mihari 0.9.1 → 0.10.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +19 -15
- data/lib/mihari.rb +3 -1
- data/lib/mihari/analyzers/circl.rb +61 -0
- data/lib/mihari/analyzers/dnpedia.rb +43 -0
- data/lib/mihari/cli.rb +20 -0
- data/lib/mihari/version.rb +1 -1
- data/mihari.gemspec +2 -0
- metadata +32 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 8de738680ca57bdaf9ba336692c3cad0be84cfffc055eef2785fd7c1c3bf32d6
|
|
4
|
+
data.tar.gz: e6cda3a6e8d0f9c49728e6d04284332fe7f820287078e83fdd5cfa1ede4c27fc
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: '0238a0da4e31a5146aa4fc5b8ed16b012a9d874657e1ae69ede3ad0bc7ec6c95a74374160b6871e5eade40d90455f54c5522fe17b33d200e0898f7c748629619'
|
|
7
|
+
data.tar.gz: 9d60cae8a47366f44eebed73fc78ed0d21c239131636d87be6621af255b669b3ef5abb5649a4d3ae8ba77120f06939cf74bf52f78d07fa4535369bec426a88aa
|
data/README.md
CHANGED
|
@@ -51,14 +51,16 @@ docker pull ninoseki/mihari
|
|
|
51
51
|
|
|
52
52
|
## Basic usage
|
|
53
53
|
|
|
54
|
-
mihari supports Censys, Shodan, Onyphe, urlscan, SecurityTrails, crt.sh and VirusTotal by default.
|
|
54
|
+
mihari supports Censys, Shodan, Onyphe, urlscan, SecurityTrails, crt.sh, CIRCL passive DNS/SSL and VirusTotal by default.
|
|
55
55
|
|
|
56
56
|
```bash
|
|
57
57
|
$ mihari
|
|
58
58
|
Commands:
|
|
59
59
|
mihari alerts # Show the alerts on TheHive
|
|
60
60
|
mihari censys [QUERY] # Censys IPv4 lookup by a given query
|
|
61
|
+
mihari circl [DOMAIN|SHA1] # CIRCL passive DNS/SSL lookup by a given domain / SHA1 certificate fingerprint
|
|
61
62
|
mihari crtsh [QUERY] # crt.sh lookup by a given query
|
|
63
|
+
mihari dnpedia [QUERY] # DNPedia domain lookup by a given query
|
|
62
64
|
mihari help [COMMAND] # Describe available commands or one specific command
|
|
63
65
|
mihari import_from_json # Give a JSON input via STDIN
|
|
64
66
|
mihari onyphe [QUERY] # Onyphe datascan lookup by a given query
|
|
@@ -145,20 +147,22 @@ The input is a JSON data should have `title`, `description` and `artifacts` key.
|
|
|
145
147
|
|
|
146
148
|
All configuration is done via ENV variables.
|
|
147
149
|
|
|
148
|
-
| Key | Desc.
