mihari 5.0.1 → 5.1.1

data/lib/mihari/clients/base.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Clients
+    class Base
+      # @return [String]
+      attr_reader :base_url
+
+      # @return [Hash]
+      attr_reader :headers
+
+      #
+      # @param [String] base_url
+      # @param [Hash] headers
+      #
+      def initialize(base_url, headers: {})
+        @base_url = base_url
+        @headers = headers || {}
+      end
+
+      private
+
+      #
+      # @param [String] path
+      #
+      # @return [String]
+      #
+      def url_for(path)
+        base_url + path
+      end
+
+      #
+      # @param [String] path
+      # @param [Hashk, nil] params
+      #
+      # @return [String] <description>
+      #
+      def get(path, params: nil)
+        HTTP.get(url_for(path), headers: headers, params: params)
+      end
+
+      #
+      # @param [String] path
+      # @param [Hash, nil] json
+      #
+      # @return [String] <description>
+      #
+      def post(path, json: {})
+        HTTP.post(url_for(path), headers: headers, json: json)
+      end
+    end
+  end
+end

data/lib/mihari/clients/binaryedge.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Clients
+    class BinaryEdge < Base
+      def initialize(base_url = "https://api.binaryedge.io/v2", api_key:, headers: {})
+        raise(ArgumentError, "'api_key' argument is required") unless api_key
+
+        headers["x-key"] = api_key
+
+        super(base_url, headers: headers)
+      end
+
+      #
+      # @param [String] query String used to query our data
+      # @param [Integer] page Default 1, Maximum: 500
+      # @param [Integer, nil] only_ips If selected, only output IP addresses, ports and protocols.
+      #
+      # @return [Hash]
+      #
+      def search(query, page: 1, only_ips: nil)
+        params = {
+          query: query,
+          page: page,
+          only_ips: only_ips
+        }.compact
+
+        res = get("/query/search", params: params)
+        JSON.parse(res.body.to_s)
+      end
+    end
+  end
+end

data/lib/mihari/clients/censys.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+require "base64"
+
+module Mihari
+  module Clients
+    class Censys < Base
+      #
+      # @param [String] base_url
+      # @param [String] id
+      # @param [String] secret
+      # @param [Hash] headers
+      #
+      def initialize(base_url = "https://search.censys.io", id:, secret:, headers: {})
+        raise(ArgumentError, "'id' argument is required") if id.nil?
+        raise(ArgumentError, "'secret' argument is required") if secret.nil?
+
+        headers["authorization"] = "Basic #{Base64.strict_encode64("#{id}:#{secret}")}"
+
+        super(base_url, headers: headers)
+      end
+
+      #
+      # Search current index.
+      #
+      # Searches the given index for all records that match the given query.
+      # For more details, see our documentation: https://search.censys.io/api/v2/docs
+      #
+      # @param [String] query the query to be executed.
+      # @params [Integer, nil] per_page the number of results to be returned for each page.
+      # @params [Integer, nil] cursor the cursor of the desired result set.
+      #
+      # @return [Hash]
+      #
+      def search(query, per_page: nil, cursor: nil)
+        params = { q: query, per_page: per_page, cursor: cursor }.compact
+        res = get("/api/v2/hosts/search", params: params)
+        JSON.parse(res.body.to_s)
+      end
+    end
+  end
+end

data/lib/mihari/clients/circl.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+require "base64"
+
+module Mihari
+  module Clients
+    class CIRCL < Base
+      #
+      # @param [String] base_url
+      # @param [String] username
+      # @param [String] password
+      # @param [Hash] headers
+      #
+      def initialize(base_url = "https://www.circl.lu", username:, password:, headers: {})
+        raise(ArgumentError, "'username' argument is required") if username.nil?
+        raise(ArgumentError, "'password' argument is required") if password.nil?
+
+        headers["authorization"] = "Basic #{Base64.strict_encode64("#{username}:#{password}")}"
+
+        super(base_url, headers: headers)
+      end
+
+      #
+      # @param [String] query
+      #
+      # @return [Hash]
+      #
+      def dns_query(query)
+        _get("/pdns/query/#{query}")
+      end
+
+      #
+      # @param [String] query
+      #
+      # @return [Hash]
+      #
+      def ssl_cquery(query)
+        _get("/v2pssl/cquery/#{query}")
+      end
+
+      private
+
+      #
+      #
+      # @param [String] path
+      # @param [Array<Hash>] params
+      #
+      def _get(path, params: {})
+        res = get(path, params: params)
+        body = res.body.to_s
+        content_type = res["Content-Type"].to_s
+
+        return JSON.parse(body) if content_type.include?("application/json")
+
+        body.lines.map { |line| JSON.parse line }
+      end
+    end
+  end
+end

