Few more scripts

Author: Te-k

network/README.md

@@ -1,3 +1,4 @@
 # Network scripts
 
-* `extract_iocs.py` : extract potential network indicators using tshark
+* `extract_iocs.py` : extract potential network indicators from a PCAP file using tshark
+* `dns_resolve.py` : resolve domains, results in a CSV file

network/dns_resolve.py

@@ -0,0 +1,53 @@
+import os
+import argparse
+from dns import resolver, reversename, exception
+
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description='Resolve domains')
+    parser.add_argument('TXTFILE', help='Text files with domains')
+    parser.add_argument('--verbose', '-v', action='store_true',
+            help='verbose mode')
+    args = parser.parse_args()
+
+    results = {}
+
+    with open(args.TXTFILE) as f:
+        data = f.read().split("\n")
+
+    for d in data:
+        dd = d.strip()
+        if dd not in results and len(dd) > 0:
+            try:
+                res = resolver.query(dd, "A")
+            except (resolver.NoAnswer, resolver.NXDOMAIN):
+                results[dd] = [True, ""]
+                if args.verbose:
+                    print("{}: NXDOMAIN".format(dd))
+            except resolver.NoNameservers:
+                results[dd] = [False, "SERVFAIL"]
+                if args.verbose:
+                    print("{}: SERVFAIL".format(dd))
+            except exception.Timeout:
+                results[dd] = [False, "Timeout"]
+                if args.verbose:
+                    print("{}: Timeout".format(dd))
+            else:
+                addr = [r.address for r in res]
+                results[dd] = [True, addr]
+                if args.verbose:
+                    print("{}: {}".format(dd, addr))
+    with open("resolutions.csv", "w+") as f:
+        f.write("Domain,Success,Resolution\n")
+        for domain in results.keys():
+            f.write("{},{},{}\n".format(
+                domain,
+                results[domain][0],
+                ";".join(results[domain][1])
+            ))
+
+    print("Results written in resolutions.csv")
+
+
+
+

pt/README.md

@@ -0,0 +1,3 @@
+# Passive Total scripts
+
+* `get_ip_domains.py` : extract all the domains for an IP address

pt/get_ip_domains.py

@@ -0,0 +1,40 @@
+#!/usr/bin/env python3
+import requests
+import os
+import sys
+import json
+import argparse
+from passivetotal.libs.dns import DnsRequest
+
+def get_config():
+    conf_file = os.path.join(os.path.expanduser("~"), ".config/passivetotal/api_config.json")
+    if os.path.isfile(conf_file):
+        with open(conf_file, 'r') as f:
+            conf = json.loads(f.read())
+    else:
+        print('No config file')
+        sys.exit(1)
+    return conf
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description='Extract all domains from an IP address')
+    parser.add_argument('IP', help='an IP address')
+    args = parser.parse_args()
+
+    conf = get_config()
+
+    client = DnsRequest(conf['username'], conf['api_key'])
+    raw_results = client.get_passive_dns(query=args.IP)
+    print("{} domains identified".format(len(raw_results["results"])))
+
+    csvout = open("csv.out", "w+")
+    csvout.write("Domain,First,Last,Type\n")
+    for r in raw_results["results"]:
+        csvout.write("{},{},{},{}\n".format(
+            r['resolve'],
+            r['firstSeen'],
+            r['lastSeen'],
+            r['recordType']
+        ))
+    print("extracted in csv.out")