mihari 0.16.0 → 0.17.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +8 -5
- data/lib/mihari.rb +1 -0
- data/lib/mihari/analyzers/dnstwister.rb +63 -0
- data/lib/mihari/cli.rb +10 -0
- data/lib/mihari/version.rb +1 -1
- data/mihari.gemspec +1 -0
- metadata +17 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 0a5030ba15be3b81b4a71d9f38f3a0305d023dcddb3121e0c700a0cb82f1dcd9
|
|
4
|
+
data.tar.gz: fc4f48e49a363550d165367e7aba0e3802535f3b13bcb32304d71a82eab256c7
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 79487f0a7350c6299d159a32d7bc9655ac76934c2f2d224b059de59f128c18c4b23725269687cc3bd777d111c7245100f0b735d7011be997fc1bfed293b9f7b1
|
|
7
|
+
data.tar.gz: 3071b839707180910cd1286041696b9f6b768abff4bb6e9a724ce553945118edb26784c70c848f0f5f888e1be7854c9e0b6d6a1645c8019d726926c10bda065f
|
data/README.md
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
# mihari
|
|
2
2
|
|
|
3
3
|
[](https://badge.fury.io/rb/mihari)
|
|
4
|
-
[](https://travis-ci.com/ninoseki/mihari)
|
|
5
5
|
[](https://hub.docker.com/r/ninoseki/mihari)
|
|
6
6
|
[](https://coveralls.io/github/ninoseki/mihari?branch=master)
|
|
7
7
|
[](https://www.codefactor.io/repository/github/ninoseki/mihari)
|
|
@@ -57,6 +57,8 @@ mihari supports the following services by default.
|
|
|
57
57
|
- [Censys](http://censys.io)
|
|
58
58
|
- [CIRCL passive DNS](https://www.circl.lu/services/passive-dns/) / [passive SSL](https://www.circl.lu/services/passive-ssl/)
|
|
59
59
|
- [crt.sh](https://crt.sh/)
|
|
60
|
+
- [DN Pedia](https://dnpedia.com/)
|
|
61
|
+
- [dnstwister](https://dnstwister.report/)
|
|
60
62
|
- [Onyphe](https://onyphe.io)
|
|
61
63
|
- [PassiveTotal](https://community.riskiq.com/)
|
|
62
64
|
- [SecurityTrails](https://securitytrails.com/)
|
|
@@ -74,6 +76,7 @@ Commands:
|
|
|
74
76
|
mihari circl [DOMAIN|SHA1] # CIRCL passive DNS/SSL lookup by a domain or SHA1 certificate fingerprint
|
|
75
77
|
mihari crtsh [QUERY] # crt.sh search by a query
|
|
76
78
|
mihari dnpedia [QUERY] # DNPedia domain search by a query
|
|
79
|
+
mihari dnstwister [DOMAIN] # dnstwister lookup by a domain
|
|
77
80
|
mihari free_text [TEXT] # Cross search with search engines by a free text
|
|
78
81
|
mihari help [COMMAND] # Describe available commands or one specific command
|
|
79
82
|
mihari http_hash # Cross search with search engines by a hash of an HTTP response (SHA256, MD5 and MurmurHash3)
|
|
@@ -102,7 +105,7 @@ mihari has cross search features. A cross search is a search across a number of
|
|
|
102
105
|
You can get aggregated results by using the following commands.
|
|
103
106
|
|
|
104
107
|
| Command | Desc. |
|
|
105
|
-
|
|
108
|
+
|-----------------|---------------------------------------------------------------------------------------------------------|
|
|
106
109
|
| passive_dns | Passive DNS lookup with CIRCL passive DNS, PassiveTotal, Pulsedive, SecurityTrails and VirusTotal |
|
|
107
110
|
| passive_ssl | Passive SSL lookup with CIRCL passive SSL and PassiveTotal |
|
|
108
111
|
| reverse_whois | Revese Whois lookup with PassiveTotal and SecurityTrails |
|
|
@@ -213,7 +216,7 @@ The input is a JSON data should have `title`, `description` and `artifacts` key.