data/lib/mihari/clients/crtsh.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Clients
+    class Crtsh < Base
+      #
+      # @param [String] base_url
+      # @param [Hash] headers
+      #
+      def initialize(base_url = "https://crt.sh", headers: {})
+        super(base_url, headers: headers)
+      end
+
+      #
+      # Search crt.sh by a given identity
+      #
+      # @param [String] identity
+      # @param [String, nil] match "=", "ILIKE", "LIKE", "single", "any" or nil
+      # @param [String, nil] exclude "expired" or nil
+      #
+      # @return [Array<Hash>]
+      #
+      def search(identity, match: nil, exclude: nil)
+        params = { identity: identity, match: match, exclude: exclude, output: "json" }.compact
+
+        res = get("/", params: params)
+        JSON.parse(res.body.to_s)
+      end
+    end
+  end
+end

data/lib/mihari/clients/dnpedia.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+require "json"
+require "zlib"
+
+module Mihari
+  module Clients
+    class DNPedia < Base
+      DEFAULT_HEADERS = {
+        "Accept-Encoding" => "gzip",
+        "Referer" => "https://dnpedia.com/tlds/search.php",
+        "X-Requested-With" => "XMLHttpRequest"
+      }.freeze
+
+      DEFAULT_PARAMS = {
+        cmd: "search",
+        columns: "id,name,zoneid,length,idn,thedate,",
+        ecf: "name",
+        ecv: "",
+        days: 2,
+        mode: "added",
+        _search: false,
+        nd: 1_569_842_920_216,
+        rows: 500,
+        page: 1,
+        sidx: "length",
+        sord: "asc"
+      }.freeze
+
+      #
+      # @param [String] base_url
+      # @param [Hash] headers
+      #
+      def initialize(base_url = "https://dnpedia.com", headers: {})
+        headers = headers.merge(DEFAULT_HEADERS)
+
+        super(base_url, headers: headers)
+      end
+
+      #
+      # @param [String] keyword
+      #
+      def search(keyword)
+        params = DEFAULT_PARAMS.merge({ ecv: normalize(keyword) })
+        res = get("/tlds/ajax.php", params: params)
+
+        sio = StringIO.new(res.body.to_s)
+        gz = Zlib::GzipReader.new(sio)
+        page = gz.read
+
+        JSON.parse page
+      end
+
+      private
+
+      def normalize(word)
+        return word if word.start_with?("~")
+        return word unless word.include?("%")
+
+        "~#{word}"
+      end
+    end
+  end
+end

data/lib/mihari/clients/dnstwister.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Clients
+    class DNSTwister < Base
+      #
+      # @param [String] base_url
+      # @param [Hash] headers
+      #
+      def initialize(base_url = "https://dnstwister.report", headers: {})
+        super(base_url, headers: headers)
+      end
+
+      #
+      # Get fuzzy domains
+      #
+      # @param [String] domain
+      #
+      # @return [Hash]
+      #
+      def fuzz(domain)
+        res = get("/api/fuzz/#{to_hex(domain)}")
+        JSON.parse(res.body.to_s)
+      end
+
+      private
+
+      #
+      # Converts string to hex
+      #
+      # @param [String] str String
+      #
+      # @return [String] Hex
+      #
+      def to_hex(str)
+        str.each_byte.map { |b| b.to_s(16) }.join
+      end
+    end
+  end
+end

