From b14bc5843ca0e26dd17116c0452be4c0652961a1 Mon Sep 17 00:00:00 2001 From: Tobias Kessels Date: Fri, 11 Jan 2019 13:23:35 +0100 Subject: [PATCH] vt_pdns.py added first throw on requesting passive dns resolves from virustotal --- scan_vt.py | 3 +- vt_pdns.py | 102 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 103 insertions(+), 2 deletions(-) create mode 100755 vt_pdns.py diff --git a/scan_vt.py b/scan_vt.py index 38cde92..3a5f295 100755 --- a/scan_vt.py +++ b/scan_vt.py @@ -16,7 +16,7 @@ with open(sys.argv[1],'rb') as f: params = {'apikey': api_key, 'resource': hash.hexdigest()} headers = { "Accept-Encoding": "gzip, deflate", - "User-Agent" : "gzip, My Python requests library example client or username" + "User-Agent" : "gzip,python_requests,scan_vt.py" } response = requests.get('https://www.virustotal.com/vtapi/v2/file/report', params=params, headers=headers) @@ -31,4 +31,3 @@ if json_response["response_code"]: print("{}{}{}{}{}/{}{}{}".format(sys.argv[1],out_sep,hash.hexdigest(),out_sep,json_response["positives"],json_response["total"],out_sep,json_response["permalink"])) else: print("{}{}{}{}{}".format(sys.argv[1],out_sep,hash.hexdigest(),out_sep,out_sep)) - diff --git a/vt_pdns.py b/vt_pdns.py new file mode 100755 index 0000000..d4ca519 --- /dev/null +++ b/vt_pdns.py @@ -0,0 +1,102 @@ +#!/usr/bin/python3 +import sys +import pprint +import requests +from os.path import expanduser + + +out_sep=';' + +with open(expanduser('~/.virustotal_api_key')) as api_f: + api_key=api_f.readline().strip() + +domain=sys.argv[1] +url='https://www.virustotal.com/vtapi/v2/domain/report' +params = {'apikey': api_key, 'domain':domain } +headers = { + "Accept-Encoding": "gzip, deflate", + "User-Agent" : "gzip,python_requests,vt_pdns.py" + } + + +cat_fields=["Alexa category", +"categories", +"BitDefender category", +"TrendMicro category", +"Forcepoint ThreatSeeker category"] +# +# "whois", +# "WOT domain info", +# "Webutation domain info", +# "BitDefender domain info", +# "Alexa domain info", +# BitDefender category +# WOT domain info +# Webutation domain info +# Alexa category +# Opera domain info +# TrendMicro category +# categories +# domain_siblings +# BitDefender domain info +# whois +# Alexa domain info +# Forcepoint ThreatSeeker category +# Alexa rank +# +# detected_downloaded_samples +# detected_urls +# +# detected_communicating_samples +# detected_referrer_samples +# undetected_downloaded_samples +# undetected_referrer_samples +# undetected_urls +# undetected_communicating_samples +# resolutions +# response_code +# verbose_msg +# pcaps +# +try: + response = requests.get(url, params=params, headers=headers) + response_data = response.json() +except requests.exceptions.ProxyError as e: + print("Proxy Error") + print(e) + exit(1) + +# resolutions=[r for r in response.json()['resolutions']] + + +def get(key,dict): + split_key=key.split(sep=" ") + if len(split_key)>1: + prefix="{}: ".format(split_key[0]) + else: + prefix="VT: " + if key in dict: + print("{}{}".format(prefix,dict[key])) + +# # detected_downloaded_samples=[d for d in response.json()['detected_downloaded_samples']] +# # detected_url=[d for d in response.json()['detected_url']] + +print("=== Short report for : {} ===".format(domain)) +print(response_data['verbose_msg']) +if 'detected_urls' in response_data : + print("{} detected URLs found".format(len(response_data['detected_urls']))) +if 'detected_downloaded_samples' in response_data : + print("{} detected Downloads found".format(len(response_data['detected_downloaded_samples']))) +if any([True for x in cat_fields if x in response_data]): + print("== Categories ==") + for cat in cat_fields: + get(cat,response_data) +if 'resolutions' in response_data: + print("== Resolutions ==") + data=sorted(response_data['resolutions'], key=lambda i:i['last_resolved']) if len(response_data['resolutions'])>1 else response_data['resolutions'] + for r in data: + print(" {} : {}".format(r["last_resolved"],r["ip_address"])) + +# print('--------------------------infos') +# for k in response.json(): +# print(k)