|
|
149
|
-
|
|
150
|
-
| THEHIVE_API_ENDPOINT | TheHive URL
|
|
151
|
-
| THEHIVE_API_KEY | TheHive API key
|
|
152
|
-
| MISP_API_ENDPOINT | MISP URL
|
|
153
|
-
| MISP_API_KEY | MISP API key
|
|
154
|
-
| SLACK_WEBHOOK_URL | Slack Webhook URL
|
|
155
|
-
| SLACK_CHANNEL | Slack channel name
|
|
156
|
-
| CENSYS_ID | Censys API ID
|
|
157
|
-
| CENSYS_SECRET | Censys secret
|
|
158
|
-
|
|
|
159
|
-
|
|
|
160
|
-
|
|
|
161
|
-
|
|
|
150
|
+
| Key | Desc. | Required or optional |
|
|
151
|
+
|------------------------|--------------------------------|--------------------------------|
|
|
152
|
+
| THEHIVE_API_ENDPOINT | TheHive URL | Required |
|
|
153
|
+
| THEHIVE_API_KEY | TheHive API key | Required |
|
|
154
|
+
| MISP_API_ENDPOINT | MISP URL | Optional |
|
|
155
|
+
| MISP_API_KEY | MISP API key | Optional |
|
|
156
|
+
| SLACK_WEBHOOK_URL | Slack Webhook URL | Optional |
|
|
157
|
+
| SLACK_CHANNEL | Slack channel name | Optional (default: `#general`) |
|
|
158
|
+
| CENSYS_ID | Censys API ID | Optional |
|
|
159
|
+
| CENSYS_SECRET | Censys secret | Optional |
|
|
160
|
+
| CIRCL_PASSIVE_USERNAME | CIRCL passive DNS/SSL username | Optional |
|
|
161
|
+
| CIRCL_PASSIVE_PASSWORD | CIRC_ passive DNS/SSL password | Optional |
|
|
162
|
+
| ONYPHE_API_KEY | Onyphe API key | Optional |
|
|
163
|
+
| SECURITYTRAILS_API_KEY | SecurityTrails API key | Optional |
|
|
164
|
+
| SHODAN_API_KEY | Shodan API key | Optional |
|
|
165
|
+
| VIRUSTOTAL_API_KEY | VirusTotal API key | Optional |
|
|
162
166
|
|
|
163
167
|
You can check the configuration status via `status` command.
|
|
164
168
|
|
data/lib/mihari.rb
CHANGED
|
@@ -29,10 +29,12 @@ require "mihari/the_hive"
|
|
|
29
29
|
require "mihari/analyzers/base"
|
|
30
30
|
require "mihari/analyzers/basic"
|
|
31
31
|
require "mihari/analyzers/censys"
|
|
32
|
+
require "mihari/analyzers/circl"
|
|
32
33
|
require "mihari/analyzers/crtsh"
|
|
34
|
+
require "mihari/analyzers/dnpedia"
|
|
33
35
|
require "mihari/analyzers/onyphe"
|
|
34
|
-
require "mihari/analyzers/securitytrails"
|
|
35
36
|
require "mihari/analyzers/securitytrails_domain_feed"
|
|
37
|
+
require "mihari/analyzers/securitytrails"
|
|
36
38
|
require "mihari/analyzers/shodan"
|
|
37
39
|
require "mihari/analyzers/urlscan"
|
|
38
40
|
require "mihari/analyzers/virustotal"
|
|
@@ -0,0 +1,61 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require "passive_circl"
|
|
4
|
+
|
|
5
|
+
module Mihari
|
|
6
|
+
module Analyzers
|
|
7
|
+
class CIRCL < Base
|
|
8
|
+
attr_reader :title
|
|
9
|
+
attr_reader :description
|
|
10
|
+
attr_reader :tags
|
|
11
|
+
|
|
12
|
+
def initialize(query, title: nil, description: nil, tags: [])
|
|
13
|
+
super()
|
|
14
|
+
|
|
15
|
+
@query = query
|
|
16
|
+
@type = TypeChecker.type(query)
|
|
17
|
+
|
|
18
|
+
@title = title || "CIRCL passive lookup"
|
|
19
|
+
@description = description || "query = #{query}"
|
|
20
|
+
@tags = tags
|
|
21
|
+
end
|
|
22
|
+
|
|
23
|
+
def artifacts
|
|
24
|
+
lookup || []
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
private
|
|
28
|
+
|
|
29
|
+
def api
|
|
30
|
+
@api ||= ::PassiveCIRCL::API.new
|
|
31
|
+
end
|
|
32
|
+
|
|
33
|
+
def lookup
|
|
34
|
+
case @type
|
|
35
|
+
when "domain"
|
|
36
|
+
passive_dns_lookup
|
|
37
|
+
when "hash"
|
|
38
|
+
passive_ssl_lookup
|
|
39
|
+
else
|
|
40
|
+
raise ArgumentError, "#{@query}(type: #{@type || 'unknown'}) is not supported."