data/lib/mihari/clients/greynoise.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Clients
+    class GreyNoise < Base
+      def initialize(base_url = "https://api.greynoise.io", api_key:, headers: {})
+        raise(ArgumentError, "'api_key' argument is required") unless api_key
+
+        headers["key"] = api_key
+        super(base_url, headers: headers)
+      end
+
+      #
+      # GNQL (GreyNoise Query Language) is a domain-specific query language that uses Lucene deep under the hood
+      #
+      # @param [String] query GNQL query string
+      # @param [Integer, nil] size Maximum amount of results to grab
+      # @param [Integer, nil] scroll Scroll token to paginate through results
+      #
+      # @return [Hash]
+      #
+      def gnql_search(query, size: nil, scroll: nil)
+        params = { query: query, size: size, scroll: scroll }.compact
+        res = get("/v2/experimental/gnql", params: params)
+        JSON.parse res.body.to_s
+      end
+    end
+  end
+end

data/lib/mihari/clients/misp.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Clients
+    class MISP < Base
+      #
+      # @param [String] base_url
+      # @param [String] api_key
+      # @param [Hash] headers
+      #
+      def initialize(base_url, api_key:, headers: {})
+        raise(ArgumentError, "'api_key' argument is required") unless api_key
+
+        headers["authorization"] = api_key
+        super(base_url, headers: headers)
+      end
+
+      def create_event(payload)
+        res = post("/events/add", json: payload)
+        JSON.parse(res.body.to_s)
+      end
+    end
+  end
+end

data/lib/mihari/clients/onyphe.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Clients
+    class Onyphe < Base
+      attr_reader :api_key
+
+      def initialize(base_url = "https://www.onyphe.io", api_key:, headers: {})
+        raise(ArgumentError, "'api_key' argument is required") if api_key.nil?
+
+        super(base_url, headers: headers)
+
+        @api_key = api_key
+      end
+
+      def datascan(query, page: 1)
+        params = { page: page, apikey: api_key }
+        res = get("/api/v2/simple/datascan/#{query}", params: params)
+        JSON.parse(res.body.to_s)
+      end
+    end
+  end
+end

data/lib/mihari/clients/otx.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Clients
+    class OTX < Base
+      def initialize(base_url = "https://otx.alienvault.com", api_key:, headers: {})
+        raise(ArgumentError, "'api_key' argument is required") unless api_key
+
+        headers["x-otx-api-key"] = api_key
+        super(base_url, headers: headers)
+      end
+
+      def query_by_ip(ip)
+        _get "/api/v1/indicators/IPv4/#{ip}/passive_dns"
+      end
+
+      def query_by_domain(domain)
+        _get "/api/v1/indicators/domain/#{domain}/passive_dns"
+      end
+
+      private
+
+      def _get(path)
+        res = get(path)
+        JSON.parse(res.body.to_s)
+      end
+    end
+  end
+end

data/lib/mihari/clients/passivetotal.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+require "base64"
+
+module Mihari
+  module Clients
+    class PassiveTotal < Base
+      #
+      # @param [String] base_url
+      # @param [String] username
+      # @param [String] api_key
+      # @param [Hash] headers
+      #
+      def initialize(base_url = "https://api.passivetotal.org", username:, api_key:, headers: {})
+        raise(ArgumentError, "'username' argument is required") if username.nil?
+        raise(ArgumentError, "'api_key' argument is required") if api_key.nil?
+
+        headers["authorization"] = "Basic #{Base64.strict_encode64("#{username}:#{api_key}")}"
+
+        super(base_url, headers: headers)
+      end
+
+      #
+      # @param [String] query
+      #
+      def ssl_search(query)
+        params = { query: query }
+        _get("/v2/ssl-certificate/history", params: params)
+      end
+
+      #
+      # @param [String] query
+      #
+      def passive_dns_search(query)
+        params = { query: query }
+        _get("/v2/dns/passive/unique", params: params)
+      end
+
+      #
+      # @param [String] query the domain being queried
+      # @param [String] field whether to return historical results
+      #
+      # @return [Hash]
+      #
+      def reverse_whois_search(query:, field:)
+        params = {
+          query: query,
+          field: field
+        }.compact
+        _get("/v2/whois/search", params: params)
+      end
+
+      private
+
+      #
+      # @param [String] path
+      # @param [Hash] params
+      #
+      def _get(path, params: {})
+        res = get(path, params: params)
+        JSON.parse(res.body.to_s)
+      end
+    end
+  end
+end