|
|
|
213
216
|
```
|
|
214
217
|
|
|
215
218
|
| Key | Desc. | Required or optional |
|
|
216
|
-
|
|
219
|
+
|-------------|----------------------------------------------------------------------------|----------------------|
|
|
217
220
|
| title | A title of an alert | Required |
|
|
218
221
|
| description | A description of an alert | Required |
|
|
219
222
|
| artifacts | An array of artifacts (supported data types: ip, domain, url, email, hash) | Required |
|
|
@@ -224,7 +227,7 @@ The input is a JSON data should have `title`, `description` and `artifacts` key.
|
|
|
224
227
|
All configuration is done via ENV variables.
|
|
225
228
|
|
|
226
229
|
| Key | Desc. | Required or optional |
|
|
227
|
-
|
|
230
|
+
|------------------------|--------------------------------|--------------------------------|
|
|
228
231
|
| THEHIVE_API_ENDPOINT | TheHive URL | Required |
|
|
229
232
|
| THEHIVE_API_KEY | TheHive API key | Required |
|
|
230
233
|
| MISP_API_ENDPOINT | MISP URL | Optional |
|
|
@@ -257,7 +260,7 @@ mihari status
|
|
|
257
260
|
Create a class which extends `Mihari::Analyzers::Base` and implements the following methods.
|
|
258
261
|
|
|
259
262
|
| Name | Desc. | @return | Required or optional |
|
|
260
|
-
|
|
263
|
+
|----------------|----------------------------------------------------------------------------|---------------|----------------------|
|
|
261
264
|
| `#title` | A title of an alert | String | Required |
|
|
262
265
|
| `#description` | A description of an alert | String | Required |
|
|
263
266
|
| `#artifacts` | An array of artifacts (supported data types: ip, domain, url, email, hash) | Array<String> | Required |
|
data/lib/mihari.rb
CHANGED
|
@@ -44,6 +44,7 @@ require "mihari/analyzers/censys"
|
|
|
44
44
|
require "mihari/analyzers/circl"
|
|
45
45
|
require "mihari/analyzers/crtsh"
|
|
46
46
|
require "mihari/analyzers/dnpedia"
|
|
47
|
+
require "mihari/analyzers/dnstwister"
|
|
47
48
|
require "mihari/analyzers/onyphe"
|
|
48
49
|
require "mihari/analyzers/passivetotal"
|
|
49
50
|
require "mihari/analyzers/pulsedive"
|
|
@@ -0,0 +1,63 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require "dnstwister"
|
|
4
|
+
require "resolv"
|
|
5
|
+
require "parallel"
|
|
6
|
+
|
|
7
|
+
module Mihari
|
|
8
|
+
module Analyzers
|
|
9
|
+
class DNSTwister < Base
|
|
10
|
+
attr_reader :query
|
|
11
|
+
attr_reader :type
|
|
12
|
+
|
|
13
|
+
attr_reader :title
|
|
14
|
+
attr_reader :description
|
|
15
|
+
attr_reader :tags
|
|
16
|
+
|
|
17
|
+
def initialize(query, title: nil, description: nil, tags: [])
|
|
18
|
+
super()
|
|
19
|
+
|
|
20
|
+
@query = query
|
|
21
|
+
@type = TypeChecker.type(query)
|
|
22
|
+
|
|
23
|
+
@title = title || "dnstwister domain lookup"
|
|
24
|
+
@description = description || "query = #{query}"
|
|
25
|
+
@tags = tags
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
def artifacts
|
|
29
|
+
lookup || []
|
|
30
|
+
end
|
|
31
|
+
|
|
32
|
+
private
|
|
33
|
+
|
|
34
|
+
def valid_type?
|
|
35
|
+
type == "domain"
|
|
36
|
+
end
|
|
37
|
+
|
|
38
|
+
def api
|
|
39
|
+
@api ||= ::DNSTwister::API.new
|
|
40
|
+
end
|
|
41
|
+
|
|
42
|
+
def resolvable?(domain)
|
|
43
|
+
Resolv.getaddress domain
|
|
44
|
+
true
|
|
45
|
+
rescue Resolv::ResolvError => _e
|
|
46
|
+
false
|
|
47
|
+
end
|
|
48
|
+
|
|
49
|
+
def lookup
|
|
50
|
+
raise InvalidInputError, "#{query}(type: #{type || 'unknown'}) is not supported." unless valid_type?