|
|
41
|
+
end
|
|
42
|
+
rescue ::PassiveCIRCL::Error => _e
|
|
43
|
+
nil
|
|
44
|
+
end
|
|
45
|
+
|
|
46
|
+
def passive_dns_lookup
|
|
47
|
+
results = api.dns.query(@query)
|
|
48
|
+
results.map do |result|
|
|
49
|
+
type = result.dig("rrtype")
|
|
50
|
+
type == "A" ? result.dig("rdata") : nil
|
|
51
|
+
end.compact.uniq
|
|
52
|
+
end
|
|
53
|
+
|
|
54
|
+
def passive_ssl_lookup
|
|
55
|
+
result = api.ssl.cquery(@query)
|
|
56
|
+
seen = result.dig("seen") || []
|
|
57
|
+
seen.uniq
|
|
58
|
+
end
|
|
59
|
+
end
|
|
60
|
+
end
|
|
61
|
+
end
|
|
@@ -0,0 +1,43 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require "dnpedia"
|
|
4
|
+
|
|
5
|
+
module Mihari
|
|
6
|
+
module Analyzers
|
|
7
|
+
class DNPedia < Base
|
|
8
|
+
attr_reader :query
|
|
9
|
+
attr_reader :title
|
|
10
|
+
attr_reader :description
|
|
11
|
+
attr_reader :tags
|
|
12
|
+
|
|
13
|
+
def initialize(query, title: nil, description: nil, tags: [])
|
|
14
|
+
super()
|
|
15
|
+
|
|
16
|
+
@query = query
|
|
17
|
+
@title = title || "DNPedia domain lookup"
|
|
18
|
+
@description = description || "query = #{query}"
|
|
19
|
+
@tags = tags
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
def artifacts
|
|
23
|
+
lookup || []
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
private
|
|
27
|
+
|
|
28
|
+
def api
|
|
29
|
+
@api ||= ::DNPedia::API.new
|
|
30
|
+
end
|
|
31
|
+
|
|
32
|
+
def lookup
|
|
33
|
+
res = api.search(query)
|
|
34
|
+
rows = res.dig("rows") || []
|
|
35
|
+
rows.map do |row|
|
|
36
|
+
[row.dig("name"), row.dig("zoneid")].join(".")
|
|
37
|
+
end
|
|
38
|
+
rescue ::DNPedia::Error => _e
|
|
39
|
+
nil
|
|
40
|
+
end
|
|
41
|
+
end
|
|
42
|
+
end
|
|
43
|
+
end
|
data/lib/mihari/cli.rb
CHANGED
|
@@ -89,6 +89,26 @@ module Mihari
|
|
|
89
89
|
end
|
|
90
90
|
end
|
|
91
91
|
|
|
92
|
+
desc "dnpedia [QUERY]", "DNPedia domain lookup by a given query"
|
|
93
|
+
method_option :title, type: :string, desc: "title"
|
|
94
|
+
method_option :description, type: :string, desc: "description"
|
|
95
|
+
method_option :tags, type: :array, desc: "tags"
|
|
96
|
+
def dnpedia(query)
|
|
97
|
+
with_error_handling do
|
|
98
|
+
run_analyzer Analyzers::DNPedia, query: query, options: options
|
|
99
|
+
end
|
|
100
|
+
end
|
|
101
|
+
|
|
102
|
+
desc "circl [DOMAIN|SHA1]", "CIRCL passive DNS/SSL lookup by a given domain / SHA1 certificate fingerprint"
|
|
103
|
+
method_option :title, type: :string, desc: "title"
|
|
104
|
+
method_option :description, type: :string, desc: "description"
|
|
105
|
+
method_option :tags, type: :array, desc: "tags"
|
|
106
|
+
def circl(query)
|
|
107
|
+
with_error_handling do
|
|
108
|
+
run_analyzer Analyzers::CIRCL, query: query, options: options
|
|
109
|
+
end
|
|
110
|
+
end
|
|
111
|
+
|
|
92
112
|
desc "import_from_json", "Give a JSON input via STDIN"
|
|
93
113
|
def import_from_json(input = nil)
|
|
94
114
|
with_error_handling do
|
data/lib/mihari/version.rb
CHANGED
data/mihari.gemspec
CHANGED
|
@@ -36,6 +36,7 @@ Gem::Specification.new do |spec|
|
|
|
36
36
|