data/lib/mihari/clients/publsedive.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Clients
+    class PulseDive < Base
+      attr_reader :api_key
+
+      def initialize(base_url = "https://pulsedive.com", api_key:, headers: {})
+        super(base_url, headers: headers)
+
+        @api_key = api_key
+
+        raise(ArgumentError, "'api_key' argument is required") unless api_key
+      end
+
+      def get_indicator(ip_or_domain)
+        _get "/api/info.php", params: { indicator: ip_or_domain }
+      end
+
+      def get_properties(indicator_id)
+        _get "/api/info.php", params: { iid: indicator_id, get: "properties" }
+      end
+
+      private
+
+      #
+      #
+      # @param [String] path
+      # @param [Hash] params
+      #
+      def _get(path, params: {})
+        params["key"] = api_key
+
+        res = get(path, params: params)
+        JSON.parse(res.body.to_s)
+      end
+    end
+  end
+end

data/lib/mihari/clients/shodan.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Clients
+    class Shodan < Base
+      attr_reader :api_key
+
+      def initialize(base_url = "https://api.shodan.io", api_key:, headers: {})
+        raise(ArgumentError, "'api_key' argument is required") unless api_key
+
+        super(base_url, headers: headers)
+
+        @api_key = api_key
+      end
+
+      # Search Shodan using the same query syntax as the website and use facets
+      # to get summary information for different properties.
+      def search(query, page: 1, minify: true)
+        params = {
+          query: query,
+          page: page,
+          minify: minify,
+          key: api_key
+        }
+        res = get("/shodan/host/search", params: params)
+        JSON.parse(res.body.to_s)
+      end
+    end
+  end
+end

data/lib/mihari/clients/the_hive.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Clients
+    class TheHive < Base
+      #
+      # @param [String] base_url
+      # @param [String] api_key
+      # @param [String, nil] api_version
+      # @param [Hash] headers
+      #
+      def initialize(base_url, api_key:, api_version:, headers: {})
+        raise(ArgumentError, "'api_key' argument is required") unless api_key
+
+        base_url += "/#{api_version}" unless api_version.nil?
+        headers["authorization"] = "Bearer #{api_key}"
+
+        super(base_url, headers: headers)
+      end
+
+      def alert(json)
+        json = json.to_camelback_keys.compact
+        res = post("/alert", json: json)
+        JSON.parse(res.body.to_s)
+      end
+    end
+  end
+end

data/lib/mihari/clients/urlscan.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Clients
+    class UrlScan < Base
+      #
+      # @param [String] base_url
+      # @param [String] api_key
+      # @param [Hash] headers
+      #
+      def initialize(base_url = "https://urlscan.io", api_key:, headers: {})
+        raise(ArgumentError, "'api_key' argument is required") if api_key.nil?
+
+        headers["api-key"] = api_key
+
+        super(base_url, headers: headers)
+      end
+
+      #
+      # @param [String] q
+      # @param [Integer] size
+      # @param [String, nil] search_after
+      #
+      def search(q, size: 100, search_after: nil)
+        params = { q: q, size: size, search_after: search_after }.compact
+        res = get("/api/v1/search/", params: params)
+        JSON.parse res.body.to_s
+      end
+    end
+  end
+end

data/lib/mihari/clients/virustotal.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Clients
+    class VirusTotal < Base
+      #
+      # @param [String] base_url
+      # @param [String] id
+      # @param [String] secret
+      # @param [Hash] headers
+      #
+      def initialize(base_url = "https://www.virustotal.com", api_key:, headers: {})
+        raise(ArgumentError, "'api_key' argument is required") if api_key.nil?
+
+        headers["x-apikey"] = api_key
+
+        super(base_url, headers: headers)
+      end
+
+      #
+      # @param [String] query
+      #
+      def domain_search(query)
+        _get("/api/v3/domains/#{query}/resolutions")
+      end
+
+      #
+      # @param [String] query
+      #
+      def ip_search(query)
+        _get("/api/v3/ip_addresses/#{query}/resolutions")
+      end
+
+      #
+      # @param [String] query
+      # @param [String, nil] cursor
+      #
+      def intel_search(query, cursor: nil)
+        params = { query: query, cursor: cursor }.compact
+        _get("/api/v3/intelligence/search", params: params)
+      end
+
+      private
+
+      #
+      #
+      # @param [String] path
+      # @param [Hash] params
+      #
+      def _get(path, params: {})
+        res = get(path, params: params)
+        JSON.parse(res.body.to_s)
+      end
+    end
+  end
+end