|
|
51
|
+
|
|
52
|
+
res = api.fuzz(query)
|
|
53
|
+
fuzzy_domains = res.dig("fuzzy_domains") || []
|
|
54
|
+
domains = fuzzy_domains.map { |domain| domain.dig("domain") }
|
|
55
|
+
Parallel.map(domains) do |domain|
|
|
56
|
+
resolvable?(domain) ? domain : nil
|
|
57
|
+
end.compact
|
|
58
|
+
rescue ::DNSTwister::Error => _e
|
|
59
|
+
nil
|
|
60
|
+
end
|
|
61
|
+
end
|
|
62
|
+
end
|
|
63
|
+
end
|
data/lib/mihari/cli.rb
CHANGED
|
@@ -151,6 +151,16 @@ module Mihari
|
|
|
151
151
|
end
|
|
152
152
|
end
|
|
153
153
|
|
|
154
|
+
desc "dnstwister [DOMAIN]", "dnstwister lookup by a domain"
|
|
155
|
+
method_option :title, type: :string, desc: "title"
|
|
156
|
+
method_option :description, type: :string, desc: "description"
|
|
157
|
+
method_option :tags, type: :array, desc: "tags"
|
|
158
|
+
def dnstwister(domain)
|
|
159
|
+
with_error_handling do
|
|
160
|
+
run_analyzer Analyzers::DNSTwister, query: domain, options: options
|
|
161
|
+
end
|
|
162
|
+
end
|
|
163
|
+
|
|
154
164
|
desc "passive_dns [IP|DOMAIN]", "Cross search with passive DNS services by an ip or domain"
|
|
155
165
|
method_option :title, type: :string, desc: "title"
|
|
156
166
|
method_option :description, type: :string, desc: "description"
|
data/lib/mihari/version.rb
CHANGED
data/mihari.gemspec
CHANGED
|
@@ -38,6 +38,7 @@ Gem::Specification.new do |spec|
|
|
|
38
38
|
spec.add_dependency "censu", "~> 0.2"
|
|
39
39
|
spec.add_dependency "crtsh-rb", "~> 0.1"
|
|
40
40
|
spec.add_dependency "dnpedia", "~> 0.1"
|
|
41
|
+
spec.add_dependency "dnstwister", "~> 0.1"
|
|
41
42
|
spec.add_dependency "email_address", "~> 0.1"
|
|
42
43
|
spec.add_dependency "hachi", "~> 0.2"
|
|
43
44
|
spec.add_dependency "lightly", "~> 0.3"
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: mihari
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.17.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Manabu Niseki
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-11
|
|
11
|
+
date: 2019-12-11 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -192,6 +192,20 @@ dependencies:
|
|
|
192
192
|
- - "~>"
|
|
193
193
|
- !ruby/object:Gem::Version
|
|
194
194
|
version: '0.1'
|
|
195
|
+
- !ruby/object:Gem::Dependency
|
|
196
|
+
name: dnstwister
|
|
197
|
+
requirement: !ruby/object:Gem::Requirement
|
|
198
|
+
requirements:
|
|
199
|
+
- - "~>"
|
|
200
|
+
- !ruby/object:Gem::Version
|
|
201
|
+
version: '0.1'
|
|
202
|
+
type: :runtime
|
|
203
|
+
prerelease: false
|
|
204
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
205
|
+
requirements:
|
|
206
|
+
- - "~>"
|
|
207
|
+
- !ruby/object:Gem::Version
|
|
208
|
+
version: '0.1'
|
|
195
209
|
- !ruby/object:Gem::Dependency
|
|
196
210
|
name: email_address
|
|
197
211
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -501,6 +515,7 @@ files:
|
|
|
501
515
|
- lib/mihari/analyzers/circl.rb
|
|
502
516
|
- lib/mihari/analyzers/crtsh.rb
|
|
503
517
|
- lib/mihari/analyzers/dnpedia.rb
|
|
518
|
+
- lib/mihari/analyzers/dnstwister.rb
|
|
504
519
|
- lib/mihari/analyzers/free_text.rb
|
|
505
520
|
- lib/mihari/analyzers/http_hash.rb
|
|
506
521
|
- lib/mihari/analyzers/onyphe.rb
|