = df3['result'].map(lambda x: x['data']['cyphers'] if 'cyphers' in x['data'] else None)

In [28]:
df3['algorithms'] = df3['result'].map(lambda x: x['data']['algorithms'] if 'algorithms' in x['data'] else None)

In [29]:
df3[:5]

Unnamed: 0,target,result,ip,banner,cyphers,algorithms
34,"{u'ip': u'131.176.230.221', u'port': 22}",{u'data': {u'banner': u'SSH-2.0-OpenSSH_6.7p1'...,131.176.230.221,SSH-2.0-OpenSSH_6.7p1,[],"{u'server_host_key': [u'ssh-rsa', u'ssh-dss', ..."
35,"{u'ip': u'131.176.230.224', u'port': 22}",{u'data': {u'banner': u'SSH-2.0-OpenSSH_6.7p1'...,131.176.230.224,SSH-2.0-OpenSSH_6.7p1,[],"{u'server_host_key': [u'ssh-rsa', u'ssh-dss', ..."
36,"{u'ip': u'131.176.230.226', u'port': 22}",{u'data': {u'banner': u'SSH-2.0-OpenSSH_6.7p1'...,131.176.230.226,SSH-2.0-OpenSSH_6.7p1,[],"{u'server_host_key': [u'ssh-rsa', u'ssh-dss', ..."
37,"{u'ip': u'213.218.0.170', u'port': 22}","{u'data': {u'banner': u'SSH-2.0-OpenSSH_5.3', ...",213.218.0.170,SSH-2.0-OpenSSH_5.3,[],"{u'server_host_key': [u'ssh-rsa', u'ssh-dss'],..."
38,"{u'ip': u'131.176.145.137', u'port': 22}",{u'data': {u'banner': u'SSH-2.0-OpenSSH_4.2-ch...,131.176.145.137,SSH-2.0-OpenSSH_4.2-chrootssh,[],"{u'server_host_key': [u'ssh-rsa', u'ssh-dss'],..."


Inside "cyphers" there are even more fields that we can explore. Notice that the "cyphers" field corresponds to a list, which may have several objects in it. We can build a function to get all these values out.

In [30]:
def get_cyphers_length(line):
    if not line:
        return None
    
    length_list = []
    for i in range(len(line)):
        if 'length' in line[i]:
            length = line[i]['length']
            length_list.append(length)

    return length_list

In [31]:
df3['cyphers_length'] = df3['cyphers'].map(get_cyphers_length)

You can also build a function to gather all the cyphers.

In [32]:
def get_cyphers_cypher(line):
    if not line:
        return None
    
    cypher_list = []
    for i in range(len(line)):
        if 'cypher' in line[i]:
            cypher = line[i]['cypher']
            cypher_list.append(cypher)

    return cypher_list

In [33]:
def get_cyphers_cypher(line):
    return None if not line else [line[i]['cypher'] for i in range(len(line)) if 'cypher' in line[i]]

In [34]:
df3['cyphers_cypher'] = df3['cyphers'].map(get_cyphers_cypher)

In [35]:
df3[:5]

Unnamed: 0,target,result,ip,banner,cyphers,algorithms,cyphers_length,cyphers_cypher
34,"{u'ip': u'131.176.230.221', u'port': 22}",{u'data': {u'banner': u'SSH-2.0-OpenSSH_6.7p1'...,131.176.230.221,SSH-2.0-OpenSSH_6.7p1,[],"{u'server_host_key': [u'ssh-rsa', u'ssh-dss', ...",,
35,"{u'ip': u'131.176.230.224', u'port': 22}",{u'data': {u'banner': u'SSH-2.0-OpenSSH_6.7p1'...,131.176.230.224,SSH-2.0-OpenSSH_6.7p1,[],"{u'server_host_key': [u'ssh-rsa', u'ssh-dss', ...",,
36,"{u'ip': u'131.176.230.226', u'port': 22}",{u'data': {u'banner': u'SSH-2.0-OpenSSH_6.7p1'...,131.176.230.226,SSH-2.0-OpenSSH_6.7p1,[],"{u'server_host_key': [u'ssh-rsa', u'ssh-dss', ...",,
37,"{u'ip': u'213.218.0.170', u'port': 22}","{u'data': {u'banner': u'SSH-2.0-OpenSSH_5.3', ...",213.218.0.170,SSH-2.0-OpenSSH_5.3,[],"{u'server_host_key': [u'ssh-rsa', u'ssh-dss'],...",,
38,"{u'ip': u'131.176.145.137', u'port': 22}",{u'data': {u'banner': u'SSH-2.0-OpenSSH_4.2-ch...,131.176.145.137,SSH-2.0-OpenSSH_4.2-chrootssh,[],"{u'server_host_key': [u'ssh-rsa', u'ssh-dss'],...",,


