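module Intrigue
  module Task
    # Passive discovery task: queries the ThreatCrowd domain-report API for a
    # DnsRecord entity and creates IpAddress / DnsRecord / EmailAddress entities
    # from the "resolutions", "subdomains" and "emails" arrays in the response.
    #
    # Everything in the response is untrusted third-party data: values are
    # coerced to strings, cleaned, and blanks are skipped before an entity is
    # created. A missing array in the response is treated as empty instead of
    # aborting the whole task with a NoMethodError.
    class SearchThreatcrowd < BaseTask
      include Intrigue::Task::Web

      def self.metadata
        {
          :name => "search_threatcrowd",
          :pretty_name => "Search ThreatCrowd",
          :authors => ["jcran"],
          :description => "This task hits the ThreatCrowd API and finds related content. Discovered IPs / subdomains / emails are created.",
          :references => [],
          :type => "discovery",
          :passive => true,
          :allowed_types => ["DnsRecord"],
          :example_entities => [{"type" => "DnsRecord", "details" => {"name" => "intrigue.io"}}],
          :allowed_options => [
            {:name => "extract_pattern", :type => "String", :regex => "alpha_numeric", :default => false },
            {:name => "gather_resolutions", :type => "Boolean", :regex => "boolean", :default => true },
            {:name => "gather_subdomains", :type => "Boolean", :regex => "boolean", :default => true },
            {:name => "gather_email_addresses", :type => "Boolean", :regex => "boolean", :default => true }
          ],
          :created_types => ["DnsRecord", "EmailAddress", "IpAddress"]
        }
      end

      ## Default method, subclasses must override this
      def run
        super

        opt_gather_email_addresses = _get_option "gather_email_addresses"
        opt_gather_resolutions = _get_option "gather_resolutions"
        opt_gather_subdomains = _get_option "gather_subdomains"

        # BUG FIX: the original compared the option to the string "false", so
        # the variable held a Boolean and the pattern was either never applied
        # or interpolated as the literal regex /true/. We now keep a compiled
        # Regexp, or nil when the option is unset / invalid.
        extract_regex = _compile_extract_pattern(_get_option("extract_pattern"))

        # The entity name comes from earlier discovery (DNS data, other tasks),
        # not from the operator, so it is percent-encoded rather than
        # interpolated raw into the query string (a stray "&" or "#" would
        # otherwise alter the request). Relies on the stdlib `uri` module, which
        # the HTTP layer used by http_get_body already loads.
        search_domain = _get_entity_name.to_s.strip
        if search_domain.empty?
          _log_error "Entity has no name; nothing to search"
          return
        end
        search_uri = "https://www.threatcrowd.org/searchApi/v2/domain/report/?domain=#{URI.encode_www_form_component(search_domain)}"

        begin
          tc_json = JSON.parse(http_get_body(search_uri))
          unless tc_json.is_a?(Hash)
            _log_error "Unexpected response shape from #{search_uri}"
            return
          end

          # ThreatCrowd signals success with response_code "1" (a string);
          # compare via to_s so an integer 1 is accepted as well.
          unless tc_json["response_code"].to_s == "1"
            _log_error "Got error code: #{tc_json["response_code"]}"
            return
          end

          _create_resolution_entities(tc_json["resolutions"]) if opt_gather_resolutions
          _create_subdomain_entities(tc_json["subdomains"], extract_regex) if opt_gather_subdomains
          _create_email_entities(tc_json["emails"], extract_regex) if opt_gather_email_addresses
        rescue JSON::ParserError => e
          _log_error "Unable to get parsable response from #{search_uri}: #{e}"
        rescue StandardError => e
          # Message previously said "sublister" (copy-paste from another task).
          _log_error "Error grabbing threatcrowd data: #{e}"
        end
      end # end run()

      private

      # Turn the operator-supplied extract_pattern option into a Regexp, or nil
      # when the option is unset (nil / false / "false" / blank) or does not
      # compile. The pattern is applied with =~ against third-party strings, so
      # a pathological pattern could be slow (ReDoS); the "alpha_numeric"
      # validation regex declared in metadata should limit that, assuming the
      # framework enforces it — TODO confirm.
      def _compile_extract_pattern(raw)
        return nil if raw.nil? || raw == false
        pattern = raw.to_s.strip
        return nil if pattern.empty? || pattern == "false"
        Regexp.new(pattern)
      rescue RegexpError => e
        _log_error "Ignoring invalid extract_pattern #{pattern.inspect}: #{e}"
        nil
      end

      # True when no extract pattern is set, or when +value+ matches it.
      def _matches_extract_pattern?(value, extract_regex)
        return true unless extract_regex
        _log "Checking pattern: #{extract_regex.source} vs #{value}"
        !(extract_regex =~ value).nil?
      end

      # Create one IpAddress entity per resolution record. Entries that are not
      # hashes or that lack an "ip_address" are skipped instead of producing a
      # nameless entity.
      def _create_resolution_entities(resolutions)
        _log "Gathering Resolutions"
        Array(resolutions).each do |res|
          next unless res.is_a?(Hash)
          ip = res["ip_address"].to_s.strip
          next if ip.empty?
          _create_entity "IpAddress", {
            "name" => ip,
            "resolver" => "threatcrowd",
            "last_resolved" => res["last_resolved"]
          }
        end
      end

      # Create one DnsRecord per subdomain string. ThreatCrowd has been seen to
      # embed ":" and " " in these values (the original stripped both), so they
      # are removed before the optional extract pattern is applied; blank
      # results are skipped.
      def _create_subdomain_entities(subdomains, extract_regex)
        _log "Gathering Subdomains"
        Array(subdomains).each do |raw|
          name = raw.to_s.delete(": ")
          next if name.empty?
          next unless _matches_extract_pattern?(name, extract_regex)
          _create_entity "DnsRecord", { "name" => name }
        end
      end

      # Create one EmailAddress per email string, honouring the optional
      # extract pattern and skipping blanks.
      def _create_email_entities(emails, extract_regex)
        _log "Gathering Email Addresses"
        Array(emails).each do |raw|
          email = raw.to_s.strip
          next if email.empty?
          next unless _matches_extract_pattern?(email, extract_regex)
          _create_entity "EmailAddress", { "name" => email }
        end
      end
    end # end Class
  end
end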