spec.add_dependency "addressable", "~> 2.7"
|
|
37
37
|
spec.add_dependency "censu", "~> 0.2"
|
|
38
38
|
spec.add_dependency "crtsh-rb", "~> 0.1"
|
|
39
|
+
spec.add_dependency "dnpedia", "~> 0.1"
|
|
39
40
|
spec.add_dependency "email_address", "~> 0.1"
|
|
40
41
|
spec.add_dependency "hachi", "~> 0.2"
|
|
41
42
|
spec.add_dependency "lightly", "~> 0.3"
|
|
@@ -44,6 +45,7 @@ Gem::Specification.new do |spec|
|
|
|
44
45
|
spec.add_dependency "net-ping", "~> 2.0"
|
|
45
46
|
spec.add_dependency "onyphe", "~> 0.2"
|
|
46
47
|
spec.add_dependency "parallel", "~> 1.17"
|
|
48
|
+
spec.add_dependency "passive_circl", "~> 0.1"
|
|
47
49
|
spec.add_dependency "public_suffix", "~> 4.0"
|
|
48
50
|
spec.add_dependency "securitytrails", "~> 0.2"
|
|
49
51
|
spec.add_dependency "shodanx", "~> 0.2"
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: mihari
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.10.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Manabu Niseki
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-
|
|
11
|
+
date: 2019-10-01 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -164,6 +164,20 @@ dependencies:
|
|
|
164
164
|
- - "~>"
|
|
165
165
|
- !ruby/object:Gem::Version
|
|
166
166
|
version: '0.1'
|
|
167
|
+
- !ruby/object:Gem::Dependency
|
|
168
|
+
name: dnpedia
|
|
169
|
+
requirement: !ruby/object:Gem::Requirement
|
|
170
|
+
requirements:
|
|
171
|
+
- - "~>"
|
|
172
|
+
- !ruby/object:Gem::Version
|
|
173
|
+
version: '0.1'
|
|
174
|
+
type: :runtime
|
|
175
|
+
prerelease: false
|
|
176
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
177
|
+
requirements:
|
|
178
|
+
- - "~>"
|
|
179
|
+
- !ruby/object:Gem::Version
|
|
180
|
+
version: '0.1'
|
|
167
181
|
- !ruby/object:Gem::Dependency
|
|
168
182
|
name: email_address
|
|
169
183
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -276,6 +290,20 @@ dependencies:
|
|
|
276
290
|
- - "~>"
|
|
277
291
|
- !ruby/object:Gem::Version
|
|
278
292
|
version: '1.17'
|
|
293
|
+
- !ruby/object:Gem::Dependency
|
|
294
|
+
name: passive_circl
|
|
295
|
+
requirement: !ruby/object:Gem::Requirement
|
|
296
|
+
requirements:
|
|
297
|
+
- - "~>"
|
|
298
|
+
- !ruby/object:Gem::Version
|
|
299
|
+
version: '0.1'
|
|
300
|
+
type: :runtime
|
|
301
|
+
prerelease: false
|
|
302
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
303
|
+
requirements:
|
|
304
|
+
- - "~>"
|
|
305
|
+
- !ruby/object:Gem::Version
|
|
306
|
+
version: '0.1'
|
|
279
307
|
- !ruby/object:Gem::Dependency
|
|
280
308
|
name: public_suffix
|
|
281
309
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -399,7 +427,9 @@ files:
|
|
|
399
427
|
- lib/mihari/analyzers/base.rb
|
|
400
428
|
- lib/mihari/analyzers/basic.rb
|
|
401
429
|
- lib/mihari/analyzers/censys.rb
|
|
430
|
+
- lib/mihari/analyzers/circl.rb
|
|
402
431
|
- lib/mihari/analyzers/crtsh.rb
|
|
432
|
+
- lib/mihari/analyzers/dnpedia.rb
|
|
403
433
|
- lib/mihari/analyzers/onyphe.rb
|
|
404
434
|
- lib/mihari/analyzers/securitytrails.rb
|
|
405
435
|
- lib/mihari/analyzers/securitytrails_domain_feed.rb
|