The "algorithms" column also has some information that can be retrieved and organized.

But before applying the map method, we need to filter the None values.

In [38]:
df3['kex'] = df3['algorithms'].map(lambda x: x if x else []).map(lambda x: x['kex'] if 'kex' in x else [])

In [39]:
df3[:5]

Unnamed: 0,target,result,ip,banner,cyphers,algorithms,cyphers_length,cyphers_cypher,kex
34,"{u'ip': u'131.176.230.221', u'port': 22}",{u'data': {u'banner': u'SSH-2.0-OpenSSH_6.7p1'...,131.176.230.221,SSH-2.0-OpenSSH_6.7p1,[],"{u'server_host_key': [u'ssh-rsa', u'ssh-dss', ...",,,"[curve25519-sha256@libssh.org, ecdh-sha2-nistp..."
35,"{u'ip': u'131.176.230.224', u'port': 22}",{u'data': {u'banner': u'SSH-2.0-OpenSSH_6.7p1'...,131.176.230.224,SSH-2.0-OpenSSH_6.7p1,[],"{u'server_host_key': [u'ssh-rsa', u'ssh-dss', ...",,,"[curve25519-sha256@libssh.org, ecdh-sha2-nistp..."
36,"{u'ip': u'131.176.230.226', u'port': 22}",{u'data': {u'banner': u'SSH-2.0-OpenSSH_6.7p1'...,131.176.230.226,SSH-2.0-OpenSSH_6.7p1,[],"{u'server_host_key': [u'ssh-rsa', u'ssh-dss', ...",,,"[curve25519-sha256@libssh.org, ecdh-sha2-nistp..."
37,"{u'ip': u'213.218.0.170', u'port': 22}","{u'data': {u'banner': u'SSH-2.0-OpenSSH_5.3', ...",213.218.0.170,SSH-2.0-OpenSSH_5.3,[],"{u'server_host_key': [u'ssh-rsa', u'ssh-dss'],...",,,"[diffie-hellman-group-exchange-sha256, diffie-..."
38,"{u'ip': u'131.176.145.137', u'port': 22}",{u'data': {u'banner': u'SSH-2.0-OpenSSH_4.2-ch...,131.176.145.137,SSH-2.0-OpenSSH_4.2-chrootssh,[],"{u'server_host_key': [u'ssh-rsa', u'ssh-dss'],...",,,"[diffie-hellman-group-exchange-sha1, diffie-he..."


With the data we've treated so far, we can already compute some metrics and draw some conclusions.

We can, for instance, try to understand which banners are most used by the IP Address range that was scanned. In order to do that, we can group the values of the banners in the dataframe.

"groupby()", groups the values of by a given column of the dataframe.

"reset_index()", resets the indexes of the dataframe (might be needed to solve wierd errors).

"sort_values()", sorts the values, ascending or descendingly according to a given column.

In [40]:
df_banners = pd.DataFrame({'counts': df3.groupby(['banner']).size()}) \
    .reset_index() \
    .sort_values(by = 'counts', ascending = False)

In [41]:
df_banners

Unnamed: 0,banner,counts
13,SSH-2.0-OpenSSH_6.7p1,5
9,SSH-2.0-OpenSSH_5.3,3
14,SSH-2.0-OpenSSH_7.2,2
11,SSH-2.0-OpenSSH_6.6.1p1,2
0,SSH-1.99-OpenSSH_4.6,1
15,SSH-2.0-OpenSSH_7.2p2,1
12,SSH-2.0-OpenSSH_6.6p1,1
10,SSH-2.0-OpenSSH_6.0p1,1
8,SSH-2.0-OpenSSH_5.2p1,1
1,SSH-2.0-Cisco-1.25,1


We can now visualize this dataframe as a plot, so that its easier to understand the banner distribution.

Python has several packages that can be used to plot information (matplotlib, vincent, seaborn). This time we will be using Plotly, which is very versatile and allows the creation of interactive plots - Plotly (https://plot.ly/)

In [42]:
import plotly.plotly as py
import plotly.graph_objs as go
from plotly.graph_objs import *
py.sign_in('be_bsides', 'qjbnt6hobb')

Let us create a simple bar plot

In [43]:
data = [go.Bar(x=df_banners['banner'], y=df_banners['counts'])]

layout = go.Layout(title='SSH Banners', xaxis=dict(title = 'Banners'), yaxis=dict(title='Counts'))

fig = go.Figure(data=data, layout=layout)
py.iplot(fig, filename='banners')

High five! You successfuly sent some data to your account on plotly. View your plot in your browser at https://plot.ly/~be_bsides/0 or inside your plot.ly account where it is named 'banners'


Let us explore the data a bit further - for instance, cypher length.

Since some of the entries are really lists, in order to count, it's necessary to have only a single list with all the values.

In [44]:
cyphers_length_list = list(df3['cyphers_length'].dropna())
cyphers_length_list[:5]

[[2048, 1024], [1024, 2048], [2048, 1024], [2048], [1024, 2048]]

In [45]:
cyphers_length_list = [item for sublist in cyphers_length_list for item in sublist]
cyphers_length_list[:5]

[2048, 1024, 1024, 2048, 2048]

Now we can put the list in a dataframe in order to group the values (although there are other ways to do it, such as using the Counter class).

In [46]:
df_cyphers_length = pd.DataFrame(cyphers_length_list)
df_cyphers_length[:5]

Unnamed: 0,0
0,2048
1,1024
2,1024
3,2048
4,2048


You can modify the names of the columns of the dataframe by changing the df.columns instance variable

In [47]:
df_cyphers_length.columns = [['length']]
df_cyphers_length[:5]

Unnamed: 0,length
0,2048
1,1024
2,1024
3,2048
4,2048


In [48]:
df_cyphers_length = pd.DataFrame({'counts': df_cyphers_length.groupby(['length']).size()}) \
    .reset_index() \
    .sort_values(by = 'counts', ascending = False)

In [49]:
df_cyphers_length[:5]

Unnamed: 0,length,counts
0,1024,13
1,2048,12


One interesting thing that we can do with the IP Addresses, is to visualise its location.

In order to do that, we can use a database such as GeoIP (the free ones are called GeoLite).

In [50]:
from geoip2.database import Reader
reader = Reader('/opt/geoip/GeoLite2-Country.mmdb')

In order to get the name of the country:

reader.country(ip).country.name

You can also get city name, latitude, longitude, timezone, etc.

In [51]:
reader.country('131.176.230.221').country.name

u'United States'

Not all IPs are mapped in these databases, as such it's necessary to take some precaution against these cases which generate exceptions.

In [52]:
def ip_country(ip):
    try:
        return reader.country(ip).country.name
    except:
        return None

Also, never do this, always try to be as specific as you can with exceptions.

In [53]:
df3['country'] = df3['ip'].map(ip_country)

In [54]:
df3[:5]

Unnamed: 0,target,result,ip,banner,cyphers,algorithms,cyphers_length,cyphers_cypher,kex,country
34,"{u'ip': u'131.176.230.221', u'port': 22}",{u'data': {u'banner': u'SSH-2.0-OpenSSH_6.7p1'...,131.176.230.221,SSH-2.0-OpenSSH_6.7p1,[],"{u'server_host_key': [u'ssh-rsa', u'ssh-dss', ...",,,"[curve25519-sha256@libssh.org, ecdh-sha2-nistp...",United States
35,"{u'ip': u'131.176.230.224', u'port': 22}",{u'data': {u'banner': u'SSH-2.0-OpenSSH_6.7p1'...,131.176.230.224,SSH-2.0-OpenSSH_6.7p1,[],"{u'server_host_key': [u'ssh-rsa', u'ssh-dss', ...",,,"[curve25519-sha256@libssh.org, ecdh-sha2-nistp...",United States
36,"{u'ip': u'131.176.230.226', u'port': 22}",{u'data': {u'banner': u'SSH-2.0-OpenSSH_6.7p1'...,131.176.230.226,SSH-2.0-OpenSSH_6.7p1,[],"{u'server_host_key': [u'ssh-rsa', u'ssh-dss', ...",,,"[curve25519-sha256@libssh.org, ecdh-sha2-nistp...",United States
37,"{u'ip': u'213.218.0.170', u'port': 22}","{u'data': {u'banner': u'SSH-2.0-OpenSSH_5.3', ...",213.218.0.170,SSH-2.0-OpenSSH_5.3,[],"{u'server_host_key': [u'ssh-rsa', u'ssh-dss'],...",,,"[diffie-hellman-group-exchange-sha256, diffie-...",Germany
38,"{u'ip': u'131.176.145.137', u'port': 22}",{u'data': {u'banner': u'SSH-2.0-OpenSSH_4.2-ch...,131.176.145.137,SSH-2.0-OpenSSH_4.2-chrootssh,[],"{u'server_host_key': [u'ssh-rsa', u'ssh-dss'],...",,,"[diffie-hellman-group-exchange-sha1, diffie-he...",United States


To better understand the geographic distribution of IPs, we can also build a map.

First we need to group by country:

In [55]:
df_country = df3[['country']]
df_country['counts'] = df_country.groupby('country')['country'].transform('count')
df_country = df_country.dropna()
df_country = df_country.drop_duplicates()

In [56]:
df_country[:5]

Unnamed: 0,country,counts
34,United States,57
37,Germany,44


Then we need to map country names and respective 3-letter country codes, because Plotly only recognizes 3-letter country codes in order to build maps.

In [57]:
wmap = pd.read_csv('https://raw.githubusercontent.com/plotly/datasets/master/2014_world_gdp_with_codes.csv')

countries = wmap['COUNTRY'].tolist()
codes = wmap['CODE'].tolist()
dic_countries = dict(zip(countries, codes))

In order for every country to appear, its necessary to have a full list of countries, even those with no occurrences.

In [58]:
df_countries = pd.DataFrame(columns = ['countries', 'codes', 'counts'])
df_countries['countries'] = countries
df_countries['counts'] = 0.0
df_countries['codes'] = df_countries['countries'].map(dic_countries)

countries_notnull = set(df_country['country'].tolist())
    
for country in countries_notnull:
    df_countries['counts'].loc[df_countries['countries'] == country] = df_country['counts'][df_country['country'] == country].values[0]

In [59]:
data = [dict(
        type = 'choropleth',
        locations = df_countries['codes'],
        z = df_countries['counts'],
        text = df_countries['countries'],
        colorscale = [[0,"rgb(5, 10, 172)"],[0.35,"rgb(40, 60, 190)"],[0.5,"rgb(70, 100, 245)"], \
            [0.6,"rgb(90, 120, 245)"],[0.7,"rgb(106, 137, 247)"],[1,"rgb(220, 220, 220)"]],
        autocolorscale = False,
        reversescale = True,
        marker = dict(
            line = dict(
                color = 'rgb(180,180,180)',
                width = 0.5
            )
        ),
        tick0 = 0,
        zmin = 0,
        dtick = 1000,
        colorbar = dict(
            autotick = False,
            ticksufix = '%',
            title = 'Worldwide Distribution'
        ),
    )]

layout = dict(
    title = 'Worldwide distribution',
    geo = dict(
        showframe = False,
        showcoastlines = False,
        projection = dict(
            type = 'Mercator'
        )
    )
)

fig = dict(data=data, layout=layout)
py.iplot(fig, validate=False, filename='worldmap')